From bd5abbc454552128ea3c9effce7d44cb58e86d20 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Thu, 1 Oct 2020 20:54:36 +0200
Subject: [PATCH] LibJS: Fix fatal mistake in HeapBlock::cell_from_possible_pointer()

When scanning for potential heap pointers during conservative GC, we look for any value that is an address somewhere inside a heap cell. However, we were failing to account for the slack at the end of a block (which occurs whenever the block storage size isn't an exact multiple of the cell size.) Pointers inside the trailing slack were misidentified as pointers into "last_cell+1". Instead of skipping over them, we would treat this garbage data as a live cell and try to mark it. I believe this is the test-js crash that has been terrorizing Travis for a while. :^)
---
 Libraries/LibJS/Heap/HeapBlock.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Libraries/LibJS/Heap/HeapBlock.h b/Libraries/LibJS/Heap/HeapBlock.h
index 6269ebd45d..3de49c5e28 100644
--- a/Libraries/LibJS/Heap/HeapBlock.h
+++ b/Libraries/LibJS/Heap/HeapBlock.h
@@ -64,6 +64,8 @@ public:
         if (pointer < reinterpret_cast(m_storage))
             return nullptr;
         size_t cell_index = (pointer - reinterpret_cast(m_storage)) / m_cell_size;
+        if (cell_index >= cell_count())
+            return nullptr;
         return cell(cell_index);
     }
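Review bot: The added upper-bound check on `cell_index` is correct, but nothing at the site explains why an address that passed the `pointer < m_storage` test can still fall outside every cell, and a future cleanup could "simplify" the guard away and reintroduce the bogus-cell mark; a comment on the new line such as `// Storage is not always a whole multiple of m_cell_size; pointers into the trailing slack must not resolve to a cell.` would pin the rationale. The guard is only as good as the agreement between `cell_count()` and the layout actually used for `m_storage`/`m_cell_size` (neither is visible in the hunk); if `cell_count()` is ever computed from a different size than the one the index divides by, slack pointers would again be handed to `cell()`, so the relationship deserves an assertion or a note where `cell_count()` is defined. Since this is conservative scanning, a pointer that lands on a valid index may still name a free or uninitialized cell — presumably the caller's mark path checks the cell's live state before dereferencing it; that should be confirmed outside this hunk. The enclosing cell_from_possible_pointer() signature starts outside the hunk, and the `reinterpret_cast(m_storage)` calls appear to have lost their template argument in this rendering rather than in the source.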