Bug 22974 - Fix rounding / bounds / signed comparison bug in ExecutableAllocator.
Summary: Fix rounding / bounds / signed comparison bug in ExecutableAllocator.
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P2 Normal
Assignee: Gavin Barraclough
Depends on:
Reported: 2008-12-22 22:05 PST by Gavin Barraclough
Modified: 2008-12-22 23:09 PST

See Also:

The patch (4.01 KB, patch)
2008-12-22 22:11 PST, Gavin Barraclough
oliver: review+

Description Gavin Barraclough 2008-12-22 22:05:56 PST
ExecutableAllocator::alloc assumed that m_freePtr would be aligned.  This was not always true, since the first allocation from an additional pool would not be rounded up.  Subsequent allocations would be unaligned, and too much memory could be erroneously allocated from the pool, when the size requested was available, but the size rounded up to word granularity was not available in the pool.  This may result in the value of m_freePtr being greater than m_end.

Under these circumstances, the unsigned check for space will always pass, resulting in pointers to memory outside of the arena being returned, and ultimately segfaulty goodness when attempting to memcpy the hot freshly jitted code from the AssemblerBuffer.
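The failure chain the description walks through (an unaligned free pointer, a bounds check made against the requested rather than the rounded size, and an unsigned comparison that keeps passing once m_freePtr has moved past m_end), modelled as an added example beside a corrected pool. This is illustrative code written for this page, not JavaScriptCore's ExecutableAllocator: the names BuggyPool and FixedPool, the use of byte offsets into a notional arena in place of real pointers, and the fixed 8-byte word size are all assumptions made for the example. The corrected pool's assert uses <= rather than <, as Comment 2 below asks for.

```cpp
// Added example (not JavaScriptCore's ExecutableAllocator): a toy bump allocator that
// reproduces the failure described in the bug report, beside a corrected version.
// Byte offsets into a notional arena stand in for m_freePtr / m_end so that the
// out-of-arena case can be demonstrated without forming invalid pointers.
#include <cassert>
#include <cstddef>
#include <cstdio>

// Word size is fixed at 8 so the offsets quoted in the comments hold on any host.
static const size_t kWordSize = 8;
static const size_t kNotAllocated = static_cast<size_t>(-1);

static size_t roundUpToWord(size_t n)
{
    return (n + kWordSize - 1) & ~(kWordSize - 1);
}

// Pre-fix behaviour: the pool may begin at an unaligned offset (as the first
// allocation from an additional pool could), the bounds check uses the requested
// size, and the free pointer is then advanced by the rounded size.
struct BuggyPool {
    size_t m_free;
    size_t m_end;

    BuggyPool(size_t start, size_t end) : m_free(start), m_end(end) {}

    size_t alloc(size_t n)
    {
        // Unsigned subtraction: once m_free > m_end this wraps to a huge value,
        // so the check passes for any n and the offset returned lies past m_end.
        if (m_end - m_free >= n) {
            size_t result = m_free;
            m_free += roundUpToWord(n);   // can step beyond m_end
            return result;
        }
        return kNotAllocated;
    }
};

// Post-fix behaviour: align the free pointer when the pool is created, round the
// request before checking it, and keep the invariant m_free <= m_end so the
// unsigned difference cannot wrap.
struct FixedPool {
    size_t m_free;
    size_t m_end;

    FixedPool(size_t start, size_t end) : m_free(roundUpToWord(start)), m_end(end)
    {
        assert(m_free <= m_end);
    }

    size_t alloc(size_t n)
    {
        assert(m_free <= m_end);          // <=, not <: an exactly full pool is valid
        n = roundUpToWord(n);
        if (n <= m_end - m_free) {
            size_t result = m_free;
            m_free += n;
            return result;
        }
        return kNotAllocated;             // caller would fall back to a new pool
    }
};

// Arena of 15 bytes at offsets [1, 16). alloc(13) passes the check on the requested
// size but advances m_free by 16, to 17, past m_end; the next request then
// "succeeds" with an offset outside the arena.
bool buggyPoolReturnsOutOfArena()
{
    BuggyPool pool(1, 16);
    size_t first = pool.alloc(13);
    size_t second = pool.alloc(4);
    return first == 1 && pool.m_free > pool.m_end
        && second != kNotAllocated && second >= pool.m_end;
}

// Same arena: the free pointer is aligned up to 8, the 13-byte request (16 rounded)
// is refused, a 4-byte request (8 rounded) fits exactly, and the pool then reports
// itself full rather than handing out anything past m_end.
bool fixedPoolStaysInBounds()
{
    FixedPool pool(1, 16);
    size_t a = pool.alloc(13);
    size_t b = pool.alloc(4);
    size_t c = pool.alloc(1);
    return a == kNotAllocated && b == 8 && c == kNotAllocated && pool.m_free == pool.m_end;
}

int main()
{
    std::printf("buggy pool returns out-of-arena offset: %s\n",
                buggyPoolReturnsOutOfArena() ? "yes" : "no");
    std::printf("fixed pool stays in bounds: %s\n",
                fixedPoolStaysInBounds() ? "yes" : "no");
    return 0;
}
```

The interesting step is the second request against BuggyPool: by then m_free is 17 and m_end is 16, so m_end - m_free is SIZE_MAX and the space check can never fail again, which is exactly the condition under which the real allocator would hand back memory outside the arena for the memcpy of freshly jitted code. The fixed pool refuses the oversized request instead, and in the real allocator that refusal is what routes the request to a fresh pool.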
Comment 1 Gavin Barraclough 2008-12-22 22:11:44 PST
Created attachment 26224 [details]
The patch
Comment 2 Oliver Hunt 2008-12-22 22:18:19 PST
Comment on attachment 26224 [details]
The patch

ASSERT(m_freePtr < m_end); should be ASSERT(m_freePtr <= m_end);
Comment 3 Gavin Barraclough 2008-12-22 23:09:18 PST
Sending        JavaScriptCore/ChangeLog
Sending        JavaScriptCore/jit/ExecutableAllocator.h
Transmitting file data ..
Committed revision 39450.