Revert "[wasm] Add more unit tests for trap handler"

This reverts commit 4644b32e02.

Reason for revert: Link errors on win64: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Win64%20-%20debug/25950

Original change's description:
> [wasm] Add more unit tests for trap handler
> 
> The unittests test if the trap handler only handles those traps it
> is supposed to handle:
> * Only handle traps when the thread-in-wasm flag is set.
> * Only handle traps of the right type, i.e. memory access violations.
> * Only handle traps at recorded instructions.
> 
> The tests also test the consistency of the thread-in-wasm flag. I made
> one change in the trap handler where that consistency could be
> violated.
> 
> All tests are executed with the default trap handler provided by V8,
> and with the trap handler callback installed in a test signal/exception
> handler.
> 
> Change-Id: I03904bb6effd2e8694d3f4d1fbf62bc38002646e
> Reviewed-on: https://chromium-review.googlesource.com/c/1340246
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#57858}

TBR=mstarzinger@chromium.org,ahaas@chromium.org,mark@chromium.org

Change-Id: Iac2f20c73744226885ea1810813863a21c5faf8c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/1351021
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57861}
This commit is contained in:
Clemens Hammacher 2018-11-27 10:26:31 +00:00 committed by Commit Bot
parent 2cdd38e57a
commit 2fd073764f
7 changed files with 10 additions and 523 deletions

View File

@ -72,17 +72,6 @@ class SigUnmaskStack {
};
bool TryHandleSignal(int signum, siginfo_t* info, void* context) {
// Ensure the faulting thread was actually running Wasm code. This should be
// the first check in the trap handler to guarantee that the IsThreadInWasm
// flag is only set in wasm code. Otherwise a later signal handler is executed
// with the flag set.
if (!IsThreadInWasm()) {
return false;
}
// Clear g_thread_in_wasm_code, primarily to protect against nested faults.
g_thread_in_wasm_code = false;
// Bail out early in case we got called for the wrong kind of signal.
if (signum != kOobSignal) {
@ -94,6 +83,14 @@ bool TryHandleSignal(int signum, siginfo_t* info, void* context) {
return false;
}
// Ensure the faulting thread was actually running Wasm code.
if (!IsThreadInWasm()) {
return false;
}
// Clear g_thread_in_wasm_code, primarily to protect against nested faults.
g_thread_in_wasm_code = false;
// Begin signal mask scope. We need to be sure to restore the signal mask
// before we restore the g_thread_in_wasm_code flag.
{

View File

@ -154,20 +154,6 @@ WasmMemoryTracker::~WasmMemoryTracker() {
DCHECK_EQ(allocated_address_space_, 0u);
}
void* WasmMemoryTracker::TryAllocateBackingStoreForTesting(
Heap* heap, size_t size, void** allocation_base,
size_t* allocation_length) {
return TryAllocateBackingStore(this, heap, size, allocation_base,
allocation_length);
}
void WasmMemoryTracker::FreeBackingStoreForTesting(base::AddressRegion memory,
void* buffer_start) {
ReleaseAllocation(nullptr, buffer_start);
CHECK(FreePages(GetPlatformPageAllocator(),
reinterpret_cast<void*>(memory.begin()), memory.size()));
}
bool WasmMemoryTracker::ReserveAddressSpace(size_t num_bytes,
ReservationLimit limit) {
size_t reservation_limit =

View File

@ -66,18 +66,6 @@ class WasmMemoryTracker {
friend WasmMemoryTracker;
};
// Allow tests to allocate a backing store the same way as we do it for
// WebAssembly memory. This is used in unit tests for trap handler to
// generate the same signals/exceptions for invalid memory accesses as
// we would get with WebAssembly memory.
void* TryAllocateBackingStoreForTesting(Heap* heap, size_t size,
void** allocation_base,
size_t* allocation_length);
// Free memory allocated with TryAllocateBackingStoreForTesting.
void FreeBackingStoreForTesting(base::AddressRegion memory,
void* buffer_start);
// Decreases the amount of reserved address space.
void ReleaseReservation(size_t num_bytes);

View File

@ -209,7 +209,8 @@ static void InitializeVM() {
__ Ret(); \
__ GetCode(masm.isolate(), nullptr);
#define TEARDOWN() FreeAssemblerBuffer(buf, allocated);
#define TEARDOWN() \
CHECK(v8::internal::FreePages(GetPlatformPageAllocator(), buf, allocated));
#endif // ifdef USE_SIMULATOR.

View File

@ -23,10 +23,6 @@ static inline uint8_t* AllocateAssemblerBuffer(
return static_cast<uint8_t*>(result);
}
static inline void FreeAssemblerBuffer(uint8_t* buffer, size_t size) {
CHECK(FreePages(GetPlatformPageAllocator(), buffer, size));
}
static inline void MakeAssemblerBufferExecutable(uint8_t* buffer,
size_t allocated) {
// Flush the instruction cache as part of making the buffer executable.

View File

@ -254,7 +254,6 @@ v8_source_set("unittests_sources") {
sources += [
"assembler/turbo-assembler-x64-unittest.cc",
"compiler/x64/instruction-selector-x64-unittest.cc",
"wasm/trap-handler-x64-unittest.cc",
]
} else if (v8_current_cpu == "ppc" || v8_current_cpu == "ppc64") {
sources += [

View File

@ -1,480 +0,0 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "include/v8config.h"
#if V8_OS_LINUX
#include <signal.h>
#include <ucontext.h>
#elif V8_OS_MACOSX
#include <signal.h>
#include <sys/ucontext.h>
#elif V8_OS_WIN
#include <windows.h>
#endif
#include "testing/gtest/include/gtest/gtest.h"
#if V8_OS_POSIX
#include "include/v8-wasm-trap-handler-posix.h"
#elif V8_OS_WIN
#include "include/v8-wasm-trap-handler-win.h"
#endif
#include "src/allocation.h"
#include "src/assembler-inl.h"
#include "src/base/page-allocator.h"
#include "src/macro-assembler-inl.h"
#include "src/simulator.h"
#include "src/trap-handler/trap-handler.h"
#include "src/vector.h"
#include "src/wasm/wasm-engine.h"
#include "src/wasm/wasm-memory.h"
#include "test/common/assembler-tester.h"
#include "test/unittests/test-utils.h"
namespace v8 {
namespace internal {
namespace wasm {
namespace {
constexpr Register scratch = r10;
bool g_test_handler_executed = false;
#if V8_OS_LINUX || V8_OS_MACOSX
struct sigaction g_old_segv_action;
struct sigaction g_old_fpe_action;
struct sigaction g_old_bus_action; // We get SIGBUS on Mac sometimes.
#elif V8_OS_WIN
void* g_registered_handler = nullptr;
#endif
// The recovery address allows us to recover from an intentional crash.
Address g_recovery_address;
// Flag to indicate if the test handler should call the trap handler as a first
// chance handler.
bool g_use_as_first_chance_handler = false;
} // namespace
#define __ masm.
enum TrapHandlerStyle : int {
// The test uses the default trap handler of V8.
kDefault = 0,
// The test installs the trap handler callback in its own test handler.
kCallback = 1
};
std::string PrintTrapHandlerTestParam(
::testing::TestParamInfo<TrapHandlerStyle> info) {
switch (info.param) {
case kDefault:
return "DefaultTrapHandler";
case kCallback:
return "Callback";
}
UNREACHABLE();
}
class TrapHandlerTest : public TestWithIsolate,
public ::testing::WithParamInterface<TrapHandlerStyle> {
protected:
void SetUp() override {
void* base = nullptr;
size_t length = 0;
accessible_memory_start_ =
i_isolate()
->wasm_engine()
->memory_tracker()
->TryAllocateBackingStoreForTesting(
i_isolate()->heap(), 1 * kWasmPageSize, &base, &length);
memory_buffer_ =
base::AddressRegion(reinterpret_cast<Address>(base), length);
// The allocated memory buffer ends with a guard page.
crash_address_ = memory_buffer_.end() - 32;
// Allocate a buffer for the generated code.
size_t buffer_size;
byte* buffer = AllocateAssemblerBuffer(
&buffer_size, AssemblerBase::kMinimalBufferSize, GetRandomMmapAddr());
buffer_ = Vector<byte>(buffer, buffer_size);
InitRecoveryCode();
#if V8_OS_LINUX || V8_OS_MACOSX
// Set up a signal handler to recover from the expected crash.
struct sigaction action;
action.sa_sigaction = SignalHandler;
sigemptyset(&action.sa_mask);
action.sa_flags = SA_SIGINFO;
// SIGSEGV happens for wasm oob memory accesses on Linux.
CHECK_EQ(0, sigaction(SIGSEGV, &action, &g_old_segv_action));
// SIGBUS happens for wasm oob memory accesses on macOS.
CHECK_EQ(0, sigaction(SIGBUS, &action, &g_old_bus_action));
// SIGFPE to simulate crashes which are not handled by the trap handler.
CHECK_EQ(0, sigaction(SIGFPE, &action, &g_old_fpe_action));
#elif V8_OS_WIN
g_registered_handler =
AddVectoredExceptionHandler(/*first=*/0, TestHandler);
#endif
}
void TearDown() override {
// We should always have left wasm code.
CHECK(!GetThreadInWasmFlag());
FreeAssemblerBuffer(buffer_.start(), buffer_.size());
FreeAssemblerBuffer(recovery_buffer_.start(), recovery_buffer_.size());
// Free the allocated backing store.
i_isolate()->wasm_engine()->memory_tracker()->FreeBackingStoreForTesting(
memory_buffer_, accessible_memory_start_);
// Clean up the trap handler
trap_handler::RemoveTrapHandler();
if (!g_test_handler_executed) {
#if V8_OS_LINUX || V8_OS_MACOSX
// The test handler cleans up the signal handler setup in the test. If the
// test handler was not called, we have to do the cleanup ourselves.
CHECK_EQ(0, sigaction(SIGSEGV, &g_old_segv_action, nullptr));
CHECK_EQ(0, sigaction(SIGFPE, &g_old_fpe_action, nullptr));
CHECK_EQ(0, sigaction(SIGBUS, &g_old_bus_action, nullptr));
#elif V8_OS_WIN
RemoveVectoredExceptionHandler(g_registered_handler);
g_registered_handler = nullptr;
#endif
}
}
void InitRecoveryCode() {
// Create a code snippet where we can jump to to recover from a signal or
// exception. The code snippet only consists of a return statement.
size_t buffer_size;
byte* buffer = AllocateAssemblerBuffer(
&buffer_size, AssemblerBase::kMinimalBufferSize, GetRandomMmapAddr());
recovery_buffer_ = Vector<byte>(buffer, buffer_size);
MacroAssembler masm(nullptr, AssemblerOptions{}, recovery_buffer_.start(),
recovery_buffer_.length(), CodeObjectRequired::kNo);
int recovery_offset = __ pc_offset();
__ Pop(scratch);
__ Ret();
CodeDesc desc;
masm.GetCode(nullptr, &desc);
MakeAssemblerBufferExecutable(recovery_buffer_.start(),
recovery_buffer_.size());
g_recovery_address =
reinterpret_cast<Address>(desc.buffer + recovery_offset);
}
#if V8_OS_LINUX || V8_OS_MACOSX
static void SignalHandler(int signal, siginfo_t* info, void* context) {
if (g_use_as_first_chance_handler) {
if (v8::TryHandleWebAssemblyTrapPosix(signal, info, context)) {
return;
}
}
// Reset the signal handler, to avoid that this signal handler is called
// repeatedly.
sigaction(SIGSEGV, &g_old_segv_action, nullptr);
sigaction(SIGFPE, &g_old_fpe_action, nullptr);
sigaction(SIGBUS, &g_old_bus_action, nullptr);
g_test_handler_executed = true;
// Set the $rip to the recovery code.
ucontext_t* uc = reinterpret_cast<ucontext_t*>(context);
#if V8_OS_LINUX
uc->uc_mcontext.gregs[REG_RIP] = g_recovery_address;
#else // V8_OS_MACOSX
uc->uc_mcontext->__ss.__rip = g_recovery_address;
#endif
}
#endif
#if V8_OS_WIN
static LONG WINAPI TestHandler(EXCEPTION_POINTERS* exception) {
if (g_use_as_first_chance_handler) {
if (v8::TryHandleWebAssemblyTrapWindows(exception)) {
return EXCEPTION_CONTINUE_EXECUTION;
}
}
RemoveVectoredExceptionHandler(g_registered_handler);
g_registered_handler = nullptr;
g_test_handler_executed = true;
exception->ContextRecord->Rip = g_recovery_address;
return EXCEPTION_CONTINUE_EXECUTION;
}
#endif
public:
void SetupTrapHandler(TrapHandlerStyle style) {
bool use_default_handler = style == kDefault;
g_use_as_first_chance_handler = !use_default_handler;
CHECK(v8::V8::EnableWebAssemblyTrapHandler(use_default_handler));
}
void GenerateSetThreadInWasmFlagCode(MacroAssembler* masm) {
masm->Move(scratch,
ExternalReference::wasm_thread_in_wasm_flag_address_address(
i_isolate()));
masm->movp(scratch, MemOperand(scratch, 0));
masm->movl(MemOperand(scratch, 0), Immediate(1));
}
void GenerateResetThreadInWasmFlagCode(MacroAssembler* masm) {
masm->Move(scratch,
ExternalReference::wasm_thread_in_wasm_flag_address_address(
i_isolate()));
masm->movp(scratch, MemOperand(scratch, 0));
masm->movl(MemOperand(scratch, 0), Immediate(0));
}
bool GetThreadInWasmFlag() {
return *reinterpret_cast<int*>(
trap_handler::GetThreadInWasmThreadLocalAddress());
}
// Execute the code in buffer.
void ExecuteBuffer(Vector<byte> buffer) {
MakeAssemblerBufferExecutable(buffer.start(), buffer.size());
GeneratedCode<void>::FromAddress(i_isolate(),
reinterpret_cast<Address>(buffer.start()))
.Call();
}
// Execute the code in buffer. We expect a crash which we recover from in the
// test handler.
void ExecuteExpectCrash(Vector<byte> buffer, bool check_wasm_flag = true) {
CHECK(!g_test_handler_executed);
ExecuteBuffer(buffer);
CHECK(g_test_handler_executed);
g_test_handler_executed = false;
if (check_wasm_flag) CHECK(!GetThreadInWasmFlag());
}
bool test_handler_executed() { return g_test_handler_executed; }
// Allocated memory which corresponds to wasm memory with guard regions.
base::AddressRegion memory_buffer_;
// Address within the guard region of the wasm memory. Accessing this memory
// address causes a signal or exception.
Address crash_address_;
// The start of the accessible region in the allocated memory. This pointer is
// needed to de-register the memory from the wasm memory tracker again.
void* accessible_memory_start_;
// Buffer for generated code.
Vector<byte> buffer_;
// Buffer for the code for the landing pad of the test handler.
Vector<byte> recovery_buffer_;
};
TEST_P(TrapHandlerTest, TestTrapHandlerRecovery) {
// Test that the wasm trap handler can recover a memory access violation in
// wasm code (we fake the wasm code and the access violation).
MacroAssembler masm(nullptr, AssemblerOptions{}, buffer_.start(),
buffer_.length(), CodeObjectRequired::kNo);
__ Push(scratch);
GenerateSetThreadInWasmFlagCode(&masm);
__ Move(scratch, crash_address_, RelocInfo::NONE);
int crash_offset = __ pc_offset();
__ testl(MemOperand(scratch, 0), Immediate(1));
int recovery_offset = __ pc_offset();
GenerateResetThreadInWasmFlagCode(&masm);
__ Pop(scratch);
__ Ret();
CodeDesc desc;
masm.GetCode(nullptr, &desc);
SetupTrapHandler(GetParam());
trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
recovery_offset};
trap_handler::RegisterHandlerData(reinterpret_cast<Address>(desc.buffer),
desc.instr_size, 1, &protected_instruction);
ExecuteBuffer(buffer_);
}
TEST_P(TrapHandlerTest, TestReleaseHandlerData) {
// Test that after we release handler data in the trap handler, it cannot
// recover from the specific memory access violation anymore.
MacroAssembler masm(nullptr, AssemblerOptions{}, buffer_.start(),
buffer_.length(), CodeObjectRequired::kNo);
__ Push(scratch);
GenerateSetThreadInWasmFlagCode(&masm);
__ Move(scratch, crash_address_, RelocInfo::NONE);
int crash_offset = __ pc_offset();
__ testl(MemOperand(scratch, 0), Immediate(1));
int recovery_offset = __ pc_offset();
GenerateResetThreadInWasmFlagCode(&masm);
__ Pop(scratch);
__ Ret();
CodeDesc desc;
masm.GetCode(nullptr, &desc);
trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
recovery_offset};
int handler_id = trap_handler::RegisterHandlerData(
reinterpret_cast<Address>(desc.buffer), desc.instr_size, 1,
&protected_instruction);
SetupTrapHandler(GetParam());
ExecuteBuffer(buffer_);
// Deregister from the trap handler. The trap handler should not do the
// recovery now.
trap_handler::ReleaseHandlerData(handler_id);
ExecuteExpectCrash(buffer_);
}
TEST_P(TrapHandlerTest, TestNoThreadInWasmFlag) {
// That that if the thread_in_wasm flag is not set, the trap handler does not
// get active.
MacroAssembler masm(nullptr, AssemblerOptions{}, buffer_.start(),
buffer_.length(), CodeObjectRequired::kNo);
__ Push(scratch);
__ Move(scratch, crash_address_, RelocInfo::NONE);
int crash_offset = __ pc_offset();
__ testl(MemOperand(scratch, 0), Immediate(1));
int recovery_offset = __ pc_offset();
__ Pop(scratch);
__ Ret();
CodeDesc desc;
masm.GetCode(nullptr, &desc);
trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
recovery_offset};
trap_handler::RegisterHandlerData(reinterpret_cast<Address>(desc.buffer),
desc.instr_size, 1, &protected_instruction);
SetupTrapHandler(GetParam());
ExecuteExpectCrash(buffer_);
}
TEST_P(TrapHandlerTest, TestCrashInWasmNoProtectedInstruction) {
// Test that if the crash in wasm happened at an instruction which is not
// protected, then the trap handler does not handle it.
MacroAssembler masm(nullptr, AssemblerOptions{}, buffer_.start(),
buffer_.length(), CodeObjectRequired::kNo);
__ Push(scratch);
GenerateSetThreadInWasmFlagCode(&masm);
int no_crash_offset = __ pc_offset();
__ Move(scratch, crash_address_, RelocInfo::NONE);
__ testl(MemOperand(scratch, 0), Immediate(1));
// Offset where the crash is not happening.
int recovery_offset = __ pc_offset();
GenerateResetThreadInWasmFlagCode(&masm);
__ Pop(scratch);
__ Ret();
CodeDesc desc;
masm.GetCode(nullptr, &desc);
trap_handler::ProtectedInstructionData protected_instruction{no_crash_offset,
recovery_offset};
trap_handler::RegisterHandlerData(reinterpret_cast<Address>(desc.buffer),
desc.instr_size, 1, &protected_instruction);
SetupTrapHandler(GetParam());
ExecuteExpectCrash(buffer_);
}
TEST_P(TrapHandlerTest, TestCrashInWasmWrongCrashType) {
// Test that if the crash reason is not a memory access violation, then the
// wasm trap handler does not handle it.
MacroAssembler masm(nullptr, AssemblerOptions{}, buffer_.start(),
buffer_.length(), CodeObjectRequired::kNo);
__ Push(scratch);
GenerateSetThreadInWasmFlagCode(&masm);
__ xorq(scratch, scratch);
int crash_offset = __ pc_offset();
__ divq(scratch);
// Offset where the crash is not happening.
int recovery_offset = __ pc_offset();
GenerateResetThreadInWasmFlagCode(&masm);
__ Pop(scratch);
__ Ret();
CodeDesc desc;
masm.GetCode(nullptr, &desc);
trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
recovery_offset};
trap_handler::RegisterHandlerData(reinterpret_cast<Address>(desc.buffer),
desc.instr_size, 1, &protected_instruction);
SetupTrapHandler(GetParam());
#if V8_OS_POSIX
// The V8 default trap handler does not register for SIGFPE, therefore the
// thread-in-wasm flag is never reset in this test. We therefore do not check
// the value of this flag.
bool check_wasm_flag = GetParam() != kDefault;
#else
bool check_wasm_flag = true;
#endif
ExecuteExpectCrash(buffer_, check_wasm_flag);
if (!check_wasm_flag) {
// Reset the thread-in-wasm flag because it was probably not reset in the
// trap handler.
*trap_handler::GetThreadInWasmThreadLocalAddress() = 0;
}
}
class CodeRunner : public v8::base::Thread {
public:
CodeRunner(TrapHandlerTest* test, Vector<byte> buffer)
: Thread(Options("CodeRunner")), test_(test), buffer_(buffer) {}
void Run() override { test_->ExecuteExpectCrash(buffer_); }
private:
TrapHandlerTest* test_;
Vector<byte> buffer_;
};
TEST_P(TrapHandlerTest, TestCrashInOtherThread) {
// Test setup:
// The current thread enters wasm land (sets the thread_in_wasm flag)
// A second thread crashes at a protected instruction without having the flag
// set.
MacroAssembler masm(nullptr, AssemblerOptions{}, buffer_.start(),
buffer_.length(), CodeObjectRequired::kNo);
__ Push(scratch);
__ Move(scratch, crash_address_, RelocInfo::NONE);
int crash_offset = __ pc_offset();
__ testl(MemOperand(scratch, 0), Immediate(1));
int recovery_offset = __ pc_offset();
__ Pop(scratch);
__ Ret();
CodeDesc desc;
masm.GetCode(nullptr, &desc);
trap_handler::ProtectedInstructionData protected_instruction{crash_offset,
recovery_offset};
trap_handler::RegisterHandlerData(reinterpret_cast<Address>(desc.buffer),
desc.instr_size, 1, &protected_instruction);
SetupTrapHandler(GetParam());
CodeRunner runner(this, buffer_);
CHECK(!GetThreadInWasmFlag());
// Set the thread-in-wasm flag manually in this thread.
*trap_handler::GetThreadInWasmThreadLocalAddress() = 1;
runner.Start();
runner.Join();
CHECK(GetThreadInWasmFlag());
// Reset the thread-in-wasm flag.
*trap_handler::GetThreadInWasmThreadLocalAddress() = 0;
}
INSTANTIATE_TEST_CASE_P(/* no prefix */, TrapHandlerTest,
::testing::Values(kDefault, kCallback),
PrintTrapHandlerTestParam);
#undef __
} // namespace wasm
} // namespace internal
} // namespace v8