SamplingProfiler's isValidFramePointer() should reject address at stack origin.
author    mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 18 Dec 2018 01:21:07 +0000 (01:21 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 18 Dec 2018 01:21:07 +0000 (01:21 +0000)
https://bugs.webkit.org/show_bug.cgi?id=192779
<rdar://problem/46775869>

Reviewed by Saam Barati.

JSTests:

* stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.

Source/JavaScriptCore:

isValidFramePointer() was previously treating the address at StackBounds::origin()
as valid stack memory.  This is not true.  StackBounds::origin() is actually the
first address beyond valid stack memory. This is now fixed.

* runtime/SamplingProfiler.cpp:
(JSC::FrameWalker::isValidFramePointer):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239304 268f45cc-cd09-0410-ab3c-d52691b4dbfc
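As an added illustration of the off-by-one the commit message describes (example code written here, not JavaScriptCore's own; the StackBounds and CallerFrameAndPC types, the function names and the static buffer standing in for a thread stack are all assumptions), the C++ below puts the original `<=` comparison beside the corrected `<`, then goes one step further than the patch: a variant that also requires the whole record read through the frame pointer to fit below origin, and a walker that dereferences a pointer only after it passed the check.

```cpp
// Added example, not WebKit code: frame-pointer validation against stack
// bounds modelled as the half-open interval [limit, origin), plus a walker
// that stops as soon as a link leaves that interval.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for JSC's StackBounds (names assumed, not copied).
// The stack grows downward: `limit` is the lowest valid byte, `origin` is the
// first byte past the highest valid one and must never be dereferenced.
struct StackBounds {
    const uint8_t* origin; // exclusive upper bound
    const uint8_t* limit;  // inclusive lower bound
};

// What a frame walker reads through a frame pointer: the saved caller frame
// pointer and the return address, two machine words starting at fp.
struct CallerFrameAndPC {
    void* callerFrame;
    void* returnPC;
};

// The original, off-by-one check: `<=` lets fp == origin through.
inline bool isValidFramePointerBuggy(const void* fp, const StackBounds& b) {
    const uint8_t* p = static_cast<const uint8_t*>(fp);
    return p <= b.origin && p >= b.limit;
}

// The corrected check: origin itself is rejected.
inline bool isValidFramePointerFixed(const void* fp, const StackBounds& b) {
    const uint8_t* p = static_cast<const uint8_t*>(fp);
    return p < b.origin && p >= b.limit;
}

// Stricter variant: every byte of the record that will be read through fp
// must lie inside the bounds, so fp = origin - one word is rejected as well.
inline bool isValidFrameRecord(const void* fp, const StackBounds& b) {
    const uint8_t* p = static_cast<const uint8_t*>(fp);
    if (p < b.limit || p >= b.origin)
        return false;
    size_t remaining = static_cast<size_t>(b.origin - p); // bytes up to origin
    return remaining >= sizeof(CallerFrameAndPC);
}

using FramePredicate = bool (*)(const void*, const StackBounds&);

// Follow callerFrame links from `fp`, reading each record only after the
// predicate accepted it. Returns the number of frames visited.
inline size_t walkFrames(const void* fp, const StackBounds& b,
                         FramePredicate accept, size_t maxFrames) {
    size_t count = 0;
    while (count < maxFrames && accept(fp, b)) {
        const auto* rec = static_cast<const CallerFrameAndPC*>(fp);
        ++count;
        fp = rec->callerFrame;
    }
    return count;
}

// Constructed sample "stack": a static, pointer-aligned buffer standing in
// for a thread stack (4096 bytes).
static uint64_t g_fakeStack[512];

inline StackBounds fakeBounds() {
    const uint8_t* base = reinterpret_cast<const uint8_t*>(g_fakeStack);
    return { base + sizeof(g_fakeStack), base };
}

// Lay out three linked frames in the fake stack and return the innermost.
// The outermost frame's callerFrame is origin, one past the stack: the buggy
// check accepts it and a walker would then read outside the stack.
inline const void* buildSampleChain(const StackBounds& b) {
    uint8_t* origin = const_cast<uint8_t*>(b.origin);
    auto* top = reinterpret_cast<CallerFrameAndPC*>(origin - 1 * sizeof(CallerFrameAndPC));
    auto* mid = reinterpret_cast<CallerFrameAndPC*>(origin - 3 * sizeof(CallerFrameAndPC));
    auto* bot = reinterpret_cast<CallerFrameAndPC*>(origin - 6 * sizeof(CallerFrameAndPC));
    top->callerFrame = origin;
    top->returnPC = nullptr;
    mid->callerFrame = top;
    mid->returnPC = nullptr;
    bot->callerFrame = mid;
    bot->returnPC = nullptr;
    return bot;
}

int main() {
    StackBounds b = fakeBounds();
    std::printf("buggy accepts origin: %d\n", isValidFramePointerBuggy(b.origin, b));
    std::printf("fixed accepts origin: %d\n", isValidFramePointerFixed(b.origin, b));
    std::printf("frames walked with fixed check: %zu\n",
                walkFrames(buildSampleChain(b), b, isValidFramePointerFixed, 16));
    return 0;
}
```

The record-size check is the form a walker actually needs: the patched comparison only proves that the first byte of the frame is on the stack, while the walker then reads two words starting there, so a frame pointer one word below origin still reaches past the top.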

JSTests/ChangeLog
JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/SamplingProfiler.cpp

index f189894..60796af 100644 (file)
@@ -1,3 +1,13 @@
+2018-12-17  Mark Lam  <mark.lam@apple.com>
+
+        SamplingProfiler's isValidFramePointer() should reject address at stack origin.
+        https://bugs.webkit.org/show_bug.cgi?id=192779
+        <rdar://problem/46775869>
+
+        Reviewed by Saam Barati.
+
+        * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
+
 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
 
         Unreviewed test gardening, address a syntax error in a new test.
diff --git a/JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js b/JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js
new file mode 100644 (file)
index 0000000..9727486
--- /dev/null
@@ -0,0 +1,24 @@
+//@ requireOptions("--useSamplingProfiler=true", "--useProbeOSRExit=true", "--useObjectAllocationSinking=false", "--sampleInterval=10")
+
+function foo(ranges) {
+    const CHUNK_SIZE = 95;
+    for (const [start, end] of ranges) {
+        const codePoints = [];
+        for (let length = 0, codePoint = start; codePoint <= end; codePoint++) {
+            codePoints[length++] = codePoint;
+            if (length === CHUNK_SIZE) {
+                length = 0;
+                codePoints.length = 0;
+                String.fromCodePoint(...[]);
+            }
+        }
+        String.fromCodePoint(...codePoints);
+    }
+}
+
+for (let i=0; i<3; i++) {
+    let x = foo([
+        [ 0, 10000 ],
+        [ 68000, 1114111 ]
+    ]);
+}
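Review bot: the new test file carries no comment saying what it exercises; nothing in it mentions the frame-pointer check, and with `--sampleInterval=10` a pass only means that no sample happened to land while a frame sat at the stack origin, so a reader cannot tell a fixed bug from a sampler that simply missed. Add a leading comment naming https://bugs.webkit.org/show_bug.cgi?id=192779 and the condition the spread calls (`String.fromCodePoint(...codePoints)` with `--useProbeOSRExit=true`) are meant to provoke, and drop the unused `let x =` in the outer loop, since `foo` returns nothing.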
index 715d0ad..762e387 100644 (file)
@@ -1,5 +1,20 @@
 2018-12-17  Mark Lam  <mark.lam@apple.com>
 
+        SamplingProfiler's isValidFramePointer() should reject address at stack origin.
+        https://bugs.webkit.org/show_bug.cgi?id=192779
+        <rdar://problem/46775869>
+
+        Reviewed by Saam Barati.
+
+        isValidFramePointer() was previously treating the address at StackBounds::origin()
+        as valid stack memory.  This is not true.  StackBounds::origin() is actually the
+        first address beyond valid stack memory. This is now fixed.
+
+        * runtime/SamplingProfiler.cpp:
+        (JSC::FrameWalker::isValidFramePointer):
+
+2018-12-17  Mark Lam  <mark.lam@apple.com>
+
         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
         https://bugs.webkit.org/show_bug.cgi?id=192776
         <rdar://problem/46772368>
index 551fe34..1752633 100644 (file)
@@ -172,7 +172,8 @@ protected:
             uint8_t* stackLimit = static_cast<uint8_t*>(thread->stack().end());
             RELEASE_ASSERT(stackBase);
             RELEASE_ASSERT(stackLimit);
-            if (fpCast <= stackBase && fpCast >= stackLimit)
+            RELEASE_ASSERT(stackLimit <= stackBase);
+            if (fpCast < stackBase && fpCast >= stackLimit)
                 return true;
         }
         return false;
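Review bot: `fpCast < stackBase` still validates only the single address fpCast, not the bytes the walker goes on to read through it; a frame pointer one word below stackBase passes this check and any field read at an offset from it reaches stackBase. Consider checking that the whole record fits, i.e. `fpCast + <size of the record read through fp> <= stackBase`, rather than `fpCast < stackBase`. Since the off-by-one came from stackBase being exclusive while stackLimit is inclusive, a one-line comment above the comparison stating that the valid range is the half-open interval [stackLimit, stackBase) would also explain the new `RELEASE_ASSERT(stackLimit <= stackBase)` and the `<` versus `>=` asymmetry to the next reader.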