Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f209caf4db1270c6d2d54161c9fb0cb842f4be8d
      
https://github.com/WebKit/WebKit/commit/f209caf4db1270c6d2d54161c9fb0cb842f4be8d
  Author: Marcus Plutowski <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M Source/bmalloc/libpas/src/libpas/pas_large_heap.c
    M Source/bmalloc/libpas/src/libpas/pas_small_large_map_entry.h
    M Source/bmalloc/libpas/src/libpas/pas_tiny_large_map_entry.h

  Log Message:
  -----------
  [libpas] Make pas_{small,tiny}_large_map_entry aware of delegation
https://bugs.webkit.org/show_bug.cgi?id=308695
rdar://170300268

Reviewed by Daniel Liu.

When non-delegated allocations are stored in the large-heap, it is
possible that their metadata will be stored in the tiny_large_map
or the small_large_map, which are compressed versions of the normal
large-map.
When this happens, we need to ensure that at the point the large-map
reconstructs a large_map_entry from the compressed contents of those
heaps, it populates all fields in the entry, as the entry is not
guaranteed to be zero-filled beforehand. Previously, the
delegated_to_system_malloc field was not populated, and could thus
contain garbage from the stack, sometimes leading to libpas
asking libmalloc to free objects that were actually allocated via
libpas. This would always cause an immediate crash.
This also makes it clear that delegated allocations cannot be tracked
through the small/tiny large_map variants.

Canonical link: https://commits.webkit.org/308296@main
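The defect class described in the commit message (an output struct reconstructed from a compressed record without every field being written, so a stale byte decides whether a free goes to the wrong allocator) is easy to reproduce in isolation. The following C program is an added illustration, not code from WebKit or libpas: all of the types and functions (`demo_large_map_entry`, `demo_compressed_entry`, `demo_decompress_buggy`, `demo_decompress_fixed`, `demo_observe_flag`, `demo_observe_end`) are hypothetical stand-ins, the compressed record deliberately carries no delegation flag to mirror the point that the small/tiny variants cannot represent delegated allocations, and the "stale stack contents" are simulated by poisoning the output struct before the call.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a large-map entry.
   The real libpas structs are not reproduced here. */
typedef struct {
    uintptr_t begin;
    uintptr_t end;
    uint8_t delegated_to_system_malloc; /* 0 = owned by this allocator */
} demo_large_map_entry;

/* Hypothetical compressed record: range only, no delegation flag, so a
   delegated allocation cannot be represented in this form at all. */
typedef struct {
    uint32_t begin_page;
    uint32_t num_pages;
} demo_compressed_entry;

#define DEMO_PAGE_SIZE 4096u

/* Buggy reconstruction: delegated_to_system_malloc is never written, so
   the caller sees whatever the output struct held before the call. */
static void demo_decompress_buggy(const demo_compressed_entry* in,
                                  demo_large_map_entry* out)
{
    out->begin = (uintptr_t)in->begin_page * DEMO_PAGE_SIZE;
    out->end = out->begin + (uintptr_t)in->num_pages * DEMO_PAGE_SIZE;
}

/* Fixed reconstruction: every field of the entry is assigned, so stale
   contents of the output can never leak into the free path. */
static void demo_decompress_fixed(const demo_compressed_entry* in,
                                  demo_large_map_entry* out)
{
    out->begin = (uintptr_t)in->begin_page * DEMO_PAGE_SIZE;
    out->end = out->begin + (uintptr_t)in->num_pages * DEMO_PAGE_SIZE;
    out->delegated_to_system_malloc = 0; /* compressed form is never delegated */
}

/* Reconstructs a constructed record into a poisoned (non-zero-filled)
   output struct and returns the entry as the caller would observe it. */
static demo_large_map_entry demo_reconstruct(bool use_fixed)
{
    demo_compressed_entry c = { .begin_page = 10, .num_pages = 3 }; /* constructed */
    demo_large_map_entry e;
    memset(&e, 0xAA, sizeof e); /* stand-in for garbage left on the stack */
    if (use_fixed)
        demo_decompress_fixed(&c, &e);
    else
        demo_decompress_buggy(&c, &e);
    return e;
}

/* 1 if the free path would hand the object to the system allocator. */
static int demo_observe_flag(bool use_fixed)
{
    return demo_reconstruct(use_fixed).delegated_to_system_malloc != 0;
}

/* End address of the reconstructed range; identical for both variants. */
static uintptr_t demo_observe_end(bool use_fixed)
{
    return demo_reconstruct(use_fixed).end;
}

int main(void)
{
    printf("buggy: delegated=%d end=%lu\n", demo_observe_flag(false),
           (unsigned long)demo_observe_end(false));
    printf("fixed: delegated=%d end=%lu\n", demo_observe_flag(true),
           (unsigned long)demo_observe_end(true));
    return 0;
}
```

The range fields agree in both variants, which is why the bug is invisible to any check that only validates addresses; only the untouched flag differs, and it is exactly that flag that selects which allocator is asked to free the object. The general defensive pattern is the one the commit applies: a function that fills in a caller-provided struct from a narrower representation must assign every field, including the ones the narrower representation cannot express.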
