726220 - IonMonkey: ContainsCodeAddress has an off by 1 error

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Marty Rosenberg [:mjrosenb]]

Attachment: /home/mrosenberg/patches/fixFunctionCheck-r0.patch

we call containsCodeAddress with a pointer that is the return address from a function.
For the most part, this works, but in some cases, when we know a call isn't going to return, no code is placed after the call, so the return address is not technically part of the function, and this makes walking up the stack *quite* sad.

Comment 1

[Sean Stangl [:sstangl]]

Comment on attachment 596214 [details] [diff] [review]
/home/mrosenberg/patches/fixFunctionCheck-r0.patch

Review of attachment 596214 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/IonCode.h
@@ +286,5 @@
> +        // however, when the code for exceptions is generated, there is no code
> +        // after the call.  If that was the last instruction in the function,
> +        // then the return address would be exactly at the upper bound of the
> +        // function, so it has been changed to <=
> +        return method()->raw() <= addr && addr <= method()->raw() + method()->instructionsSize();

This change causes containsCodeAddress() to lie for the purpose of appeasing exceptions. Instead of having this function lie, could we solve the problem locally in the exception generators by inserting NOPs into the code stream, with commentary?

Comment 2

[Marty Rosenberg [:mjrosenb]]

Attachment: /home/mrosenberg/patches/fixFunctionCheck-r1.patch