[22] [JSC] Move FTL stack overflow check to prologue
Severity: Medium | Component: JSC FTL JIT | 1b42291
This diff was rated Medium because it changes a JIT prologue state invariant. The stack overflow check's late path popped the callee-saves but did not restore SP before jumping to ThrowStackOverflowAtPrologue. As a result, the throw thunk ran with SP pointing at a partially constructed frame.
The stack overflow patchpoint ran only after emitFunctionPrologue, frame allocation, and callee-save spilling had all completed, that is, inside the lowered function body. From that state it tried to roll the state back before jumping to a thunk that expects the "at prologue" stack shape.
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+ Ref<B3::Air::PrologueGenerator> mainPrologueGenerator = createSharedTask<B3::Air::PrologueGeneratorFunction>(
+ [=](CCallHelpers& jit, B3::Air::Code& code) {
+ jit.emitFunctionPrologue();
+ // Stack overflow check before frame allocation; SP == FP, no callee-saves saved.
+ ...
+ auto stackOverflow = jit.branchPtr(...);
+ stackOverflow.linkThunk(...ThrowStackOverflowAtPrologue...);
+ if (ftlFrameSize)
+ jit.subPtr(CCallHelpers::TrustedImm32(ftlFrameSize), CCallHelpers::stackPointerRegister);
+ jit.emitSave(code.calleeSaveRegisterAtOffsetList());
+ });
+ m_proc.code().setPrologueForEntrypoint(0, WTF::move(mainPrologueGenerator));
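Review bot: the overflow branch on the `jit.branchPtr(...)` line now runs before the `jit.subPtr(CCallHelpers::TrustedImm32(ftlFrameSize), CCallHelpers::stackPointerRegister)` that reserves the frame, so the comparison must already charge ftlFrameSize (compare SP minus the frame size, or the limit plus it, against the stack limit); the elided operands make that unverifiable from the hunk, so please expand them or add a comment stating exactly what is compared. Also worth confirming that ftlFrameSize covers the callee-save area, since `jit.emitSave(code.calleeSaveRegisterAtOffsetList())` is emitted unconditionally while the subPtr is guarded by `if (ftlFrameSize)`.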
Stack pointer state mismatch at a JIT exception edge: the pattern of reaching an out-of-line thunk from a point past the prologue without symmetrically unwinding SP.
The original code still carried a FIXME comment pointing directly at the bug number this commit closes. In other words, the author was already aware that the stack check belonged in the Air prologue and that the late path's emitRestore was only a stopgap.
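The invariant at stake, as an added model that is not JSC code: the functions below (FrameModel, allocateFrame, emitSave, emitRestore, wouldOverflow and the two "reaches thunk" checkers) are hypothetical stand-ins for the CCallHelpers emitters named in the hunk and only move an integer model of SP and FP, they emit no machine code. The old late path restores callee-saves but never adds the frame size back, so the thunk sees SP below FP; the new placement checks before subPtr and emitSave, so no unwinding is needed. The starting address is a constructed sample, and the assumption that a pre-allocation check must compare SP minus frameSize against the limit is the model's, since the hunk elides the branchPtr operands.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Stack grows downward. SP and FP are tracked as plain integers so the model is
// independent of real addresses; the starting address is a constructed sample.
struct FrameModel {
    uintptr_t fp = 0x7fff0000;
    uintptr_t sp = 0x7fff0000;
    size_t frameSize = 0;
    bool calleeSavesSpilled = false;
};

// Hypothetical stand-ins for the emitter calls seen in the hunk:
// emitFunctionPrologue -> subPtr(frameSize) -> emitSave. The real ones are
// CCallHelpers methods that emit machine code; these only move the model.
void emitFunctionPrologue(FrameModel& f) { f.sp = f.fp; f.calleeSavesSpilled = false; }
void allocateFrame(FrameModel& f, size_t frameSize) { f.frameSize = frameSize; f.sp -= frameSize; }
void emitSave(FrameModel& f) { f.calleeSavesSpilled = true; }     // spills into the frame
void emitRestore(FrameModel& f) { f.calleeSavesSpilled = false; } // reloads; does not move SP

// The shape ThrowStackOverflowAtPrologue expects on entry: SP == FP and no
// callee-saves sitting in a frame the thunk knows nothing about.
bool hasAtPrologueShape(const FrameModel& f) {
    return f.sp == f.fp && !f.calleeSavesSpilled;
}

// Overflow decision taken before the frame is allocated. Assumption (the hunk
// elides the branchPtr operands): the check must charge the frame about to be
// carved out, so it compares SP - frameSize, not SP, against the limit.
bool wouldOverflow(const FrameModel& f, size_t frameSize, uintptr_t stackLimit) {
    return f.sp - frameSize < stackLimit;
}

// Old layout: the check lived in the lowered body, after allocation and spills.
// Its late path restored callee-saves and jumped, never adding frameSize back.
// Returns whether the thunk sees the shape it expects.
bool oldLatePathReachesThunkCorrectly(size_t frameSize) {
    FrameModel f;
    emitFunctionPrologue(f);
    allocateFrame(f, frameSize);
    emitSave(f);
    emitRestore(f);  // undoes the spills ...
    // ... but there is no addPtr(frameSize, sp): SP still points into the
    // partially torn-down frame.
    return hasAtPrologueShape(f);
}

// How far below FP the old late path left SP when it reached the thunk.
size_t oldLatePathSpGap(size_t frameSize) {
    FrameModel f;
    emitFunctionPrologue(f);
    allocateFrame(f, frameSize);
    emitSave(f);
    emitRestore(f);
    return static_cast<size_t>(f.fp - f.sp);
}

// New layout: check immediately after emitFunctionPrologue, before subPtr and
// emitSave, so the overflow edge needs no unwinding at all.
bool newPrologueCheckReachesThunkCorrectly(size_t frameSize, uintptr_t stackLimit) {
    FrameModel f;
    emitFunctionPrologue(f);
    if (wouldOverflow(f, frameSize, stackLimit))
        return hasAtPrologueShape(f);  // jump to the thunk from this state
    allocateFrame(f, frameSize);
    emitSave(f);
    return true;  // no overflow: the body runs with the full frame
}

int main() {
    const uintptr_t limit = 0x7fff0000u - 0x80;  // constructed: limit inside the 0x100 frame
    std::printf("old late path, frame 0x100: thunk shape ok = %d (SP gap 0x%zx)\n",
                oldLatePathReachesThunkCorrectly(0x100), oldLatePathSpGap(0x100));
    std::printf("old late path, frame 0: thunk shape ok = %d (bug hidden by empty frame)\n",
                oldLatePathReachesThunkCorrectly(0));
    std::printf("new prologue check, frame 0x100: thunk shape ok = %d\n",
                newPrologueCheckReachesThunkCorrectly(0x100, limit));
    return 0;
}
```

The zero-frame case is the one to keep in mind when auditing: with nothing subtracted from SP, the old late path happens to produce the right shape, so a test corpus of tiny functions never observes the mismatch.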
🔒The stack-pointer state at JIT exception edges, and what an off-by-one prologue invariant means for the throw path
Audit directions
🔒Several reusable audit patterns identified for late-path/thunk symmetry across JIT tiers, with concrete starting points for variant discovery