[tor-commits] [sandboxed-tor-browser/master] Bug 25154: Fix a content process crash on JS heavy pages.

Fri Mar 23 03:01:06 UTC 2018

commit bec4340f2083dcc5779859cee26d6809f7def083
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Fri Mar 23 02:56:54 2018 +0000

    Bug 25154: Fix a content process crash on JS heavy pages.
    
    This fixes ln5's test case.  Couldn't reproduce arma's, but I'll admit I
    didn't try very hard since the other page was consistently crashing.
---
 ChangeLog               |  1 +
 src/tbb_stub/tbb_stub.c | 30 +++++++++++++++++++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 204f13b..c62066d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 Changes in version 0.0.17 - UNRELEASED:
+ * Bug 25154: Fix a content process crash on JS heavy pages.
  * dynlib: Search the system library path(s) as the last resort.
 
 Changes in version 0.0.16 - 2017-11-24:
diff --git a/src/tbb_stub/tbb_stub.c b/src/tbb_stub/tbb_stub.c
index 01528fe..7b57cbb 100644
--- a/src/tbb_stub/tbb_stub.c
+++ b/src/tbb_stub/tbb_stub.c
@@ -42,6 +42,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
+#include <inttypes.h>
 
 static int (*real_connect)(int, const struct sockaddr *, socklen_t) = NULL;
 static int (*real_socket)(int, int, int) = NULL;
@@ -49,7 +50,7 @@ static void *(*real_dlopen)(const char *, int) = NULL;
 static int (*real_pthread_attr_getstack)(const pthread_attr_t *, void **, size_t *);
 static struct sockaddr_un socks_addr;
 static struct sockaddr_un control_addr;
-
+extern char **environ;
 
 #define SYSTEM_SOCKS_PORT 9050
 #define SYSTEM_CONTROL_PORT 9051
@@ -234,7 +235,7 @@ pthread_attr_getstack(const pthread_attr_t *attr, void **stackaddr, size_t *stac
 
 #if 0
   fprintf(stderr, "tbb_stub: pthread_attr_getstack(%p, %p, %p) = %d\n", attr, stackaddr, stacksize, ret);
-  fprintf(stderr, "tbb_stub:  stackaddr: %p\n", stackaddr);
+  fprintf(stderr, "tbb_stub:  stackaddr: %p\n", *stackaddr);
   fprintf(stderr, "tbb_stub:  stacksize: %ld\n", *stacksize);
 #endif
 
@@ -275,8 +276,31 @@ pthread_attr_getstack(const pthread_attr_t *attr, void **stackaddr, size_t *stac
     *stacksize = rl.rlim_cur;
   }
 
+  /* There is no easy way to derive this information, so do it the hard way. */
+  if (*stackaddr == NULL) {
+    /* WARNING: The arguments/env vars live on the stack, and are not
+     * separate, so the result will be incorrect if more than a page
+     * will be consumed, by up to 31 pages.
+     */
+    uintptr_t estimated_stackaddr = (uintptr_t)environ;
+    estimated_stackaddr &= ~(4096-1);
+    estimated_stackaddr += 4096;
+    estimated_stackaddr -= *stacksize;
+
+    /* And check to see if the derived value is sane.  In the case of
+     * Firefox, it's total garbage and insanity for the main process,
+     * but correct for the content processes, which is where the crash
+     * will happen.
+     */
+    uintptr_t p = (uintptr_t)&estimated_stackaddr;
+    if (p > estimated_stackaddr && p < estimated_stackaddr+*stacksize) {
+      *stackaddr = (void*)estimated_stackaddr;
+    }
+  }
+
 #if 0
-  fprintf(stderr, "tbb_stub: Fallback stacksize: %ld\n", *stacksize);
+  fprintf(stderr, "tbb_stub: fallback stackaddr: %p\n", *stackaddr);
+  fprintf(stderr, "tbb_stub: fallback stacksize: %ld\n", *stacksize);
 #endif
 
   return ret;

