From ead8b4bea6f9d7d211722786dcb65212923fa35d Mon Sep 17 00:00:00 2001
From: "mikhail.naganov@gmail.com"
Date: Wed, 1 Sep 2010 13:08:39 +0000
Subject: [PATCH] Fix memory overrun possibility during tick samples processing.

This really can cause crash described in crbug/51919.

BUG=51919
TEST=NONE

Review URL: http://codereview.chromium.org/3334001

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5391 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/cpu-profiler.cc | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/cpu-profiler.cc b/src/cpu-profiler.cc
index c0ed929..4248a64 100644
--- a/src/cpu-profiler.cc
+++ b/src/cpu-profiler.cc
@@ -235,8 +235,19 @@ bool ProfilerEventsProcessor::ProcessTicks(unsigned dequeue_order) {
     const TickSampleEventRecord* rec =
         TickSampleEventRecord::cast(ticks_buffer_.StartDequeue());
     if (rec == NULL) return !ticks_from_vm_buffer_.IsEmpty();
-    if (rec->order == dequeue_order) {
-      generator_->RecordTickSample(rec->sample);
+    // Make a local copy of tick sample record to ensure that it won't
+    // be modified as we are processing it. This is possible as the
+    // sampler writes w/o any sync to the queue, so if the processor
+    // will get far behind, a record may be modified right under its
+    // feet.
+    TickSampleEventRecord record = *rec;
+    if (record.order == dequeue_order) {
+      // A paranoid check to make sure that we don't get a memory overrun
+      // in case of frames_count having a wild value.
+      if (record.sample.frames_count < 0
+          || record.sample.frames_count >= TickSample::kMaxFramesCount)
+        record.sample.frames_count = 0;
+      generator_->RecordTickSample(record.sample);
       ticks_buffer_.FinishDequeue();
     } else {
       return true;
-- 
2.7.4
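Review bot: The struct copy `TickSampleEventRecord record = *rec;` is itself an unsynchronized read of memory the sampler may be writing concurrently, so the local copy can still be torn — `frames_count` and the frame array may come from two different samples — and the clamp that follows only bounds the count, not the consistency of the frames. That is enough to stop the overrun this commit targets, but the comment on the copy should say so, e.g. `// NOTE: the copy is unsynchronized too; it may be torn, so treat every field of record.sample as untrusted — frames_count is clamped below and RecordTickSample must index only within it.`. The clamp also keeps the sample rather than dropping it, so a corrupted record is still attributed as a zero-frame tick; if profile accuracy matters more than sample count, skipping the `RecordTickSample` call for a wild `frames_count` and only doing `FinishDequeue()` would be the stricter choice. The `frames_count < 0` half of the check presumes the field is signed — if `TickSample::frames_count` is unsigned that comparison is dead and the compiler will warn, so it is worth confirming against the declaration, which is not visible here. `ProcessTicks` begins before this hunk and continues past it.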