Diff
Modified: releases/WebKitGTK/webkit-2.12/Source/bmalloc/ChangeLog (200024 => 200025)
--- releases/WebKitGTK/webkit-2.12/Source/bmalloc/ChangeLog 2016-04-25 15:53:03 UTC (rev 200024)
+++ releases/WebKitGTK/webkit-2.12/Source/bmalloc/ChangeLog 2016-04-25 15:53:24 UTC (rev 200025)
@@ -1,5 +1,39 @@
2016-04-19 Geoffrey Garen <[email protected]>
+ bmalloc: fix up overflow checks
+ https://bugs.webkit.org/show_bug.cgi?id=156780
+
+ Reviewed by Mark Lam.
+
+ We used to try to avoid overflow in large object math by setting a very
+ high limit on the largest large object. But that's a bit error-prone
+ since the check is far away from the math that might overflow -- and
+ we were missing some cases.
+
+ This patch removes the limit and instead checks at each math site.
+
+ * bmalloc/Allocator.cpp:
+ (bmalloc::Allocator::tryAllocate):
+ (bmalloc::Allocator::allocate):
+ (bmalloc::Allocator::reallocate):
+ (bmalloc::Allocator::allocateSlowCase): Remove the limit. tryAllocateLarge
+ will check for overflow for us.
+
+ * bmalloc/Chunk.h: This ASSERT was just totally wrong.
+
+ * bmalloc/Heap.cpp:
+ (bmalloc::Heap::tryAllocateLarge): Check for overflow when adding.
+
+ * bmalloc/Sizes.h:
+
+ * bmalloc/VMAllocate.h:
+ (bmalloc::tryVMAllocate): Check for overflow when adding.
+
+ * bmalloc/VMHeap.cpp:
+ (bmalloc::VMHeap::tryAllocateLargeChunk): Check for overflow when adding.
+
+2016-04-19 Geoffrey Garen <[email protected]>
+
Unreviewed, try to fix an ASSERT seen on the bots.
* bmalloc/Heap.cpp:
Modified: releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Allocator.cpp (200024 => 200025)
--- releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Allocator.cpp 2016-04-25 15:53:03 UTC (rev 200024)
+++ releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Allocator.cpp 2016-04-25 15:53:24 UTC (rev 200025)
@@ -58,12 +58,8 @@
if (size <= smallMax)
return allocate(size);
- if (size <= largeMax) {
- std::lock_guard<StaticMutex> lock(PerProcess<Heap>::mutex());
- return PerProcess<Heap>::getFastCase()->tryAllocateLarge(lock, alignment, size);
- }
-
- return nullptr;
+ std::lock_guard<StaticMutex> lock(PerProcess<Heap>::mutex());
+ return PerProcess<Heap>::getFastCase()->tryAllocateLarge(lock, alignment, size);
}
void* Allocator::allocate(size_t alignment, size_t size)
@@ -83,13 +79,8 @@
if (size <= smallMax && alignment <= smallMax)
return allocate(roundUpToMultipleOf(alignment, size));
- if (size <= largeMax && alignment <= largeMax / 2) {
- std::lock_guard<StaticMutex> lock(PerProcess<Heap>::mutex());
- return PerProcess<Heap>::getFastCase()->allocateLarge(lock, alignment, size);
- }
-
- BCRASH();
- return nullptr;
+ std::lock_guard<StaticMutex> lock(PerProcess<Heap>::mutex());
+ return PerProcess<Heap>::getFastCase()->allocateLarge(lock, alignment, size);
}
void* Allocator::reallocate(void* object, size_t newSize)
@@ -193,11 +184,7 @@
if (size <= smallMax)
return allocateLogSizeClass(size);
- if (size <= largeMax)
- return allocateLarge(size);
-
- BCRASH();
- return nullptr;
+ return allocateLarge(size);
}
} // namespace bmalloc
Modified: releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Chunk.h (200024 => 200025)
--- releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Chunk.h 2016-04-25 15:53:03 UTC (rev 200024)
+++ releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Chunk.h 2016-04-25 15:53:24 UTC (rev 200025)
@@ -56,8 +56,6 @@
std::array<SmallPage, chunkSize / smallPageSize> m_pages;
};
-static_assert(sizeof(Chunk) + largeMax <= chunkSize, "largeMax is too big");
-
struct ChunkHash {
static unsigned hash(Chunk* key)
{
Modified: releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Heap.cpp (200024 => 200025)
--- releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Heap.cpp 2016-04-25 15:53:03 UTC (rev 200024)
+++ releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Heap.cpp 2016-04-25 15:53:24 UTC (rev 200025)
@@ -342,13 +342,18 @@
void* Heap::tryAllocateLarge(std::lock_guard<StaticMutex>& lock, size_t alignment, size_t size)
{
- BASSERT(size <= largeMax);
- BASSERT(alignment <= largeMax / 2);
BASSERT(isPowerOfTwo(alignment));
- size = size ? roundUpToMultipleOf(largeAlignment, size) : largeAlignment;
- alignment = roundUpToMultipleOf<largeAlignment>(alignment);
+ size_t roundedSize = size ? roundUpToMultipleOf(largeAlignment, size) : largeAlignment;
+ if (roundedSize < size) // Check for overflow
+ return nullptr;
+ size = roundedSize;
+ size_t roundedAlignment = roundUpToMultipleOf<largeAlignment>(alignment);
+ if (roundedAlignment < alignment) // Check for overflow
+ return nullptr;
+ alignment = roundedAlignment;
+
XLargeRange range = m_largeFree.remove(alignment, size);
if (!range) {
range = m_vmHeap.tryAllocateLargeChunk(lock, alignment, size);
Modified: releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Sizes.h (200024 => 200025)
--- releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Sizes.h 2016-04-25 15:53:03 UTC (rev 200024)
+++ releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Sizes.h 2016-04-25 15:53:24 UTC (rev 200025)
@@ -64,7 +64,6 @@
static const size_t largeAlignment = smallMax / pageSizeWasteFactor;
static const size_t largeAlignmentMask = largeAlignment - 1;
- static const size_t largeMax = std::numeric_limits<size_t>::max() - largeAlignment; // Make sure that rounding up to largeAlignment does not overflow.
static const size_t deallocatorLogCapacity = 256;
static const size_t bumpRangeCacheCapacity = 3;
Modified: releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/VMAllocate.h (200024 => 200025)
--- releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/VMAllocate.h 2016-04-25 15:53:03 UTC (rev 200024)
+++ releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/VMAllocate.h 2016-04-25 15:53:24 UTC (rev 200025)
@@ -145,7 +145,10 @@
vmValidate(vmSize);
vmValidate(vmAlignment);
- size_t mappedSize = vmAlignment - vmPageSize() + vmSize;
+ size_t mappedSize = vmAlignment + vmSize;
+ if (mappedSize < vmAlignment || mappedSize < vmSize) // Check for overflow
+ return nullptr;
+
char* mapped = static_cast<char*>(tryVMAllocate(mappedSize));
if (!mapped)
return nullptr;
Modified: releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/VMHeap.cpp (200024 => 200025)
--- releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/VMHeap.cpp 2016-04-25 15:53:03 UTC (rev 200024)
+++ releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/VMHeap.cpp 2016-04-25 15:53:24 UTC (rev 200025)
@@ -33,9 +33,16 @@
{
// We allocate VM in aligned multiples to increase the chances that
// the OS will provide contiguous ranges that we can merge.
- alignment = roundUpToMultipleOf<chunkSize>(alignment);
- size = roundUpToMultipleOf<chunkSize>(size);
+ size_t roundedAlignment = roundUpToMultipleOf<chunkSize>(alignment);
+ if (roundedAlignment < alignment) // Check for overflow
+ return XLargeRange();
+ alignment = roundedAlignment;
+ size_t roundedSize = roundUpToMultipleOf<chunkSize>(size);
+ if (roundedSize < size) // Check for overflow
+ return XLargeRange();
+ size = roundedSize;
+
void* memory = tryVMAllocate(alignment, size);
if (!memory)
return XLargeRange();
