Bug 268713 (RESOLVED FIXED)
OSAllocator::tryReserveUncommittedAligned() does not detect mmap failures
https://bugs.webkit.org/show_bug.cgi?id=268713
Elad Lahav
Reported 2024-02-04 03:27:11 PST
The code for allocating an aligned region in the absence of a dedicated API first calls mmap() to allocate a large range, and then munmap() for trimming it. If mmap() fails (which is quite possible given the initial large value) then tryReserveCommitted() returns nullptr. However, tryReserveUncommittedAligned() does not catch that, and proceeds to call munmap() on a large range it never mapped (4G,4G). On QNX this ended up unmapping most of the shared libraries from under the process.
Alexey Proskuryakov
Comment 1 2024-02-05 09:26:25 PST
From reading the code, iOS open source builds also take this code path. Surprisingly, we don't seem to have seen any bad consequences.
Elad Lahav
Comment 2 2024-02-05 09:39:00 PST
There are a couple of preconditions before you can observe something bad happening:
1. The mmap() call needs to fail. I don't know what flavour of mmap() is used in the iOS version, but if it is lazy it may never fail. In QNX, with the existing code, it is asking for 8GB of fully-allocated memory.
2. The munmap() call needs to hit something that is already allocated.
Radar WebKit Bug Importer
Comment 3 2024-02-05 11:18:32 PST
Keith Miller
Comment 4 2024-02-05 11:22:44 PST
EWS
Comment 5 2024-02-06 13:33:52 PST
Committed 274171@main (c4f8b92246b4): <https://commits.webkit.org/274171@main> Reviewed commits have been landed. Closing PR #23831 and removing active labels.