[v8-dev] Crash after closing a handle scope when blocks with handle scope data are in a specific memory alignment

Fri, 06 Dec 2019 04:41:00 -0800 

Currently it can happen so that two blocks with handle scope data in 
HandleScopeImplementer::blocks_ can be allocated so the end of the first 
one is with the same address as the start of the second.

If this happens in a situation when the thus aligned blocks are the last 
used block and the one before it, the following situation can happen:
- You close a HandleScope that is the only one kept in the last block and 
starts at the beginning of the last block
- CloseScope calls DeleteExtensions
- DeleteExtensions checks whether the last open scope after the current 
closed one is in the last block, or the last block should be freed
- If the end of the remaining open scope is at the end of the next to last 
block, DeleteExtensions decides that the handle scope is in the beginning 
of the last block as well and doesn't free it
Which results at least in an error in the invariant of HandleScope::Extend, 
which causes DCHECK_LT(limit - current->next, kHandleBlockSize)) to fail in 
debug and causes a crash in release.

I was able to fix this by changing the check inside DeleteExtensions from
if (reinterpret_cast<Address>(block_start) <= 
reinterpret_cast<Address>(prev_limit) 
&& reinterpret_cast<Address>(prev_limit) <= 
reinterpret_cast<Address>(block_limit)) 
{

to
if (reinterpret_cast<Address>(block_start) < 
reinterpret_cast<Address>(prev_limit) 
&& reinterpret_cast<Address>(prev_limit) <= 
reinterpret_cast<Address>(block_limit)) 
{

here - https://github.com/v8/v8/blob/master/src/api/api.h#L532


However, is it expected two blocks to be able to be aligned this way?
If yes, then this error should be fixed. If not - then maybe the allocation 
of blocks for handle scope data should be reiterated and modified.

I caught this on Linux, x64 arch.

-- 
-- 
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups 
"v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/v8-dev/9c911e70-2c1f-46fb-a3fa-807c51750e86%40googlegroups.com.

Reply via email to