UserspaceEmulator: Don't assume entire malloc block is chunked

Accesses in the header (or trailing padding) of a malloc block should not be associated with any mallocation since only the chunk-sized slots actually get returned by malloc. Basically, allow address-to-chunk lookup to fail, and handle such failures gracefully at call sites. Fixes #5706.
2025-07-26 19:17:35 +00:00 · 2021-03-09 13:27:05 +01:00 · 2021-03-09 13:27:05 +01:00 · 1381720d1d
commit 1381720d1d
parent 38fc522f5d
2 changed files with 27 additions and 13 deletions
--- a/Userland/DevTools/UserspaceEmulator/MallocTracer.h
+++ b/Userland/DevTools/UserspaceEmulator/MallocTracer.h
@ -60,8 +60,8 @@ public:
    FlatPtr address { 0 };
    size_t chunk_size { 0 };

-    size_t chunk_index_for_address(FlatPtr) const;
-    Mallocation& mallocation_for_address(FlatPtr) const;
+    Optional<size_t> chunk_index_for_address(FlatPtr) const;
+    Mallocation* mallocation_for_address(FlatPtr) const;

    Vector<Mallocation> mallocations;
 };
@ -103,11 +103,14 @@ ALWAYS_INLINE Mallocation* MallocTracer::find_mallocation(const Region& region,
    auto* malloc_data = static_cast<MmapRegion&>(const_cast<Region&>(region)).malloc_metadata();
    if (!malloc_data)
        return nullptr;
-    auto& mallocation = malloc_data->mallocation_for_address(address);
-    if (!mallocation.used)
+    auto* mallocation = malloc_data->mallocation_for_address(address);
+    if (!mallocation)
        return nullptr;
-    VERIFY(mallocation.contains(address));
-    return &mallocation;
+    if (!mallocation->used)
+        return nullptr;
+    if (!mallocation->contains(address))
+        return nullptr;
+    return mallocation;
 }

 }