[Webkit-unassigned] [Bug 19946] New: Possible misalignment in RenderArena when compiled for debug
bugzilla-daemon at webkit.org
Tue Jul 8 09:09:25 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=19946
Summary: Possible misalignment in RenderArena when compiled for debug
Product: WebKit
Version: 526+ (Nightly build)
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: New Bugs
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: dominik.roettsches at access-company.com
RenderArena::allocate falls back to using malloc when compiled for DEBUG. In
addition, it introduces a debug header called RenderArenaDebugHeader which is
prefixed to every allocated cell. The pointer arithmetic in RenderArena::allocate
(http://trac.webkit.org/browser/trunk/WebCore/rendering/RenderArena.cpp#L73)
leads to returning a possibly misaligned pointer, depending on the size of
RenderArenaDebugHeader and the data types that are placed into the allocated
cell.

For example, in HTMLInputElement::createRenderer a new text control renderer is
created ("return new (arena) RenderTextControl(this, false);"). This
RenderTextControl will contain a Timer, which will in turn have a TimerBase
which has members of type double. Accessing those doubles on XScale when the
initial base address returned by the Arena allocator was not 8-byte aligned
leads to a misaligned access, causing a crash.
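A constructed C illustration of the arithmetic the report describes, added here and not WebKit's code: a debug header is placed in front of a malloc'd cell, so the returned cell pointer is offset from malloc's aligned result by the header size, and a padded variant rounds that offset up to the platform's strictest alignment so doubles stored in the cell stay aligned. The DebugHeader layout (a single 32-bit field) and all function names are assumptions; WebKit's real header is not shown on the page.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for RenderArenaDebugHeader; the real layout is not on
 * the page. A single 32-bit field is assumed, so sizeof(DebugHeader) == 4. */
typedef struct {
    uint32_t size;
} DebugHeader;

/* Smallest multiple of alignof(max_align_t) that can hold the header. */
#define HEADER_PADDED \
    ((sizeof(DebugHeader) + alignof(max_align_t) - 1) & ~(alignof(max_align_t) - 1))

/* Mirrors the report: the cell starts immediately after the header, so the
 * cell pointer is malloc's (aligned) result plus sizeof(DebugHeader). With a
 * 4-byte header and 8-byte doubles in the cell, that pointer is misaligned. */
void *debug_allocate_naive(size_t size) {
    unsigned char *block = malloc(sizeof(DebugHeader) + size);
    if (!block)
        return NULL;
    ((DebugHeader *)block)->size = (uint32_t)size;
    return block + sizeof(DebugHeader);
}

/* One possible fix: pad the header so the cell keeps malloc's alignment. */
void *debug_allocate_padded(size_t size) {
    unsigned char *block = malloc(HEADER_PADDED + size);
    if (!block)
        return NULL;
    ((DebugHeader *)block)->size = (uint32_t)size;
    return block + HEADER_PADDED;
}

/* Each allocator has its own header offset, so freeing must match it. */
void debug_free_naive(void *cell) { if (cell) free((unsigned char *)cell - sizeof(DebugHeader)); }
void debug_free_padded(void *cell) { if (cell) free((unsigned char *)cell - HEADER_PADDED); }

/* Non-zero when p may hold an object requiring the given alignment. */
int is_aligned_for(const void *p, size_t align) {
    return ((uintptr_t)p % align) == 0;
}
```

Checking `is_aligned_for(cell, alignof(double))` on the naive cell is the kind of assertion a debug allocator can make before handing the pointer out, which turns the XScale crash into a deterministic failure on every platform.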