How to intercept the context changing operation for JS code in v8

[Luo Wu]

Hi all,

I want to intercept and log the context changing event in v8. 

Say I have a script in main.html which invokes a function foo in the iframe.html. When the function foo is executed, the isolate->context() is changed to represent for iframe.html. But I cannot find where the v8 sets the corresponding context variable (isolate->set_context() is not invoked). My purpose is to immediately know that the context is changed, and log some information.

Please tell me how can I achieve this goal. Appreciate if there is any idea for that.

[Ben Noordhuis]

The short answer is that you can't, at least not easily.

The context is changed directly from the generated machine code, there
is no associated C++ function call that you can instrument. Grep
src/builtins/*/builtins-*.cc for IsolateAddressId::kContextAddress and
IsolateAddressId::kPendingHandlerContextAddress to find out how it
works.

It's possible to augment the generated code to call out to a C++
function but it's not exactly trivial. Grep the aforementioned files
for CallCFunction() and note how e.g.
Runtime::kUnwindAndFindExceptionHandler corresponds to
Runtime_UnwindAndFindExceptionHandler in
src/runtime/runtime-internal.cc. Good luck!

[Luo Wu]

Thanks for your reply. 

I checked the code related to IsolateAddressId::kContextAddress. In src/builtins/x64/builtins-x64.cc, it seems that the function Generate_JSEntryTrampolineHelper just loads the context but does not overwrites it. I also found that the context is overwrote in MacroAssembler::EnterExitFramePrologue. Is it the one I need to instrument? Or is there any misunderstanding on my part?

If i am right, are all JS function calls (including document.cookie etc) going through that function, or are they just cross-frame function calls?

Thank you.

在 2019年5月27日星期一 UTC+8下午4:28:14，Ben Noordhuis写道：

[Ben Noordhuis]

On Tue, May 28, 2019 at 11:20 AM Luo Wu <lwy...@pku.edu.cn> wrote:
>
> Thanks for your reply.
>
> I checked the code related to IsolateAddressId::kContextAddress. In src/builtins/x64/builtins-x64.cc, it seems that the function Generate_JSEntryTrampolineHelper just loads the context but does not overwrites it. I also found that the context is overwrote in MacroAssembler::EnterExitFramePrologue. Is it the one I need to instrument? Or is there any misunderstanding on my part?
>
> If i am right, are all JS function calls (including document.cookie etc) going through that function, or are they just cross-frame function calls?
>
> Thank you.

MacroAssembler::EnterExitFramePrologue() is one place but there's also
the microtask queue (used for things like promises), see
SetCurrentContext() in src/builtins/builtins-microtask-queue-gen.cc.
That file generates machine code ahead-of-time.

NB: You may not need to instrument the AOT code (which is even
trickier than instrumenting runtime generated code) because ultimately
it calls Builtins::Generate_CallFunction() and that function also
loads the context from JSFunction::kContextOffset.

[Luo Wu]

I'm trying to understand the connection between them. Can I say that all JS function calls will go through MacroAssembler::InvokeFunctionCode? And what I need to do is to instrument that function? Or maybe I can leverage the Runtime::kDebugOnFunctionCall?

Thank you. 

在 2019年5月28日星期二 UTC+8下午5:53:58，Ben Noordhuis写道：

[Ben Noordhuis]

On Tue, May 28, 2019 at 4:14 PM Luo Wu <lwy...@pku.edu.cn> wrote:
>
> I'm trying to understand the connection between them. Can I say that all JS function calls will go through MacroAssembler::InvokeFunctionCode? And what I need to do is to instrument that function? Or maybe I can leverage the Runtime::kDebugOnFunctionCall?
>
> Thank you.

Looking at the code, I'd say that, yes,
MacroAssembler::InvokeFunctionCode() is probably the method you want.