Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c6894f128e9bac5871ad6e72574a9f60102974e0
https://github.com/WebKit/WebKit/commit/c6894f128e9bac5871ad6e72574a9f60102974e0
Author: Dan Hecht <[email protected]>
Date: 2024-06-24 (Mon, 24 Jun 2024)
Changed paths:
M Source/bmalloc/libpas/src/libpas/pas_bitfit_heap.c
M Source/bmalloc/libpas/src/libpas/pas_segregated_heap.c
M Source/bmalloc/libpas/src/test/BmallocTests.cpp
Log Message:
-----------
[libpas] pas_segregated_heap_ensure_size_directory_for_size/check_medium_directories assert fail due to creating overlapping directories
https://bugs.webkit.org/show_bug.cgi?id=275820
rdar://129774839
Reviewed by Yusuke Suzuki.
There are some edge cases that can cause
pas_segregated_heap_ensure_size_directory_for_size()
to create a new directory that overlaps the next largest directory, i.e.
the new directory's object_size index is greater than the next largest's
min_index. One case in which this can occur is after entering mini mode,
which forces bitfit. A side effect of that is that the "ideal object size"
computation changes, which can lead to this overlap.
There are three possible solutions:
1. Extend the directory for the next largest size class (candidate) down
to the new install_index. However, this solution can lead to
pathologically large directories if given a particular sequence of
allocates. This is because then the candidate is extended based on the
min_index, which then could continue decreasing after each allocate.
Normally, size classes are extended based only on the candidate's
object_size, which doesn't change once the directory is created.
2. Trim the lower bound of the next biggest directory (candidate) if the
new directory would overlap the candidate min_index. This appears to be
unsafe if the candidate is bitfit given the comment in the code that does
similar trimming for result.
    /* Bitfit size directories claim super high alignment, so they should
       never get replaced. This is a hard requirement, since:
       - pas_bitfit_size_class is allocated as part of the
         pas_segregated_size_directory.
       - We cannot add duplicate bitfit_size_classes, so if we ever tried
         to replace a segregated_size_directory with another one of the
         same size, and they both had bitfit_size_classes, then we'd be in
         trouble. */
    PAS_ASSERT(!pas_segregated_size_directory_is_bitfit(result));
3. Cap the new directory's object_size at the next largest directory's
min_index. Bumping of the new directory's object_size to the ideal
object size appears to be an optimization and so it is safe to not do
this if it would create overlapping directories.
Some of the existing libpas chaos test cases do hit this case, but it
goes unnoticed because the overlapping directories are small, not medium.
The assert that made this problem apparent is only for medium directories
(to verify their index can be binary searched). While this doesn't cause
an assert with small directories, it seems that overlapping directories
should not be allowed for small directories either as it can lead to
inconsistencies. For example, if the index tables need to be
dematerialized we may index to a different set of directories than were
indexed previously.
So I've added a libpas test case that does trigger the medium directory
assert without this fix.
* Source/bmalloc/libpas/src/libpas/pas_bitfit_heap.c:
(pas_bitfit_heap_select_variant):
* Source/bmalloc/libpas/src/libpas/pas_segregated_heap.c:
(pas_segregated_heap_ensure_size_directory_for_size):
* Source/bmalloc/libpas/src/test/BmallocTests.cpp:
(std::testBmallocForceBitfitAfterAlloc):
(addBmallocTests):
Canonical link: https://commits.webkit.org/280317@main
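The overlap the commit describes and the cap of solution 3, as a simplified model added here (this is not libpas code; the half-open [min_index, end_index) representation, the sorted array and the ideal_end input standing in for the "ideal object size" bump are all assumptions):

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model, not libpas code: a size directory serves the index range
   [min_index, end_index); the array stays sorted by min_index so lookups can
   binary search it, which is the property the medium-directory assert checks. */
typedef struct { unsigned min_index, end_index; } model_directory;

#define MODEL_MAX_DIRECTORIES 16
typedef struct { model_directory dirs[MODEL_MAX_DIRECTORIES]; size_t count; } model_heap;

/* The invariant the commit restores: neighbouring directories never overlap. */
bool model_directories_disjoint(const model_heap *heap)
{
    for (size_t i = 1; i < heap->count; ++i)
        if (heap->dirs[i - 1].end_index > heap->dirs[i].min_index) return false;
    return true;
}

/* Binary search for the directory serving idx (-1 if none); only trustworthy
   when model_directories_disjoint() holds. */
int model_lookup(const model_heap *heap, unsigned idx)
{
    size_t lo = 0, hi = heap->count; /* first directory with min_index > idx */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (heap->dirs[mid].min_index <= idx) lo = mid + 1; else hi = mid;
    }
    return (lo > 0 && idx < heap->dirs[lo - 1].end_index) ? (int)(lo - 1) : -1;
}

/* Install a directory at install_index. ideal_end stands in for the "ideal
   object size" bump (assumed input; libpas derives it, and the commit notes it
   changes once mini mode forces bitfit). cap_to_next applies solution 3: the
   new directory never extends past the next largest directory's min_index. */
bool model_ensure_directory(model_heap *heap, unsigned install_index,
                            unsigned ideal_end, bool cap_to_next)
{
    if (heap->count >= MODEL_MAX_DIRECTORIES || ideal_end <= install_index) return false;
    size_t pos = 0; /* sorted insertion point: first directory above install_index */
    while (pos < heap->count && heap->dirs[pos].min_index <= install_index) ++pos;
    if (pos > 0 && install_index < heap->dirs[pos - 1].end_index) return true; /* served */
    unsigned end = ideal_end;
    if (cap_to_next && pos < heap->count && end > heap->dirs[pos].min_index)
        end = heap->dirs[pos].min_index;
    for (size_t i = heap->count; i > pos; --i) heap->dirs[i] = heap->dirs[i - 1];
    heap->dirs[pos] = (model_directory){ install_index, end };
    heap->count++;
    return true;
}
```

Installing a directory below an existing one with cap_to_next set to false reproduces the overlap the assert catches; with it enabled the upper bound stops at the neighbour's min_index and the binary-search lookup stays consistent with the directory list.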
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes