Commit 649d3c10 authored by Omer Katz, committed by V8 LUCI CQ

cppgc: Handle low-address stack in write barrier.

Windows can allocate the stack at low addresses. A low-address on-stack
slot (e.g. backing store reference for Blink's on-heap collections) with
a null value would make TryGetCagedHeap falsely think that the slot
resides in a caged heap that starts at a null address.

We will still crash for low-address on-stack slots with non-null
on-stack value, since these cases are not considered valid and should
not happen.

The null value check is added only to Windows. It is not an issue on
other OSes where the stack always resides at high addresses and we
prefer to keep the write barrier as cheap as possible.

Bug: chromium:1230794, chromium:1056170
Change-Id: I07e2d178cd95edba57015d6bc6eb127a443b0589
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3069146
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76069}
parent 8fbf1e7d
......@@ -167,6 +167,17 @@ class V8_EXPORT WriteBarrierTypeForCagedHeapPolicy final {
static V8_INLINE bool TryGetCagedHeap(const void* slot, const void* value,
WriteBarrier::Params& params) {
#if defined(V8_OS_WIN)
// This method assumes that the stack is allocated in high
// addresses. That is not guaranteed on Windows. Having a low-address
// (below api_constants::kCagedHeapReservationSize) on-stack slot with a
// nullptr value would cause this method to erroneously return that the slot
// resides in a caged heap that starts at a null address.
// This check is applied only on Windows because it is not an issue on other
// OSes where the stack resides in higher adderesses, and to keep the write
// barrier as cheap as possible.
if (!value) return false;
#endif // V8_OS_WIN
params.start = reinterpret_cast<uintptr_t>(value) &
~(api_constants::kCagedHeapReservationAlignment - 1);
const uintptr_t slot_offset =
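Review bot: typo in the new comment block, "higher adderesses" should read "higher addresses". Since the comment is the only place a reader of this function will learn why the `#if defined(V8_OS_WIN)` early return exists, it would also help to state what the commit message says but the comment does not: a low-address on-stack slot with a non-null value still crashes by design, because that case is considered invalid rather than handled. One sentence such as "Low-address slots holding a non-null value are still treated as invalid and will crash" before the `if (!value) return false;` would keep that intent next to the code.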