268713 2024-02-04 03:27:11 -0800 OSAllocator::tryReserveUncommittedAligned() does not detect mmap failures 2024-02-06 13:34:25 -0800 1 1 1 Unclassified WebKit Platform WebKit Nightly Build Other Other RESOLVED FIXED InRadar P2 Normal --- 1 e2lahav keith_miller webkit-bug-importer oldest_to_newest 2010477 0 e2lahav 2024-02-04 03:27:11 -0800 The code for allocating an aligned region in the absence of a dedicated API, first calls mmap() to allocate a large range, and then munmap() for trimming it. If mmap() fails (which is quite possible given the initial large value) then tryReserveCommitted() returns nullptr. However, tryReserveUncommittedAligned() does not catch that, and proceeds to call munmap() on a large range it never mapped (4G,4G). On QNX this ended up unmapping most of the shared libraries from under the process. 2010704 1 ap 2024-02-05 09:26:25 -0800 From reading the code, iOS open source builds also take this code path. Surprisingly, we don't seem to have seen any bad consequences. 2010714 2 e2lahav 2024-02-05 09:39:00 -0800 There are a couple of preconditions before you can observe something bad happening: 1. The mmap() call needs to fail. I don't know what flavour of mmap() is used in the iOS version, but if it is lazy it may never fail. In QNX, with the existing code, it is asking for 8GB of fully-allocated memory. 2. The munmap() call needs to hit something that is already allocated. 2010743 3 webkit-bug-importer 2024-02-05 11:18:32 -0800 <rdar://problem/122325706> 2010745 4 keith_miller 2024-02-05 11:22:44 -0800 Pull request: https://github.com/WebKit/WebKit/pull/23875 2011141 5 ews-feeder 2024-02-06 13:33:52 -0800 Committed 274171@main (c4f8b92246b4): <https://commits.webkit.org/274171@main> Reviewed commits have been landed. Closing PR #23831 and removing active labels.