Fix indirect fixup handling on aarch64 via frame-pointer-anchored scan#9803
Open
mszabo-wikia wants to merge 1 commit into
Open
Fix indirect fixup handling on aarch64 via frame-pointer-anchored scan#9803mszabo-wikia wants to merge 1 commit into
mszabo-wikia wants to merge 1 commit into
Conversation
Running `hhvm hphp/test/quick/dv.php` on aarch64 with HHVM compiled in release mode consistently segfaults while syncing the VM state prior to producing a backtrace for a Hack exception (see gist).[1] The crash happens because fixupWork assumes that aligned native frames directly follow one another as it traverses the chain of frame pointers while looking for the first VM frame, so it ends up using an incorrect CFA for the reconstructed VM frame. But since https://reviews.llvm.org/D65653, clang in release builds may decide to place locals above the frame record, breaking this assumption, as foretold in D29878492. I tried switching this logic to use the unwinder in D92892655 but that proved to be prohibitively unperformant. However, since we know that the target of the indirect fixup is associated with the first VM frame which is also the next frame, we can scan the stack upwards looking for the first ActRec whose `m_sfp` matches the stored FP for that frame and whose `m_savedRip` resolves to a valid non-indirect fixup. For unpadded frames this just stops on the first iteration step. [1] https://gist.github.com/mszabo-wikia/187833ee32cd5b6f4efa8bd987a66cd4
Contributor
|
This pull request has been imported. If you are a Meta employee, you can view this in D108886444. (Because this pull request was imported automatically, there will not be any future comments.) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Running
hhvm hphp/test/quick/dv.phpon aarch64 with HHVM compiled in release mode consistently segfaults while syncing the VM state prior to producing a backtrace for a Hack exception (see gist).[1]The crash happens because fixupWork assumes that aligned native frames directly follow one another as it traverses the chain of frame pointers while looking for the first VM frame, so it ends up using an incorrect CFA for the reconstructed VM frame. But since https://reviews.llvm.org/D65653, clang in release builds may decide to place locals above the frame record, breaking this assumption, as foretold in D29878492.
I tried switching this logic to use the unwinder in D92892655 but that proved to be prohibitively unperformant. However, since we know that the target of the indirect fixup is associated with the first VM frame which is also the next frame, we can scan the stack upwards looking for the first ActRec whose
m_sfpmatches the stored FP for that frame and whosem_savedRipresolves to a valid non-indirect fixup. For unpadded frames this just stops on the first iteration step.[1] https://gist.github.com/mszabo-wikia/187833ee32cd5b6f4efa8bd987a66cd4