diff options
| author | Anton Lapounov <antonl@microsoft.com> | 2020-01-08 02:12:25 -0800 |
|---|---|---|
| committer | Alexander Soldatov/AI Compiler Lab /SRR/Staff Engineer/Samsung Electronics <soldatov.a@samsung.com> | 2020-01-09 16:48:46 +0300 |
| commit | ba8e26eadf1a6f3534f5ef902e4045ad8b924809 (patch) | |
| tree | 6d3750416159957bd4605c07c36c8e3d191ee512 | |
| parent | 41b5d8ca351af198d29e1cbe0c56123eddd4f5b6 (diff) | |
| download | coreclr-ba8e26eadf1a6f3534f5ef902e4045ad8b924809.tar.gz coreclr-ba8e26eadf1a6f3534f5ef902e4045ad8b924809.tar.bz2 coreclr-ba8e26eadf1a6f3534f5ef902e4045ad8b924809.zip | |
Fix GC heap corruption on ARM. (#1389)submit/tizen_5.5/20200120.050447accepted/tizen/5.5/unified/20200121.031421
The allocate_in_free code path in allocate_in_expanded_heap incorrectly calculated the large (double) alignment padding size when limiting the plug size (SHORT_PLUGS) if set_padding_on_saved_p was true:
set_padding_in_expand (old_loc, set_padding_on_saved_p, pinned_plug_entry); // Sets the padding flag on the saved plug
...
pad += switch_alignment_size (is_plug_padded (old_loc)); // Reads the padding flag from the old (different!) plug
That caused access violation during a later heap walk since the g_gc_pFreeObjectMethodTable pointer marking the gap was not placed at the right address.
Change-Id: I10a5fa443b3f5a614909983cd3c06d5420d22858
| -rw-r--r-- | src/gc/gc.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gc/gc.cpp b/src/gc/gc.cpp index f49366474e..f13cf1731d 100644 --- a/src/gc/gc.cpp +++ b/src/gc/gc.cpp @@ -14961,7 +14961,7 @@ allocate_in_free: #else // FEATURE_STRUCTALIGN if (!((old_loc == 0) || same_large_alignment_p (old_loc, result+pad))) { - pad += switch_alignment_size (is_plug_padded (old_loc)); + pad += switch_alignment_size (pad != 0); set_node_realigned (old_loc); dprintf (3, ("Allocation realignment old_loc: %Ix, new_loc:%Ix", (size_t)old_loc, (size_t)(result+pad))); |