bmalloc: stress_aligned fails when allocating a zero-sized object with XLarge alignment

https://bugs.webkit.org/show_bug.cgi?id=155896

Reviewed by Andreas Kling.

We normally filter zero-sized allocations into small allocations, but
a zero-sized allocation can sneak through if it requires sufficiently
large alignment.

* bmalloc/Heap.cpp:
(bmalloc::Heap::tryAllocateXLarge): Set a floor on allocation size to
catch zero-sized allocations.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198680 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/bmalloc/ChangeLog b/Source/bmalloc/ChangeLog
index 401f45ddb36c6b83b10fbeb438bbac068fa9a548..0186ffaa97cd511247a6c67a7a829d55cfebe9ec 100644 (file)
--- a/Source/bmalloc/ChangeLog
+++ b/Source/bmalloc/ChangeLog
@@ -1,3 +1,18 @@
+2016-03-25  Geoffrey Garen  <ggaren@apple.com>
+
+        bmalloc: stress_aligned fails when allocating a zero-sized object with XLarge alignment
+        https://bugs.webkit.org/show_bug.cgi?id=155896
+
+        Reviewed by Andreas Kling.
+
+        We normally filter zero-sized allocations into small allocations, but
+        a zero-sized allocation can sneak through if it requires sufficiently
+        large alignment.
+
+        * bmalloc/Heap.cpp:
+        (bmalloc::Heap::tryAllocateXLarge): Set a floor on allocation size to
+        catch zero-sized allocations.
+
 2016-03-25  Geoffrey Garen  <ggaren@apple.com>
 
         bmalloc: Renamed LargeChunk => Chunk

diff --git a/Source/bmalloc/bmalloc/Heap.cpp b/Source/bmalloc/bmalloc/Heap.cpp
index 5bc7fdd7a0f5995332782206aa6e8fcc93edf47d..0365a5f4cb95af28d42ee9a00a2a21d673c21f65 100644 (file)
--- a/Source/bmalloc/bmalloc/Heap.cpp
+++ b/Source/bmalloc/bmalloc/Heap.cpp
@@ -429,6 +429,7 @@ void* Heap::tryAllocateXLarge(std::lock_guard<StaticMutex>&, size_t alignment, s
 
     m_isAllocatingPages = true;
 
+    size = std::max(vmPageSize, size);
     alignment = roundUpToMultipleOf<xLargeAlignment>(alignment);
 
     XLargeRange range = m_xLargeMap.takeFree(alignment, size);