Title: [160004] trunk/Source/_javascript_Core
- Revision: 160004
- Author: [email protected]
- Date: 2013-12-03 09:09:54 -0800 (Tue, 03 Dec 2013)
Log Message
testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
https://bugs.webkit.org/show_bug.cgi?id=121972
Patch by [email protected] <[email protected]> on 2013-12-03
Reviewed by Michael Saboff.
The reason for the crash is that the wrong memory block is decommitted.
This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.
* interpreter/JSStack.cpp:
(JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.
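The failure mode described in the log message, as an added example that is not WebKit code: a reservation that never committed anything sits directly before another region, and a decommit request of size zero starting at the end of the first reservation takes out the whole neighbour. No Win32 API is called; `model_decommit` is a constructed stand-in that implements the VirtualFree(MEM_DECOMMIT) rule the message cites (size 0 means "decommit the entire region that starts at this address"), and the two region records are constructed sample data. The two `destroy_stack_*` functions mirror the destructor logic before and after the patch; the names `commitEnd`/`highAddress` follow the diff, everything else is assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not JavaScriptCore code. Models a reserved-but-uncommitted
 * JSStack block followed by an in-use reservation, and the VirtualFree rule
 * the commit message describes: MEM_DECOMMIT with size 0 decommits the whole
 * region that begins at the given address. */

#define PAGE 4096u
#define REGION_PAGES 4

struct region {
    const char *name;
    uintptr_t base;                         /* first address of the reservation */
    size_t size;                            /* bytes reserved */
    unsigned char committed[REGION_PAGES];  /* 1 = page committed (constructed state) */
};

/* Constructed layout: the stack reservation, then whatever was placed right after it. */
static struct region g_regions[2];

static void reset_regions(void)
{
    memset(g_regions, 0, sizeof g_regions);
    g_regions[0].name = "jsstack";
    g_regions[0].base = 0x10000000u;
    g_regions[0].size = REGION_PAGES * PAGE;
    g_regions[1].name = "neighbour";
    g_regions[1].base = g_regions[0].base + g_regions[0].size;   /* adjacent */
    g_regions[1].size = REGION_PAGES * PAGE;
    memset(g_regions[1].committed, 1, REGION_PAGES);             /* neighbour is live */
}

/* Stand-in for VirtualFree(addr, size, MEM_DECOMMIT), assumed semantics per the page:
 * size == 0 decommits the entire region whose base is addr; otherwise pages in range. */
static void model_decommit(uintptr_t addr, size_t size)
{
    for (size_t i = 0; i < 2; i++) {
        struct region *r = &g_regions[i];
        if (size == 0) {
            if (r->base == addr)
                memset(r->committed, 0, REGION_PAGES);
            continue;
        }
        for (size_t p = 0; p < REGION_PAGES; p++) {
            uintptr_t page = r->base + p * PAGE;
            if (page >= addr && page < addr + size)
                r->committed[p] = 0;
        }
    }
}

/* Destructor logic before the patch: always decommit [commitEnd, highAddress). */
static void destroy_stack_before(uintptr_t commitEnd)
{
    uintptr_t highAddress = g_regions[0].base + g_regions[0].size;
    model_decommit(commitEnd, highAddress - commitEnd);
}

/* Destructor logic after the patch: skip the call when nothing was committed. */
static void destroy_stack_after(uintptr_t commitEnd)
{
    uintptr_t highAddress = g_regions[0].base + g_regions[0].size;
    if (highAddress > commitEnd)
        model_decommit(commitEnd, highAddress - commitEnd);
}

static int committed_pages(const struct region *r)
{
    int n = 0;
    for (size_t p = 0; p < REGION_PAGES; p++)
        n += r->committed[p];
    return n;
}

/* Stack never committed anything, so commitEnd == highAddress. Returns how many
 * of the neighbour's pages are still committed afterwards. */
static int neighbour_pages_left(int use_fixed_destructor)
{
    reset_regions();
    uintptr_t untouchedCommitEnd = g_regions[0].base + g_regions[0].size;
    if (use_fixed_destructor)
        destroy_stack_after(untouchedCommitEnd);
    else
        destroy_stack_before(untouchedCommitEnd);
    return committed_pages(&g_regions[1]);
}

/* Stack grew downward by two pages from the top; both versions must release them. */
static int stack_pages_left_after_partial_commit(int use_fixed_destructor)
{
    reset_regions();
    g_regions[0].committed[REGION_PAGES - 1] = 1;
    g_regions[0].committed[REGION_PAGES - 2] = 1;
    uintptr_t commitEnd = g_regions[0].base + g_regions[0].size - 2 * PAGE;
    if (use_fixed_destructor)
        destroy_stack_after(commitEnd);
    else
        destroy_stack_before(commitEnd);
    return committed_pages(&g_regions[0]);
}

int main(void)
{
    printf("neighbour pages left, old destructor: %d\n", neighbour_pages_left(0));
    printf("neighbour pages left, new destructor: %d\n", neighbour_pages_left(1));
    printf("stack pages left after partial commit, new destructor: %d\n",
           stack_pages_left_after_partial_commit(1));
    return 0;
}
```

The old destructor path reports zero neighbour pages left: the zero-length request lands on the neighbour's base and wipes it, which is the later crash on access. The guarded path leaves the neighbour alone while still decommitting a partially committed stack normally.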
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (160003 => 160004)
--- trunk/Source/_javascript_Core/ChangeLog 2013-12-03 15:53:32 UTC (rev 160003)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-12-03 17:09:54 UTC (rev 160004)
@@ -1,3 +1,19 @@
+2013-12-03 [email protected] <[email protected]>
+
+ testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
+ https://bugs.webkit.org/show_bug.cgi?id=121972
+
+ Reviewed by Michael Saboff.
+
+ The reason for the crash is that the wrong memory block is decommitted.
+ This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
+ In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
+ If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block,
+ if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.
+
+ * interpreter/JSStack.cpp:
+ (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.
+
2013-12-03 László Langó <[email protected]>
Guard JIT include.
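Review bot: the JSStack.cpp line of this entry ("Don't decommit memory if nothing has been committed") does not state the invariant the new guard relies on, namely that m_commitEnd equals highAddress when nothing has been committed, so the decommit size in the destructor is exactly zero in that case. Spelling that out, and noting that the guard is a strict `highAddress > m_commitEnd` rather than an equality test, would let a reader check the fix against the VirtualFree behaviour described above without opening the source.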
Modified: trunk/Source/_javascript_Core/interpreter/JSStack.cpp (160003 => 160004)
--- trunk/Source/_javascript_Core/interpreter/JSStack.cpp 2013-12-03 15:53:32 UTC (rev 160003)
+++ trunk/Source/_javascript_Core/interpreter/JSStack.cpp 2013-12-03 17:09:54 UTC (rev 160004)
@@ -63,8 +63,10 @@
JSStack::~JSStack()
{
void* highAddress = reinterpret_cast<void*>(static_cast<char*>(m_reservation.base()) + m_reservation.size());
- m_reservation.decommit(reinterpret_cast<void*>(m_commitEnd), reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd));
- addToCommittedByteCount(-(reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd)));
+ if (highAddress > m_commitEnd) {
+ m_reservation.decommit(reinterpret_cast<void*>(m_commitEnd), reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd));
+ addToCommittedByteCount(-(reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd)));
+ }
m_reservation.deallocate();
}
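Review bot: the size `reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd)` is now written three times in this hunk (the comparison, the decommit call and the byte-count update); computing it once into a local and testing that local for being positive would keep the guard and the two uses from drifting apart, e.g. `intptr_t decommitSize = reinterpret_cast<intptr_t>(highAddress) - reinterpret_cast<intptr_t>(m_commitEnd); if (decommitSize > 0) { m_reservation.decommit(..., decommitSize); addToCommittedByteCount(-decommitSize); }`. The caller-side check fixes this call site, but the zero-length request is dangerous at the platform layer regardless of who issues it; consider also having `m_reservation.decommit()` treat a zero-size request as a no-op so any other caller cannot reach VirtualFree with a size of zero.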
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes