|
|
|
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
|
|
// found in the LICENSE file.
|
|
|
|
|
|
|
|
#include "include/v8config.h"
|
|
|
|
|
|
|
|
#if V8_OS_LINUX
|
|
|
|
#include <signal.h>
|
|
|
|
#include <ucontext.h>
|
|
|
|
#elif V8_OS_MACOSX
|
|
|
|
#include <signal.h>
|
|
|
|
#include <sys/ucontext.h>
|
|
|
|
#elif V8_OS_WIN
|
|
|
|
#include <windows.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include "testing/gtest/include/gtest/gtest.h"
|
|
|
|
|
|
|
|
#if V8_OS_POSIX
|
|
|
|
#include "include/v8-wasm-trap-handler-posix.h"
|
|
|
|
#elif V8_OS_WIN
|
|
|
|
#include "include/v8-wasm-trap-handler-win.h"
|
|
|
|
#endif
|
|
|
|
#include "src/base/page-allocator.h"
|
|
|
|
#include "src/codegen/assembler-inl.h"
|
|
|
|
#include "src/codegen/macro-assembler-inl.h"
|
|
|
|
#include "src/execution/simulator.h"
|
|
|
|
#include "src/trap-handler/trap-handler.h"
|
|
|
|
#include "src/utils/allocation.h"
|
|
|
|
#include "src/utils/vector.h"
|
|
|
|
#include "src/wasm/wasm-engine.h"
|
|
|
|
#include "src/wasm/wasm-memory.h"
|
|
|
|
|
|
|
|
#include "test/common/assembler-tester.h"
|
|
|
|
#include "test/unittests/test-utils.h"
|
|
|
|
|
|
|
|
namespace v8 {
|
|
|
|
namespace internal {
|
|
|
|
namespace wasm {
|
|
|
|
|
|
|
|
namespace {

// Register the generated snippets may clobber. Every snippet pushes it on
// entry and pops it before returning (the recovery stub pops it too), so the
// C++ caller's value survives both the normal and the recovered path.
constexpr Register scratch = r10;

// Whether the test handler should offer a signal/exception to the wasm trap
// handler (via the public v8::TryHandleWebAssemblyTrap* callbacks) before
// treating it as unhandled. True for the kCallback style, false for kDefault.
bool g_use_as_first_chance_handler = false;

// Entry of the landing pad the test handler resumes the faulting thread at
// after an intentional crash that the trap handler declined.
Address g_recovery_address;

// Set by the test handler once it ran; the tests check it after the crashing
// call returns and clear it again.
bool g_test_handler_executed = false;

#if V8_OS_LINUX || V8_OS_MACOSX
// Dispositions that were in place before SetUp installed the test handler.
// Restored by the test handler itself once it fired, or by TearDown.
// Signal dispositions are process-wide, so these tests must not run in
// parallel inside one process.
struct sigaction g_old_segv_action;
struct sigaction g_old_bus_action;  // We get SIGBUS on Mac sometimes.
struct sigaction g_old_fpe_action;
#elif V8_OS_WIN
// Handle returned by AddVectoredExceptionHandler; null when not registered.
void* g_registered_handler = nullptr;
#endif

}  // namespace
|
|
|
|
|
|
|
|
#define __ masm.
|
|
|
|
|
|
|
|
// Selects who owns the process-level signal/exception handler in a test run.
enum TrapHandlerStyle : int {
  kDefault = 0,   // The test uses the default trap handler of V8.
  kCallback = 1,  // The test installs the trap handler callback in its own
                  // test handler.
};
|
|
|
|
|
|
|
|
// Name suffix for the parameterized test instances (see the
// INSTANTIATE_TEST_SUITE_P at the bottom of the file).
std::string PrintTrapHandlerTestParam(
    ::testing::TestParamInfo<TrapHandlerStyle> info) {
  const TrapHandlerStyle style = info.param;
  if (style == kDefault) return "DefaultTrapHandler";
  if (style == kCallback) return "Callback";
  UNREACHABLE();
}
|
|
|
|
|
|
|
|
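// Fixture for the x64 wasm trap handler tests. Each test generates a small
// code snippet that faults (or not) at a known offset, registers the snippet
// with the trap handler, runs it, and then checks who handled the fault:
//   - the wasm trap handler, which must resume at the registered recovery
//     offset *only* for a registered instruction, on a thread whose
//     thread-in-wasm flag is set, for a memory access violation; or
//   - this fixture's own signal/exception handler, which catches everything
//     the trap handler (correctly) declined and redirects execution to a
//     landing pad so the process survives.
// Rewriting the saved instruction pointer from a signal handler is test
// scaffolding only; it is acceptable here because the faulting code is fully
// under the test's control.
class TrapHandlerTest : public TestWithIsolate,
                        public ::testing::WithParamInterface<TrapHandlerStyle> {
 protected:
  // Prepares a fake wasm memory whose trailing guard region is the fault
  // target, a code buffer for the snippet under test, the landing pad, and
  // finally the test's own signal/exception handler.
  void SetUp() override {
    void* base = nullptr;
    size_t length = 0;
    accessible_memory_start_ =
        i_isolate()
            ->wasm_engine()
            ->memory_tracker()
            ->TryAllocateBackingStoreForTesting(
                i_isolate()->heap(), 1 * kWasmPageSize, &base, &length);
    // Abort here if the reservation failed (the "Try" presumably reports that
    // through a null result / empty region) instead of deriving
    // {crash_address_} from a bogus region: the snippet would then fault at an
    // unrelated address, which the tests could not tell apart from the
    // guard-page fault they mean to exercise.
    CHECK_NOT_NULL(accessible_memory_start_);
    CHECK_NOT_NULL(base);
    CHECK_GE(length, size_t{32});
    memory_buffer_ =
        base::AddressRegion(reinterpret_cast<Address>(base), length);

    // The allocated memory buffer ends with a guard page; 32 bytes before its
    // end is inside that page.
    crash_address_ = memory_buffer_.end() - 32;

    // Allocate a buffer for the generated code.
    buffer_ = AllocateAssemblerBuffer(AssemblerBase::kMinimalBufferSize,
                                      GetRandomMmapAddr());

    InitRecoveryCode();

#if V8_OS_LINUX || V8_OS_MACOSX
    // Set up a signal handler to recover from the expected crash. Value-
    // initialize the struct so that no field is left indeterminate.
    struct sigaction action = {};
    action.sa_sigaction = SignalHandler;
    sigemptyset(&action.sa_mask);
    action.sa_flags = SA_SIGINFO;
    // SIGSEGV happens for wasm oob memory accesses on Linux.
    CHECK_EQ(0, sigaction(SIGSEGV, &action, &g_old_segv_action));
    // SIGBUS happens for wasm oob memory accesses on macOS.
    CHECK_EQ(0, sigaction(SIGBUS, &action, &g_old_bus_action));
    // SIGFPE to simulate crashes which are not handled by the trap handler.
    CHECK_EQ(0, sigaction(SIGFPE, &action, &g_old_fpe_action));
#elif V8_OS_WIN
    // First == 0: append to the end of the vectored handler list. The call
    // returns null on failure, which must not go unnoticed.
    g_registered_handler =
        AddVectoredExceptionHandler(/*first=*/0, TestHandler);
    CHECK_NOT_NULL(g_registered_handler);
#endif
  }

  // Undoes SetUp: checks the generated code left "wasm land", frees code and
  // memory, disables the trap handler and restores the original signal
  // dispositions / removes the vectored handler where the test handler did
  // not already do so itself.
  void TearDown() override {
    // We should always have left wasm code.
    CHECK(!GetThreadInWasmFlag());
    buffer_.reset();
    recovery_buffer_.reset();

    // Free the allocated backing store.
    i_isolate()->wasm_engine()->memory_tracker()->FreeBackingStoreForTesting(
        memory_buffer_, accessible_memory_start_);

    // Clean up the trap handler
    trap_handler::RemoveTrapHandler();
    if (!g_test_handler_executed) {
#if V8_OS_LINUX || V8_OS_MACOSX
      // The test handler cleans up the signal handler setup in the test. If the
      // test handler was not called, we have to do the cleanup ourselves.
      CHECK_EQ(0, sigaction(SIGSEGV, &g_old_segv_action, nullptr));
      CHECK_EQ(0, sigaction(SIGFPE, &g_old_fpe_action, nullptr));
      CHECK_EQ(0, sigaction(SIGBUS, &g_old_bus_action, nullptr));
#elif V8_OS_WIN
      // The test handler unregisters itself when it fires (and
      // ExecuteExpectCrash clears {g_test_handler_executed} afterwards), so
      // only remove a handler that is actually still registered.
      if (g_registered_handler != nullptr) {
        RemoveVectoredExceptionHandler(g_registered_handler);
        g_registered_handler = nullptr;
      }
#endif
    }
  }

  // Create a code snippet where we can jump to to recover from a signal or
  // exception. It pops the one word every test snippet pushes ({scratch}) and
  // returns, so control ends up back in the C++ caller of the snippet. This
  // relies on every snippet faulting with exactly that one push outstanding.
  void InitRecoveryCode() {
    recovery_buffer_ = AllocateAssemblerBuffer(
        AssemblerBase::kMinimalBufferSize, GetRandomMmapAddr());

    MacroAssembler masm(nullptr, AssemblerOptions{}, CodeObjectRequired::kNo,
                        recovery_buffer_->CreateView());
    int recovery_offset = __ pc_offset();
    __ Pop(scratch);
    __ Ret();
    CodeDesc desc;
    masm.GetCode(nullptr, &desc);
    recovery_buffer_->MakeExecutable();
    g_recovery_address =
        reinterpret_cast<Address>(desc.buffer + recovery_offset);
  }

#if V8_OS_LINUX || V8_OS_MACOSX
  // Test signal handler for SIGSEGV/SIGBUS/SIGFPE. In kCallback mode it first
  // offers the signal to the wasm trap handler through the public callback and
  // returns if that took it. Anything that reaches the rest of the function
  // was *not* recovered by the trap handler: the previous dispositions are
  // restored (so a second fault is fatal instead of looping back here), the
  // fact is recorded, and the faulting thread is resumed at the landing pad by
  // rewriting its saved instruction pointer.
  static void SignalHandler(int signal, siginfo_t* info, void* context) {
    if (g_use_as_first_chance_handler) {
      if (v8::TryHandleWebAssemblyTrapPosix(signal, info, context)) {
        return;
      }
    }

    // Reset the signal handler, to avoid that this signal handler is called
    // repeatedly. Return values are deliberately not CHECKed: CHECK is
    // presumably not async-signal-safe, and a failure here surfaces as a crash
    // on the next fault anyway.
    sigaction(SIGSEGV, &g_old_segv_action, nullptr);
    sigaction(SIGFPE, &g_old_fpe_action, nullptr);
    sigaction(SIGBUS, &g_old_bus_action, nullptr);

    g_test_handler_executed = true;
    // Set the $rip to the recovery code.
    ucontext_t* uc = reinterpret_cast<ucontext_t*>(context);
#if V8_OS_LINUX
    uc->uc_mcontext.gregs[REG_RIP] = g_recovery_address;
#else  // V8_OS_MACOSX
    uc->uc_mcontext->__ss.__rip = g_recovery_address;
#endif
  }
#endif

#if V8_OS_WIN
  // Windows counterpart of SignalHandler, registered as a vectored exception
  // handler. Same contract: offer the exception to the trap handler first in
  // kCallback mode; otherwise unregister, record, and resume at the landing
  // pad. Note that a vectored handler is process-wide and this one does not
  // inspect the exception code, so while it is registered it redirects *any*
  // exception raised anywhere in the process.
  static LONG WINAPI TestHandler(EXCEPTION_POINTERS* exception) {
    if (g_use_as_first_chance_handler) {
      if (v8::TryHandleWebAssemblyTrapWindows(exception)) {
        return EXCEPTION_CONTINUE_EXECUTION;
      }
    }
    RemoveVectoredExceptionHandler(g_registered_handler);
    g_registered_handler = nullptr;
    g_test_handler_executed = true;
    exception->ContextRecord->Rip = g_recovery_address;
    return EXCEPTION_CONTINUE_EXECUTION;
  }
#endif

 public:
  // Enables the wasm trap handler for this test. kDefault lets V8 install its
  // own signal/exception handler; kCallback only enables the trap handler and
  // makes the test handler forward faults to it (first-chance mode).
  void SetupTrapHandler(TrapHandlerStyle style) {
    bool use_default_handler = style == kDefault;
    g_use_as_first_chance_handler = !use_default_handler;
    CHECK(v8::V8::EnableWebAssemblyTrapHandler(use_default_handler));
  }

  // Emits code that stores 1 to the current thread's thread-in-wasm flag,
  // i.e. "enters wasm land" from the trap handler's point of view.
  void GenerateSetThreadInWasmFlagCode(MacroAssembler* masm) {
    masm->Move(scratch,
               i_isolate()->thread_local_top()->thread_in_wasm_flag_address_,
               RelocInfo::NONE);
    masm->movl(MemOperand(scratch, 0), Immediate(1));
  }

  // Emits code that stores 0 to the thread-in-wasm flag ("leaves wasm land").
  void GenerateResetThreadInWasmFlagCode(MacroAssembler* masm) {
    masm->Move(scratch,
               i_isolate()->thread_local_top()->thread_in_wasm_flag_address_,
               RelocInfo::NONE);
    masm->movl(MemOperand(scratch, 0), Immediate(0));
  }

  // Reads the current thread's thread-in-wasm flag through the trap handler's
  // accessor. Presumably the same location the generated code writes via
  // {thread_in_wasm_flag_address_} — not verifiable from this file.
  bool GetThreadInWasmFlag() {
    return *reinterpret_cast<int*>(
        trap_handler::GetThreadInWasmThreadLocalAddress());
  }

  // Execute the code in buffer. The snippet is expected to return normally,
  // i.e. either it did not fault or the wasm trap handler recovered it; the
  // test handler must not have run. Note this cannot tell a trap-handler
  // recovery apart from an access that never faulted: nothing visible in this
  // fixture counts recovered traps.
  void ExecuteBuffer() {
    buffer_->MakeExecutable();
    GeneratedCode<void>::FromAddress(
        i_isolate(), reinterpret_cast<Address>(buffer_->start()))
        .Call();
    CHECK(!g_test_handler_executed);
  }

  // Execute the code in buffer. We expect a crash which we recover from in the
  // test handler.
  // {check_wasm_flag}: also require the thread-in-wasm flag to be clear
  // afterwards. The snippet's own reset is skipped when the landing pad takes
  // over, so clearing it is up to the trap handler; some platform/signal
  // combinations never reach it (see TestCrashInWasmWrongCrashType).
  void ExecuteExpectCrash(TestingAssemblerBuffer* buffer,
                          bool check_wasm_flag = true) {
    // A stale flag from an earlier crash must not count as this one.
    CHECK(!g_test_handler_executed);
    buffer->MakeExecutable();
    GeneratedCode<void>::FromAddress(i_isolate(),
                                     reinterpret_cast<Address>(buffer->start()))
        .Call();
    CHECK(g_test_handler_executed);
    g_test_handler_executed = false;
    if (check_wasm_flag) CHECK(!GetThreadInWasmFlag());
  }

  bool test_handler_executed() { return g_test_handler_executed; }

  // Allocated memory which corresponds to wasm memory with guard regions.
  base::AddressRegion memory_buffer_;
  // Address within the guard region of the wasm memory. Accessing this memory
  // address causes a signal or exception.
  Address crash_address_ = 0;
  // The start of the accessible region in the allocated memory. This pointer is
  // needed to de-register the memory from the wasm memory tracker again.
  void* accessible_memory_start_ = nullptr;

  // Buffer for generated code.
  std::unique_ptr<TestingAssemblerBuffer> buffer_;
  // Buffer for the code for the landing pad of the test handler.
  std::unique_ptr<TestingAssemblerBuffer> recovery_buffer_;
};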
|
|
|
|
|
|
|
|
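TEST_P(TrapHandlerTest, TestTrapHandlerRecovery) {
  // Test that the wasm trap handler can recover a memory access violation in
  // wasm code (we fake the wasm code and the access violation).
  //
  // Snippet: push scratch; set thread-in-wasm; load the guard-page address;
  // faulting read (the protected instruction); [recovery offset] reset
  // thread-in-wasm; pop scratch; ret. A correct trap handler resumes at the
  // recovery offset, so the flag ends up clear and the test handler never
  // runs (ExecuteBuffer and TearDown check both).
  MacroAssembler masm(nullptr, AssemblerOptions{}, CodeObjectRequired::kNo,
                      buffer_->CreateView());
  __ Push(scratch);
  GenerateSetThreadInWasmFlagCode(&masm);
  __ Move(scratch, crash_address_, RelocInfo::NONE);
  int crash_offset = __ pc_offset();
  __ testl(MemOperand(scratch, 0), Immediate(1));
  int recovery_offset = __ pc_offset();
  GenerateResetThreadInWasmFlagCode(&masm);
  __ Pop(scratch);
  __ Ret();
  CodeDesc desc;
  masm.GetCode(nullptr, &desc);

  SetupTrapHandler(GetParam());
  trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
                                                               recovery_offset};
  // Keep the id so the registration can be dropped again below.
  int handler_id = trap_handler::RegisterHandlerData(
      reinterpret_cast<Address>(desc.buffer), desc.instr_size, 1,
      &protected_instruction);

  ExecuteBuffer();

  // Deregister the snippet. {buffer_} is freed in TearDown, and nothing
  // visible here suggests RemoveTrapHandler() drops registrations, so without
  // this the trap handler would keep a recovery entry for a code range that
  // later allocations may reuse.
  trap_handler::ReleaseHandlerData(handler_id);
}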
|
|
|
|
|
|
|
|
TEST_P(TrapHandlerTest, TestReleaseHandlerData) {
  // Test that after we release handler data in the trap handler, it cannot
  // recover from the specific memory access violation anymore.
  //
  // Same snippet as TestTrapHandlerRecovery: fault at {crash_offset} with the
  // thread-in-wasm flag set, resume at {recovery_offset}.
  MacroAssembler masm(nullptr, AssemblerOptions{}, CodeObjectRequired::kNo,
                      buffer_->CreateView());
  __ Push(scratch);
  GenerateSetThreadInWasmFlagCode(&masm);
  __ Move(scratch, crash_address_, RelocInfo::NONE);
  int crash_offset = __ pc_offset();
  __ testl(MemOperand(scratch, 0), Immediate(1));
  int recovery_offset = __ pc_offset();
  GenerateResetThreadInWasmFlagCode(&masm);
  __ Pop(scratch);
  __ Ret();
  CodeDesc desc;
  masm.GetCode(nullptr, &desc);

  trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
                                                               recovery_offset};
  int handler_id = trap_handler::RegisterHandlerData(
      reinterpret_cast<Address>(desc.buffer), desc.instr_size, 1,
      &protected_instruction);

  SetupTrapHandler(GetParam());

  // First run: registered, so the trap handler must recover and the test
  // handler must stay untouched.
  ExecuteBuffer();

  // Deregister from the trap handler. The trap handler should not do the
  // recovery now.
  trap_handler::ReleaseHandlerData(handler_id);

  // Second run: same fault, but now only the test handler may catch it; the
  // trap handler must not act on a stale entry for this code range. The
  // snippet's own flag reset is skipped on this path (the landing pad takes
  // over), so ExecuteExpectCrash's flag check relies on the trap handler
  // clearing the flag even when it declines (cf. the SIGFPE remark in
  // TestCrashInWasmWrongCrashType).
  ExecuteExpectCrash(buffer_.get());
}
|
|
|
|
|
|
|
|
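TEST_P(TrapHandlerTest, TestNoThreadInWasmFlag) {
  // Test that if the thread_in_wasm flag is not set, the trap handler does not
  // get active.
  //
  // The fault happens at a registered offset, but the snippet never sets the
  // thread-in-wasm flag: the trap handler must decline (otherwise it would
  // "recover" arbitrary non-wasm faults) and the test handler must catch it.
  MacroAssembler masm(nullptr, AssemblerOptions{}, CodeObjectRequired::kNo,
                      buffer_->CreateView());
  __ Push(scratch);
  __ Move(scratch, crash_address_, RelocInfo::NONE);
  int crash_offset = __ pc_offset();
  __ testl(MemOperand(scratch, 0), Immediate(1));
  int recovery_offset = __ pc_offset();
  __ Pop(scratch);
  __ Ret();
  CodeDesc desc;
  masm.GetCode(nullptr, &desc);

  trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
                                                               recovery_offset};
  int handler_id = trap_handler::RegisterHandlerData(
      reinterpret_cast<Address>(desc.buffer), desc.instr_size, 1,
      &protected_instruction);

  SetupTrapHandler(GetParam());

  ExecuteExpectCrash(buffer_.get());

  // Drop the registration again; {buffer_} is freed in TearDown and nothing
  // visible here suggests RemoveTrapHandler() releases handler data itself.
  trap_handler::ReleaseHandlerData(handler_id);
}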
|
|
|
|
|
|
|
|
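TEST_P(TrapHandlerTest, TestCrashInWasmNoProtectedInstruction) {
  // Test that if the crash in wasm happened at an instruction which is not
  // protected, then the trap handler does not handle it.
  //
  // The registered offset is {no_crash_offset}, the (non-faulting) address
  // load; the actual fault is at the following read. Even with the
  // thread-in-wasm flag set, the trap handler must only recover faults at the
  // exact registered PC.
  MacroAssembler masm(nullptr, AssemblerOptions{}, CodeObjectRequired::kNo,
                      buffer_->CreateView());
  __ Push(scratch);
  GenerateSetThreadInWasmFlagCode(&masm);
  int no_crash_offset = __ pc_offset();
  __ Move(scratch, crash_address_, RelocInfo::NONE);
  __ testl(MemOperand(scratch, 0), Immediate(1));
  // Offset at which execution would resume if the trap handler did take the
  // fault; it must not.
  int recovery_offset = __ pc_offset();
  GenerateResetThreadInWasmFlagCode(&masm);
  __ Pop(scratch);
  __ Ret();
  CodeDesc desc;
  masm.GetCode(nullptr, &desc);

  trap_handler::ProtectedInstructionData protected_instruction{no_crash_offset,
                                                               recovery_offset};
  int handler_id = trap_handler::RegisterHandlerData(
      reinterpret_cast<Address>(desc.buffer), desc.instr_size, 1,
      &protected_instruction);

  SetupTrapHandler(GetParam());

  ExecuteExpectCrash(buffer_.get());

  // Drop the registration again; {buffer_} is freed in TearDown and nothing
  // visible here suggests RemoveTrapHandler() releases handler data itself.
  trap_handler::ReleaseHandlerData(handler_id);
}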
|
|
|
|
|
|
|
|
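TEST_P(TrapHandlerTest, TestCrashInWasmWrongCrashType) {
  // Test that if the crash reason is not a memory access violation, then the
  // wasm trap handler does not handle it.
  //
  // The protected instruction is an integer division by zero (SIGFPE on
  // POSIX, cf. SetUp). The offset is registered and the thread-in-wasm flag
  // is set, yet the trap handler must decline and the test handler must catch
  // the fault.
  MacroAssembler masm(nullptr, AssemblerOptions{}, CodeObjectRequired::kNo,
                      buffer_->CreateView());
  __ Push(scratch);
  GenerateSetThreadInWasmFlagCode(&masm);
  __ xorq(scratch, scratch);
  int crash_offset = __ pc_offset();
  __ divq(scratch);
  // Offset at which execution would resume if the trap handler did take the
  // fault; it must not.
  int recovery_offset = __ pc_offset();
  GenerateResetThreadInWasmFlagCode(&masm);
  __ Pop(scratch);
  __ Ret();
  CodeDesc desc;
  masm.GetCode(nullptr, &desc);

  trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
                                                               recovery_offset};
  int handler_id = trap_handler::RegisterHandlerData(
      reinterpret_cast<Address>(desc.buffer), desc.instr_size, 1,
      &protected_instruction);

  SetupTrapHandler(GetParam());

#if V8_OS_POSIX
  // On Posix, the V8 default trap handler does not register for SIGFPE,
  // therefore the thread-in-wasm flag is never reset in this test. We
  // therefore do not check the value of this flag.
  bool check_wasm_flag = GetParam() != kDefault;
#elif V8_OS_WIN
  // On Windows, the trap handler returns immediately if not an exception of
  // interest.
  bool check_wasm_flag = false;
#else
  bool check_wasm_flag = true;
#endif
  ExecuteExpectCrash(buffer_.get(), check_wasm_flag);
  if (!check_wasm_flag) {
    // Reset the thread-in-wasm flag because it was probably not reset in the
    // trap handler. TearDown CHECKs that it is clear.
    *trap_handler::GetThreadInWasmThreadLocalAddress() = 0;
  }

  // Drop the registration again; {buffer_} is freed in TearDown and nothing
  // visible here suggests RemoveTrapHandler() releases handler data itself.
  trap_handler::ReleaseHandlerData(handler_id);
}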
|
|
|
|
|
|
|
|
// Helper thread that runs a prepared code buffer and expects it to fault.
// Used to show that the trap handler keys off the *faulting* thread's
// thread-in-wasm flag, not the flag of the thread that registered the code.
// The only snippet run through it in this file never sets the flag, so the
// crash must end up in the test handler, not the trap handler.
class CodeRunner : public v8::base::Thread {
 public:
  CodeRunner(TrapHandlerTest* test, TestingAssemblerBuffer* buffer)
      : Thread(Options("CodeRunner")), test_(test), buffer_(buffer) {}

  // Thread body; ExecuteExpectCrash's checks run on this thread.
  void Run() override {
    TrapHandlerTest* const fixture = test_;
    fixture->ExecuteExpectCrash(buffer_);
  }

 private:
  TrapHandlerTest* test_;
  TestingAssemblerBuffer* buffer_;
};
|
|
|
|
|
|
|
|
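TEST_P(TrapHandlerTest, TestCrashInOtherThread) {
  // Test setup:
  // The current thread enters wasm land (sets the thread_in_wasm flag)
  // A second thread crashes at a protected instruction without having the flag
  // set.
  // Expected: the trap handler only consults the faulting thread's flag, so it
  // must decline and the test handler must catch the fault, while this
  // thread's flag is left untouched.
  MacroAssembler masm(nullptr, AssemblerOptions{}, CodeObjectRequired::kNo,
                      buffer_->CreateView());
  __ Push(scratch);
  __ Move(scratch, crash_address_, RelocInfo::NONE);
  int crash_offset = __ pc_offset();
  __ testl(MemOperand(scratch, 0), Immediate(1));
  int recovery_offset = __ pc_offset();
  __ Pop(scratch);
  __ Ret();
  CodeDesc desc;
  masm.GetCode(nullptr, &desc);

  trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
                                                               recovery_offset};
  int handler_id = trap_handler::RegisterHandlerData(
      reinterpret_cast<Address>(desc.buffer), desc.instr_size, 1,
      &protected_instruction);

  SetupTrapHandler(GetParam());

  CodeRunner runner(this, buffer_.get());
  CHECK(!GetThreadInWasmFlag());
  // Set the thread-in-wasm flag manually in this thread.
  *trap_handler::GetThreadInWasmThreadLocalAddress() = 1;
  runner.Start();
  // Join() is relied on to order the runner's writes to the test globals
  // before TearDown reads them — TODO confirm base::Thread::Join provides
  // that guarantee.
  runner.Join();
  // The flag is per thread: the other thread's fault must not have cleared
  // ours.
  CHECK(GetThreadInWasmFlag());
  // Reset the thread-in-wasm flag.
  *trap_handler::GetThreadInWasmThreadLocalAddress() = 0;

  // Drop the registration again; {buffer_} is freed in TearDown and nothing
  // visible here suggests RemoveTrapHandler() releases handler data itself.
  trap_handler::ReleaseHandlerData(handler_id);
}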
|
|
|
|
|
|
|
|
// Run every test above once per TrapHandlerStyle: with V8's own
// signal/exception handler installed (kDefault) and with the test handler
// forwarding to the trap handler callback (kCallback).
// PrintTrapHandlerTestParam supplies the instance name suffix.
INSTANTIATE_TEST_SUITE_P(/* no prefix */, TrapHandlerTest,
                         ::testing::Values(kDefault, kCallback),
                         PrintTrapHandlerTestParam);
|
|
|
|
|
|
|
|
#undef __
|
|
|
|
} // namespace wasm
|
|
|
|
} // namespace internal
|
|
|
|
} // namespace v8
|