Changeset 25637 in webkit for trunk/JavaScriptCore/wtf/FastMalloc.cpp

Timestamp:

Sep 19, 2007, 3:07:19 AM (18 years ago)

Author:

bdash

Message:

2007-09-19 Mark Rowe <​[email protected]>

Reviewed by Maciej.

<rdar://problem/5487107> NULL dereference crash in FastMallocZone::enumerate when running leaks against Safari

Storing remote pointers to their local equivalents in mapped memory was leading to the local pointer being
interpreted as a remote pointer. This caused a crash when using the result of mapping this invalid remote pointer.
The fix is to follow the pattern used elsewhere in FastMallocZone by always doing the mapping after reading and
never storing the mapped pointer.

• wtf/FastMalloc.cpp: (WTF::FastMallocZone::enumerate):

File:

• trunk/JavaScriptCore/wtf/FastMalloc.cpp (modified) (2 diffs)

trunk/JavaScriptCore/wtf/FastMalloc.cpp

@@ -2476 +2476 @@
     void findFreeObjects(TCMalloc_ThreadCache* threadCache)
     {
-        for (; threadCache; threadCache = threadCache->next_)
+        for (; threadCache; threadCache = (threadCache->next_ ? m_reader(threadCache->next_) : 0))
             threadCache->enumerateFreeObjects(*this, m_reader);
     }
@@ -2594 +2594 @@
 
     TCMalloc_Central_FreeListPadded* centralCaches = memoryReader(mzone->m_centralCaches, sizeof(TCMalloc_Central_FreeListPadded) * kNumClasses);
-
-    // Rebuild the linked list in our address space, mapping over the remote pointers as needed
-    for (TCMalloc_ThreadCache* threadHeap = threadHeaps; threadHeap->next_; threadHeap = threadHeap->next_) {
-        threadHeap->next_ = memoryReader(threadHeap->next_);
-        threadHeap->next_->prev_ = threadHeap;
-    }
 
     FreeObjectFinder finder(memoryReader);