[Webkit-unassigned] [Bug 121972] testapi test crashes on Windows in WTF::Vector<wchar_t, 64, WTF::UnsafeVectorOverflow>::size()

bugzilla-daemon at webkit.org
Tue Dec 3 13:45:14 PST 2013


--- Comment #13 from Mark Lam <mark.lam at apple.com>  2013-12-03 13:43:34 PST ---
(In reply to comment #9)
> The reason for the crash is that the wrong memory block is decommitted.
> This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
> In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
> If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block,
> if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.

Nice catch.  However, I think the better fix would be to make OSAllocator::decommit() handle a 0 size as one would expect, i.e. do nothing.  The behavior of Windows' VirtualFree() in terms of its interpretation of what a 0 size means is not intuitive.  I'll look into fixing this in a separate patch + bug.  Fixing the interpretation of size 0 in OSAllocator will also help avoid future surprises like this from manifesting.

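The failure mode described in the quoted comment and the guard proposed above, as an added example that is not WebKit's OSAllocator or JSStack code. It reserves a region, models a hypothetical stack that commits pages downward from the top of the reservation (an assumption about layout, chosen because it reproduces the "end of block, size 0" pair), and wraps decommit so that a zero-length request is a no-op. On Windows the wrapper calls VirtualAlloc/VirtualFree; on POSIX it substitutes mmap, mprotect and madvise so the same program runs off Windows. All names (osalloc, DownwardStack, committedRange) are invented for this illustration.

```cpp
#include <cstddef>
#include <cstdio>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

namespace osalloc {  // hypothetical stand-in for an OSAllocator-style layer

size_t pageSize() {
#ifdef _WIN32
    SYSTEM_INFO si; GetSystemInfo(&si); return si.dwPageSize;
#else
    return static_cast<size_t>(sysconf(_SC_PAGESIZE));
#endif
}

// Reserve address space with no pages committed.
void* reserveUncommitted(size_t bytes) {
#ifdef _WIN32
    return VirtualAlloc(nullptr, bytes, MEM_RESERVE, PAGE_NOACCESS);
#else
    void* p = mmap(nullptr, bytes, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? nullptr : p;
#endif
}

bool commit(void* address, size_t bytes) {
#ifdef _WIN32
    return VirtualAlloc(address, bytes, MEM_COMMIT, PAGE_READWRITE) != nullptr;
#else
    return mprotect(address, bytes, PROT_READ | PROT_WRITE) == 0;
#endif
}

// The guard proposed in the comment: a zero-length decommit does nothing.
// Without it, VirtualFree(address, 0, MEM_DECOMMIT) on Windows decommits the
// whole reservation that starts at `address`, which may be a neighbour's.
bool decommit(void* address, size_t bytes) {
    if (bytes == 0)
        return true;  // nothing committed, nothing to decommit
#ifdef _WIN32
    return VirtualFree(address, bytes, MEM_DECOMMIT) != 0;
#else
    return madvise(address, bytes, MADV_DONTNEED) == 0
        && mprotect(address, bytes, PROT_NONE) == 0;
#endif
}

void release(void* address, size_t bytes) {
#ifdef _WIN32
    (void)bytes; VirtualFree(address, 0, MEM_RELEASE);
#else
    munmap(address, bytes);
#endif
}

}  // namespace osalloc

// Hypothetical stack that commits pages from the top of its reservation down;
// commitEnd is the lowest committed address and equals base + reserved when
// nothing has been committed yet.
struct DownwardStack {
    char* base = nullptr;
    size_t reserved = 0;
    char* commitEnd = nullptr;
};

struct DecommitRange { void* start; size_t size; };

// The range a destructor would pass to decommit(): [commitEnd, top of reservation).
DecommitRange committedRange(const DownwardStack& s) {
    return { s.commitEnd, static_cast<size_t>(s.base + s.reserved - s.commitEnd) };
}

bool createStack(DownwardStack& s, size_t reservedBytes) {
    s.base = static_cast<char*>(osalloc::reserveUncommitted(reservedBytes));
    if (!s.base) return false;
    s.reserved = reservedBytes;
    s.commitEnd = s.base + reservedBytes;  // nothing committed
    return true;
}

bool growStack(DownwardStack& s, size_t bytes) {
    char* newEnd = s.commitEnd - bytes;
    if (newEnd < s.base || !osalloc::commit(newEnd, bytes)) return false;
    s.commitEnd = newEnd;
    return true;
}

bool destroyStack(DownwardStack& s) {
    DecommitRange r = committedRange(s);
    bool ok = osalloc::decommit(r.start, r.size);  // size may be 0: guarded above
    osalloc::release(s.base, s.reserved);
    s = DownwardStack();
    return ok;
}

// Nothing committed: the decommit pointer is the first byte past the reservation
// (where an adjacent block would begin) and the size is zero.
bool emptyStackDecommitsPastEnd() {
    DownwardStack s;
    size_t page = osalloc::pageSize();
    if (!createStack(s, 4 * page)) return false;
    DecommitRange r = committedRange(s);
    bool pastEnd = r.start == s.base + s.reserved && r.size == 0;
    return destroyStack(s) && pastEnd;
}

// One page committed: the range covers exactly that page, nothing beyond it.
bool grownStackDecommitsOnlyItsPages() {
    DownwardStack s;
    size_t page = osalloc::pageSize();
    if (!createStack(s, 4 * page) || !growStack(s, page)) return false;
    s.commitEnd[0] = 'x';  // committed page is writable
    DecommitRange r = committedRange(s);
    bool exact = r.start == s.base + 3 * page && r.size == page;
    return destroyStack(s) && exact;
}

int main() {
    std::printf("empty stack range past end: %s\n", emptyStackDecommitsPastEnd() ? "yes" : "no");
    std::printf("grown stack range exact:    %s\n", grownStackDecommitsOnlyItsPages() ? "yes" : "no");
    return 0;
}
```

The first check is the crash scenario from comment #9 in miniature: the (pointer, size) pair handed to the decommit layer is well-formed but points at memory this object never owned, and only the size-0 guard keeps the Windows path from acting on it.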