[Webkit-unassigned] [Bug 22974] New: Fix rounding / bounds / signed comparison bug in ExecutableAllocator.

Mon Dec 22 22:05:56 PST 2008

https://bugs.webkit.org/show_bug.cgi?id=22974

           Summary: Fix rounding / bounds / signed comparison bug in
                    ExecutableAllocator.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: barraclough at apple.com

ExecutableAllocator ::alloc assumed that m_freePtr would be aligned.  This was
not always true, since the first allocation from an additional pool would not
be rounded up.  Subsequent allocations would be unaligned, and too much memory
could be erroneously allocated from the pool, when the size requested was
available, but the size rounded up to word granularity was not available in the
pool.  This may result in the value of m_freePtr being greater than m_end.

Under these circumstances, the unsigned check for space will always pass,
resulting in pointers to memory outside of the arena being returned, and
ultimately segfaulty goodness when attempting to memcpy the hot freshly jitted
code from the AssemblerBuffer.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.