From cac651b720514dbb283409687614620c346389d4 Mon Sep 17 00:00:00 2001 From: Jakob Gruber Date: Mon, 11 Nov 2019 14:34:07 +0100 Subject: [Backport] Security bug 1020031 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/1903440: [interpreter] Move function-entry stack check to start of bytecode array The function-entry stack check should dominate all other instructions in a function. Prior to this CL it was possible to create paths not including a stack check due to SwitchOnGeneratorState: the generator-creation branch had a stack check, while generator-resume branches did not. 0 : af fb 00 01 SwitchOnGeneratorState r0, [0], [1] { 0: @22 } 4 : 27 fe fa Mov , r1 7 : 27 02 f9 Mov , r2 10 : 64 0a fa 02 InvokeIntrinsic [_CreateJSGeneratorObject], r1-r2 14 : 26 fb Star r0 16 : a7 StackCheck 17 : b0 fb fb 01 00 SuspendGenerator r0, r0-r0, [0] 22 : b1 fb fb 01 ResumeGenerator r0, r0-r0 [... no stack check here ...] This CL moves the stack check to the beginning of the bytecode array, i.e. before SwitchOnGeneratorState. Bug: chromium:1020031 Change-Id: I07ba6fdfa207309c2cc64b9c6e8a9cf171c84fb5 Reviewed-by: Jüri Valdmann
---
 chromium/v8/src/interpreter/bytecode-generator.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/chromium/v8/src/interpreter/bytecode-generator.cc b/chromium/v8/src/interpreter/bytecode-generator.cc
index d3b27b4375f..da06bf6e393 100644
--- a/chromium/v8/src/interpreter/bytecode-generator.cc
+++ b/chromium/v8/src/interpreter/bytecode-generator.cc
@@ -1131,6 +1131,9 @@ void BytecodeGenerator::GenerateBytecode(uintptr_t stack_limit) {
   AllocateTopLevelRegisters();
 
+  // Perform a stack-check before the body.
+  builder()->StackCheck(info()->literal()->start_position());
+
   if (info()->literal()->CanSuspend()) {
     BuildGeneratorPrologue();
   }
 
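Review bot: The comment added above the StackCheck call says what is emitted but not why it must be emitted at this exact point, and that ordering is the whole fix: the commit message explains the check has to dominate every path through the function, including the generator-resume branches that BuildGeneratorPrologue emits via SwitchOnGeneratorState, which a future refactor that moves it back below the prologue would silently undo. I would replace the comment with `// Emit the stack check before BuildGeneratorPrologue() so it dominates every path, including generator-resume branches (bug 1020031).` so the invariant is enforced by review rather than rediscovered. The backport carries no regression test (e.g. deep recursion through a resumed generator); if one landed upstream it is worth naming in the description, and if not, adding one would guard this ordering. The enclosing GenerateBytecode body continues outside the hunk.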
@@ -1195,9 +1198,6 @@ void BytecodeGenerator::GenerateBytecodeBody() {
   // Emit initializing assignments for module namespace imports (if any).
   VisitModuleNamespaceImports();
 
-  // Perform a stack-check before the body.
-  builder()->StackCheck(literal->start_position());
-
   // The derived constructor case is handled in VisitCallSuper.
   if (IsBaseConstructor(function_kind())) {
     if (literal->requires_brand_initialization()) {
-- 
cgit v1.2.1