RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 12:48:10 +00:00
Code Issues Activity Actions

LibJS: Fix fatal mistake in HeapBlock::cell_from_possible_pointer()

Browse source 
When scanning for potential heap pointers during conservative GC,
we look for any value that is an address somewhere inside a heap cell.

However, we were failing to account for the slack at the end of a
block (which occurs whenever the block storage size isn't an exact
multiple of the cell size.) Pointers inside the trailing slack were
misidentified as pointers into "last_cell+1".

Instead of skipping over them, we would treat this garbage data as a
live cell and try to mark it. I believe this is the test-js crash that
has been terrorizing Travis for a while. :^)
This commit is contained in:
Andreas Kling 2020-10-01 20:54:36 +02:00
parent 0245e0f03a
commit bd5abbc454
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Libraries/LibJS/Heap/HeapBlock.h
View file

@ -64,6 +64,8 @@ public:
if (pointer < reinterpret_cast<FlatPtr>(m_storage))
return nullptr;
size_t cell_index = (pointer - reinterpret_cast<FlatPtr>(m_storage)) / m_cell_size;
if (cell_index >= cell_count())
return nullptr;
return cell(cell_index);
}