[isolate] Increase allowed stack overflow for sanitizer builds

C++ frames can get quite big in sanitizer builds. In the linked bug it was an ASan debug build, which overflowed the stack by more than 8kB just from C++ frames (when entering the runtime, there was no overflow yet). Hence increase the allowed stack overflow a bit for sanitizer builds, from 8kB to 32kB. R=jkummerow@chromium.org Bug: chromium:1236560 Change-Id: I119fdb859f7ab5e6a0a4174cf79f0a16baa39432 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3078359 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#76142}
2021-08-06 18:09:46 +02:00 · 2021-08-06 18:09:46 +02:00 · d3b5b63d0f
commit d3b5b63d0f
parent 2656330f34
2 changed files with 17 additions and 0 deletions
--- a/src/execution/isolate.cc
+++ b/src/execution/isolate.cc
@ -1399,7 +1399,13 @@ Object Isolate::StackOverflow() {
  // frames until we reach this method.
  // If this DCHECK fails, one of the frames on the stack should be augmented by
  // an additional stack check.
+#if defined(V8_USE_ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER)
+  // Allow for a bit more overflow in sanitizer builds, because C++ frames take
+  // significantly more space there.
+  DCHECK_GE(GetCurrentStackPosition(), stack_guard()->real_climit() - 32 * KB);
+#else
  DCHECK_GE(GetCurrentStackPosition(), stack_guard()->real_climit() - 8 * KB);
+#endif

  if (FLAG_correctness_fuzzer_suppressions) {
    FATAL("Aborting on stack overflow");
--- a/test/mjsunit/regress/regress-1236560.js
+++ b/test/mjsunit/regress/regress-1236560.js
@ -0,0 +1,11 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let obj = {};
+let arr = new Uint8Array(3);
+function __f_0() {
+        arr[2] = obj;
+}
+obj.toString = __f_0;
+assertThrows(() => obj.toString(), RangeError);