atomics: correctly implement padding write of 11 byte atomics with 4 byte pointer #59395
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…byte pointer On 32 bit machines, for an atomic of size 9 to 12 bytes, the result fits in the 16 byte pool, but only with a maximum write of 12 bytes. This was accidentally doing a 16 byte write instead, which could smash the type tag field (usually will NULL) of the next object. Not sure how to test, since just noticed this while reading the code.
vtjnash
changed the title
vtjnash
added
backport 1.12
IanButterworth
removed
the
merge me
KristofferC
pushed a commit
that referenced
this pull request
Sep 1, 2025
…byte pointer (#59395) On 32 bit machines, for an atomic of size 9 to 11 bytes, the result fits in the 16 byte pool, but only with a maximum write of 12 bytes (there is 1 byte reserved for the `success` plus 4 for the type tag, leaving 11 bytes for the data). This was accidentally doing a 16 byte write instead, which could smash the type tag field (usually will NULL) of the next object. Not sure how to test, since just noticed this while reading the code. (cherry picked from commit bbd491a)
KristofferC
pushed a commit
that referenced
this pull request
Sep 2, 2025
…byte pointer (#59395) On 32 bit machines, for an atomic of size 9 to 11 bytes, the result fits in the 16 byte pool, but only with a maximum write of 12 bytes (there is 1 byte reserved for the `success` plus 4 for the type tag, leaving 11 bytes for the data). This was accidentally doing a 16 byte write instead, which could smash the type tag field (usually will NULL) of the next object. Not sure how to test, since just noticed this while reading the code. (cherry picked from commit bbd491a)
KristofferC
removed
the
backport 1.12
KristofferC
pushed a commit
that referenced
this pull request
Sep 15, 2025
…byte pointer (#59395) On 32 bit machines, for an atomic of size 9 to 11 bytes, the result fits in the 16 byte pool, but only with a maximum write of 12 bytes (there is 1 byte reserved for the `success` plus 4 for the type tag, leaving 11 bytes for the data). This was accidentally doing a 16 byte write instead, which could smash the type tag field (usually will NULL) of the next object. Not sure how to test, since just noticed this while reading the code. (cherry picked from commit bbd491a)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On 32 bit machines, for an atomic of size 9 to 11 bytes, the result fits in the 16 byte pool, but only with a maximum write of 12 bytes (there is 1 byte reserved for the
successplus 4 for the type tag, leaving 11 bytes for the data). This was accidentally doing a 16 byte write instead, which could smash the type tag field (usually will NULL) of the next object. Not sure how to test, since just noticed this while reading the code.