|  | /* | 
|  | * Copyright (C) 2016 Apple Inc. All rights reserved. | 
|  | * | 
|  | * Redistribution and use in source and binary forms, with or without | 
|  | * modification, are permitted provided that the following conditions | 
|  | * are met: | 
|  | * 1. Redistributions of source code must retain the above copyright | 
|  | *    notice, this list of conditions and the following disclaimer. | 
|  | * 2. Redistributions in binary form must reproduce the above copyright | 
|  | *    notice, this list of conditions and the following disclaimer in the | 
|  | *    documentation and/or other materials provided with the distribution. | 
|  | * | 
|  | * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY | 
|  | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | 
|  | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | 
|  | * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR | 
|  | * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, | 
|  | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, | 
|  | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR | 
|  | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY | 
|  | * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | 
|  | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | 
|  | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 
|  | */ | 
|  |  | 
|  | #pragma once | 
|  |  | 
|  | #include "CallFrame.h" | 
|  | #include "JSCJSValue.h" | 
|  | #include <wtf/FastMalloc.h> | 
|  | #include <wtf/Noncopyable.h> | 
|  | #include <wtf/PrintStream.h> | 
|  | #include <wtf/StdLibExtras.h> | 
|  | #include <wtf/Vector.h> | 
|  |  | 
|  | namespace JSC { | 
|  |  | 
|  | class CallFrame; | 
|  | class CodeBlock; | 
|  | class JSArray; | 
|  | class JSObject; | 
|  | class JSScope; | 
|  | class LLIntOffsetsExtractor; | 
|  | class SlotVisitor; | 
|  | class VM; | 
|  |  | 
|  | // ShadowChicken is a log that can be used to produce a shadow stack of CHICKEN-style stack frames. | 
|  | // This enables the debugger to almost always see the tail-deleted stack frames, so long as we have | 
|  | // memory inside ShadowChicken to remember them. | 
|  | // | 
|  | // The ShadowChicken log comprises packets that have one of two shapes: | 
|  | // | 
|  | // Prologue Packet, which has: | 
|  | //     - Callee object. | 
|  | //     - Frame pointer. | 
|  | //     - Caller frame pointer. | 
|  | // | 
|  | // Tail Call Packet, which has just: | 
|  | //     - Frame pointer. | 
|  | // | 
|  | // Prologue Packets are placed into the log in any JS function's prologue. Tail Call Packets are | 
|  | // placed into the log just before making a proper tail call. We never log returns, since that would | 
|  | // require a lot of infrastructure (unwinding, multiple ways of returning, etc). We don't need to | 
|  | // see the returns because the prologue packets have a frame pointer. The tail call packets tell us | 
|  | // when there was a tail call, and record the FP *before* the tail call. | 
|  | // | 
|  | // At any time it is possible to construct a shadow stack from the log and the actual machine stack. | 
|  |  | 
|  | class ShadowChicken { | 
|  | WTF_MAKE_NONCOPYABLE(ShadowChicken); | 
|  | WTF_MAKE_FAST_ALLOCATED; | 
|  | public: | 
|  | struct Packet { | 
|  | Packet() | 
|  | { | 
|  | } | 
|  |  | 
|  | static constexpr unsigned unlikelyValue = 0x7a11; | 
|  |  | 
|  | static constexpr intptr_t tailMarkerValue = static_cast<intptr_t>(unlikelyValue); | 
|  | static JSObject* tailMarker() | 
|  | { | 
|  | return bitwise_cast<JSObject*>(tailMarkerValue); | 
|  | } | 
|  |  | 
|  | static JSObject* throwMarker() | 
|  | { | 
|  | return bitwise_cast<JSObject*>(static_cast<intptr_t>(unlikelyValue + 1)); | 
|  | } | 
|  |  | 
|  | static Packet prologue(JSObject* callee, CallFrame* frame, CallFrame* callerFrame, JSScope* scope) | 
|  | { | 
|  | Packet result; | 
|  | result.callee = callee; | 
|  | result.frame = frame; | 
|  | result.callerFrame = callerFrame; | 
|  | result.scope = scope; | 
|  | return result; | 
|  | } | 
|  |  | 
|  | static Packet tail(CallFrame* frame, JSValue thisValue, JSScope* scope, CodeBlock* codeBlock, CallSiteIndex callSiteIndex) | 
|  | { | 
|  | Packet result; | 
|  | result.callee = tailMarker(); | 
|  | result.frame = frame; | 
|  | result.thisValue = thisValue; | 
|  | result.scope = scope; | 
|  | result.codeBlock = codeBlock; | 
|  | result.callSiteIndex = callSiteIndex; | 
|  | return result; | 
|  | } | 
|  |  | 
|  | static Packet throwPacket() | 
|  | { | 
|  | Packet result; | 
|  | result.callee = throwMarker(); | 
|  | return result; | 
|  | } | 
|  |  | 
|  | explicit operator bool() const { return !!callee; } | 
|  |  | 
|  | bool isPrologue() const { return *this && callee != tailMarker() && callee != throwMarker(); } | 
|  | bool isTail() const { return *this && callee == tailMarker(); } | 
|  | bool isThrow() const { return *this && callee == throwMarker(); } | 
|  |  | 
|  | void dump(PrintStream&) const; | 
|  |  | 
|  | // Only tail packets have a valid thisValue, CodeBlock*, and CallSiteIndex. We grab 'this' and CodeBlock* from non tail-deleted frames from the machine frame. | 
|  | JSValue thisValue { JSValue() }; | 
|  | JSObject* callee { nullptr }; | 
|  | CallFrame* frame { nullptr }; | 
|  | CallFrame* callerFrame { nullptr }; | 
|  | JSScope* scope { nullptr }; | 
|  | CodeBlock* codeBlock { nullptr }; | 
|  | CallSiteIndex callSiteIndex; | 
|  | }; | 
|  |  | 
|  | struct Frame { | 
|  | Frame() | 
|  | { | 
|  | } | 
|  |  | 
|  | Frame(JSObject* callee, CallFrame* frame, bool isTailDeleted, JSValue thisValue = JSValue(), JSScope* scope = nullptr, CodeBlock* codeBlock = nullptr, CallSiteIndex callSiteIndex = CallSiteIndex()) | 
|  | : callee(callee) | 
|  | , frame(frame) | 
|  | , thisValue(thisValue) | 
|  | , scope(scope) | 
|  | , codeBlock(codeBlock) | 
|  | , callSiteIndex(callSiteIndex) | 
|  | , isTailDeleted(isTailDeleted) | 
|  | { | 
|  | } | 
|  |  | 
|  | bool operator==(const Frame& other) const | 
|  | { | 
|  | return callee == other.callee | 
|  | && frame == other.frame | 
|  | && thisValue == other.thisValue | 
|  | && scope == other.scope | 
|  | && codeBlock == other.codeBlock | 
|  | && callSiteIndex.bits() == other.callSiteIndex.bits() | 
|  | && isTailDeleted == other.isTailDeleted; | 
|  | } | 
|  |  | 
|  | bool operator!=(const Frame& other) const | 
|  | { | 
|  | return !(*this == other); | 
|  | } | 
|  |  | 
|  | void dump(PrintStream&) const; | 
|  |  | 
|  | // FIXME: This should be able to hold the moral equivalent of StackVisitor::Frame, so that | 
|  | // we can support inlining. | 
|  | // https://bugs.webkit.org/show_bug.cgi?id=155686 | 
|  | JSObject* callee { nullptr }; | 
|  | CallFrame* frame { nullptr }; | 
|  | JSValue thisValue { JSValue() }; | 
|  | JSScope* scope { nullptr }; | 
|  | CodeBlock* codeBlock { nullptr }; | 
|  | CallSiteIndex callSiteIndex; | 
|  | bool isTailDeleted { false }; | 
|  | }; | 
|  |  | 
|  | ShadowChicken(); | 
|  | ~ShadowChicken(); | 
|  |  | 
|  | void log(VM& vm, CallFrame*, const Packet&); | 
|  |  | 
|  | void update(VM&, CallFrame*); | 
|  |  | 
|  | // Expects this signature: (const Frame& frame) -> bool. Return true to keep iterating. Return false to stop iterating. | 
|  | // Note that this only works right with inlining disabled, but that's OK since for now we | 
|  | // disable inlining when the inspector is attached. It would be easy to make this work with | 
|  | // inlining, and would mostly require that we can request that StackVisitor doesn't skip tail | 
|  | // frames. | 
|  | template<typename Functor> | 
|  | void iterate(VM&, CallFrame*, const Functor&); | 
|  |  | 
|  | void visitChildren(SlotVisitor&); | 
|  | void reset(); | 
|  |  | 
|  | // JIT support. | 
|  | Packet* log() const { return m_log; } | 
|  | unsigned logSize() const { return m_logSize; } | 
|  | Packet** addressOfLogCursor() { return &m_logCursor; } | 
|  | Packet* logEnd() { return m_logEnd; } | 
|  |  | 
|  | void dump(PrintStream&) const; | 
|  |  | 
|  | JS_EXPORT_PRIVATE JSArray* functionsOnStack(JSGlobalObject*, CallFrame*); | 
|  |  | 
|  | private: | 
|  | friend class LLIntOffsetsExtractor; | 
|  |  | 
|  | Packet* m_log { nullptr }; | 
|  | unsigned m_logSize { 0 }; | 
|  | Packet* m_logCursor { nullptr }; | 
|  | Packet* m_logEnd { nullptr }; | 
|  |  | 
|  | Vector<Frame> m_stack; | 
|  | }; | 
|  |  | 
|  | } // namespace JSC | 
|  |  |