blob: 20d3f6ad5ce0ba964d73d187f96e7f3f58a25419 [file] [log] [blame]
/*
* Copyright (C) 2016-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "ShadowChicken.h"
#include "CodeBlock.h"
#include "JSCInlines.h"
#include "ShadowChickenInlines.h"
#include <wtf/ListDump.h>
namespace JSC {
namespace ShadowChickenInternal {
static constexpr bool verbose = false;
}
void ShadowChicken::Packet::dump(PrintStream& out) const
{
if (!*this) {
out.print("empty");
return;
}
if (isPrologue()) {
String name = "?"_s;
if (auto* function = jsDynamicCast<JSFunction*>(callee->vm(), callee)) {
name = function->name(callee->vm());
if (name.isEmpty())
name = "?"_s;
}
out.print(
"{callee = ", RawPointer(callee), ", frame = ", RawPointer(frame), ", callerFrame = ",
RawPointer(callerFrame), ", name = ", name, "}");
return;
}
if (isTail()) {
out.print("tail-packet:{frame = ", RawPointer(frame), "}");
return;
}
ASSERT(isThrow());
out.print("throw");
}
void ShadowChicken::Frame::dump(PrintStream& out) const
{
String name = "?"_s;
if (auto* function = jsDynamicCast<JSFunction*>(callee->vm(), callee)) {
name = function->name(callee->vm());
if (name.isEmpty())
name = "?"_s;
}
out.print(
"{callee = ", *callee, ", frame = ", RawPointer(frame), ", isTailDeleted = ",
isTailDeleted, ", name = ", name, "}");
}
ShadowChicken::ShadowChicken()
: m_logSize(Options::shadowChickenLogSize())
{
// Allow one additional packet beyond m_logEnd. This is useful for the moment we
// log a packet when the log is full and force an update. At that moment the packet
// that is being logged should be included in the update because it may be
// a critical prologue needed to rationalize the current machine stack with the
// shadow stack.
m_log = static_cast<Packet*>(fastZeroedMalloc(sizeof(Packet) * (m_logSize + 1)));
m_logCursor = m_log;
m_logEnd = m_log + m_logSize;
}
ShadowChicken::~ShadowChicken()
{
fastFree(m_log);
}
void ShadowChicken::log(VM& vm, ExecState* exec, const Packet& packet)
{
// This write is allowed because we construct the log with space for 1 additional packet.
*m_logCursor++ = packet;
update(vm, exec);
}
void ShadowChicken::update(VM& vm, ExecState* exec)
{
if (ShadowChickenInternal::verbose) {
dataLog("Running update on: ", *this, "\n");
WTFReportBacktrace();
}
const unsigned logCursorIndex = m_logCursor - m_log;
// We need to figure out how to reconcile the current machine stack with our shadow stack. We do
// that by figuring out how much of the shadow stack to pop. We apply three different rules. The
// precise rule relies on the log. The log contains caller frames, which means that we know
// where we bottomed out after making any call. If we bottomed out but made no calls then 'exec'
// will tell us. That's why "highestPointSinceLastTime" will go no lower than exec. The third
// rule, based on comparing to the current real stack, is executed in a later loop.
CallFrame* highestPointSinceLastTime = exec;
for (unsigned i = logCursorIndex; i--;) {
Packet packet = m_log[i];
if (packet.isPrologue()) {
CallFrame* watermark;
if (i && m_log[i - 1].isTail())
watermark = packet.frame;
else
watermark = packet.callerFrame;
highestPointSinceLastTime = std::max(highestPointSinceLastTime, watermark);
}
}
if (ShadowChickenInternal::verbose)
dataLog("Highest point since last time: ", RawPointer(highestPointSinceLastTime), "\n");
while (!m_stack.isEmpty() && (m_stack.last().frame < highestPointSinceLastTime || m_stack.last().isTailDeleted))
m_stack.removeLast();
if (ShadowChickenInternal::verbose)
dataLog(" Revised stack: ", listDump(m_stack), "\n");
// It's possible that the top of stack is now tail-deleted. The stack no longer contains any
// frames below the log's high watermark. That means that we just need to look for the first
// occurence of a tail packet for the current stack top.
if (!m_stack.isEmpty()) {
ASSERT(!m_stack.last().isTailDeleted);
for (unsigned i = 0; i < logCursorIndex; ++i) {
Packet& packet = m_log[i];
if (packet.isTail() && packet.frame == m_stack.last().frame) {
Frame& frame = m_stack.last();
frame.thisValue = packet.thisValue;
frame.scope = packet.scope;
frame.codeBlock = packet.codeBlock;
frame.callSiteIndex = packet.callSiteIndex;
frame.isTailDeleted = true;
break;
}
}
}
if (ShadowChickenInternal::verbose)
dataLog(" Revised stack: ", listDump(m_stack), "\n");
// The log-based and exec-based rules require that ShadowChicken was enabled. The point of
// ShadowChicken is to give sensible-looking results even if we had not logged. This means that
// we need to reconcile the shadow stack and the real stack by actually looking at the real
// stack. This reconciliation allows the shadow stack to have extra tail-deleted frames, but it
// forbids it from diverging from the real stack on normal frames.
if (!m_stack.isEmpty()) {
Vector<Frame> stackRightNow;
StackVisitor::visit(
exec, &vm, [&] (StackVisitor& visitor) -> StackVisitor::Status {
if (visitor->isInlinedFrame())
return StackVisitor::Continue;
if (visitor->isWasmFrame()) {
// FIXME: Make shadow chicken work with Wasm.
// https://bugs.webkit.org/show_bug.cgi?id=165441
return StackVisitor::Continue;
}
bool isTailDeleted = false;
// FIXME: Make shadow chicken work with Wasm.
// https://bugs.webkit.org/show_bug.cgi?id=165441
stackRightNow.append(Frame(jsCast<JSObject*>(visitor->callee().asCell()), visitor->callFrame(), isTailDeleted));
return StackVisitor::Continue;
});
stackRightNow.reverse();
if (ShadowChickenInternal::verbose)
dataLog(" Stack right now: ", listDump(stackRightNow), "\n");
unsigned shadowIndex = 0;
unsigned rightNowIndex = 0;
while (shadowIndex < m_stack.size() && rightNowIndex < stackRightNow.size()) {
if (m_stack[shadowIndex].isTailDeleted) {
shadowIndex++;
continue;
}
// We specifically don't use operator== here because we are using a less
// strict filter on equality of frames. For example, the scope pointer
// could change, but we wouldn't want to consider the frames different entities
// because of that because it's natural for the program to change scopes.
if (m_stack[shadowIndex].frame == stackRightNow[rightNowIndex].frame
&& m_stack[shadowIndex].callee == stackRightNow[rightNowIndex].callee) {
shadowIndex++;
rightNowIndex++;
continue;
}
break;
}
m_stack.resize(shadowIndex);
if (ShadowChickenInternal::verbose)
dataLog(" Revised stack: ", listDump(m_stack), "\n");
}
// It's possible that the top stack frame is actually lower than highestPointSinceLastTime.
// Account for that here.
highestPointSinceLastTime = nullptr;
for (unsigned i = m_stack.size(); i--;) {
if (!m_stack[i].isTailDeleted) {
highestPointSinceLastTime = m_stack[i].frame;
break;
}
}
if (ShadowChickenInternal::verbose)
dataLog(" Highest point since last time: ", RawPointer(highestPointSinceLastTime), "\n");
// Set everything up so that we know where the top frame is in the log.
unsigned indexInLog = logCursorIndex;
auto advanceIndexInLogTo = [&] (CallFrame* frame, JSObject* callee, CallFrame* callerFrame) -> bool {
if (ShadowChickenInternal::verbose)
dataLog(" Advancing to frame = ", RawPointer(frame), " from indexInLog = ", indexInLog, "\n");
if (indexInLog > logCursorIndex) {
if (ShadowChickenInternal::verbose)
dataLog(" Bailing.\n");
return false;
}
unsigned oldIndexInLog = indexInLog;
while (indexInLog--) {
Packet packet = m_log[indexInLog];
// If all callees opt into ShadowChicken, then this search will rapidly terminate when
// we find our frame. But if our frame's callee didn't emit a prologue packet because it
// didn't opt in, then we will keep looking backwards until we *might* find a different
// frame. If we've been given the callee and callerFrame as a filter, then it's unlikely
// that we will hit the wrong frame. But we don't always have that information.
//
// This means it's worth adding other filters. For example, we could track changes in
// stack size. Once we've seen a frame at some height, we're no longer interested in
// frames below that height. Also, we can break as soon as we see a frame higher than
// the one we're looking for.
// FIXME: Add more filters.
// https://bugs.webkit.org/show_bug.cgi?id=155685
if (packet.isPrologue() && packet.frame == frame
&& (!callee || packet.callee == callee)
&& (!callerFrame || packet.callerFrame == callerFrame)) {
if (ShadowChickenInternal::verbose)
dataLog(" Found at indexInLog = ", indexInLog, "\n");
return true;
}
}
// This is an interesting eventuality. We will see this if ShadowChicken was not
// consistently enabled. We have a choice between:
//
// - Leaving the log index at -1, which will prevent the log from being considered. This is
// the most conservative. It means that we will not be able to recover tail-deleted frames
// from anything that sits above a frame that didn't log a prologue packet. This means
// that everyone who creates prologues must log prologue packets.
//
// - Restoring the log index to what it was before. This prevents us from considering
// whether this frame has tail-deleted frames behind it, but that's about it. The problem
// with this approach is that it might recover tail-deleted frames that aren't relevant.
// I haven't thought about this too deeply, though.
//
// It seems like the latter option is less harmful, so that's what we do.
indexInLog = oldIndexInLog;
if (ShadowChickenInternal::verbose)
dataLog(" Didn't find it.\n");
return false;
};
Vector<Frame> toPush;
StackVisitor::visit(
exec, &vm, [&] (StackVisitor& visitor) -> StackVisitor::Status {
if (visitor->isInlinedFrame()) {
// FIXME: Handle inlining.
// https://bugs.webkit.org/show_bug.cgi?id=155686
return StackVisitor::Continue;
}
if (visitor->isWasmFrame()) {
// FIXME: Make shadow chicken work with Wasm.
return StackVisitor::Continue;
}
CallFrame* callFrame = visitor->callFrame();
if (ShadowChickenInternal::verbose) {
dataLog(" Examining callFrame:", RawPointer(callFrame), ", callee:", RawPointer(callFrame->jsCallee()), ", callerFrame:", RawPointer(callFrame->callerFrame()), "\n");
JSObject* callee = callFrame->jsCallee();
if (auto* function = jsDynamicCast<JSFunction*>(callee->vm(), callee))
dataLog(" Function = ", function->name(callee->vm()), "\n");
}
if (callFrame == highestPointSinceLastTime) {
if (ShadowChickenInternal::verbose)
dataLog(" Bailing at ", RawPointer(callFrame), " because it's the highest point since last time\n");
// FIXME: At this point the shadow stack may still have tail deleted frames
// that do not run into the current call frame but are left in the shadow stack.
// Those tail deleted frames should be validated somehow.
return StackVisitor::Done;
}
bool foundFrame = advanceIndexInLogTo(callFrame, callFrame->jsCallee(), callFrame->callerFrame());
bool isTailDeleted = false;
JSScope* scope = nullptr;
CodeBlock* codeBlock = callFrame->codeBlock();
JSValue scopeValue = callFrame->bytecodeOffset() && codeBlock && codeBlock->scopeRegister().isValid()
? callFrame->registers()[codeBlock->scopeRegister().offset()].jsValue()
: jsUndefined();
if (!scopeValue.isUndefined() && codeBlock->wasCompiledWithDebuggingOpcodes()) {
scope = jsCast<JSScope*>(scopeValue.asCell());
RELEASE_ASSERT(scope->inherits<JSScope>(vm));
} else if (foundFrame) {
scope = m_log[indexInLog].scope;
if (scope)
RELEASE_ASSERT(scope->inherits<JSScope>(vm));
}
toPush.append(Frame(jsCast<JSObject*>(visitor->callee().asCell()), callFrame, isTailDeleted, callFrame->thisValue(), scope, codeBlock, callFrame->callSiteIndex()));
if (indexInLog < logCursorIndex
// This condition protects us from the case where advanceIndexInLogTo didn't find
// anything.
&& m_log[indexInLog].frame == toPush.last().frame) {
if (ShadowChickenInternal::verbose)
dataLog(" Going to loop through to find tail deleted frames using ", RawPointer(callFrame), " with indexInLog = ", indexInLog, " and push-stack top = ", toPush.last(), "\n");
for (;;) {
ASSERT(m_log[indexInLog].frame == toPush.last().frame);
// Right now the index is pointing at a prologue packet of the last frame that
// we pushed. Peek behind that packet to see if there is a tail packet. If there
// is one then we know that there is a corresponding prologue packet that will
// tell us about a tail-deleted frame.
if (!indexInLog)
break;
Packet tailPacket = m_log[indexInLog - 1];
if (!tailPacket.isTail()) {
// Last frame that we recorded was not the outcome of a tail call. So, there
// will not be any more deleted frames.
// FIXME: We might want to have a filter here. Consider that this was a tail
// marker for a tail call to something that didn't log anything. It should
// be sufficient to give the tail marker a copy of the caller frame.
// https://bugs.webkit.org/show_bug.cgi?id=155687
break;
}
indexInLog--; // Skip over the tail packet.
// FIXME: After a few iterations the tail packet referenced frame may not be the
// same as the original callFrame for the real stack frame we started with.
// It is unclear when we should break.
if (!advanceIndexInLogTo(tailPacket.frame, nullptr, nullptr)) {
if (ShadowChickenInternal::verbose)
dataLog("Can't find prologue packet for tail: ", RawPointer(tailPacket.frame), "\n");
// We were unable to locate the prologue packet for this tail packet.
// This is rare but can happen in a situation like:
// function foo() {
// ... call some deeply tail-recursive function, causing a random number of log processings.
// return bar(); // tail call
// }
break;
}
Packet packet = m_log[indexInLog];
bool isTailDeleted = true;
RELEASE_ASSERT(tailPacket.scope->inherits<JSScope>(vm));
toPush.append(Frame(packet.callee, packet.frame, isTailDeleted, tailPacket.thisValue, tailPacket.scope, tailPacket.codeBlock, tailPacket.callSiteIndex));
}
}
return StackVisitor::Continue;
});
if (ShadowChickenInternal::verbose)
dataLog(" Pushing: ", listDump(toPush), "\n");
for (unsigned i = toPush.size(); i--;)
m_stack.append(toPush[i]);
// We want to reset the log. There is a fun corner-case: there could be a tail marker at the end
// of this log. We could make that work by setting isTailDeleted on the top of stack, but that
// would require more corner cases in the complicated reconciliation code above. That code
// already knows how to handle a tail packet at the beginning, so we just leverage that here.
if (logCursorIndex && m_log[logCursorIndex - 1].isTail()) {
m_log[0] = m_log[logCursorIndex - 1];
m_logCursor = m_log + 1;
} else
m_logCursor = m_log;
if (ShadowChickenInternal::verbose)
dataLog(" After pushing: ", listDump(m_stack), "\n");
// Remove tail frames until the number of tail deleted frames is small enough.
const unsigned maxTailDeletedFrames = Options::shadowChickenMaxTailDeletedFramesSize();
if (m_stack.size() > maxTailDeletedFrames) {
unsigned numberOfTailDeletedFrames = 0;
for (const Frame& frame : m_stack) {
if (frame.isTailDeleted)
numberOfTailDeletedFrames++;
}
if (numberOfTailDeletedFrames > maxTailDeletedFrames) {
unsigned dstIndex = 0;
unsigned srcIndex = 0;
while (srcIndex < m_stack.size()) {
Frame frame = m_stack[srcIndex++];
if (numberOfTailDeletedFrames > maxTailDeletedFrames && frame.isTailDeleted) {
numberOfTailDeletedFrames--;
continue;
}
m_stack[dstIndex++] = frame;
}
m_stack.shrink(dstIndex);
}
}
if (ShadowChickenInternal::verbose)
dataLog(" After clean-up: ", *this, "\n");
}
void ShadowChicken::visitChildren(SlotVisitor& visitor)
{
for (unsigned i = m_logCursor - m_log; i--;) {
JSObject* callee = m_log[i].callee;
if (callee != Packet::tailMarker() && callee != Packet::throwMarker())
visitor.appendUnbarriered(callee);
if (callee != Packet::throwMarker())
visitor.appendUnbarriered(m_log[i].scope);
if (callee == Packet::tailMarker()) {
visitor.appendUnbarriered(m_log[i].thisValue);
visitor.appendUnbarriered(m_log[i].codeBlock);
}
}
for (unsigned i = m_stack.size(); i--; ) {
Frame& frame = m_stack[i];
visitor.appendUnbarriered(frame.thisValue);
visitor.appendUnbarriered(frame.callee);
if (frame.scope)
visitor.appendUnbarriered(frame.scope);
if (frame.codeBlock)
visitor.appendUnbarriered(frame.codeBlock);
}
}
void ShadowChicken::reset()
{
m_logCursor = m_log;
m_stack.clear();
}
void ShadowChicken::dump(PrintStream& out) const
{
out.print("{stack = [", listDump(m_stack), "], log = [");
CommaPrinter comma;
unsigned limit = static_cast<unsigned>(m_logCursor - m_log);
out.print("\n");
for (unsigned i = 0; i < limit; ++i)
out.print("\t", comma, "[", i, "] ", m_log[i], "\n");
out.print("]}");
}
JSArray* ShadowChicken::functionsOnStack(ExecState* exec)
{
VM& vm = exec->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
JSArray* result = constructEmptyArray(exec, 0);
RETURN_IF_EXCEPTION(scope, nullptr);
iterate(
vm, exec,
[&] (const Frame& frame) -> bool {
result->push(exec, frame.callee);
scope.releaseAssertNoException(); // This function is only called from tests.
return true;
});
return result;
}
} // namespace JSC