[isolate] Strengthen check for builtins results

The CHECK was checking that we return the exception sentinel if an exception is pending. The other way is actually equally important: If we return the exception sentinel, a pending exception must be scheduled. Since the CEntry stub assumes that all values returned from runtime functions are valid tagged values (pointing into the JS heap), do also check that. This check would have prevented the linked issue. Bug: chromium:1311960 R=jkummerow@chromium.org CC=cbruni@chromium.org Change-Id: I833d2968529e3b73f3009e0104b46182197c2d23 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3675098 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#81145}
2022-06-13 16:42:05 +02:00 · 2022-06-13 16:42:05 +02:00 · 0f4a62c04c
commit 0f4a62c04c
parent 9efa9e3c92
1 changed files with 24 additions and 4 deletions
--- a/src/execution/isolate-inl.h
+++ b/src/execution/isolate-inl.h
@ -16,6 +16,7 @@
 #include "src/objects/source-text-module-inl.h"

 #ifdef DEBUG
+#include "src/common/ptr-compr-inl.h"
 #include "src/runtime/runtime-utils.h"
 #endif

@ -108,17 +109,36 @@ bool Isolate::is_execution_terminating() {

 #ifdef DEBUG
 Object Isolate::VerifyBuiltinsResult(Object result) {
-  if (has_pending_exception()) {
-    CHECK_EQ(result, ReadOnlyRoots(this).exception());
+  DCHECK_EQ(has_pending_exception(), result == ReadOnlyRoots(this).exception());
+#ifdef V8_COMPRESS_POINTERS
+  // Check that the returned pointer is actually part of the current isolate,
+  // because that's the assumption in generated code (which might call this
+  // builtin).
+  if (!result.IsSmi()) {
+    DCHECK_EQ(result.ptr(), DecompressTaggedPointer(
+                                this, static_cast<Tagged_t>(result.ptr())));
  }
+#endif
  return result;
 }

 ObjectPair Isolate::VerifyBuiltinsResult(ObjectPair pair) {
 #ifdef V8_HOST_ARCH_64_BIT
-  if (has_pending_exception()) {
-    CHECK(pair.x == ReadOnlyRoots(this).exception().ptr());
+  DCHECK_EQ(has_pending_exception(),
+            pair.x == ReadOnlyRoots(this).exception().ptr());
+#ifdef V8_COMPRESS_POINTERS
+  // Check that the returned pointer is actually part of the current isolate,
+  // because that's the assumption in generated code (which might call this
+  // builtin).
+  if (!HAS_SMI_TAG(pair.x)) {
+    DCHECK_EQ(pair.x,
+              DecompressTaggedPointer(this, static_cast<Tagged_t>(pair.x)));
  }
+  if (!HAS_SMI_TAG(pair.y)) {
+    DCHECK_EQ(pair.y,
+              DecompressTaggedPointer(this, static_cast<Tagged_t>(pair.y)));
+  }
+#endif  // V8_COMPRESS_POINTERS
 #endif  // V8_HOST_ARCH_64_BIT
  return pair;
 }