RESOLVED FIXED Bug 154091
bmalloc: large aligned allocations will put 1 or 2 free object on free list without merging with free neighbors 
https://bugs.webkit.org/show_bug.cgi?id=154091
Summary bmalloc: large aligned allocations will put 1 or 2 free object on free list w...
Michael Saboff
Reported 2016-02-10 14:54:14 PST
In the aligned version of Heap::allocateLarge(), gets a free object from the free list that may or may not be aligned to the requested alignment. That object is large enough to create an aligned object splitting off an unused objected before and/or an unused object after the aligned object we'll return to the caller. These unused object need to be merged before putting them back into the free list. There is a similar issue in the unaligned version of Heap::allocateLarge() in that it might get an object from the free list that is larger than needed. It splits off an unused object and puts in back on the free list without merging.
Attachments
Patch (4.74 KB, patch)
2016-02-10 15:35 PST, Michael Saboff 		ggaren: review+
DetailsFormatted DiffDiff
Patch for landing with corrections and suggested changes. (6.47 KB, patch)
2016-02-10 17:34 PST, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2016-02-10 14:54:54 PST
rdar://problem/24134885
Michael Saboff
Comment 2 2016-02-10 15:35:57 PST
Created attachment 271035 [details] Patch
Geoffrey Garen
Comment 3 2016-02-10 16:10:15 PST
Comment on attachment 271035 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=271035&action=review r=me with one change > Source/bmalloc/bmalloc/Heap.cpp:375 > + LargeObject merged = nextLargeObject.merge(); > + m_largeObjects.insert(merged); This is a weird thing to do. We know that we just split an orphan, whose neighbors are allocated, and then we try to merge it with its neighbors, which we know will fail. I don't think we should do this. Instead, I think we should assert that nextLargeObject's neighbors are allocated, and then insert().
Mark Lam
Comment 4 2016-02-10 16:10:47 PST
Comment on attachment 271035 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=271035&action=review > Source/bmalloc/ChangeLog:3 > + bmalloc: large aligned allocations will put 1 or 2 free object on free list without mergine with free neighbors typo: mergine ==> merging > Source/bmalloc/ChangeLog:8 > + If we split off any ununsed free object in either public Heap::allocateLarge(), we merge them with typo: ununsed ==> unused.
Geoffrey Garen
Comment 5 2016-02-10 16:12:46 PST
You should also add code to LargeObject::merge() that, after the fact, asserts that next and previous are in the allocated state.
Michael Saboff
Comment 6 2016-02-10 17:34:39 PST
Created attachment 271041 [details] Patch for landing with corrections and suggested changes.
WebKit Commit Bot
Comment 7 2016-02-11 08:01:57 PST
Comment on attachment 271041 [details] Patch for landing with corrections and suggested changes. Clearing flags on attachment: 271041 Committed r196421: <http://trac.webkit.org/changeset/196421>
WebKit Commit Bot
Comment 8 2016-02-11 08:02:00 PST
All reviewed patches have been landed. Closing bug.
David Kilzer (:ddkilzer)
Comment 9 2016-02-16 13:55:10 PST
(In reply to comment #7) > Comment on attachment 271041 [details] > Patch for landing with corrections and suggested changes. > > Clearing flags on attachment: 271041 > > Committed r196421: <http://trac.webkit.org/changeset/196421> Follow-up fix for Debug build assertions: Committed r196424: <http://trac.webkit.org/changeset/196424> Follow-on bug to fix more Debug assertions: Bug 154113: BASSERTs added in r196421 are causing debug test failures ​<https://bugs.webkit.org/show_bug.cgi?id=154113>
Note You need to log in before you can comment on or make changes to this bug.