[25] [JSC] Don't advance bytecode when reifying inline frames at a checkpoint
Severity: Medium | Component: JSC DFG JIT | 4e802a1
Classified as Medium severity. The diff fixes incorrect exception-handler dispatch metadata: the CallSiteIndex recorded into the reified baseline frame during OSR exit pointed at the bytecode position after the checkpoint, so a throw from the re-executed checkpoint instruction was mapped to the wrong HandlerInfo try-range.
reifyInlinedCallFrames used bytecodeIndexForExit(...), which normalizes an index that carries a checkpoint to the bytecode position after that checkpoint. That is the right behaviour for resumption, but during unwinding it refers to the wrong position.
Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
- BytecodeIndex exitIndex = baselineCodeBlock->bytecodeIndexForExit(codeOrigin->bytecodeIndex());
+ BytecodeIndex exitIndex(codeOrigin->bytecodeIndex().offset());
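Review bot: the replacement constructs exitIndex from `.offset()` alone, so the checkpoint component of `codeOrigin->bytecodeIndex()` is dropped along with the normalization; a one-line comment stating that this index is used for handler lookup and therefore must stay on the instruction being re-executed, not the post-checkpoint resumption point, would save the next reader from "fixing" it back to bytecodeIndexForExit. It is also worth checking that nothing else in reifyInlinedCallFrames still consumes exitIndex as the resumption PC, since that consumer would now need the normalized index separately.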
When an inline frame is reified at a checkpoint, the bytecode index needed for resumption and the bytecode index needed for exception-handler lookup differ by one instruction: resumption continues after the checkpoint, but handler lookup must use the instruction whose checkpoint is being re-executed.
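The following is an added model of the mismatch, not JSC code: ModelBytecodeIndex, ModelHandlerInfo, normalizeForExit and handlerForOffset are hypothetical stand-ins for BytecodeIndex, HandlerInfo, bytecodeIndexForExit and the try-range lookup, and the instruction layout and handler table are constructed sample data. It shows how looking up a handler with the resumption-normalized index lands in the try block after the throwing instruction, while the raw offset selects the correct one.

```cpp
// Added model of the checkpoint/handler-lookup mismatch. Not JSC code;
// all names and the sample layout below are hypothetical.
#include <cstdint>
#include <cstdio>
#include <vector>

// A bytecode position: instruction offset plus a checkpoint number inside it.
// Checkpoint 0 is the instruction start; nonzero checkpoints are intermediate
// re-execution points within a single instruction.
struct ModelBytecodeIndex {
    uint32_t offset;
    uint8_t checkpoint;
};

// One try range [start, end) in instruction offsets, plus the catch target.
struct ModelHandlerInfo {
    uint32_t start;
    uint32_t end;
    uint32_t target;
};

// Stand-in for bytecodeIndexForExit: for resumption, an index that sits in a
// checkpoint is normalized to the start of the *next* instruction.
ModelBytecodeIndex normalizeForExit(ModelBytecodeIndex index,
                                    const std::vector<uint32_t>& instructionStarts) {
    if (index.checkpoint == 0)
        return index;
    for (uint32_t start : instructionStarts) {
        if (start > index.offset)
            return {start, 0};
    }
    return {index.offset, 0}; // assumption: last instruction, nothing follows
}

// Stand-in for handler lookup: the first range containing the offset wins.
// Returns the catch target, or -1 when no try range covers the offset.
long handlerTargetForOffset(const std::vector<ModelHandlerInfo>& table, uint32_t offset) {
    for (const ModelHandlerInfo& h : table) {
        if (h.start <= offset && offset < h.end)
            return h.target;
    }
    return -1;
}

// Constructed sample: the instruction at offset 10 carries checkpoints and is
// the only instruction inside the first try block; a second try block follows.
const std::vector<uint32_t> kInstructionStarts = {0, 4, 10, 16, 20};
const std::vector<ModelHandlerInfo> kHandlers = {
    {10, 16, 40}, // try { <instruction at 10> } catch -> 40
    {16, 24, 60}, // try { <instructions at 16, 20> } catch -> 60
};

// Catch target chosen for a throw from the re-executed checkpoint, using either
// the resumption-normalized index (the old code) or the raw offset (the fix).
long handlerTargetForThrowAtCheckpoint(ModelBytecodeIndex origin, bool useNormalizedIndex) {
    uint32_t lookupOffset = useNormalizedIndex
        ? normalizeForExit(origin, kInstructionStarts).offset
        : origin.offset;
    return handlerTargetForOffset(kHandlers, lookupOffset);
}

int main() {
    ModelBytecodeIndex atCheckpoint = {10, 1};
    std::printf("old (normalized) -> catch target %ld\n",
                handlerTargetForThrowAtCheckpoint(atCheckpoint, true));
    std::printf("fix (raw offset) -> catch target %ld\n",
                handlerTargetForThrowAtCheckpoint(atCheckpoint, false));
    return 0;
}
```

With the sample layout the normalized index resolves to offset 16, so a throw from the checkpoint inside the instruction at 10 is dispatched to the second try block's handler; the raw offset keeps it in the first. For an index at checkpoint 0 both paths agree, which is why the bug only surfaces for checkpoint-bearing instructions.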
How an off-by-one in a JIT bookkeeping helper rewrites the JavaScript exception-handling contract, and how far that semantic divergence might be pushed.
Audit directions
Three reusable patterns for finding similar checkpoint/index-normalization mismatches across JSC's OSR exit, unwind, and inline-cache paths.