22974 2008-12-22 22:05:56 -0800 Fix rounding / bounds / signed comparison bug in ExecutableAllocator. 2008-12-22 23:09:18 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED P2 Normal --- 1 barraclough barraclough oldest_to_newest 103271 0 barraclough 2008-12-22 22:05:56 -0800 ExecutableAllocator ::alloc assumed that m_freePtr would be aligned. This was not always true, since the first allocation from an additional pool would not be rounded up. Subsequent allocations would be unaligned, and too much memory could be erroneously allocated from the pool, when the size requested was available, but the size rounded up to word granularity was not available in the pool. This may result in the value of m_freePtr being greater than m_end. Under these circumstances, the unsigned check for space will always pass, resulting in pointers to memory outside of the arena being returned, and ultimately segfaulty goodness when attempting to memcpy the hot freshly jitted code from the AssemblerBuffer. 103272 1 26224 barraclough 2008-12-22 22:11:44 -0800 Created attachment 26224 The patch 103273 2 26224 oliver 2008-12-22 22:18:19 -0800 Comment on attachment 26224 The patch ASSERT(m_freePtr < m_end); should be ASSERT(m_freePtr <= m_end); 103274 3 barraclough 2008-12-22 23:09:18 -0800 Sending JavaScriptCore/ChangeLog Sending JavaScriptCore/jit/ExecutableAllocator.h Transmitting file data .. Committed revision 39450. 26224 2008-12-22 22:11:44 -0800 2008-12-22 22:18:19 -0800 The patch patch.allocfix.txt text/plain 4103 barraclough SW5kZXg6IGppdC9FeGVjdXRhYmxlQWxsb2NhdG9yLmgKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gaml0L0V4ZWN1 dGFibGVBbGxvY2F0b3IuaAkocmV2aXNpb24gMzk0MjEpCisrKyBqaXQvRXhlY3V0YWJsZUFsbG9j YXRvci5oCSh3b3JraW5nIGNvcHkpCkBAIC0zNSw3ICszNSw3IEBACiAKICNpbmNsdWRlIDxsaW1p dHM+CiAKLSNkZWZpbmUgSklUX0FMTE9DQVRPUl9QQUdFX01BU0sgKEV4ZWN1dGFibGVBbGxvY2F0 b3I6OnBhZ2VTaXplIC0gMSkKKyNkZWZpbmUgSklUX0FMTE9DQVRPUl9QQUdFX1NJWkUgKEV4ZWN1 dGFibGVBbGxvY2F0b3I6OnBhZ2VTaXplKQogI2RlZmluZSBKSVRfQUxMT0NBVE9SX0xBUkdFX0FM TE9DX1NJWkUgKEV4ZWN1dGFibGVBbGxvY2F0b3I6OnBhZ2VTaXplICogNCkKIAogbmFtZXNwYWNl IEpTQyB7CkBAIC01NiwxMCArNTYsMTUgQEAgcHVibGljOgogCiAgICAgdm9pZCogYWxsb2Moc2l6 ZV90IG4pCiAgICAgewotICAgICAgICBpZiAobiA8IHN0YXRpY19jYXN0PHNpemVfdD4obV9lbmQg LSBtX2ZyZWVQdHIpKSB7Ci0gICAgICAgICAgICBjaGFyKiByZXN1bHQgPSBtX2ZyZWVQdHI7Ci0g ICAgICAgICAgICAvLyBlbnN1cmUgbV9mcmVlUHRyIGlzIHdvcmQgYWxpZ25lZC4KLSAgICAgICAg ICAgIG1fZnJlZVB0ciArPSBuICsgKHNpemVvZih2b2lkKikgLSBuICYgKHNpemVvZih2b2lkKikg LSAxKSk7CisgICAgICAgIEFTU0VSVChtX2ZyZWVQdHIgPCBtX2VuZCk7CisKKyAgICAgICAgLy8g Um91bmQgJ24nIHVwIHRvIGEgbXVsdGlwbGUgb2Ygd29yZCBzaXplOyBpZiBhbGwgYWxsb2NhdGlv bnMgYXJlIG9mCisgICAgICAgIC8vIHdvcmQgc2l6ZWQgcXVhbnRpdGllcywgdGhlbiBhbGwgc3Vi c2VxdWVudCBhbGxvY2F0aW9ucyB3aWxsIGJlIGFsaWduZWQuCisgICAgICAgIG4gPSByb3VuZFVw QWxsb2NhdGlvblNpemUobiwgc2l6ZW9mKHZvaWQqKSk7CisKKyAgICAgICAgaWYgKHN0YXRpY19j YXN0PHB0cmRpZmZfdD4obikgPCAobV9lbmQgLSBtX2ZyZWVQdHIpKSB7CisgICAgICAgICAgICB2 b2lkKiByZXN1bHQgPSBtX2ZyZWVQdHI7CisgICAgICAgICAgICBtX2ZyZWVQdHIgKz0gbjsKICAg ICAgICAgICAgIHJldHVybiByZXN1bHQ7CiAgICAgICAgIH0KIApAQCAtODEsMzcgKzg2LDIxIEBA IHByaXZhdGU6CiAgICAgc3RhdGljIEFsbG9jYXRpb24gc3lzdGVtQWxsb2Moc2l6ZV90IG4pOwog ICAgIHN0YXRpYyB2b2lkIHN5c3RlbVJlbGVhc2UoY29uc3QgQWxsb2NhdGlvbiYgYWxsb2MpOwog Ci0gICAgRXhlY3V0YWJsZVBvb2woc2l6ZV90IG4pCisgICAgaW5saW5lIHNpemVfdCByb3VuZFVw QWxsb2NhdGlvblNpemUoc2l6ZV90IHJlcXVlc3QsIHNpemVfdCBncmFudWxhcml0eSkKICAgICB7 Ci0gICAgICAgIHNpemVfdCBhbGxvY1NpemUgPSBzaXplRm9yQWxsb2NhdGlvbihuKTsKLSAgICAg ICAgQWxsb2NhdGlvbiBtZW0gPSBzeXN0ZW1BbGxvYyhhbGxvY1NpemUpOwotICAgICAgICBtX3Bv b2xzLmFwcGVuZChtZW0pOwotICAgICAgICBtX2ZyZWVQdHIgPSBtZW0ucGFnZXM7Ci0gICAgICAg IGlmICghbV9mcmVlUHRyKQotICAgICAgICAgICAgQ1JBU0goKTsgLy8gRmFpbGVkIHRvIGFsbG9j YXRlCi0gICAgICAgIG1fZW5kID0gbV9mcmVlUHRyICsgYWxsb2NTaXplOworICAgICAgICBpZiAo KHN0ZDo6bnVtZXJpY19saW1pdHM8c2l6ZV90Pjo6bWF4KCkgLSBncmFudWxhcml0eSkgPD0gcmVx dWVzdCkKKyAgICAgICAgICAgIENSQVNIKCk7IC8vIEFsbG9jYXRpb24gaXMgdG9vIGxhcmdlCisg ICAgICAgIAorICAgICAgICAvLyBSb3VuZCB1cCB0byBuZXh0IHBhZ2UgYm91bmRhcnkKKyAgICAg ICAgc2l6ZV90IHNpemUgPSByZXF1ZXN0ICsgKGdyYW51bGFyaXR5IC0gMSk7CisgICAgICAgIHNp emUgPSBzaXplICYgfihncmFudWxhcml0eSAtIDEpOworICAgICAgICBBU1NFUlQoc2l6ZSA+PSBy ZXF1ZXN0KTsKKyAgICAgICAgcmV0dXJuIHNpemU7CiAgICAgfQogCi0gICAgc3RhdGljIGlubGlu ZSBzaXplX3Qgc2l6ZUZvckFsbG9jYXRpb24oc2l6ZV90IHJlcXVlc3QpOwotCi0gICAgdm9pZCog cG9vbEFsbG9jYXRlKHNpemVfdCBuKQotICAgIHsKLSAgICAgICAgc2l6ZV90IGFsbG9jU2l6ZSA9 IHNpemVGb3JBbGxvY2F0aW9uKG4pOwotICAgICAgICAKLSAgICAgICAgQWxsb2NhdGlvbiByZXN1 bHQgPSBzeXN0ZW1BbGxvYyhhbGxvY1NpemUpOwotICAgICAgICBpZiAoIXJlc3VsdC5wYWdlcykK LSAgICAgICAgICAgIENSQVNIKCk7IC8vIEZhaWxlZCB0byBhbGxvY2F0ZQotICAgICAgICAKLSAg ICAgICAgQVNTRVJUKG1fZW5kID49IG1fZnJlZVB0cik7Ci0gICAgICAgIGlmICgoYWxsb2NTaXpl IC0gbikgPiBzdGF0aWNfY2FzdDxzaXplX3Q+KG1fZW5kIC0gbV9mcmVlUHRyKSkgewotICAgICAg ICAgICAgLy8gUmVwbGFjZSBhbGxvY2F0aW9uIHBvb2wKLSAgICAgICAgICAgIG1fZnJlZVB0ciA9 IHJlc3VsdC5wYWdlcyArIG47Ci0gICAgICAgICAgICBtX2VuZCA9IHJlc3VsdC5wYWdlcyArIGFs bG9jU2l6ZTsKLSAgICAgICAgfQorICAgIEV4ZWN1dGFibGVQb29sKHNpemVfdCBuKTsKIAotICAg ICAgICBtX3Bvb2xzLmFwcGVuZChyZXN1bHQpOwotICAgICAgICByZXR1cm4gcmVzdWx0LnBhZ2Vz OwotICAgIH0KKyAgICB2b2lkKiBwb29sQWxsb2NhdGUoc2l6ZV90IG4pOwogCiAgICAgY2hhciog bV9mcmVlUHRyOwogICAgIGNoYXIqIG1fZW5kOwpAQCAtMTUzLDE2ICsxNDIsMzQgQEAgcHJpdmF0 ZToKICAgICBzdGF0aWMgdm9pZCBpbnRpYWxpemVQYWdlU2l6ZSgpOwogfTsKIAotaW5saW5lIHNp emVfdCBFeGVjdXRhYmxlUG9vbDo6c2l6ZUZvckFsbG9jYXRpb24oc2l6ZV90IHJlcXVlc3QpCitp bmxpbmUgRXhlY3V0YWJsZVBvb2w6OkV4ZWN1dGFibGVQb29sKHNpemVfdCBuKQoreworICAgIHNp emVfdCBhbGxvY1NpemUgPSByb3VuZFVwQWxsb2NhdGlvblNpemUobiwgSklUX0FMTE9DQVRPUl9Q QUdFX1NJWkUpOworICAgIEFsbG9jYXRpb24gbWVtID0gc3lzdGVtQWxsb2MoYWxsb2NTaXplKTsK KyAgICBtX3Bvb2xzLmFwcGVuZChtZW0pOworICAgIG1fZnJlZVB0ciA9IG1lbS5wYWdlczsKKyAg ICBpZiAoIW1fZnJlZVB0cikKKyAgICAgICAgQ1JBU0goKTsgLy8gRmFpbGVkIHRvIGFsbG9jYXRl CisgICAgbV9lbmQgPSBtX2ZyZWVQdHIgKyBhbGxvY1NpemU7Cit9CisKK2lubGluZSB2b2lkKiBF eGVjdXRhYmxlUG9vbDo6cG9vbEFsbG9jYXRlKHNpemVfdCBuKQogewotICAgIGlmICgoc3RkOjpu dW1lcmljX2xpbWl0czxzaXplX3Q+OjptYXgoKSAtIEV4ZWN1dGFibGVBbGxvY2F0b3I6OnBhZ2VT aXplKSA8PSByZXF1ZXN0KQotICAgICAgICBDUkFTSCgpOyAvLyBBbGxvY2F0aW9uIGlzIHRvbyBs YXJnZQorICAgIHNpemVfdCBhbGxvY1NpemUgPSByb3VuZFVwQWxsb2NhdGlvblNpemUobiwgSklU X0FMTE9DQVRPUl9QQUdFX1NJWkUpOwogICAgIAotICAgIC8vIFJvdW5kIHVwIHRvIG5leHQgcGFn ZSBib3VuZGFyeQotICAgIHNpemVfdCBzaXplID0gcmVxdWVzdCArIEpJVF9BTExPQ0FUT1JfUEFH RV9NQVNLOwotICAgIHNpemUgPSBzaXplICYgfkpJVF9BTExPQ0FUT1JfUEFHRV9NQVNLOwotICAg IEFTU0VSVChzaXplID49IHJlcXVlc3QpOwotICAgIHJldHVybiBzaXplOworICAgIEFsbG9jYXRp b24gcmVzdWx0ID0gc3lzdGVtQWxsb2MoYWxsb2NTaXplKTsKKyAgICBpZiAoIXJlc3VsdC5wYWdl cykKKyAgICAgICAgQ1JBU0goKTsgLy8gRmFpbGVkIHRvIGFsbG9jYXRlCisgICAgCisgICAgQVNT RVJUKG1fZW5kID49IG1fZnJlZVB0cik7CisgICAgaWYgKChhbGxvY1NpemUgLSBuKSA+IHN0YXRp Y19jYXN0PHNpemVfdD4obV9lbmQgLSBtX2ZyZWVQdHIpKSB7CisgICAgICAgIC8vIFJlcGxhY2Ug YWxsb2NhdGlvbiBwb29sCisgICAgICAgIG1fZnJlZVB0ciA9IHJlc3VsdC5wYWdlcyArIG47Cisg ICAgICAgIG1fZW5kID0gcmVzdWx0LnBhZ2VzICsgYWxsb2NTaXplOworICAgIH0KKworICAgIG1f cG9vbHMuYXBwZW5kKHJlc3VsdCk7CisgICAgcmV0dXJuIHJlc3VsdC5wYWdlczsKIH0KIAogfQo=