We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Nov 2017 09:05:33 +0000 (09:05 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Nov 2017 09:05:33 +0000 (09:05 +0000)
commit: ddab6e3600b59af370a758168ad69334f2da52ae
tree: d369e1c6ece695cb039752d9e0d3cfdd53e01ed2
parent: 8ecc8c9cb10f7b84fb7b81034b82da58b7cdfaca
We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
https://bugs.webkit.org/show_bug.cgi?id=179639
<rdar://problem/35513018>

Reviewed by JF Bastien.

JSTests:

* wasm/function-tests/grow-memory-cause-gc.js: Added.
(escape):
(i.func):

Source/JavaScriptCore:

Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
walk the stack for ShadowChicken (and maybe other things). We weren't updating
topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
this bug by giving Wasm::Instance a lambda that is called when we need to store
the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
Currently, JSWebAssemblyInstance passes in a lambda that stores to
VM.topCallFrame.

* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addGrowMemory):
* wasm/WasmInstance.cpp:
(JSC::Wasm::Instance::Instance):
(JSC::Wasm::Instance::create):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::storeTopCallFrame):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJSException):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::instantiate):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224810 268f45cc-cd09-0410-ab3c-d52691b4dbfc
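The invariant the commit message describes, as an added illustration that is not JavaScriptCore code: a constructed model in which a VM keeps a `topCallFrame` that the collector's stack walker starts from, and an `Instance` carries an embedder-supplied hook for publishing the current frame. All names here (`VM`, `Instance`, `growMemory`, `walkStack`, `growFromJitBuggy`, `growFromJitFixed`) are hypothetical stand-ins; the "buggy" path calls grow without publishing the JIT frame, so a GC that runs inside grow walks from a stale frame, while the "fixed" path publishes the frame through the hook first.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Constructed model of the topCallFrame invariant; not JavaScriptCore's types.
struct CallFrame {
    std::string name;
    CallFrame* caller;
};

struct VM {
    CallFrame* topCallFrame = nullptr;  // the frame a stack walk (e.g. during GC) starts from
};

// Stand-in for the stack walk a collector performs: collects frame names from topCallFrame down.
std::vector<std::string> walkStack(const VM& vm) {
    std::vector<std::string> seen;
    for (CallFrame* f = vm.topCallFrame; f; f = f->caller)
        seen.push_back(f->name);
    return seen;
}

// Hypothetical instance type: the embedder supplies how the top frame is stored.
struct Instance {
    std::function<void(CallFrame*)> storeTopCallFrame;
    std::size_t pages = 1;
};

struct GrowResult {
    bool gcRan;
    std::vector<std::string> framesSeenByGC;
};

// Memory growth that may collect; the collector walks the stack from vm.topCallFrame.
GrowResult growMemory(VM& vm, Instance& inst, std::size_t delta, bool triggerGC) {
    inst.pages += delta;
    GrowResult r{false, {}};
    if (triggerGC) {
        r.gcRan = true;
        r.framesSeenByGC = walkStack(vm);
    }
    return r;
}

// Buggy path: the JIT calls grow without publishing its own frame first.
GrowResult growFromJitBuggy(VM& vm, Instance& inst, CallFrame* jitFrame) {
    (void)jitFrame;  // deliberately not stored: models the missing topCallFrame update
    return growMemory(vm, inst, 1, true);
}

// Fixed path: publish the current frame through the instance's hook, then grow.
GrowResult growFromJitFixed(VM& vm, Instance& inst, CallFrame* jitFrame) {
    inst.storeTopCallFrame(jitFrame);
    return growMemory(vm, inst, 1, true);
}

// Returns true when the collector's walk started at the frame that actually called grow.
bool gcSawCurrentFrame(bool useFixedPath) {
    VM vm;
    Instance inst;
    inst.storeTopCallFrame = [&vm](CallFrame* f) { vm.topCallFrame = f; };

    CallFrame entry{"entry", nullptr};
    vm.topCallFrame = &entry;            // stale value left from entering the module
    CallFrame jit{"wasm-jit", &entry};   // the frame that is really on top when grow runs

    GrowResult r = useFixedPath ? growFromJitFixed(vm, inst, &jit)
                                : growFromJitBuggy(vm, inst, &jit);
    return r.gcRan && !r.framesSeenByGC.empty() && r.framesSeenByGC.front() == jit.name;
}
```

In this model the buggy path leaves the collector walking from `entry` while `wasm-jit` is the real top frame, which is the stale-topCallFrame situation the commit message attributes to the crashes; the fixed path makes the walk start at the current frame.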
JSTests/ChangeLog
JSTests/wasm/function-tests/grow-memory-cause-gc.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
Source/JavaScriptCore/wasm/WasmInstance.cpp
Source/JavaScriptCore/wasm/WasmInstance.h
Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h
Source/JavaScriptCore/wasm/js/WasmToJS.cpp
Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp
Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp