[Webkit-unassigned] [Bug 232165] JITReservation initializeJITPageReservation() overwrites g_wtfConfig with USE_SYSTEM_MALLOC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 22 12:34:44 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=232165

--- Comment #1 from Pascal Abresch <nep-webkit at packageloss.eu> ---
Full patch

From 9207543134385c8fb52e1e5fc48b491d377d9c2e Mon Sep 17 00:00:00 2001
From: waddlesplash <waddlesplash at gmail.com>
Date: Fri, 22 Oct 2021 14:27:12 -0400
Subject: [PATCH] ExecutableAllocator: Do not store things in g_config when
 USE(SYSTEM_MALLOC).

Following 41bdcb765f0f1e658c943b2bbf778e8b33fb783b, two additional slots were added
to g_config in order to store these pointers for use in bmalloc and Gigacage. However, when
USE(SYSTEM_MALLOC) is enabled, there are no slots reserved for Gigacage, and so this collided
with g_wtfConfig and overwrote data there instead.

This should fix crashes seen on Haiku, which enables USE(SYSTEM_MALLOC).
---
 Source/JavaScriptCore/jit/ExecutableAllocator.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/JavaScriptCore/jit/ExecutableAllocator.cpp b/Source/JavaScriptCore/jit/ExecutableAllocator.cpp
index 31476313ba..387c890818 100644
--- a/Source/JavaScriptCore/jit/ExecutableAllocator.cpp
+++ b/Source/JavaScriptCore/jit/ExecutableAllocator.cpp
@@ -403,7 +403,7 @@ static ALWAYS_INLINE JITReservation initializeJITPageReservation()
         g_jscConfig.startExecutableMemory = tagCodePtr<ExecutableMemoryPtrTag>(reservation.base);
         g_jscConfig.endExecutableMemory = tagCodePtr<ExecutableMemoryPtrTag>(reservationEnd);

-#if ENABLE(UNIFIED_AND_FREEZABLE_CONFIG_RECORD)
+#if !USE(SYSTEM_MALLOC) && ENABLE(UNIFIED_AND_FREEZABLE_CONFIG_RECORD)
         WebConfig::g_config[0] = bitwise_cast<uintptr_t>(reservation.base);
         WebConfig::g_config[1] = bitwise_cast<uintptr_t>(reservationEnd);
 #endif
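Review bot: the new `#if !USE(SYSTEM_MALLOC) && ...` guard stops the out-of-slot write, but nothing at the write site records why the two `g_config` slots only exist without system malloc, so the next person touching this block can reintroduce the overlap with `g_wtfConfig` that the commit message describes. Suggest a one-line comment above the `#if` stating that `g_config[0]` and `g_config[1]` are the Gigacage slots and are absent under `USE(SYSTEM_MALLOC)`, and, if the layout is expressed as a constant elsewhere, a compile-time check that those indices lie inside the reserved region rather than duplicating the preprocessor condition here. It would also help the reviewer to confirm in the description that every reader of these two slots (bmalloc and Gigacage, per the message) is compiled out under the same condition, so no consumer now reads an unset slot.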
-- 
2.30.2
