heap: Trace unsafe stack when building with safe-stack enabled.

Bug: 821951
Change-Id: I1ad389c5092411f72d636fbdd5060d99d1be6fac
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2023653
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/master@{#743022}

third_party/blink/renderer/platform/heap/thread_state.cc

@@ -379,7 +379,9 @@ void ThreadState::VisitAsanFakeStackForPointer(MarkingVisitor* visitor,
 NO_SANITIZE_ADDRESS
 NO_SANITIZE_HWADDRESS
 NO_SANITIZE_THREAD
-void ThreadState::VisitStack(MarkingVisitor* visitor, Address* end_of_stack) {
+void ThreadState::VisitStackImpl(MarkingVisitor* visitor,
+                                 Address* start_of_stack,
+                                 Address* end_of_stack) {
   DCHECK_EQ(current_gc_data_.stack_state, BlinkGC::kHeapPointersOnStack);
 
   // Ensure that current is aligned by address size otherwise the loop below
@@ -387,7 +389,7 @@ void ThreadState::VisitStack(MarkingVisitor* visitor, Address* end_of_stack) {
   Address* current = reinterpret_cast<Address*>(
       reinterpret_cast<intptr_t>(end_of_stack) & ~(sizeof(Address) - 1));
 
-  for (; current < start_of_stack_; ++current) {
+  for (; current < start_of_stack; ++current) {
     Address ptr = *current;
 #if defined(MEMORY_SANITIZER)
     // |ptr| may be uninitialized by design. Mark it as initialized to keep
@@ -398,10 +400,22 @@ void ThreadState::VisitStack(MarkingVisitor* visitor, Address* end_of_stack) {
     __msan_unpoison(&ptr, sizeof(ptr));
 #endif
     heap_->CheckAndMarkPointer(visitor, ptr);
-    VisitAsanFakeStackForPointer(visitor, ptr, start_of_stack_, end_of_stack);
+    VisitAsanFakeStackForPointer(visitor, ptr, start_of_stack, end_of_stack);
   }
 }
 
+void ThreadState::VisitStack(MarkingVisitor* visitor, Address* end_of_stack) {
+  VisitStackImpl(visitor, start_of_stack_, end_of_stack);
+}
+
+void ThreadState::VisitUnsafeStack(MarkingVisitor* visitor) {
+#if HAS_FEATURE(safe_stack)
+  VisitStackImpl(visitor,
+                 static_cast<Address*>(__builtin___get_unsafe_stack_top()),
+                 static_cast<Address*>(__builtin___get_unsafe_stack_ptr()));
+#endif  // HAS_FEATURE(safe_stack)
+}
+
 void ThreadState::VisitDOMWrappers(Visitor* visitor) {
   if (v8_trace_roots_) {
     ThreadHeapStatsCollector::Scope stats_scope(
@@ -1042,7 +1056,10 @@ void ThreadState::PushRegistersAndVisitStack() {
   DCHECK(CheckThread());
   DCHECK(IsGCForbidden());
   DCHECK_EQ(current_gc_data_.stack_state, BlinkGC::kHeapPointersOnStack);
+  // Visit registers, native stack, and asan fake stack.
   PushAllRegisters(this, ThreadState::VisitStackAfterPushingRegisters);
+  // For builds that use safe stack, also visit the unsafe stack.
+  VisitUnsafeStack(static_cast<MarkingVisitor*>(CurrentVisitor()));
 }
 
 void ThreadState::AddObserver(BlinkGCObserver* observer) {

third_party/blink/renderer/platform/heap/thread_state.h

@@ -478,7 +478,9 @@ class PLATFORM_EXPORT ThreadState final {
 
   // Visit local thread stack and trace all pointers conservatively. Never call
   // directly but always call through |PushRegistersAndVisitStack|.
+  void VisitStackImpl(MarkingVisitor*, Address*, Address*);
   void VisitStack(MarkingVisitor*, Address*);
+  void VisitUnsafeStack(MarkingVisitor*);
 
   // Visit the asan fake stack frame corresponding to a slot on the real machine
   // stack if there is one. Never call directly but always call through