[7] [JSC] Delay PC advancement until after operationCallMayThrow in IPInt
Severity: Medium | Component: JSC IPInt (In-Place Interpreter) | 714bf5b
The Medium rating rests on two judgments. First, the observable effect is that Wasm exception dispatch selects the wrong catch: a logic error reachable from web content and reproducible every time. Whether this can be escalated into a Wasm-level type confusion depends on whether IPInt's catch-entry path reconstructs the operand-stack height, an architectural question that has not yet been confirmed.
Source/JavaScriptCore/llint/InPlaceInterpreter64.asm
ipintOp(_call_indirect, macro()
saveCallSiteIndex()
- loadb IPInt::CallIndirectMetadata::length[MC], t2
- advancePCByReg(t2)
-
move sp, a2
move cfr, a1
move MC, a3
- advanceMC(IPInt::CallIndirectMetadata::signature)
operationCallMayThrow(macro() cCall4(_ipint_extern_prepare_call_indirect) end)
+ # operationCallMayThrow는 call site index를 저장하므로, PC 전진은 이후에 수행해야 합니다.
+ loadb IPInt::CallIndirectMetadata::length[MC], t3
+ advancePCByReg(t3)
+ advanceMC(IPInt::CallIndirectMetadata::signature)
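Review bot: the relocated length load switches scratch register from t2 (removed `loadb IPInt::CallIndirectMetadata::length[MC], t2`) to t3 (added `loadb IPInt::CallIndirectMetadata::length[MC], t3`), and the added comment explains only the PC ordering, not the register change; since the load now runs after `cCall4`, one clause in that comment stating whether t2 is no longer safe across the call would stop a later cleanup from moving it back. The hunk shown covers only `_call_indirect`; the `_return_call_indirect` and `_return_call_ref` handlers named in the write-up need the identical reordering, and the change should carry a regression test that throws from an indirect call sitting at the last instruction of a try range, where a post-advance snapshot would fall into the following handler's range.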
Patch Details
In the three IPInt opcode handlers _call_indirect, _return_call_indirect and _return_call_ref, the advancePCByReg and advanceMC instructions were moved from before the operationCallMayThrow call to after it. No new guard or type was added; the reordering of execution is the entire fix.
The PC value recorded as the call-site index for exception dispatch is off by one: the PC is advanced before the may-throw call, so the wrong location is recorded.
Background
IPInt is JSC's lowest-tier WebAssembly interpreter, written in offlineasm (InPlaceInterpreter64.asm). Opcode handlers manipulate two pointers, PC (Wasm bytecode) and MC (metadata cursor), and for operations that can unwind they call C++ helpers through operationCallMayThrow. operationCallMayThrow records the current call site index, derived from the PC at the time of the call, in per-frame state, and that value is used for Wasm exception-handler lookup. Wasm exception handling lets a function associate catch blocks with PC ranges; when a throw occurs, the runtime selects the innermost matching catch.
Analysis
Before the patch, the three indirect-call handlers advanced the PC past the call instruction before invoking operationCallMayThrow. As a result, the stored call site index pointed at the instruction following the call. When the indirect call subsequently threw, whether from a signature mismatch, a null table entry, or a throw inside the callee, the unwinder used this off-by-one index to search the function's exception-handler table.
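To make the off-by-one concrete, here is an added C model of the handler-table lookup described above; it is not JSC code. It assumes, as a simplification, that the recorded call site is the raw PC and that handler entries are half-open PC ranges where the innermost (narrowest) match wins; the function layout and table are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model (not JSC's data structures): each handler-table entry
 * protects a half-open bytecode range [start, end) and names the catch block
 * for throws inside it; the innermost try is modelled as the narrowest range. */
typedef struct {
    uint32_t start, end;   /* protected PC range, half-open */
    int catch_target;      /* identifier of the catch block */
} HandlerEntry;

/* Return the catch target of the innermost handler covering `pc`, or -1. */
int lookup_handler(const HandlerEntry *table, size_t n, uint32_t pc) {
    int best = -1;
    uint32_t best_span = UINT32_MAX;
    for (size_t i = 0; i < n; i++) {
        if (pc < table[i].start || pc >= table[i].end)
            continue;
        uint32_t span = table[i].end - table[i].start;
        if (span < best_span) { best_span = span; best = table[i].catch_target; }
    }
    return best;
}

/* The PC that operationCallMayThrow would snapshot as the call site: `call_pc`
 * is the PC of the call_indirect opcode, `length` what advancePCByReg adds. */
uint32_t recorded_call_site(uint32_t call_pc, uint32_t length, bool advance_before_call) {
    if (advance_before_call)
        return call_pc + length;   /* pre-patch order: snapshot sees the next instruction */
    return call_pc;                /* patched order: snapshot sees the call itself */
}

/* Constructed layout: an outer try, an inner try whose last instruction is the
 * call_indirect at PC 40 (length 3), and a sibling inner try starting at 43. */
static const HandlerEntry kTable[] = {
    { 10, 60, 1 },   /* outer try ... catch #1 */
    { 30, 43, 2 },   /* inner try ... catch #2, ends right after the call */
    { 43, 55, 3 },   /* next inner try ... catch #3, begins at the next instruction */
};
#define kTableLen (sizeof kTable / sizeof kTable[0])

/* Which catch the unwinder picks for a throw out of the call at PC 40. */
int catch_for_call(bool advance_before_call) {
    uint32_t site = recorded_call_site(40, 3, advance_before_call);
    return lookup_handler(kTable, kTableLen, site);
}
```

With the pre-patch ordering the snapshot lands on 43, so the sibling try's catch #3 is chosen instead of catch #2, which is the wrong-catch selection the rating describes.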
The exception-dispatch correctness implications and the open question of whether wrong-catch selection can be escalated into a stack-type primitive are explored in depth.
Audit directions
Multiple reusable audit patterns for interpreter PC-snapshot ordering and Wasm handler-table lookup integrity, with concrete starting files and grep targets.