[25] [JSC] Don't advance bytecode when reifying inline frames at a checkpoint
Severity: Medium | Component: JSC DFG JIT | 4e802a1
Rated Medium because the diff fixes incorrect exception-handler dispatch metadata: the CallSiteIndex written into reified baseline frames during OSR exit was the bytecode AFTER the checkpoint, so a throw from the re-executed checkpoint instruction matched the wrong HandlerInfo try-range.
reifyInlinedCallFrames used bytecodeIndexForExit(...) which normalizes a checkpoint-bearing index to the bytecode position after the checkpoint — correct for resumption (kept in a separate sidestate), wrong for unwinding.
Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
- BytecodeIndex exitIndex = baselineCodeBlock->bytecodeIndexForExit(codeOrigin->bytecodeIndex());
+ BytecodeIndex exitIndex(codeOrigin->bytecodeIndex().offset());
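Review bot: the new line builds `exitIndex` from `codeOrigin->bytecodeIndex().offset()` alone, which deliberately drops the checkpoint, but nothing at the site says why `bytecodeIndexForExit` is the wrong helper here. Add a comment stating that this index becomes the reified frame's CallSiteIndex, so exception-handler lookup must see the instruction that will be re-executed, while the post-checkpoint resumption index is carried separately; without it a later cleanup is likely to fold the call back into `bytecodeIndexForExit`. A regression test that exits at a checkpoint inside an inlined call and then throws from the re-executed instruction would pin the handler match.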
Off-by-one between the bytecode index used for resumption and the bytecode index used for exception-handler lookup when reifying inlined frames at a checkpoint.
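As an added illustration, not code from the WebKit tree, the following simplified model shows the two index policies side by side: a constructed five-instruction function with one try-range, a `resumptionOffset` that mimics what the page says `bytecodeIndexForExit` does to a checkpoint-bearing index, and a handler-table scan keyed once on that normalized index (the bug) and once on the instruction's own offset (the fix). The struct layouts, instruction lengths and handler table are assumptions for the model, not JSC's real types.

```cpp
#include <vector>

// Simplified model (not JSC's real types) of an index that may carry a
// checkpoint into a multi-step instruction such as a call.
struct BytecodeIndex { unsigned offset; unsigned checkpoint; };

// Try-range [start, end) in bytecode offsets, plus the catch target.
struct HandlerInfo { unsigned start; unsigned end; unsigned target; };

struct Instruction { unsigned offset; unsigned length; };

// Constructed sample: a try block covering offsets [4, 13), whose last
// instruction is a 3-byte call at offset 10 that has a checkpoint.
std::vector<Instruction> sampleCode() {
    return {{0, 4}, {4, 6}, {10, 3}, {13, 2}, {15, 1}};
}
std::vector<HandlerInfo> sampleTable() {
    return {{4, 13, 20}};
}

// Models bytecodeIndexForExit: a checkpoint-bearing index is normalized to
// the instruction AFTER the checkpointed one, which is what resumption wants.
unsigned resumptionOffset(const std::vector<Instruction>& code, BytecodeIndex index) {
    if (index.checkpoint == 0)
        return index.offset;
    for (const Instruction& insn : code)
        if (insn.offset == index.offset)
            return insn.offset + insn.length;
    return index.offset;
}

// Handler-table scan as unwinding performs it; -1 means "no handler here".
int handlerTargetFor(const std::vector<HandlerInfo>& table, unsigned offset) {
    for (const HandlerInfo& h : table)
        if (h.start <= offset && offset < h.end)
            return static_cast<int>(h.target);
    return -1;
}

// Buggy: the frame's CallSiteIndex is derived from the resumption index, so
// a throw from the re-executed call at offset 10 is looked up at offset 13.
int buggyHandler(BytecodeIndex index) {
    return handlerTargetFor(sampleTable(), resumptionOffset(sampleCode(), index));
}

// Fixed (what the patch does): key the lookup on the instruction's own offset.
int fixedHandler(BytecodeIndex index) {
    return handlerTargetFor(sampleTable(), index.offset);
}
```

With the sample table the buggy lookup lands one instruction past the try-range and finds no handler, while the fixed lookup matches the catch at offset 20.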