[Webkit-unassigned] [Bug 80615] New: CopiedSpace::tryAllocateOversize assumes system page size

Thu Mar 8 11:13:55 PST 2012

https://bugs.webkit.org/show_bug.cgi?id=80615

           Summary: CopiedSpace::tryAllocateOversize assumes system page
                    size
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mmaxfield at google.com
                CC: mhahnenberg at apple.com

Crash in CopiedSpace::tryAllocateOversize:

1. CopiedSpace::tryAllocateOversize is called with a number of bytes, and a pointer to set (See the end of this email for a stack trace).
2. In order to get the block size, this function calls WTF::roundUpToMultipleOf<s_pageSize>(sizeof(CopiedBlock) + bytes); which attempts to round its argument up to a multiple of s_pageSize. This s_pageSize refers to JSC::CopiedSpace::s_pageSize, declared as a static const in JavaScriptCore/heap/CopiedSpace.h as 4 * KB, or 4096.
3. CopiedSpace::tryAllocateOversize then passes this block size to WTF::PageAllocationAligned::allocate, which immediately checks that this parameter, size, is page-aligned via a call to WTF::isPageAligned(size)
4. WTF::isPageAligned queries the system page size with WTF::pageSize(), which returns WTF::s_pageSize, which has been initialized to the system page size with a call to getpagesize(). On our system, this returns 16384.
5. WTF::isPageAligned returns false because the value that is divisible by 4096 is not divisible by 16384.
6. The assert in WTF::PageAllocationAligned::allocate fails.

Eliminating CopiedSpace::s_pageSize in favor of using WTF::s_pageSize would probably be the preferable route.

Stack trace:
std::size_t                     WTF::pageSize()
bool                            WTF::isPageAligned(unsigned int)
void                            WTF::PageAllocationAligned::allocate(unsigned int,unsigned int,WTF::OSAllocator::Usage,bool,bool)
void                            JSC::CopiedSpace::tryAllocateOversize(unsigned int,void**)
void                            JSC::CopiedSpace::tryReallocateOversize(void**,unsigned int,unsigned int)
void                            JSC::CopiedSpace::tryReallocate(void**,unsigned int,unsigned int)
void                            JSC::Heap::tryReallocateStorage(void**,unsigned int,unsigned int)
bool                            JSC::JSArray::increaseVectorLength(JSC::JSGlobalData&,unsigned int)
void                            JSC::JSArray::putByIndexBeyondVectorLength(JSC::ExecState*,unsigned int,JSC::JSValue)
void                            JSC::JSArray::putByIndex(JSC::JSCell*,JSC::ExecState*,unsigned int,JSC::JSValue)
JSC::EncodedJSValue             JSC::arrayProtoFuncPush(JSC::ExecState*)
JSC::JSValue                    JSC::Interpreter::privateExecute(JSC::Interpreter::ExecutionFlag,JSC::RegisterFile*,JSC::ExecState*)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.