Make x86-64 frame pointer unwinding stricter

src/processor/stackwalker_amd64.cc

 // Copyright (c) 2010 Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 146 matching lines @@
   // If the new stack pointer is at a lower address than the old, then
   // that's clearly incorrect. Treat this as end-of-stack to enforce
   // progress and avoid infinite loops.
   if (caller_rsp < callee_rsp) {
     return true;
   }
 
   return false;
 }
 
+// Returns true if `ptr` is not in x86-64 canonical form.
+// https://en.wikipedia.org/wiki/X86-64#Virtual_address_space_details
+static bool is_non_canonical(uint64_t ptr) {
+  return ptr > 0x7FFFFFFFFFFF && ptr < 0xFFFF800000000000;
+}
+
 StackFrameAMD64* StackwalkerAMD64::GetCallerByFramePointerRecovery(
     const vector<StackFrame*>& frames) {
   StackFrameAMD64* last_frame = static_cast<StackFrameAMD64*>(frames.back());
   uint64_t last_rsp = last_frame->context.rsp;
   uint64_t last_rbp = last_frame->context.rbp;
 
   // Assume the presence of a frame pointer. This is not mandated by the
   // AMD64 ABI, c.f. section 3.2.2 footnote 7, though it is typical for
   // compilers to still preserve the frame pointer and not treat %rbp as a
   // general purpose register.
   //
   // With this assumption, the CALL instruction pushes the return address
   // onto the stack and sets %rip to the procedure to enter. The procedure
   // then establishes the stack frame with a prologue that PUSHes the current
   // %rbp onto the stack, MOVes the current %rsp to %rbp, and then allocates
   // space for any local variables. Using this procedure linking information,
   // it is possible to locate frame information for the callee:
   //
   // %caller_rsp = *(%callee_rbp + 16)
   // %caller_rip = *(%callee_rbp + 8)
   // %caller_rbp = *(%callee_rbp)
 
+  // If rbp is not 8-byte aligned it can't be a frame pointer.
+  if (last_rbp % 8 != 0) {
+    return NULL;
+  }
+
   uint64_t caller_rip, caller_rbp;
   if (memory_->GetMemoryAtAddress(last_rbp + 8, &caller_rip) &&
       memory_->GetMemoryAtAddress(last_rbp, &caller_rbp)) {
     uint64_t caller_rsp = last_rbp + 16;
 
+    // If the recovered rip is not a canonical address it can't be
+    // the return address, so rbp must not have been a frame pointer.
+    if (is_non_canonical(caller_rip)) {
+      return NULL;
+    }
+
     // Simple sanity check that the stack is growing downwards as expected.
     if (IsEndOfStack(caller_rip, caller_rsp, last_rsp) ||
         caller_rbp < last_rbp) {
       // Reached end-of-stack or stack is not growing downwards.
       return NULL;
     }
 
     StackFrameAMD64* frame = new StackFrameAMD64();
     frame->trust = StackFrame::FRAME_TRUST_FP;
     frame->context = last_frame->context;
@@ skipping 110 matching lines @@
   // after the CALL that caused us to arrive at the callee. Set
   // new_frame->instruction to one less than that, so it points within the
   // CALL instruction. See StackFrame::instruction for details, and
   // StackFrameAMD64::ReturnAddress.
   new_frame->instruction = new_frame->context.rip - 1;
 
   return new_frame.release();
 }
 
 }  // namespace google_breakpad