heap: Fix Android crash to unaligned atomic load

On-stack buffer used as the target of the copy (in hash_table.h) needs to be force-aligned. Bug: 1058777 Change-Id: Id70f54ce0c44c780e0dfa9c1e0b97e9e37f3d632 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2089833Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Omer Katz <omerkatz@chromium.org> Cr-Commit-Position: refs/heads/master@{#747688}

heap: Fix Android crash to unaligned atomic load
On-stack buffer used as the target of the copy (in hash_table.h) needs to be force-aligned. Bug: 1058777 Change-Id: Id70f54ce0c44c780e0dfa9c1e0b97e9e37f3d632 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2089833Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Omer Katz <omerkatz@chromium.org> Cr-Commit-Position: refs/heads/master@{#747688}
4f175892 · Omer Katz · Commit Bot · 2e320cea · 4f175892 · 4f175892
Commit 4f175892 authored Mar 06, 2020 by Omer Katz Committed by Commit Bot Mar 06, 2020
3 changed files
--- a/third_party/blink/renderer/platform/wtf/allocator/allocator.h
+++ b/third_party/blink/renderer/platform/wtf/allocator/allocator.h
@@ -168,6 +168,9 @@ ALWAYS_INLINE const std::atomic<T>* AsAtomicPtr(const T* t) {
 WTF_EXPORT void AtomicMemcpy(void* to, const void* from, size_t bytes);
 template <size_t bytes>
 ALWAYS_INLINE void AtomicMemcpy(void* to, const void* from) {
+  static_assert(bytes > 0, "Number of copied bytes should be greater than 0");
+  DCHECK_EQ(0u, reinterpret_cast<size_t>(from) & (sizeof(size_t) - 1));
+  DCHECK_EQ(0u, reinterpret_cast<size_t>(to) & (sizeof(size_t) - 1));
  AtomicMemcpy(to, from, bytes);
 }


--- a/third_party/blink/renderer/platform/wtf/allocator/atomic_memcpy_test.cc
+++ b/third_party/blink/renderer/platform/wtf/allocator/atomic_memcpy_test.cc
@@ -12,12 +12,12 @@ class AtomicMemcpyTest : public ::testing::Test {};

 template <size_t buffer_size>
 void TestAtomicMemcpy() {
-  unsigned char src[buffer_size];
+  alignas(sizeof(size_t)) unsigned char src[buffer_size];
  for (size_t i = 0; i < buffer_size; ++i)
    src[i] = static_cast<char>(i + 1);
  // Allocating extra memory before and after the buffer to make sure the
  // atomic memcpy doesn't exceed the buffer in any direction.
-  unsigned char tgt[buffer_size + (2 * sizeof(size_t))];
+  alignas(sizeof(size_t)) unsigned char tgt[buffer_size + (2 * sizeof(size_t))];
  memset(tgt, 0, buffer_size + (2 * sizeof(size_t)));
  AtomicMemcpy<buffer_size>(tgt + sizeof(size_t), src);
  // Check nothing before the buffer was changed

--- a/third_party/blink/renderer/platform/wtf/hash_table.h
+++ b/third_party/blink/renderer/platform/wtf/hash_table.h
@@ -25,6 +25,7 @@

 #include <memory>

+#include "base/bits.h"
 #include "base/numerics/checked_math.h"
 #include "third_party/blink/renderer/platform/wtf/allocator/allocator.h"
 #include "third_party/blink/renderer/platform/wtf/allocator/partition_allocator.h"
@@ -663,7 +664,7 @@ struct HashTableHelper {
    return IsEmptyBucket(key) || IsDeletedBucket(key);
  }
  static bool IsEmptyOrDeletedBucketSafe(const Value& value) {
-    char buf[sizeof(Key)];
+    alignas(std::max(alignof(Key), sizeof(size_t))) char buf[sizeof(Key)];
    const Key& key = Extractor::ExtractSafe(value, &buf);
    return IsEmptyBucket(key) || IsDeletedBucket(key);
  }