82087 2012-03-23 13:58:23 -0700 tryReallocate could break the zero-ed memory invariant of CopiedBlocks 2012-03-24 10:25:49 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 mhahnenberg mhahnenberg fpizlo ggaren webkit.review.bot oldest_to_newest 586704 0 mhahnenberg 2012-03-23 13:58:23 -0700 When we call tryReallocate, it resets the offset in the CopiedAllocator if the things we're trying to reallocate was the last thing we allocated out of the block. It then tries to allocate the new larger size out of the CopiedAllocator as if it had never done the old allocation in the first place. This prevents us having to copy if we hit this case. If the new size is too big, however, we will just go on and allocate a new block by calling tryAllocate. This leaves the old dirty allocation in the block without resetting our current offset. tryAllocate, however, could cause a GC to occur. If the block that we just abandoned with dirty memory is pinned during the GC, we will keep it around and put it back into to-space after the collection. In fact, it could become the new "head" allocation block since pinned blocks are pushed onto the front of the new to-space after copying has completed (see CopiedSpace::doneCopying()). If this happens, we will use this dirty space for any new allocations out of the block. However, these allocations are supposed to be guaranteed that their memory is clear when they receive it. Thus, we could end up with bogus dirty memory at the tail end of whatever space we're allocating, which, if another GC runs, will cause us to crash by trying to access stale/possibly dead objects. The fix for this is simply to reset the offset in the CopiedAllocator back to where it started if we fail to allocate from the current block during our reallocate optimization. This way, if the block is pinned and makes it to the head of our new to-space after a collection, we will start off allocating from a known clean offset. 586721 1 133556 mhahnenberg 2012-03-23 14:10:42 -0700 Created attachment 133556 Patch 586805 2 133556 ggaren 2012-03-23 15:30:53 -0700 Comment on attachment 133556 Patch I think you can simplify this code, like so: if (m_allocator.wasLastAllocation(oldPtr, oldSize)) { size_t delta = newSize - oldSize; if (m_allocator.fitsInCurrentBlock(delta)) { m_allocator.allocate(delta)) return oldPtr; } } 586856 3 133586 mhahnenberg 2012-03-23 16:32:24 -0700 Created attachment 133586 Patch 586931 4 133602 mhahnenberg 2012-03-23 18:03:16 -0700 Created attachment 133602 Patch 586933 5 133602 fpizlo 2012-03-23 18:03:45 -0700 Comment on attachment 133602 Patch R=me. 586991 6 133602 webkit.review.bot 2012-03-23 20:12:04 -0700 Comment on attachment 133602 Patch Clearing flags on attachment: 133602 Committed r111973: <http://trac.webkit.org/changeset/111973> 586992 7 webkit.review.bot 2012-03-23 20:12:08 -0700 All reviewed patches have been landed. Closing bug. 587136 8 mhahnenberg 2012-03-24 10:25:49 -0700 <rdar://problem/10884040> 133556 2012-03-23 14:10:42 -0700 2012-03-23 16:32:21 -0700 Patch bug-82087-20120323141041.patch text/plain 1735 mhahnenberg U3VidmVyc2lvbiBSZXZpc2lvbjogMTExODc3CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCA4 N2JmYzFhM2VlYWM0NDliNTM0ZjcyYmQ2ZjQwNGJlYTg2ODMwZjhjLi42YWNkMTZjOTBjNDVmNzBh ZWJkNGU1YjczMjJmYjhhOThkOTY2ZmNiIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs NSArMSwxOSBAQAogMjAxMi0wMy0yMyAgTWFyayBIYWhuZW5iZXJnICA8bWhhaG5lbmJlcmdAYXBw bGUuY29tPgogCisgICAgICAgIHRyeVJlYWxsb2NhdGUgY291bGQgYnJlYWsgdGhlIHplcm8tZWQg bWVtb3J5IGludmFyaWFudCBvZiBDb3BpZWRCbG9ja3MKKyAgICAgICAgaHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTgyMDg3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9C T0RZIChPT1BTISkuCisKKyAgICAgICAgUmVtb3ZpbmcgdGhpcyBvcHRpbWl6YXRpb24gdHVybmVk IG91dCB0byBiZSB+MSUgcmVncmVzc2lvbiBvbiBrcmFrZW4sIHNvIEkgc2ltcGx5IAorICAgICAg ICB1bmRpZCB0aGUgbW9kaWZpY2F0aW9uIHRvIHRoZSBjdXJyZW50IGJsb2NrIGlmIHdlIGZhaWwu CisKKyAgICAgICAgKiBoZWFwL0NvcGllZFNwYWNlLmNwcDoKKyAgICAgICAgKEpTQzo6Q29waWVk U3BhY2U6OnRyeVJlYWxsb2NhdGUpOiBVbmRpZCB0aGUgcmVzZXQgaW4gdGhlIENvcGllZEFsbG9j YXRvciBpZiB3ZSBmYWlsIAorICAgICAgICB0byByZWFsbG9jYXRlIGZyb20gdGhlIGN1cnJlbnQg YmxvY2suCisKKzIwMTItMDMtMjMgIE1hcmsgSGFobmVuYmVyZyAgPG1oYWhuZW5iZXJnQGFwcGxl LmNvbT4KKwogICAgICAgICBTaW1wbGlmeSBtZW1vcnkgdXNhZ2UgdHJhY2tpbmcgaW4gQ29waWVk U3BhY2UKICAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTgw NzA1CiAKZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9oZWFwL0NvcGllZFNwYWNl LmNwcCBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9oZWFwL0NvcGllZFNwYWNlLmNwcAppbmRleCA3 ODQ0MTk4YThkNWVmZGRmYTA2YTkxMzdlMmI1YTc2ZDFiOTgxNWVlLi43NTZhY2JkY2Q1ODcwZTI3 YzhjMTBlZGE0NzFlYjk0ZjJjN2QwMTdkIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvaGVhcC9Db3BpZWRTcGFjZS5jcHAKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL2hlYXAv Q29waWVkU3BhY2UuY3BwCkBAIC0xMDMsNiArMTAzLDggQEAgQ2hlY2tlZEJvb2xlYW4gQ29waWVk U3BhY2U6OnRyeVJlYWxsb2NhdGUodm9pZCoqIHB0ciwgc2l6ZV90IG9sZFNpemUsIHNpemVfdCBu ZXcKICAgICAgICAgbV9hbGxvY2F0b3IucmVzZXRMYXN0QWxsb2NhdGlvbihvbGRQdHIpOwogICAg ICAgICBpZiAobV9hbGxvY2F0b3IuZml0c0luQ3VycmVudEJsb2NrKG5ld1NpemUpKQogICAgICAg ICAgICAgcmV0dXJuIG1fYWxsb2NhdG9yLmFsbG9jYXRlKG5ld1NpemUpOworICAgICAgICAvLyBX ZSByZWFsbG9jYXRlIGhlcmUgdG8gZ2V0IHRoZSBvZmZzZXQgYmFjayB0byB0aGUgcmlnaHQgcGxh Y2UuCisgICAgICAgICh2b2lkKW1fYWxsb2NhdG9yLmFsbG9jYXRlKG9sZFNpemUpOwogICAgIH0K IAogICAgIHZvaWQqIHJlc3VsdCA9IDA7Cg== 133586 2012-03-23 16:32:24 -0700 2012-03-23 18:03:13 -0700 Patch bug-82087-20120323163223.patch text/plain 1921 mhahnenberg U3VidmVyc2lvbiBSZXZpc2lvbjogMTExODc3CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCA4 N2JmYzFhM2VlYWM0NDliNTM0ZjcyYmQ2ZjQwNGJlYTg2ODMwZjhjLi42YWNkMTZjOTBjNDVmNzBh ZWJkNGU1YjczMjJmYjhhOThkOTY2ZmNiIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs NSArMSwxOSBAQAogMjAxMi0wMy0yMyAgTWFyayBIYWhuZW5iZXJnICA8bWhhaG5lbmJlcmdAYXBw bGUuY29tPgogCisgICAgICAgIHRyeVJlYWxsb2NhdGUgY291bGQgYnJlYWsgdGhlIHplcm8tZWQg bWVtb3J5IGludmFyaWFudCBvZiBDb3BpZWRCbG9ja3MKKyAgICAgICAgaHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTgyMDg3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9C T0RZIChPT1BTISkuCisKKyAgICAgICAgUmVtb3ZpbmcgdGhpcyBvcHRpbWl6YXRpb24gdHVybmVk IG91dCB0byBiZSB+MSUgcmVncmVzc2lvbiBvbiBrcmFrZW4sIHNvIEkgc2ltcGx5IAorICAgICAg ICB1bmRpZCB0aGUgbW9kaWZpY2F0aW9uIHRvIHRoZSBjdXJyZW50IGJsb2NrIGlmIHdlIGZhaWwu CisKKyAgICAgICAgKiBoZWFwL0NvcGllZFNwYWNlLmNwcDoKKyAgICAgICAgKEpTQzo6Q29waWVk U3BhY2U6OnRyeVJlYWxsb2NhdGUpOiBVbmRpZCB0aGUgcmVzZXQgaW4gdGhlIENvcGllZEFsbG9j YXRvciBpZiB3ZSBmYWlsIAorICAgICAgICB0byByZWFsbG9jYXRlIGZyb20gdGhlIGN1cnJlbnQg YmxvY2suCisKKzIwMTItMDMtMjMgIE1hcmsgSGFobmVuYmVyZyAgPG1oYWhuZW5iZXJnQGFwcGxl LmNvbT4KKwogICAgICAgICBTaW1wbGlmeSBtZW1vcnkgdXNhZ2UgdHJhY2tpbmcgaW4gQ29waWVk U3BhY2UKICAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTgw NzA1CiAKZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9oZWFwL0NvcGllZFNwYWNl LmNwcCBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9oZWFwL0NvcGllZFNwYWNlLmNwcAppbmRleCA3 ODQ0MTk4YThkNWVmZGRmYTA2YTkxMzdlMmI1YTc2ZDFiOTgxNWVlLi45NDg4ZWNiZWYwNDAzZWUx OTU0MTBlYWRhNmQwNGIzZDZiMmZlYzYyIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvaGVhcC9Db3BpZWRTcGFjZS5jcHAKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL2hlYXAv Q29waWVkU3BhY2UuY3BwCkBAIC0xMDAsOSArMTAwLDExIEBAIENoZWNrZWRCb29sZWFuIENvcGll ZFNwYWNlOjp0cnlSZWFsbG9jYXRlKHZvaWQqKiBwdHIsIHNpemVfdCBvbGRTaXplLCBzaXplX3Qg bmV3CiAgICAgICAgIHJldHVybiB0cnlSZWFsbG9jYXRlT3ZlcnNpemUocHRyLCBvbGRTaXplLCBu ZXdTaXplKTsKIAogICAgIGlmIChtX2FsbG9jYXRvci53YXNMYXN0QWxsb2NhdGlvbihvbGRQdHIs IG9sZFNpemUpKSB7Ci0gICAgICAgIG1fYWxsb2NhdG9yLnJlc2V0TGFzdEFsbG9jYXRpb24ob2xk UHRyKTsKLSAgICAgICAgaWYgKG1fYWxsb2NhdG9yLmZpdHNJbkN1cnJlbnRCbG9jayhuZXdTaXpl KSkKLSAgICAgICAgICAgIHJldHVybiBtX2FsbG9jYXRvci5hbGxvY2F0ZShuZXdTaXplKTsKKyAg ICAgICAgc2l6ZV90IGRlbHRhID0gbmV3U2l6ZSAtIG9sZFNpemU7CisgICAgICAgIGlmIChtX2Fs bG9jYXRvci5maXRzSW5DdXJyZW50QmxvY2soZGVsdGEpKSB7CisgICAgICAgICAgICAodm9pZClt X2FsbG9jYXRvci5hbGxvY2F0ZShkZWx0YSk7CisgICAgICAgICAgICByZXR1cm4gdHJ1ZTsKKyAg ICAgICAgfQogICAgIH0KIAogICAgIHZvaWQqIHJlc3VsdCA9IDA7Cg== 133602 2012-03-23 18:03:16 -0700 2012-03-23 20:12:04 -0700 Patch bug-82087-20120323180315.patch text/plain 2706 mhahnenberg U3VidmVyc2lvbiBSZXZpc2lvbjogMTExODc3CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCA4 N2JmYzFhM2VlYWM0NDliNTM0ZjcyYmQ2ZjQwNGJlYTg2ODMwZjhjLi42YWNkMTZjOTBjNDVmNzBh ZWJkNGU1YjczMjJmYjhhOThkOTY2ZmNiIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs NSArMSwxOSBAQAogMjAxMi0wMy0yMyAgTWFyayBIYWhuZW5iZXJnICA8bWhhaG5lbmJlcmdAYXBw bGUuY29tPgogCisgICAgICAgIHRyeVJlYWxsb2NhdGUgY291bGQgYnJlYWsgdGhlIHplcm8tZWQg bWVtb3J5IGludmFyaWFudCBvZiBDb3BpZWRCbG9ja3MKKyAgICAgICAgaHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTgyMDg3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9C T0RZIChPT1BTISkuCisKKyAgICAgICAgUmVtb3ZpbmcgdGhpcyBvcHRpbWl6YXRpb24gdHVybmVk IG91dCB0byBiZSB+MSUgcmVncmVzc2lvbiBvbiBrcmFrZW4sIHNvIEkgc2ltcGx5IAorICAgICAg ICB1bmRpZCB0aGUgbW9kaWZpY2F0aW9uIHRvIHRoZSBjdXJyZW50IGJsb2NrIGlmIHdlIGZhaWwu CisKKyAgICAgICAgKiBoZWFwL0NvcGllZFNwYWNlLmNwcDoKKyAgICAgICAgKEpTQzo6Q29waWVk U3BhY2U6OnRyeVJlYWxsb2NhdGUpOiBVbmRpZCB0aGUgcmVzZXQgaW4gdGhlIENvcGllZEFsbG9j YXRvciBpZiB3ZSBmYWlsIAorICAgICAgICB0byByZWFsbG9jYXRlIGZyb20gdGhlIGN1cnJlbnQg YmxvY2suCisKKzIwMTItMDMtMjMgIE1hcmsgSGFobmVuYmVyZyAgPG1oYWhuZW5iZXJnQGFwcGxl LmNvbT4KKwogICAgICAgICBTaW1wbGlmeSBtZW1vcnkgdXNhZ2UgdHJhY2tpbmcgaW4gQ29waWVk U3BhY2UKICAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTgw NzA1CiAKZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9oZWFwL0NvcGllZEFsbG9j YXRvci5oIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL2hlYXAvQ29waWVkQWxsb2NhdG9yLmgKaW5k ZXggZmIwYTAyODE0Mjc3YjViMGViY2JiNWIyYmU4YWM5OGE1MTgyZDRkMC4uNzQ1NWVjODE2YzYy NzQ5Yzc4MmY3OTk0ODIzNDliYjI1OTJjY2VlMCAxMDA2NDQKLS0tIGEvU291cmNlL0phdmFTY3Jp cHRDb3JlL2hlYXAvQ29waWVkQWxsb2NhdG9yLmgKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3Jl L2hlYXAvQ29waWVkQWxsb2NhdG9yLmgKQEAgLTM5LDcgKzM5LDYgQEAgcHVibGljOgogICAgIGJv b2wgd2FzTGFzdEFsbG9jYXRpb24odm9pZCosIHNpemVfdCk7CiAgICAgdm9pZCBzdGFydGVkQ29w eWluZygpOwogICAgIHZvaWQgcmVzZXRDdXJyZW50QmxvY2soQ29waWVkQmxvY2sqKTsKLSAgICB2 b2lkIHJlc2V0TGFzdEFsbG9jYXRpb24odm9pZCopOwogICAgIHNpemVfdCBjdXJyZW50Q2FwYWNp dHkoKTsKIAogcHJpdmF0ZToKQEAgLTk3LDExICs5Niw2IEBAIGlubGluZSBzaXplX3QgQ29waWVk QWxsb2NhdG9yOjpjdXJyZW50Q2FwYWNpdHkoKQogICAgIHJldHVybiBtX2N1cnJlbnRCbG9jay0+ Y2FwYWNpdHkoKTsKIH0KIAotaW5saW5lIHZvaWQgQ29waWVkQWxsb2NhdG9yOjpyZXNldExhc3RB bGxvY2F0aW9uKHZvaWQqIHB0cikKLXsKLSAgICBtX2N1cnJlbnRPZmZzZXQgPSBzdGF0aWNfY2Fz dDxjaGFyKj4ocHRyKTsKLX0KLQogfSAvLyBuYW1lc3BhY2UgSlNDCiAKICNlbmRpZgpkaWZmIC0t Z2l0IGEvU291cmNlL0phdmFTY3JpcHRDb3JlL2hlYXAvQ29waWVkU3BhY2UuY3BwIGIvU291cmNl L0phdmFTY3JpcHRDb3JlL2hlYXAvQ29waWVkU3BhY2UuY3BwCmluZGV4IDc4NDQxOThhOGQ1ZWZk ZGZhMDZhOTEzN2UyYjVhNzZkMWI5ODE1ZWUuLjk0ODhlY2JlZjA0MDNlZTE5NTQxMGVhZGE2ZDA0 YjNkNmIyZmVjNjIgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9oZWFwL0NvcGll ZFNwYWNlLmNwcAorKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvaGVhcC9Db3BpZWRTcGFjZS5j cHAKQEAgLTEwMCw5ICsxMDAsMTEgQEAgQ2hlY2tlZEJvb2xlYW4gQ29waWVkU3BhY2U6OnRyeVJl YWxsb2NhdGUodm9pZCoqIHB0ciwgc2l6ZV90IG9sZFNpemUsIHNpemVfdCBuZXcKICAgICAgICAg cmV0dXJuIHRyeVJlYWxsb2NhdGVPdmVyc2l6ZShwdHIsIG9sZFNpemUsIG5ld1NpemUpOwogCiAg ICAgaWYgKG1fYWxsb2NhdG9yLndhc0xhc3RBbGxvY2F0aW9uKG9sZFB0ciwgb2xkU2l6ZSkpIHsK LSAgICAgICAgbV9hbGxvY2F0b3IucmVzZXRMYXN0QWxsb2NhdGlvbihvbGRQdHIpOwotICAgICAg ICBpZiAobV9hbGxvY2F0b3IuZml0c0luQ3VycmVudEJsb2NrKG5ld1NpemUpKQotICAgICAgICAg ICAgcmV0dXJuIG1fYWxsb2NhdG9yLmFsbG9jYXRlKG5ld1NpemUpOworICAgICAgICBzaXplX3Qg ZGVsdGEgPSBuZXdTaXplIC0gb2xkU2l6ZTsKKyAgICAgICAgaWYgKG1fYWxsb2NhdG9yLmZpdHNJ bkN1cnJlbnRCbG9jayhkZWx0YSkpIHsKKyAgICAgICAgICAgICh2b2lkKW1fYWxsb2NhdG9yLmFs bG9jYXRlKGRlbHRhKTsKKyAgICAgICAgICAgIHJldHVybiB0cnVlOworICAgICAgICB9CiAgICAg fQogCiAgICAgdm9pZCogcmVzdWx0ID0gMDsK