Bug 268713
| Summary: | OSAllocator::tryReserveUncommittedAligned() does not detect mmap failures | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Elad Lahav <e2lahav> |
| Component: | Platform | Assignee: | Keith Miller <keith_miller> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Other | | |
| OS: | Other | | |
Elad Lahav
The code for allocating an aligned region in the absence of a dedicated API first calls mmap() to allocate a large range, and then munmap() to trim it. If mmap() fails (which is quite possible given the initial large value), then tryReserveCommitted() returns nullptr. However, tryReserveUncommittedAligned() does not catch that, and proceeds to call munmap() on a large range it never mapped (4G,4G). On QNX this ended up unmapping most of the shared libraries from under the process.
Alexey Proskuryakov
From reading the code, iOS open source builds also take this code path. Surprisingly, we don't seem to have seen any bad consequences.
Elad Lahav
There are a couple of preconditions before you can observe something bad happening:
1. The mmap() call needs to fail. I don't know what flavour of mmap() is used in the iOS version, but if it is lazy, it may never fail. In QNX, with the existing code, it is asking for 8GB of fully-allocated memory.
2. The munmap() call needs to hit something that is already allocated.
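The over-reserve-then-trim pattern from the bug description, together with the two preconditions listed above, as an added illustration. This is hypothetical example code written for this page, not WebKit's OSAllocator; the function names (reserve_uncommitted, reserve_uncommitted_aligned, trim, commit, release) and the use of PROT_NONE plus MAP_NORESERVE for a lazy reservation are assumptions about a POSIX/Linux host, not a description of what WebKit or QNX do. The point it makes is the missing check: a failed mmap() must return before any munmap() is issued, otherwise the trim step unmaps whatever happens to live at the computed addresses. A counter on the trimming helper shows that the failure path never reaches munmap().

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Count munmap() calls routed through trim(), so a caller can prove that a
   failed reservation never reaches the trimming step (hypothetical helper). */
static int g_trim_calls = 0;

static void trim(void *addr, size_t len)
{
    g_trim_calls++;
    if (munmap(addr, len) != 0)
        perror("munmap");
}

/* Reserve address space only: PROT_NONE and MAP_NORESERVE mean no pages are
   committed until commit() changes the protection. Returns NULL rather than
   MAP_FAILED so callers cannot mistake the sentinel for a real address. */
static void *reserve_uncommitted(size_t bytes)
{
    void *p = mmap(NULL, bytes, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Over-reserve bytes + alignment, then unmap the unaligned head and the
   leftover tail so the surviving range starts on an `alignment` boundary. */
static void *reserve_uncommitted_aligned(size_t bytes, size_t alignment)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    /* munmap() only accepts page-aligned ranges, so the alignment and the
       size must both be page multiples for the head/tail trimming to be legal. */
    if (alignment < page || (alignment & (alignment - 1)) != 0)
        return NULL;
    if (bytes == 0 || bytes % page != 0 || bytes > SIZE_MAX - alignment)
        return NULL;

    size_t mapSize = bytes + alignment;
    char *base = reserve_uncommitted(mapSize);
    if (!base)
        return NULL;  /* the check the bug is about: never trim what was never mapped */

    uintptr_t aligned = ((uintptr_t)base + alignment - 1) & ~(uintptr_t)(alignment - 1);
    size_t head = aligned - (uintptr_t)base;
    size_t tail = mapSize - head - bytes;
    if (head)
        trim(base, head);
    if (tail)
        trim((char *)aligned + bytes, tail);
    return (void *)aligned;
}

/* Commit a reserved range by making it readable and writable. */
static int commit(void *p, size_t bytes)
{
    return mprotect(p, bytes, PROT_READ | PROT_WRITE) == 0;
}

static void release(void *p, size_t bytes)
{
    munmap(p, bytes);
}

/* Precondition 1 from the comment above: force the mmap() to fail by asking
   for a quarter of the whole size_t range, far beyond any user address space.
   Returns 1 when the call failed cleanly and no munmap() was issued. */
static int demo_failure_path(void)
{
    int before = g_trim_calls;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t huge = (SIZE_MAX / 4) & ~(page - 1);
    void *p = reserve_uncommitted_aligned(huge, (size_t)1 << 16);
    return p == NULL && g_trim_calls == before;
}

/* Normal path: a 1 MiB reservation aligned to 64 KiB, committed, touched
   at both ends, then released. Returns 1 on success. */
static int demo_success_path(void)
{
    size_t bytes = (size_t)1 << 20, alignment = (size_t)1 << 16;
    char *p = reserve_uncommitted_aligned(bytes, alignment);
    if (!p || ((uintptr_t)p & (alignment - 1)) != 0)
        return 0;
    if (!commit(p, bytes)) {
        release(p, bytes);
        return 0;
    }
    p[0] = 'A';
    p[bytes - 1] = 'Z';
    int ok = p[0] == 'A' && p[bytes - 1] == 'Z';
    release(p, bytes);
    return ok;
}

int main(void)
{
    printf("failure path handled: %d\n", demo_failure_path());
    printf("success path ok:      %d\n", demo_success_path());
    return 0;
}
```

Precondition 2 (the bogus munmap() landing on something already mapped) is what turns the missing check from a silent no-op on Linux, where munmap() of an unmapped range returns 0, into the QNX symptom of shared libraries vanishing from the process; the early return above removes both outcomes at the source.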
Radar WebKit Bug Importer
<rdar://problem/122325706>
Keith Miller
Pull request: https://github.com/WebKit/WebKit/pull/23875
EWS
Committed 274171@main (c4f8b92246b4): <https://commits.webkit.org/274171@main>
Reviewed commits have been landed. Closing PR #23831 and removing active labels.