ArityFixup should adjust SP first
author: utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 1 Feb 2017 11:29:25 +0000 (11:29 +0000)
committer: utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 1 Feb 2017 11:29:25 +0000 (11:29 +0000)
commit: f98e7b9058b5b5ed279f80ff476e6ed5af9f41a6
tree: 3fc0058486d003c321878e938fbb4ad5fe0ad84a
parent: 8c421b45d9391edb019b993ae294c14217537216
ArityFixup should adjust SP first
https://bugs.webkit.org/show_bug.cgi?id=167239

Reviewed by Michael Saboff.

JSTests:

A significantly large arity fixup reliably causes this crash.

* stress/arity-fixup-should-not-touch-stack-area-below-sp.js: Added.

Source/JavaScriptCore:

Arity fixup extends the stack and copies/fills the stack with
the values. At that time, we accidentally read/write stack
space below the stack pointer. As a result, we touch the area
of the stack space below the x64 red zone. These areas are unsafe.
The OS may corrupt this space when constructing a signal stack.
The Linux kernel could not populate the pages for this space
and causes a segmentation fault. This patch changes the stack
pointer before performing the arity fixup.

* jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@211479 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/arity-fixup-should-not-touch-stack-area-below-sp.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/ThunkGenerators.cpp
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
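The ordering hazard the commit message describes, as an added toy model (this is not JavaScriptCore code and not the patch itself): the stack is an array of 64-bit slots that grows toward lower indices as on x64, `sp` is an index, the x64 red zone is modelled as 16 slots (128 bytes), and a simulated signal delivery writes a kernel signal frame below the red zone. The signal frame size, the `JS_UNDEFINED` encoding and the frame contents are constructed assumptions. `arity_fixup` slides the frame down by `delta` slots and fills the vacated argument slots with undefined; with `sp_first == 0` it adjusts `sp` last, as the code did before this change, and a signal that lands in that window clobbers the freshly copied frame whenever `delta` exceeds the red zone. With `sp_first == 1` the signal frame is placed below the new `sp` and the copied frame survives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added toy model of the arity-fixup ordering bug; not JSC code. */
#define STACK_SLOTS     512
#define RED_ZONE_SLOTS  16        /* x64 System V red zone: 128 bytes / 8 */
#define SIGFRAME_SLOTS  128       /* assumed size of a kernel signal frame, in slots */
#define FRAME_SLOTS     8         /* size of the callee frame being fixed up */
#define JS_UNDEFINED    0x0AULL   /* stands in for jsUndefined (assumption) */
#define CLOBBER         0xBADC0DEULL

typedef struct {
    uint64_t slots[STACK_SLOTS];
    size_t   sp;                  /* index of the lowest live slot */
} ToyStack;

/* A signal arriving now: the kernel skips the red zone below sp and
 * writes the signal frame beneath it. Anything placed there is lost. */
static void deliver_signal(ToyStack *s) {
    if (s->sp < RED_ZONE_SLOTS)
        return;
    size_t hi = s->sp - RED_ZONE_SLOTS;
    size_t lo = hi > SIGFRAME_SLOTS ? hi - SIGFRAME_SLOTS : 0;
    for (size_t i = lo; i < hi; i++)
        s->slots[i] = CLOBBER;
}

/* Grow the frame by `delta` slots: slide the existing frame down and fill
 * the vacated slots with undefined. `sp_first` selects whether sp is
 * adjusted before or after the copy; the signal lands after the copy,
 * i.e. inside the window where the old ordering has not moved sp yet. */
static void arity_fixup(ToyStack *s, size_t delta, int sp_first) {
    size_t old_sp = s->sp;
    if (sp_first)
        s->sp = old_sp - delta;
    for (size_t i = 0; i < FRAME_SLOTS; i++)        /* copy frame downward */
        s->slots[old_sp - delta + i] = s->slots[old_sp + i];
    for (size_t i = 0; i < delta; i++)              /* fill new arg slots */
        s->slots[old_sp - delta + FRAME_SLOTS + i] = JS_UNDEFINED;
    deliver_signal(s);
    if (!sp_first)
        s->sp = old_sp - delta;
}

/* Constructed frame contents: slot i of the frame holds 0x1000 + i. */
static void init_stack(ToyStack *s) {
    memset(s, 0, sizeof *s);
    s->sp = STACK_SLOTS - FRAME_SLOTS;             /* frame at the top */
    for (size_t i = 0; i < FRAME_SLOTS; i++)
        s->slots[s->sp + i] = 0x1000 + i;
}

/* 1 if the relocated frame still holds the original values followed by
 * `delta` undefineds, 0 if the signal frame clobbered any of it. */
static int frame_intact(const ToyStack *s, size_t delta) {
    for (size_t i = 0; i < FRAME_SLOTS; i++)
        if (s->slots[s->sp + i] != 0x1000 + i)
            return 0;
    for (size_t i = 0; i < delta; i++)
        if (s->slots[s->sp + FRAME_SLOTS + i] != JS_UNDEFINED)
            return 0;
    return 1;
}

/* Run one fixup of `delta` slots with the chosen ordering and report
 * whether the frame survived the signal. Requires delta <= STACK_SLOTS - FRAME_SLOTS. */
int run_fixup(size_t delta, int sp_first) {
    ToyStack s;
    init_stack(&s);
    arity_fixup(&s, delta, sp_first);
    return frame_intact(&s, delta);
}

int main(void) {
    printf("small fixup, sp adjusted last : %s\n", run_fixup(8, 0)  ? "intact" : "corrupted");
    printf("large fixup, sp adjusted last : %s\n", run_fixup(64, 0) ? "intact" : "corrupted");
    printf("large fixup, sp adjusted first: %s\n", run_fixup(64, 1) ? "intact" : "corrupted");
    return 0;
}
```

A `delta` of 8 slots stays inside the modelled red zone, so the old ordering happens to survive; at 64 slots the copied frame extends past the red zone and the signal frame overwrites it, which is the "significantly large arity fixup" case the test in this commit exercises. Adjusting `sp` before the copy removes the window regardless of `delta`.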