<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - bmalloc: large aligned allocations will put 1 or 2 free object on free list without coalescing with their neighbors"
href="https://bugs.webkit.org/show_bug.cgi?id=154091">154091</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>bmalloc: large aligned allocations will put 1 or 2 free object on free list without coalescing with their neighbors
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>msaboff@apple.com
</td>
</tr></table>
<p>
<div>
<pre>In the aligned version of Heap::allocateLarge(), gets a free object from the free list that may or may not be aligned to the requested alignment. That object is large enough to create an aligned object splitting off an unused objected before and/or an unused object after the aligned object we'll return to the caller. These unused object need to be merged before putting them back into the free list.
There is a similar issue in the unaligned version of Heap::allocateLarge() in that it might get an object from the free list that is larger than needed. It splits off an unused object and puts in back on the free list without merging.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>