Bug 141406

Summary: REGRESSION: tryFastCalloc is no longer "try"
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: Web Template FrameworkAssignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, cmarcelo, commit-queue, darin, ggaren, kling
Priority: P2 Keywords: Regression
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed fix none

Description Alexey Proskuryakov 2015-02-09 15:24:05 PST 
tryFastCalloc just calls through to fastCalloc, which crashes when allocation fails.
Comment 1 Alexey Proskuryakov 2015-02-09 15:27:16 PST 
Created attachment 246297 [details]
proposed fix

I saw this cause crashes on fast/canvas/webgl/webgl-compressed-texture-size-limit.html
Comment 2 WebKit Commit Bot 2015-02-09 16:12:43 PST 
Comment on attachment 246297 [details]
proposed fix

Clearing flags on attachment: 246297

Committed r179855: <http://trac.webkit.org/changeset/179855>
Comment 3 WebKit Commit Bot 2015-02-09 16:12:47 PST 
All reviewed patches have been landed.  Closing bug.
Comment 4 Darin Adler 2015-02-10 08:34:50 PST 
Comment on attachment 246297 [details]
proposed fix

View in context: https://bugs.webkit.org/attachment.cgi?id=246297&action=review

> Source/WTF/wtf/FastMalloc.cpp:326
> +    return tryFastZeroedMalloc(numElements * elementSize);

Wait a second, what about overflow checking for the multiplication?
Comment 5 Darin Adler 2015-02-10 08:36:36 PST 
I think that both fastCalloc and tryFastCalloc are missing checking on overflow in the multiplication in the USE_BMALLOC case.
Comment 6 Alexey Proskuryakov 2015-02-10 09:33:48 PST 
Great catch, I copied the existing code mindlessly.

Darin has a fix in bug 141434.