[Webkit-unassigned] [Bug 113168] New: LayoutTests/fast/js/large-expressions.html Results in Crash
bugzilla-daemon at webkit.org
Sun Mar 24 20:00:39 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=113168
Summary: LayoutTests/fast/js/large-expressions.html Results in Crash
Product: WebKit
Version: 528+ (Nightly build)
Platform: Android
URL: /LayoutTests/fast/js/large-expressions.html
OS/Version: Android
Status: UNCONFIRMED
Severity: Blocker
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: manjian2006 at gmail.com
LayoutTests/fast/js/large-expressions.html results in a crash because a buffer overflowed when JSC is running in a non-main thread.
This is because the logic by which StackBounds::initialize sets the stack base parameter has a bug.
Both Linux's glibc and bionic (Android's libc) configure a newly created thread's stack to have guard pages at the stack bottom (the beginning of the stack memory region). The following is the source from allocatestack.c in glibc:
    mem = mmap (NULL, size, prot,
                MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    ...
    char *guard = mem;
    ...
    if (mprotect (guard, guardsize, PROT_NONE) != 0)
    ...
And the following is the source from pthread.c in bionic's implementation:
    static void *mkstack(size_t size, size_t guard_size)
    {
        void * stack;

        pthread_mutex_lock(&mmap_lock);

        stack = mmap(NULL, size,
                     PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE,
                     -1, 0);
        if(stack == MAP_FAILED) {
            stack = NULL;
            goto done;
        }

        /* the guard pages are the lowest guard_size bytes of the mapping */
        if(mprotect(stack, guard_size, PROT_NONE)){
            munmap(stack, size);
            stack = NULL;
            goto done;
        }

    done:
        pthread_mutex_unlock(&mmap_lock);
        return stack;
    }
It's clear that the bottom of a pthread's stack is made up of guard pages. My patch will fix this bug.
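The report's point is that the lowest addresses of a pthread stack are PROT_NONE guard pages, so a stack-bounds computation that treats the start of the mapping as usable stack will walk into them. The following program, added here as an illustration and not code from the bug report or from WebKit, shows how a non-main thread can derive its own bounds from the pthread attributes and step over the guard region. It assumes a Linux or Android system whose libc (glibc or bionic) provides the pthread_getattr_np extension; the struct and function names are the example's own.

```c
#define _GNU_SOURCE            /* pthread_getattr_np is a GNU/bionic extension */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a thread learns about its own stack from the pthread attributes
 * (names are this example's own, not WebKit's StackBounds fields). */
struct stack_info {
    uintptr_t low;      /* lowest address of the region libc reports */
    size_t    size;     /* size of that region */
    size_t    guard;    /* guard size at the low end (PROT_NONE pages) */
    uintptr_t sample;   /* address of a local variable in the thread */
};

/* Thread body: query the attributes of the running thread. */
static void *probe(void *arg)
{
    struct stack_info *info = arg;
    pthread_attr_t attr;
    void *addr = NULL;
    size_t size = 0, guard = 0;
    int local;                          /* a live frame on this thread's stack */

    if (pthread_getattr_np(pthread_self(), &attr) != 0)
        return (void *)1;
    pthread_attr_getstack(&attr, &addr, &size);
    pthread_attr_getguardsize(&attr, &guard);
    pthread_attr_destroy(&attr);

    info->low = (uintptr_t)addr;
    info->size = size;
    info->guard = guard;
    info->sample = (uintptr_t)&local;
    return NULL;
}

/* Spawn a thread with the requested stack and guard sizes and collect its
 * bounds into *out. Returns 0 on success, nonzero on failure. */
int probe_thread_stack(size_t stack_size, size_t guard_size, struct stack_info *out)
{
    pthread_attr_t attr;
    pthread_t tid;
    void *ret = NULL;
    int rc;

    memset(out, 0, sizeof *out);
    if (pthread_attr_init(&attr) != 0) return 1;
    if (pthread_attr_setstacksize(&attr, stack_size) != 0) return 2;
    if (pthread_attr_setguardsize(&attr, guard_size) != 0) return 3;
    rc = pthread_create(&tid, &attr, probe, out);
    pthread_attr_destroy(&attr);
    if (rc != 0) return 4;
    pthread_join(tid, &ret);
    return ret == NULL ? 0 : 5;
}

/* Conservative lowest usable address: step over the guard pages that sit at
 * the bottom of the mapping. Depending on the libc version the reported
 * region may or may not already exclude the guard, so always stepping over it
 * is safe either way and only costs guard-size bytes of headroom. */
uintptr_t usable_low(const struct stack_info *info)
{
    return info->low + info->guard;
}

uintptr_t stack_high(const struct stack_info *info)
{
    return info->low + info->size;
}

/* 1 if p lies inside the usable part of the stack, 0 otherwise. */
int in_usable_stack(const struct stack_info *info, uintptr_t p)
{
    return p >= usable_low(info) && p < stack_high(info);
}

int main(void)
{
    struct stack_info info;
    if (probe_thread_stack(256 * 1024, 64 * 1024, &info) != 0) {
        fprintf(stderr, "probe failed\n");
        return 1;
    }
    printf("region      [%#lx, %#lx)\n", (unsigned long)info.low,
           (unsigned long)stack_high(&info));
    printf("guard bytes %zu\n", info.guard);
    printf("usable low  %#lx\n", (unsigned long)usable_low(&info));
    printf("local var   %#lx (%s)\n", (unsigned long)info.sample,
           in_usable_stack(&info, info.sample) ? "inside" : "outside");
    return 0;
}
```

The bound that matters for a stack-overflow check is usable_low, not the raw start of the mapping; a limit computed from the mapping start would let a deep expression tree recurse straight into the guard pages and fault, which is the crash the report describes.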