Add recursion limit for VM (#2737)

This patch adds posibility to supervise the VM call stack to avoid aborts/crashes due to the recursion calls.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu

jerry-core/CMakeLists.txt

@@ -40,6 +40,7 @@ set(FEATURE_VALGRIND           OFF     CACHE BOOL   "Enable Valgrind support?")
 set(FEATURE_VM_EXEC_STOP       OFF     CACHE BOOL   "Enable VM execution stopping?")
 set(MEM_HEAP_SIZE_KB           "512"   CACHE STRING "Size of memory heap, in kilobytes")
 set(REGEXP_RECURSION_LIMIT     "0"     CACHE STRING "Limit of regexp recursion depth")
+set(VM_RECURSION_LIMIT         "0"     CACHE STRING "Limit of VM recursion depth")
 
 # Option overrides
 if(USING_MSVC)
@@ -96,6 +97,7 @@ message(STATUS "FEATURE_VALGRIND            " ${FEATURE_VALGRIND})
 message(STATUS "FEATURE_VM_EXEC_STOP        " ${FEATURE_VM_EXEC_STOP})
 message(STATUS "MEM_HEAP_SIZE_KB            " ${MEM_HEAP_SIZE_KB})
 message(STATUS "REGEXP_RECURSION_LIMIT      " ${REGEXP_RECURSION_LIMIT})
+message(STATUS "VM_RECURSION_LIMIT          " ${VM_RECURSION_LIMIT})
 
 # Include directories
 set(INCLUDE_CORE_PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/include")
@@ -235,6 +237,11 @@ if(REGEXP_RECURSION_LIMIT)
   set(DEFINES_JERRY ${DEFINES_JERRY} REGEXP_RECURSION_LIMIT=${REGEXP_RECURSION_LIMIT})
 endif()
 
+# VM recursion depth limit
+if(VM_RECURSION_LIMIT)
+  set(DEFINES_JERRY ${DEFINES_JERRY} VM_RECURSION_LIMIT=${VM_RECURSION_LIMIT})
+endif()
+
 # RegExp byte-code dumps
 if(FEATURE_REGEXP_DUMP)
   set(DEFINES_JERRY ${DEFINES_JERRY} REGEXP_DUMP_BYTE_CODE)

jerry-core/ecma/base/ecma-init-finalize.c

@@ -44,6 +44,10 @@ ecma_init (void)
   JERRY_CONTEXT (status_flags) &= (uint32_t) ~ECMA_STATUS_HIGH_SEV_GC;
 #endif /* !CONFIG_ECMA_PROPERTY_HASHMAP_DISABLE */
 
+#ifdef VM_RECURSION_LIMIT
+  JERRY_CONTEXT (vm_recursion_counter) = VM_RECURSION_LIMIT;
+#endif /* VM_RECURSION_LIMIT */
+
 #ifndef CONFIG_DISABLE_ES2015_PROMISE_BUILTIN
   ecma_job_queue_init ();
 #endif /* CONFIG_DISABLE_ES2015_PROMISE_BUILTIN */

jerry-core/jcontext/jcontext.h

@@ -136,6 +136,10 @@ struct jerry_context_t
                                                  *   ECMAScript execution should be stopped */
 #endif /* JERRY_VM_EXEC_STOP */
 
+#ifdef VM_RECURSION_LIMIT
+  uint32_t vm_recursion_counter;  /**< VM recursion counter */
+#endif /* VM_RECURSION_LIMIT */
+
 #ifdef JERRY_DEBUGGER
   uint8_t debugger_send_buffer[JERRY_DEBUGGER_TRANSPORT_MAX_BUFFER_SIZE]; /**< buffer for sending messages */
   uint8_t debugger_receive_buffer[JERRY_DEBUGGER_TRANSPORT_MAX_BUFFER_SIZE]; /**< buffer for receiving messages */

jerry-core/vm/vm.c

@@ -42,6 +42,13 @@
  * @{
  */
 
+/*
+ * Check VM recursion depth limit
+ */
+#ifdef VM_RECURSION_LIMIT
+JERRY_STATIC_ASSERT (VM_RECURSION_LIMIT > 0, vm_recursion_limit_must_be_greater_than_zero);
+#endif /* VM_RECURSION_LIMIT */
+
 /**
  * Get the value of object[property].
  *
@@ -3515,6 +3522,10 @@ vm_execute (vm_frame_ctx_t *frame_ctx_p, /**< frame context */
         }
 #endif /* JERRY_DEBUGGER */
 
+#ifdef VM_RECURSION_LIMIT
+        JERRY_CONTEXT (vm_recursion_counter)++;
+#endif /* VM_RECURSION_LIMIT */
+
         JERRY_CONTEXT (vm_top_context_p) = frame_ctx_p->prev_context_p;
         return completion_value;
       }
@@ -3535,6 +3546,17 @@ vm_run (const ecma_compiled_code_t *bytecode_header_p, /**< byte-code data heade
         const ecma_value_t *arg_list_p, /**< arguments list */
         ecma_length_t arg_list_len) /**< length of arguments list */
 {
+#ifdef VM_RECURSION_LIMIT
+  if (JERRY_UNLIKELY (JERRY_CONTEXT (vm_recursion_counter) == 0))
+  {
+    return ecma_raise_range_error (ECMA_ERR_MSG ("VM recursion limit is exceeded."));
+  }
+  else
+  {
+    JERRY_CONTEXT (vm_recursion_counter)--;
+  }
+#endif /* VM_RECURSION_LIMIT */
+
   ecma_value_t *literal_p;
   vm_frame_ctx_t frame_ctx;
   uint32_t call_stack_size;