Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 53d5133d6b99b6bd96261e68814a5698ec58fad6
https://github.com/WebKit/WebKit/commit/53d5133d6b99b6bd96261e68814a5698ec58fad6
Author: Sosuke Suzuki <[email protected]>
Date: 2026-05-07 (Thu, 07 May 2026)
Changed paths:
M Source/bmalloc/libpas/src/libpas/pas_fast_large_free_heap.c
M Source/bmalloc/libpas/src/test/LargeFreeHeapTests.cpp
Log Message:
-----------
[libpas] `fast_large_free_heap` has inverted max-heap invariant checks
https://bugs.webkit.org/show_bug.cgi?id=314255
Reviewed by Yusuke Suzuki.
pas_fast_large_free_heap stores free ranges in a cartesian tree keyed by
size with a max-heap invariant (parent.size >= child.size). Two of the
update paths checked the wrong neighbor when deciding whether the node
needed to be re-inserted to restore the invariant:
* fast_write_cursor compared against the parent on shrink and against
the children on grow. The relations are the opposite: a shrinking
node may now be smaller than its children, and a growing node may now
be larger than its parent.
* fast_merge, which only grows left_node by coalescing the right
neighbor, compared against left_node's children. It should compare
against left_node's parent.
When the root shrank, or a leaf grew via coalescing, the node stayed
in place with parent.size < child.size, so find_first could not see the
larger free block and the allocator fell through to a redundant
aligned_allocator pull. This affects every pas_large_heap and
pas_large_utility_free_heap (i.e. all TLC allocations).
Add two regression tests in LargeFreeHeapTests, one per code path.
* Source/bmalloc/libpas/src/libpas/pas_fast_large_free_heap.c:
(fast_write_cursor):
(fast_merge):
* Source/bmalloc/libpas/src/test/LargeFreeHeapTests.cpp:
(addLargeFreeHeapTests):
Canonical link: https://commits.webkit.org/312846@main
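The neighbor-comparison rule the commit describes, as an added example that is not WebKit's or libpas's code: a hypothetical minimal cartesian-tree node with a max-heap-by-size invariant, a correct re-insert check beside the inverted one, and the two scenarios from the message (root shrinks, leaf grows by coalescing) showing what the inverted check misses.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for a cartesian-tree node keyed by size with the
   max-heap invariant parent->size >= child->size. Not the libpas node layout. */
typedef struct node { size_t size; struct node *parent, *left, *right; } node;

static bool child_larger(const node *n) {
    return (n->left && n->left->size > n->size) || (n->right && n->right->size > n->size);
}
static bool parent_smaller(const node *n) {
    return n->parent && n->parent->size < n->size;
}

/* Correct rule: after an in-place size change, only one direction can break
   the invariant. Shrinking can leave the node below a child; growing can
   lift it above its parent. Returns true when the node must be re-inserted. */
static bool needs_reinsert(const node *n, size_t old_size) {
    if (n->size < old_size) return child_larger(n);   /* shrink: look at children */
    if (n->size > old_size) return parent_smaller(n); /* grow: look at parent */
    return false;
}

/* The inverted rule from the bug report, kept only to show what it misses. */
static bool needs_reinsert_inverted(const node *n, size_t old_size) {
    if (n->size < old_size) return parent_smaller(n);
    if (n->size > old_size) return child_larger(n);
    return false;
}

/* Scenario 1: the root shrinks below its child. The root has no parent, so a
   parent-based check can never fire and the child's larger block is hidden. */
bool root_shrink_scenario(bool (*check)(const node *, size_t)) {
    node child = { 80, NULL, NULL, NULL };
    node root = { 100, NULL, &child, NULL };
    child.parent = &root;
    size_t old = root.size;
    root.size = 60;
    return check(&root, old);
}

/* Scenario 2: a leaf grows past its parent (as fast_merge coalescing would).
   The leaf has no children, so a child-based check can never fire. */
bool leaf_grow_scenario(bool (*check)(const node *, size_t)) {
    node parent = { 50, NULL, NULL, NULL };
    node leaf = { 40, &parent, NULL, NULL };
    parent.right = &leaf;
    size_t old = leaf.size;
    leaf.size = 70;
    return check(&leaf, old);
}
```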