From 002fb23a0ebb914d0219fa41b7443866f44fe3b0 Mon Sep 17 00:00:00 2001
From: Mike Hommey
Date: Fri, 11 Jan 2013 12:24:31 +0100
Subject: [PATCH] Bug 828894 - Fix possible off-by-one-page in custom linker. r=nfroyd
--HG--
extra : rebase_source : 7bdafcec8108b001bf2b817bd2c4b293a0dbee2e
---
 mozglue/linker/Mappable.cpp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/mozglue/linker/Mappable.cpp b/mozglue/linker/Mappable.cpp
index f92a44c7ca5..32c01769d62 100644
--- a/mozglue/linker/Mappable.cpp
+++ b/mozglue/linker/Mappable.cpp
@@ -197,12 +197,13 @@ public:
 /* The Gecko crash reporter is confused by adjacent memory mappings of
 * the same file. On Android, subsequent mappings are growing in memory
 * address, and chances are we're going to map from the same file
- * descriptor right away. Allocate one page more than requested so that
- * there is a gap between this mapping and the subsequent one. */
+ * descriptor right away. To avoid problems with the crash reporter,
+ * create an empty anonymous page after the ashmem mapping. To do so,
+ * allocate one page more than requested, then replace the last page with
+ * an anonymous mapping. */
 void *buf = ::mmap(NULL, length + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
 if (buf != MAP_FAILED) {
- /* Actually create the gap with anonymous memory */
- ::mmap(reinterpret_cast(buf) + ((length + PAGE_SIZE) & PAGE_MASK),
+ ::mmap(reinterpret_cast(buf) + ((length + PAGE_SIZE - 1) & PAGE_MASK),
 PAGE_SIZE, PROT_NONE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
 debug("Decompression buffer of size %d in ashmem \"%s\", mapped @%p",
@@ -248,7 +249,7 @@ public:
 #ifdef ANDROID
 ~_MappableBuffer() {
 /* Free the additional page we allocated. See _MappableBuffer::Create */
- ::munmap(*this + ((GetLength() + PAGE_SIZE) & ~(PAGE_SIZE - 1)), PAGE_SIZE);
+ ::munmap(*this + ((GetLength() + PAGE_SIZE - 1) & PAGE_MASK), PAGE_SIZE);
 }
 #endif
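Review bot: The MAP_FIXED anonymous `::mmap` on the added line is still called as a bare statement with its result discarded, so if it fails the last page remains a writable view of the ashmem file and the PROT_NONE gap the new comment promises silently does not exist; checking it, e.g. `if (::mmap(/* same args */) == MAP_FAILED) debug("Guard page after ashmem buffer not created")` (using the same `debug()` as the following line, or treating it as a Create failure), would make that visible. The rounding `(length + PAGE_SIZE - 1) & PAGE_MASK` is now spelled out both here and in the destructor hunk at `@@ -248,7 +249,7 @@`, and since the bug being fixed was precisely these two copies drifting apart (`PAGE_MASK` versus `~(PAGE_SIZE - 1)`), a single helper such as `static size_t GuardPageOffset(size_t length) { return (length + PAGE_SIZE - 1) & PAGE_MASK; }` called from both sites (assuming `length` and `GetLength()` are `size_t`) would keep them from diverging again. `length + PAGE_SIZE - 1` inherits the unchecked addition already present in the first `::mmap`'s `length + PAGE_SIZE`, so a `length` close to the type's maximum would wrap before rounding; this is not introduced by the commit, but is worth a bounds check at the caller if none exists. The enclosing function (Create, per the destructor's comment) starts and ends outside the hunk.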