[Webkit-unassigned] [Bug 19946] New: Possible misalignment in RenderArena when compiled for debug

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 8 09:09:25 PDT 2008


https://bugs.webkit.org/show_bug.cgi?id=19946

           Summary: Possible misalignment in RenderArena when compiled for
                    debug
           Product: WebKit
           Version: 526+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dominik.roettsches at access-company.com


RenderArena::allocate falls back to using malloc when compiled for DEBUG. In
addition, it introduces a debug header called RenderArenaDebugHeader which is
prefixed to every allocated cell. The pointer arithmetic in RenderArena::allocate
(http://trac.webkit.org/browser/trunk/WebCore/rendering/RenderArena.cpp#L73)
leads to returning a possibly misaligned pointer, depending on the size of
RenderArenaDebugHeader and the data types that are placed into the allocated
cell.

For example, in HTMLInputElement::createRenderer a new text control renderer is
created ("return new (arena) RenderTextControl(this, false);"). This
RenderTextControl will contain a Timer, which will in turn have a TimerBase,
which has members of type double. Accessing those doubles on XScale when the
initial base address returned by the Arena allocator was not 8-byte aligned
leads to a misaligned access, causing a crash.


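As an added illustration of the layout problem the report describes (this is constructed example code, not RenderArena or any other WebKit code): a hypothetical 12-byte debug header is prefixed to a malloc'd block, the naive arithmetic returns `block + sizeof(header)` and so hands back a 4-aligned but not 8-aligned payload, and a corrected variant pads the header to the payload's required alignment. It assumes malloc returns memory aligned to at least 8 bytes, as it does on mainstream platforms; all names and values are hypothetical.

```cpp
#include <cstdint>
#include <cstdlib>

// Constructed stand-in for a debug header: three 4-byte fields give
// sizeof == 12 and alignof == 4, so a payload placed right after it sits
// at block + 12, which is 4-aligned but never 8-aligned when malloc
// returns an 8- or 16-aligned block.
struct DebugHeader {
    uint32_t signature;
    uint32_t size;
    uint32_t checksum;
};

static bool isAligned(const void* p, size_t alignment) {
    return reinterpret_cast<uintptr_t>(p) % alignment == 0;
}

static void initHeader(void* block, size_t size) {
    auto* header = static_cast<DebugHeader*>(block);
    header->signature = 0xDEADBEEFu;  // constructed marker value
    header->size = static_cast<uint32_t>(size);
    header->checksum = 0;
}

// Naive debug allocator, mirroring the layout the report describes:
// header first, payload immediately after it.
void* allocateNaive(size_t size) {
    void* block = std::malloc(sizeof(DebugHeader) + size);
    if (!block) return nullptr;
    initHeader(block, size);
    return static_cast<char*>(block) + sizeof(DebugHeader);  // possibly misaligned
}
void deallocateNaive(void* payload) {
    if (payload) std::free(static_cast<char*>(payload) - sizeof(DebugHeader));
}

// Corrected variant: round the header up to a multiple of the alignment the
// payload needs, so the payload keeps the alignment malloc gave the block.
static size_t paddedHeaderSize(size_t alignment) {
    return (sizeof(DebugHeader) + alignment - 1) / alignment * alignment;
}
void* allocateAligned(size_t size, size_t alignment) {
    size_t headerBytes = paddedHeaderSize(alignment);
    void* block = std::malloc(headerBytes + size);
    if (!block) return nullptr;
    initHeader(block, size);
    return static_cast<char*>(block) + headerBytes;  // keeps malloc's alignment
}
void deallocateAligned(void* payload, size_t alignment) {
    if (payload) std::free(static_cast<char*>(payload) - paddedHeaderSize(alignment));
}
```

An `isAligned(p, alignof(double))` check at the allocator's return is the cheapest way to catch this class of bug on platforms where a misaligned load only costs performance rather than crashing.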