[heap] Remove DCHECKs when clearning on-stack handles

The DCHECKs ensured that all on-stack handles removed when the embedder notifies V8 of an empty stack are indeed below the current stack limit. This is brittle, as the calls that are guaranteed to have no stack above, e.g., non-nestable tasks executing GC, sometimes have larger stack depth then previously registered on-stack handles. Resetting the slot to avoid UAF is not possible/needed as it is guaranteed in such cases that the stack is indeed different from the stack that was used when registering an on-stack handle. This CL removes the DCHECKs and trust the embedder on such calls, similar to when the embedder tells V8 that there's no interesting C++ stack on top of a call to avoid conservative stack scanning. Bug: chromium:1040038 Change-Id: I2e8c77d8080f2d888f773984646998bede59e19c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000753Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#65786}

[heap] Remove DCHECKs when clearning on-stack handles
The DCHECKs ensured that all on-stack handles removed when the embedder notifies V8 of an empty stack are indeed below the current stack limit. This is brittle, as the calls that are guaranteed to have no stack above, e.g., non-nestable tasks executing GC, sometimes have larger stack depth then previously registered on-stack handles. Resetting the slot to avoid UAF is not possible/needed as it is guaranteed in such cases that the stack is indeed different from the stack that was used when registering an on-stack handle. This CL removes the DCHECKs and trust the embedder on such calls, similar to when the embedder tells V8 that there's no interesting C++ stack on top of a call to avoid conservative stack scanning. Bug: chromium:1040038 Change-Id: I2e8c77d8080f2d888f773984646998bede59e19c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000753Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#65786}
e3b27b4a · Michael Lippautz · Commit Bot · 8364fc74 · e3b27b4a
Commit e3b27b4a authored Jan 15, 2020 by Michael Lippautz Committed by Commit Bot Jan 15, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 6 deletions

global-handles.cc src/handles/global-handles.cc +0 -6

No files found.
--- a/src/handles/global-handles.cc
+++ b/src/handles/global-handles.cc
@@ -789,12 +789,6 @@ uintptr_t GlobalHandles::OnStackTracedNodeSpace::GetStackAddressForSlot(
 }

 void GlobalHandles::OnStackTracedNodeSpace::NotifyEmptyEmbedderStack() {
-#ifdef DEBUG
-  uintptr_t current = GetCurrentStackPosition();
-  for (const auto it : on_stack_nodes_) {
-    DCHECK_LT(current, it.first);
-  }
-#endif  // DEBUG
  on_stack_nodes_.clear();
 }