Changeset 160004 in webkit
Timestamp:
Dec 3, 2013 9:09:54 AM (10 years ago)
Author:
commit-queue@webkit.org
Message:

testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
https://bugs.webkit.org/show_bug.cgi?id=121972

Patch by peavo@outlook.com <peavo@outlook.com> on 2013-12-03
Reviewed by Michael Saboff.

The reason for the crash is that the wrong memory block is decommitted.
This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.

  • interpreter/JSStack.cpp:
    (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.
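The failure the message describes can be walked through without a Windows box. The program below is an added example, not WebKit's code: it models the reserve/commit/decommit layer with two back-to-back reservations of 16 pages of 256 bytes each (constructed values), tracks committed pages in a bitmap, and implements the decommit rule the message attributes to VirtualFree, namely that a size of 0 decommits the whole region the address falls in. `stack_destroy` plays the destructor, with `commit_end` standing in for `m_commitEnd` and the `guarded` flag selecting the pre- or post-r160004 logic. Nothing here is JSStack's real memory layout; the page size, addresses and the `model_decommit` rule are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not WebKit code: constructed model of reserve/commit/decommit
 * with the zero-size decommit rule the commit message attributes to VirtualFree. */

#define PAGE_SIZE 256u
#define RESERVATION_SIZE (16u * PAGE_SIZE)
#define NUM_RESERVATIONS 2

typedef struct {
    uintptr_t base;     /* lowest address of the reserved range */
    uint16_t committed; /* bit i set: page i of the range is committed */
} Reservation;

static Reservation g_space[NUM_RESERVATIONS];

/* Lay the reservations out end to end, all pages uncommitted. */
static void reset_space(void)
{
    for (int i = 0; i < NUM_RESERVATIONS; i++) {
        g_space[i].base = 0x10000u + (uintptr_t)i * RESERVATION_SIZE;
        g_space[i].committed = 0;
    }
}

static size_t committed_bytes(const Reservation *r)
{
    size_t pages = 0;
    for (uint16_t m = r->committed; m; m >>= 1)
        pages += m & 1u;
    return pages * PAGE_SIZE;
}

/* Reservation containing addr, or NULL. The top of one reservation is the base
 * of the next, which is the address the unguarded destructor ends up passing. */
static Reservation *find_reservation(uintptr_t addr)
{
    for (int i = 0; i < NUM_RESERVATIONS; i++)
        if (addr >= g_space[i].base && addr < g_space[i].base + RESERVATION_SIZE)
            return &g_space[i];
    return NULL;
}

/* Set or clear the committed bit of each page in [addr, addr + size), clipped
 * to the reservation containing addr. addr is assumed page aligned. */
static void set_pages(uintptr_t addr, size_t size, bool commit)
{
    Reservation *r = find_reservation(addr);
    if (!r)
        return;
    uintptr_t top = r->base + RESERVATION_SIZE;
    uintptr_t end = addr + size < top ? addr + size : top;
    for (uintptr_t p = addr; p < end; p += PAGE_SIZE) {
        uint16_t bit = (uint16_t)(1u << ((p - r->base) / PAGE_SIZE));
        r->committed = commit ? (r->committed | bit) : (r->committed & ~bit);
    }
}

/* decommit(addr, size): a size of 0 decommits the whole region addr falls in. */
static void model_decommit(uintptr_t addr, size_t size)
{
    Reservation *r = find_reservation(addr);
    if (r && size == 0)
        r->committed = 0;
    else
        set_pages(addr, size, false);
}

/* The destructor. commit_end plays m_commitEnd: the stack commits downward from
 * the top, so [commit_end, top) is the committed part. guarded == false is the
 * pre-r160004 code, which decommits even when top - commit_end is zero. */
static void stack_destroy(const Reservation *r, uintptr_t commit_end, bool guarded)
{
    uintptr_t top = r->base + RESERVATION_SIZE;
    if (!guarded || top > commit_end)
        model_decommit(commit_end, top - commit_end);
}

/* Stack A is destroyed having never committed anything while neighbour B holds
 * 1 KiB of live memory. Returns B's committed bytes afterwards: 0 means the
 * zero-size decommit wiped the neighbour and B's next access would fault. */
static size_t neighbour_committed_after_destroy(bool guarded)
{
    reset_space();
    Reservation *a = &g_space[0], *b = &g_space[1];
    uintptr_t a_commit_end = a->base + RESERVATION_SIZE;        /* nothing committed */
    uintptr_t b_commit_end = b->base + RESERVATION_SIZE - 1024; /* 4 live pages */
    set_pages(b_commit_end, 1024, true);
    stack_destroy(a, a_commit_end, guarded);
    return committed_bytes(b);
}

int main(void)
{
    printf("unguarded: %zu bytes\n", neighbour_committed_after_destroy(false));
    printf("guarded:   %zu bytes\n", neighbour_committed_after_destroy(true));
    return 0;
}
```

With the guard off, `find_reservation(a_commit_end)` resolves the end of A to the base of B, and the zero size clears every page B had committed; with the guard on, the destructor never reaches `model_decommit` and B keeps its 1024 bytes. The model is deliberately generic: skipping a zero-length decommit is correct on every platform, not only where the allocator treats zero as "everything".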

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r160003 r160004  
     12013-12-03  peavo@outlook.com  <peavo@outlook.com>
     2
     3        testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
     4        https://bugs.webkit.org/show_bug.cgi?id=121972
     5
     6        Reviewed by Michael Saboff.
     7
     8        The reason for the crash is that the wrong memory block is decommitted.
     9        This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
     10        In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
     11        If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block,
     12        if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.
     13
     14        * interpreter/JSStack.cpp:
     15        (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.
     16
    1172013-12-03  László Langó  <lango@inf.u-szeged.hu>
    218
  • trunk/Source/JavaScriptCore/interpreter/JSStack.cpp

    r159826 r160004  
    6464{
    6565    void* highAddress = reinterpret_cast<void*>(static_cast<char*>(m_reservation.base()) + m_reservation.size());
    66     m_reservation.decommit(reinterpret_cast<void*>(m_commitEnd), reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd));
    67     addToCommittedByteCount(-(reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd)));
     66    if (highAddress > m_commitEnd) {
     67        m_reservation.decommit(reinterpret_cast<void*>(m_commitEnd), reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd));
     68        addToCommittedByteCount(-(reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd)));
     69    }
    6870    m_reservation.deallocate();
    6971}
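Review bot: The new `if (highAddress > m_commitEnd)` guard fixes the zero-size decommit, but the size expression `reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd)` is still spelled out twice inside the branch, once for `decommit` and once for `addToCommittedByteCount`. Hoist it into a local before the branch, for example `intptr_t committedSize = reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd);` followed by `if (committedSize > 0)`, so the condition and both uses agree by construction. Consider an `ASSERT(m_commitEnd <= highAddress)` as well: with a plain `>` test, a commit end that somehow ended up above the reservation's top would be skipped silently rather than caught in debug builds. The comparison also mixes a `void*` with the pointer type of `m_commitEnd` (the two calls below still cast it to `void*`); comparing the hoisted `intptr_t` difference, or two `char*` values, avoids that. Finally, the ChangeLog describes the failure as a Windows quirk of VirtualFree, while the guard is correct on every platform because decommitting zero bytes is never needed; a one-line comment above the `if` stating why the check exists would save the next reader a trip to the bug.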