ArityFixup should adjust SP first
https://bugs.webkit.org/show_bug.cgi?id=167239
Reviewed by Michael Saboff.
JSTests:
A significantly large arity fixup reliably causes this crash.
* stress/arity-fixup-should-not-touch-stack-area-below-sp.js: Added.
Source/JavaScriptCore:
Arity fixup extends the stack and copies/fills the stack with
the values. At that time, we accidentally read/write stack
space below the stack pointer. As a result, we touch the area
of the stack space below the x64 red zone. These areas are unsafe.
The OS may corrupt this space when constructing a signal stack.
The Linux kernel cannot populate the pages for this space,
which causes a segmentation fault. This patch changes the stack
pointer before performing the arity fixup.
* jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@211479 268f45cc-cd09-0410-ab3c-d52691b4dbfc