Revert "Fix bogus math in object allocation."

This reverts commit 0bc4d60fe0. Reason for revert: https://chromium-swarm.appspot.com/task?id=38007b6df51fef10&refresh=10 terminate called after throwing an instance of 'std::bad_alloc' what(): std::bad_alloc Caught signal 6 [Aborted], was running: 8888 image scanline_kNonNative_premul interlaced3.png unit test ArenaAllocReallyBigAlloc unit test ClampRange 565 image scaled_codec_premul_0.200 interlaced3.png_0.200 unit test ClipStack Likely culprit: unit test ArenaAllocReallyBigAlloc Stack trace: /mnt/pd0/s/w/ir/out/Debug/dm(+0x2381c1) [0x567aa1c1] linux-gate.so.1(__kernel_sigreturn+0) [0xf770cca0] linux-gate.so.1(__kernel_vsyscall+0x9) [0xf770cc89] /lib/i386-linux-gnu/libc.so.6(gsignal+0xb0) [0xf7027dc0] /lib/i386-linux-gnu/libc.so.6(abort+0x157) [0xf7029287] /usr/lib/i386-linux-gnu/libstdc++.so.6(_ZN9__gnu_cxx27__verbose_terminate_handlerEv+0x16f) [0xf729d2ff] /usr/lib/i386-linux-gnu/libstdc++.so.6(+0x71ea4) [0xf729aea4] /usr/lib/i386-linux-gnu/libstdc++.so.6(+0x71f1d) [0xf729af1d] /usr/lib/i386-linux-gnu/libstdc++.so.6(__cxa_rethrow+0) [0xf729b1d0] /usr/lib/i386-linux-gnu/libstdc++.so.6(+0x727ff) [0xf729b7ff] /usr/lib/i386-linux-gnu/libstdc++.so.6(_Znaj+0x18) [0xf729b898] /mnt/pd0/s/w/ir/out/Debug/dm(_ZN12SkArenaAlloc11ensureSpaceEjj+0xa0) [0x56f113a6] /mnt/pd0/s/w/ir/out/Debug/dm(+0x3c2462) [0x56934462] /mnt/pd0/s/w/ir/out/Debug/dm(+0x239acb) [0x567abacb] /mnt/pd0/s/w/ir/out/Debug/dm(+0x239bdc) [0x567abbdc] /mnt/pd0/s/w/ir/out/Debug/dm(+0xa6417b) [0x56fd617b] /mnt/pd0/s/w/ir/out/Debug/dm(_ZNKSt8functionIFvvEEclEv+0x20) [0x56f10504] /mnt/pd0/s/w/ir/out/Debug/dm(_ZN12SkThreadPool4LoopEPv+0x298) [0x56f10bdb] /mnt/pd0/s/w/ir/out/Debug/dm(+0xb39700) [0x570ab700] /lib/i386-linux-gnu/libpthread.so.0(+0x627a) [0xf76df27a] /lib/i386-linux-gnu/libc.so.6(clone+0x66) [0xf70e3b56] Aborted Command exited with code 134 Original change's description: > Fix bogus math in object allocation. > > When a size_t is convert from a very large number to ptrdiff_t, it > becomes negative causing the existing block to be used instead of > allocating a new block. > > BUG=chromium:744109 > > Change-Id: I0bf98e3fb924851c162f6eca43d29a3f40dc9eaa > Reviewed-on: https://skia-review.googlesource.com/34541 > Reviewed-by: Ben Wagner <bungeman@google.com> > Commit-Queue: Herb Derby <herb@google.com> TBR=bungeman@google.com,herb@google.com Change-Id: I8ce2b45d13178395247dabd7af6853354399721c No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:744109 Reviewed-on: https://skia-review.googlesource.com/35000 Reviewed-by: Florin Malita <fmalita@chromium.org> Commit-Queue: Florin Malita <fmalita@chromium.org>
2017-08-15 21:07:07 +00:00 · 2017-08-15 21:07:07 +00:00 · 32491566da
commit 32491566da
parent 5ddfd6f499
2 changed files with 4 additions and 17 deletions
--- a/src/core/SkArenaAlloc.h
+++ b/src/core/SkArenaAlloc.h
@ -156,16 +156,12 @@ private:

    char* allocObject(uint32_t size, uint32_t alignment) {
        uintptr_t mask = alignment - 1;
-        uintptr_t alignedOffset = (~reinterpret_cast<uintptr_t>(fCursor) + 1) & mask;
-        uintptr_t totalSize = size + alignedOffset;
-        if (totalSize < size) {
-            SK_ABORT("The total size of allocation overflowed uintptr_t.");
-        }
-        if (totalSize > static_cast<uintptr_t>(fEnd - fCursor)) {
+        char* objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
+        if ((ptrdiff_t)size > fEnd - objStart) {
            this->ensureSpace(size, alignment);
-            alignedOffset = (~reinterpret_cast<uintptr_t>(fCursor) + 1) & mask;
+            objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
        }
-        return fCursor + alignedOffset;
+        return objStart;
    }

    char* allocObjectWithFooter(uint32_t sizeIncludingFooter, uint32_t alignment);
--- a/tests/ArenaAllocTest.cpp
+++ b/tests/ArenaAllocTest.cpp
@ -181,12 +181,3 @@ DEF_TEST(ArenaAlloc, r) {
    REPORTER_ASSERT(r, created == 1);
    REPORTER_ASSERT(r, destroyed == 1);
 }
-
-// Chromium bug: https://bugs.chromium.org/p/chromium/issues/detail?id=744109
-// Must be compiled with target_cpu = "x86" to fail with segfault.
-DEF_TEST(ArenaAllocReallyBigAlloc, r) {
-    SkSTArenaAlloc<64> arena;
-    using T = struct {int f[1<<28];};
-    auto a = arena.makeArrayDefault<T>(3);
-    a[2].f[(1<<28) - 1] = 0;
-}