WebKit Bugzilla
Attachment 357483 Details for Bug 192779: SamplingProfiler's isValidFramePointer() should reject address at stack origin.
[patch] proposed patch.
bug-192779.patch (text/plain), 3.37 KB, created by Mark Lam on 2018-12-17 15:08:21 PST
Description: proposed patch.
Filename: bug-192779.patch
MIME Type: text/plain
Creator: Mark Lam
Created: 2018-12-17 15:08:21 PST
Size: 3.37 KB
Flags: patch, obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 239291) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2018-12-17 Mark Lam <mark.lam@apple.com> >+ >+ SamplingProfiler's isValidFramePointer() should reject address at stack origin. >+ https://bugs.webkit.org/show_bug.cgi?id=192779 >+ <rdar://problem/46775869> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added. >+ > 2018-12-17 Mark Lam <mark.lam@apple.com> > > Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit(). >Index: JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js >=================================================================== >--- JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js (nonexistent) >+++ JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js (working copy) >@@ -0,0 +1,24 @@ >+//@ requireOptions("--useSamplingProfiler=true", "--useProbeOSRExit=true", "--useObjectAllocationSinking=false", "--sampleInterval=10") >+ >+function foo(ranges) { >+ const CHUNK_SIZE = 95; >+ for (const [start, end] of ranges) { >+ const codePoints = []; >+ for (let length = 0, codePoint = start; codePoint <= end; codePoint++) { >+ codePoints[length++] = codePoint; >+ if (length === CHUNK_SIZE) { >+ length = 0; >+ codePoints.length = 0; >+ String.fromCodePoint(...[]); >+ } >+ } >+ String.fromCodePoint(...codePoints); >+ } >+} >+ >+for (let i=0; i<3; i++) { >+ let x = foo([ >+ [ 0, 10000 ], >+ [ 68000, 1114111 ] >+ ]); >+} >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 239290) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,18 @@ >+2018-12-17 Mark Lam <mark.lam@apple.com> >+ >+ SamplingProfiler's isValidFramePointer() should reject address at stack origin. >+ https://bugs.webkit.org/show_bug.cgi?id=192779 >+ <rdar://problem/46775869> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ isValidFramePointer() was previously treating the address at StackBounds::origin() >+ as valid stack memory. This is not true. StackBounds::origin() is actually the >+ first address beyond valid stack memory. This is now fixed. >+ >+ * runtime/SamplingProfiler.cpp: >+ (JSC::FrameWalker::isValidFramePointer): >+ > 2018-12-17 Mark Lam <mark.lam@apple.com> > > Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit(). >Index: Source/JavaScriptCore/runtime/SamplingProfiler.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/SamplingProfiler.cpp (revision 239290) >+++ Source/JavaScriptCore/runtime/SamplingProfiler.cpp (working copy) >@@ -172,7 +172,8 @@ protected: > uint8_t* stackLimit = static_cast<uint8_t*>(thread->stack().end()); > RELEASE_ASSERT(stackBase); > RELEASE_ASSERT(stackLimit); >- if (fpCast <= stackBase && fpCast >= stackLimit) >+ RELEASE_ASSERT(stackLimit <= stackBase); >+ if (fpCast < stackBase && fpCast >= stackLimit) > return true; > } > return false;
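Review bot: the new stress test JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js has no assertion and no explanatory comment, so a reader cannot tell from the file what a pass means; it passes only by not crashing while the sampling profiler (enabled through `--useSamplingProfiler=true` with `--sampleInterval=10`) samples during the repeated `String.fromCodePoint(...codePoints)` calls. Add a header comment stating that the test exercises the frame walker against the stack origin and that a crash or sanitizer report is the failure mode, and drop the unused `let x =` binding in the driver loop, since `foo` returns nothing.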
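Review bot: in the SamplingProfiler.cpp hunk, the corrected condition `fpCast < stackBase && fpCast >= stackLimit` rejects the origin address itself, but it still accepts any byte address strictly below `stackBase`, including `stackBase - 1`; if the caller goes on to read a pointer-sized field (a saved frame pointer or return address) at `fpCast`, that read still spans the origin this patch is meant to exclude. Consider checking that the whole field fits, e.g. `fpCast + sizeof(void*) <= stackBase`, and testing pointer alignment of `fpCast` as well, since a genuine frame pointer is pointer-aligned. The added `RELEASE_ASSERT(stackLimit <= stackBase)` captures the invariant well; a one-line comment on the `if` noting that `stackBase` (the origin) is one past the last valid byte would spare the next reader a trip to the ChangeLog.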