    [wasm] Fix crash serializing modules w/ big frames · fae1ab03
    Ben Smith authored
    When a wasm function has a large stack frame, the x64 code generator
    performs the stack overflow check before constructing the frame. This
    requires using the `address_of_real_stack_limit` external reference, as
    well as the `ThrowWasmStackOverflow` runtime function.
    
    `ThrowWasmStackOverflow` is called via a generated trampoline, but it is
    not a builtin, so the serializer adds it to the `stub_lookup_` map. This
    map is encoded by using a monotonically increasing `stub_id` that starts
    at 0.
    
    When the function is serialized, a stub is differentiated from a builtin
    by which half of the `i32` bits is used, upper or lower. A stub only
    uses the lower 16 bits and a builtin only uses the upper 16 bits.
    
    The deserializer checks whether the lower 16 bits are 0; if so, it is
    determined to be a builtin. But if the `stub_id` is 0, then it will be
    confused with builtin 0 (`RecordWrite`). Calling the builtin instead of
    the stub causes a crash.
    
    This CL starts all `stub_id`s at 1, which prevents the builtin/stub
    confusion.
    
    There is an additional bug that is not fixed by this CL:
    `ThrowWasmStackOverflow` shouldn't be called at all. Currently it is
    called because `address_of_real_stack_limit` is a thread-local value
    that is not properly relocated.
    
    Bug: chromium:808848
    Change-Id: I06b3e650ea58ad717dcc47a3716443e16582e711
    Reviewed-on: https://chromium-review.googlesource.com/981687
    Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
    Commit-Queue: Ben Smith <binji@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#52252}
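The builtin/stub tag encoding and the deserializer's "lower 16 bits are 0" check from the commit message, modelled as an added Python illustration (this is not V8's code; the `encode_*`/`decode` functions and the `StubLookup` class are assumed names, and the builtin-0 name `RecordWrite` is taken from the message):

```python
"""Model of the i32 tag shared by builtins and stubs.

A builtin uses only the upper 16 bits, a stub only the lower 16 bits, and
the decoder classifies a tag as 'builtin' when its lower 16 bits are zero.
With stub ids starting at 0, stub 0 encodes to the same tag as builtin 0.
"""

BUILTIN_NAMES = {0: "RecordWrite"}  # builtin 0, per the commit message


def encode_builtin(builtin_id):
    assert 0 <= builtin_id < (1 << 16)
    return (builtin_id << 16) & 0xFFFFFFFF


def encode_stub(stub_id):
    assert 0 <= stub_id < (1 << 16)
    return stub_id & 0xFFFF


def decode(tag):
    """Return ('builtin', id) or ('stub', id), mirroring the deserializer."""
    if tag & 0xFFFF == 0:
        return ("builtin", tag >> 16)
    return ("stub", tag & 0xFFFF)


class StubLookup:
    """Monotonically increasing stub ids, starting at `first_id`."""

    def __init__(self, first_id):
        self.first_id = first_id
        self.ids = {}

    def id_for(self, name):
        if name not in self.ids:
            self.ids[name] = self.first_id + len(self.ids)
        return self.ids[name]


def serialize_then_deserialize(first_stub_id):
    """What the deserializer resolves the ThrowWasmStackOverflow stub to."""
    lookup = StubLookup(first_stub_id)
    tag = encode_stub(lookup.id_for("ThrowWasmStackOverflow"))
    kind, ident = decode(tag)
    if kind == "builtin":
        return ("builtin", BUILTIN_NAMES.get(ident, ident))
    return ("stub", ident)


def every_stub_id_roundtrips(first_stub_id):
    """True iff all stub ids from first_stub_id upward decode as stubs."""
    return all(decode(encode_stub(i))[0] == "stub"
               for i in range(first_stub_id, 1 << 16))
```

With ids starting at 0 the stub tag collides with builtin 0, which is the crash the CL fixes by starting at 1.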