[libpas] PGM Crash Testing: Align allocation to page size

https://bugs.webkit.org/show_bug.cgi?id=276181 rdar://problem/131064444 Reviewed by David Kilzer. PGM will align pages left or right, so by allocating the entire length of the page it will give the same result whether left or right aligned. This will make testing guard pages reliable again. * Source/JavaScriptCore/jsc.cpp: (crashPGMUAF): (crashPGMUpperGuardPage): (crashPGMLowerGuardPage): Canonical link: https://commits.webkit.org/280836@main
dhecht · Jul 10, 2024 · 69db446 · 69db446
1 parent 5172cde
commit 69db446
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/Source/JavaScriptCore/jsc.cpp b/Source/JavaScriptCore/jsc.cpp
@@ -3928,7 +3928,8 @@ static bool isMJSFile(char *filename)
 static NEVER_INLINE void crashPGMUAF()
 {
     WTF::forceEnablePGM();
-    char* result = static_cast<char*>(fastMalloc(10000000));
+    size_t allocSize = getpagesize() * 10000;
+    char* result = static_cast<char*>(fastMalloc(allocSize));
     fastFree(result);
     *result = 'a';
 }
@@ -3937,16 +3938,17 @@ static NEVER_INLINE void crashPGMUpperGuardPage()
 {
     WTF::forceEnablePGM();
     size_t allocSize = getpagesize() * 10000;
-    char* result = static_cast<char*>(fastMalloc(10000000));
+    char* result = static_cast<char*>(fastMalloc(allocSize));
     result = result + allocSize;
     *result = 'a';
 }
 
 static NEVER_INLINE void crashPGMLowerGuardPage()
 {
     WTF::forceEnablePGM();
-    char* result = static_cast<char*>(fastMalloc(10000000));
-    result = result - getpagesize();
+    size_t allocSize = getpagesize() * 10000;
+    char* result = static_cast<char*>(fastMalloc(allocSize));
+    result = result - 1;
     *result = 'a';
 }
 #endif