Changeset 96424 in webkit
- Timestamp:
- Sep 30, 2011 2:15:04 PM (13 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 3 edited
trunk/Source/JavaScriptCore/ChangeLog
r96421 r96424 1 2011-09-30 Geoffrey Garen <ggaren@apple.com> 2 3 Crash due to out of bounds read/write in MarkedSpace 4 https://bugs.webkit.org/show_bug.cgi?id=69148 5 6 This was a case of being surprised by a poorly aritulcated cell size limit, 7 plus an incorrect ASSERT guarding the cell size limit. 8 9 Reviewed by Oliver Hunt. 10 11 * heap/MarkedSpace.h: 12 (JSC::MarkedSpace::sizeClassFor): Changed heap size ranges to be inclusive, 13 since it makes the ranges easier to understand. 14 15 Bumped up the max cell size to support the use case in this bug. Since the 16 atomSize is much bigger than it used to be, there isn't much accounting 17 cost to handling more size classes. 18 19 Switched to FixedArray, to help catch SizeClass indexing bugs in the future. 20 21 * heap/MarkedSpace.cpp: 22 (JSC::MarkedSpace::MarkedSpace): 23 (JSC::MarkedSpace::resetAllocator): 24 (JSC::MarkedSpace::canonicalizeCellLivenessData): Updated for size ranges 25 being inclusive. 26 1 27 2011-09-30 Pierre Rossi <pierre.rossi@gmail.com> 2 28 -
trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp
r95912 r96424 36 36 , m_heap(heap) 37 37 { 38 for (size_t cellSize = preciseStep; cellSize < preciseCutoff; cellSize += preciseStep)38 for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) 39 39 sizeClassFor(cellSize).cellSize = cellSize; 40 40 41 for (size_t cellSize = impreciseStep; cellSize < impreciseCutoff; cellSize += impreciseStep)41 for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) 42 42 sizeClassFor(cellSize).cellSize = cellSize; 43 43 } … … 65 65 m_waterMark = 0; 66 66 67 for (size_t cellSize = preciseStep; cellSize < preciseCutoff; cellSize += preciseStep)67 for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) 68 68 sizeClassFor(cellSize).resetAllocator(); 69 69 70 for (size_t cellSize = impreciseStep; cellSize < impreciseCutoff; cellSize += impreciseStep)70 for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) 71 71 sizeClassFor(cellSize).resetAllocator(); 72 72 } … … 74 74 void MarkedSpace::canonicalizeCellLivenessData() 75 75 { 76 for (size_t cellSize = preciseStep; cellSize < preciseCutoff; cellSize += preciseStep)76 for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) 77 77 sizeClassFor(cellSize).zapFreeList(); 78 78 79 for (size_t cellSize = impreciseStep; cellSize < impreciseCutoff; cellSize += impreciseStep)79 for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) 80 80 sizeClassFor(cellSize).zapFreeList(); 81 81 } -
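Review bot: The six loops in the constructor, resetAllocator and canonicalizeCellLivenessData are the same two iterations over the precise and imprecise size classes, and this very change had to touch all six of them in lockstep, so a future edit that forgets one leaves a size class unreset or unzapped with no compiler help. I would factor the iteration into one private helper taking a pointer to a SizeClass member and have the two method-calling functions go through it, so the range — and the `<=` versus `<` question behind bug 69148 — lives in one place; the constructor, which assigns `cellSize` rather than calling a method, can keep its loops or get a second overload. The constructor's initializer list begins before the first line shown in the hunk.
```cpp
// Private helper; declare in MarkedSpace.h as: void forEachSizeClass(void (SizeClass::*)());
void MarkedSpace::forEachSizeClass(void (SizeClass::*member)())
{
    for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep)
        (sizeClassFor(cellSize).*member)();
    for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep)
        (sizeClassFor(cellSize).*member)();
}

void MarkedSpace::resetAllocator()
{
    // … unchanged: m_waterMark = 0 …
    forEachSizeClass(&SizeClass::resetAllocator);
}

void MarkedSpace::canonicalizeCellLivenessData()
{
    forEachSizeClass(&SizeClass::zapFreeList);
}
```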
trunk/Source/JavaScriptCore/heap/MarkedSpace.h
r95912 r96424 33 33 #include <wtf/Vector.h> 34 34 35 #define ASSERT_CLASS_FITS_IN_CELL(class) COMPILE_ASSERT(sizeof(class) < MarkedSpace::maxCellSize, class_fits_in_cell)35 #define ASSERT_CLASS_FITS_IN_CELL(class) COMPILE_ASSERT(sizeof(class) <= MarkedSpace::maxCellSize, class_fits_in_cell) 36 36 37 37 namespace JSC { … … 46 46 WTF_MAKE_NONCOPYABLE(MarkedSpace); 47 47 public: 48 static const size_t maxCellSize = 1024;48 static const size_t maxCellSize = 2048; 49 49 50 50 struct SizeClass { … … 79 79 80 80 private: 81 // [ 8, 16... 128 )81 // [ 32... 256 ] 82 82 static const size_t preciseStep = MarkedBlock::atomSize; 83 static const size_t preciseCutoff = 128; 84 static const size_t maximumPreciseAllocationSize = preciseCutoff - preciseStep; 85 static const size_t preciseCount = preciseCutoff / preciseStep - 1; 83 static const size_t preciseCutoff = 256; 84 static const size_t preciseCount = preciseCutoff / preciseStep; 86 85 87 // [ 128, 256... 1024 )86 // [ 512... 2048 ] 88 87 static const size_t impreciseStep = preciseCutoff; 89 88 static const size_t impreciseCutoff = maxCellSize; 90 static const size_t impreciseCount = impreciseCutoff / impreciseStep - 1;89 static const size_t impreciseCount = impreciseCutoff / impreciseStep; 91 90 92 SizeClass m_preciseSizeClasses[preciseCount];93 SizeClass m_impreciseSizeClasses[impreciseCount];91 FixedArray<SizeClass, preciseCount> m_preciseSizeClasses; 92 FixedArray<SizeClass, impreciseCount> m_impreciseSizeClasses; 94 93 size_t m_waterMark; 95 94 size_t m_highWaterMark; … … 114 113 inline MarkedSpace::SizeClass& MarkedSpace::sizeClassFor(size_t bytes) 115 114 { 116 ASSERT(bytes && bytes < maxCellSize);117 if (bytes <= maximumPreciseAllocationSize)115 ASSERT(bytes && bytes <= maxCellSize); 116 if (bytes <= preciseCutoff) 118 117 return m_preciseSizeClasses[(bytes - 1) / preciseStep]; 119 118 return m_impreciseSizeClasses[(bytes - 1) / impreciseStep];
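Review bot: The index computed in sizeClassFor is guarded only by `ASSERT(bytes && bytes <= maxCellSize)`, which compiles out of release builds, so an oversized request in a release build still indexes past m_impreciseSizeClasses — the same out-of-bounds read/write this change is fixing — unless FixedArray bounds-checks in release, which I do not believe it does. The new preciseCount and impreciseCount also quietly assume each cutoff is a multiple of its step: if MarkedBlock::atomSize did not divide 256, `(bytes - 1) / preciseStep` for a size just under preciseCutoff would equal preciseCount and overrun the array. I would pin that invariant at compile time next to the counts: `COMPILE_ASSERT(!(preciseCutoff % preciseStep), preciseCutoff_is_multiple_of_step);` and `COMPILE_ASSERT(!(impreciseCutoff % impreciseStep), impreciseCutoff_is_multiple_of_step);`. The range comments `// [ 32... 256 ]` and `// [ 512... 2048 ]` hard-code an atomSize of 32 that this hunk does not show; phrasing them as `// [ atomSize ... preciseCutoff ]` keeps them honest if atomSize changes. sizeClassFor's closing brace is outside the hunk.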