Title: [239304] trunk
Revision: 239304
Author: mark....@apple.com
Date: 2018-12-17 17:21:07 -0800 (Mon, 17 Dec 2018)

Log Message

SamplingProfiler's isValidFramePointer() should reject address at stack origin.
https://bugs.webkit.org/show_bug.cgi?id=192779
<rdar://problem/46775869>

Reviewed by Saam Barati.

JSTests:

* stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.

Source/_javascript_Core:

isValidFramePointer() was previously treating the address at StackBounds::origin()
as valid stack memory.  This is not true.  StackBounds::origin() is actually the
first address beyond valid stack memory. This is now fixed.

* runtime/SamplingProfiler.cpp:
(JSC::FrameWalker::isValidFramePointer):
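The boundary described in the log message, as a plain C illustration added here (this is not WebKit code): a hypothetical `StackBounds` stand-in whose `origin` is one past the highest valid byte and whose `end` is the lowest valid byte, the pre-fix and post-fix comparisons from the patch side by side, and a stricter whole-word variant that the patch itself does not contain. The backing buffer, `probe()` and the offsets it is fed are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for WTF::StackBounds (illustration only, not the
 * WebKit type). On a downward-growing stack `origin` is one past the highest
 * valid byte and `end` is the lowest valid byte, so the valid range is the
 * half-open interval [end, origin). */
typedef struct {
    const uint8_t *origin;
    const uint8_t *end;
} StackBounds;

/* Pre-fix check from the patch: `<= origin` accepts fp == origin. */
static bool isValidFramePointerBefore(const StackBounds *b, const void *fp)
{
    const uint8_t *p = (const uint8_t *)fp;
    return p <= b->origin && p >= b->end;
}

/* Post-fix check from the patch: fp must be strictly below origin. */
static bool isValidFramePointerAfter(const StackBounds *b, const void *fp)
{
    const uint8_t *p = (const uint8_t *)fp;
    return p < b->origin && p >= b->end;
}

/* Stricter variant (this example's addition, not in the patch): a frame
 * walker reads at least one pointer-sized word at fp, so require the whole
 * word, not just its first byte, to lie inside [end, origin). */
static bool isValidFrameWord(const StackBounds *b, const void *fp)
{
    const uint8_t *p = (const uint8_t *)fp;
    if (p < b->end || p >= b->origin)
        return false;
    return (size_t)(b->origin - p) >= sizeof(void *);
}

/* Constructed "stack": a 256-byte region inside a larger static buffer, with
 * slack on both sides so that out-of-range test pointers are still valid
 * addresses to form. Nothing here touches the real thread stack. */
enum { kSlack = 32, kStackSize = 256 };
static uint8_t gBacking[kSlack + kStackSize + kSlack];

/* Returns a bitmask of which checks accept the address `offset` bytes below
 * origin: bit 0 = pre-fix, bit 1 = post-fix, bit 2 = whole-word variant. */
static unsigned probe(ptrdiff_t offset)
{
    StackBounds b = { gBacking + kSlack + kStackSize, gBacking + kSlack };
    const uint8_t *fp = b.origin - offset;
    unsigned mask = 0;
    if (isValidFramePointerBefore(&b, fp)) mask |= 1u;
    if (isValidFramePointerAfter(&b, fp))  mask |= 2u;
    if (isValidFrameWord(&b, fp))          mask |= 4u;
    return mask;
}

int main(void)
{
    const ptrdiff_t offsets[] = { 0, 1, (ptrdiff_t)sizeof(void *), kStackSize, kStackSize + 1 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        unsigned m = probe(offsets[i]);
        printf("fp = origin - %3td: pre-fix %s, post-fix %s, whole-word %s\n",
               offsets[i],
               (m & 1u) ? "accept" : "reject",
               (m & 2u) ? "accept" : "reject",
               (m & 4u) ? "accept" : "reject");
    }
    return 0;
}
```

Treating `origin` like a C one-past-the-end pointer is what makes the half-open comparison the right one: `fp == origin` is a legal address to form but never a legal address to read, which is exactly the case the pre-fix `<=` let through. The whole-word variant shows the next question a reviewer would ask once the single-byte off-by-one is fixed.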

Diff

Modified: trunk/JSTests/ChangeLog (239303 => 239304)


--- trunk/JSTests/ChangeLog	2018-12-18 00:12:06 UTC (rev 239303)
+++ trunk/JSTests/ChangeLog	2018-12-18 01:21:07 UTC (rev 239304)
@@ -1,3 +1,13 @@
+2018-12-17  Mark Lam  <mark....@apple.com>
+
+        SamplingProfiler's isValidFramePointer() should reject address at stack origin.
+        https://bugs.webkit.org/show_bug.cgi?id=192779
+        <rdar://problem/46775869>
+
+        Reviewed by Saam Barati.
+
+        * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
+
 2018-12-17  Ryan Haddad  <ryanhad...@apple.com>
 
         Unreviewed test gardening, address a syntax error in a new test.

Added: trunk/JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js (0 => 239304)


--- trunk/JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js	                        (rev 0)
+++ trunk/JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js	2018-12-18 01:21:07 UTC (rev 239304)
@@ -0,0 +1,24 @@
+//@ requireOptions("--useSamplingProfiler=true", "--useProbeOSRExit=true", "--useObjectAllocationSinking=false", "--sampleInterval=10")
+
+function foo(ranges) {
+    const CHUNK_SIZE = 95;
+    for (const [start, end] of ranges) {
+        const codePoints = [];
+        for (let length = 0, codePoint = start; codePoint <= end; codePoint++) {
+            codePoints[length++] = codePoint;
+            if (length === CHUNK_SIZE) {
+                length = 0;
+                codePoints.length = 0;
+                String.fromCodePoint(...[]);
+            }
+        }
+        String.fromCodePoint(...codePoints);
+    }
+}
+
+for (let i=0; i<3; i++) {
+    let x = foo([
+        [ 0, 10000 ],
+        [ 68000, 1114111 ]
+    ]);
+}
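Review bot: the new test has no comment saying what it reproduces or what a pass looks like, which matters because the file contains no assertion: it passes only by not crashing or tripping an ASSERT while the sampling profiler walks frames. The `//@ requireOptions(...)` line pins a specific configuration (probe-based OSR exit on, object allocation sinking off, a 10-unit sample interval) that nothing in the file explains, so a later option rename or removal would silently turn the test into a no-op. Suggest a one-line header comment naming bug 192779 and stating that this is a crash reproducer for isValidFramePointer() accepting an fp equal to StackBounds::origin(). Minor: `let x = foo([...])` binds a value that foo() never returns; dropping the binding makes it plainer that the loop exists only to generate samples.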

Modified: trunk/Source/_javascript_Core/ChangeLog (239303 => 239304)


--- trunk/Source/_javascript_Core/ChangeLog	2018-12-18 00:12:06 UTC (rev 239303)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-12-18 01:21:07 UTC (rev 239304)
@@ -1,5 +1,20 @@
 2018-12-17  Mark Lam  <mark....@apple.com>
 
+        SamplingProfiler's isValidFramePointer() should reject address at stack origin.
+        https://bugs.webkit.org/show_bug.cgi?id=192779
+        <rdar://problem/46775869>
+
+        Reviewed by Saam Barati.
+
+        isValidFramePointer() was previously treating the address at StackBounds::origin()
+        as valid stack memory.  This is not true.  StackBounds::origin() is actually the
+        first address beyond valid stack memory. This is now fixed.
+
+        * runtime/SamplingProfiler.cpp:
+        (JSC::FrameWalker::isValidFramePointer):
+
+2018-12-17  Mark Lam  <mark....@apple.com>
+
         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
         https://bugs.webkit.org/show_bug.cgi?id=192776
         <rdar://problem/46772368>

Modified: trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp (239303 => 239304)


--- trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp	2018-12-18 00:12:06 UTC (rev 239303)
+++ trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp	2018-12-18 01:21:07 UTC (rev 239304)
@@ -172,7 +172,8 @@
             uint8_t* stackLimit = static_cast<uint8_t*>(thread->stack().end());
             RELEASE_ASSERT(stackBase);
             RELEASE_ASSERT(stackLimit);
-            if (fpCast <= stackBase && fpCast >= stackLimit)
+            RELEASE_ASSERT(stackLimit <= stackBase);
+            if (fpCast < stackBase && fpCast >= stackLimit)
                 return true;
         }
         return false;
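Review bot: the corrected comparison makes the range half-open at the top, [stackLimit, stackBase), which matches origin() being one past the last valid byte, but it still validates only the single address fpCast. If the frame walker goes on to read a pointer-sized word at fp (the saved frame pointer or return address), an fp in the last few bytes below stackBase passes this check and the read straddles origin(). Consider requiring the whole word to fit, e.g. `fpCast + sizeof(void*) <= stackBase`, or, if fp is known to be pointer-aligned and stackBase is aligned at least as strictly, a RELEASE_ASSERT on that alignment so the single-address comparison is provably sufficient. The new `RELEASE_ASSERT(stackLimit <= stackBase)` also encodes the downward-growing-stack assumption silently; a short comment stating that end() is the lowest valid address and origin() is one past the highest would make the off-by-one this patch fixes harder to reintroduce.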
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
