[webkit-changes] [WebKit/WebKit] 0b3756: Crash in pas_segregated_page_switch_lock_and_rebia...

Michael Catanzaro noreply at github.com
Wed Nov 9 08:45:44 PST 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0b3756093c94f5b7a611b2393554a0e49d6fedf7
      https://github.com/WebKit/WebKit/commit/0b3756093c94f5b7a611b2393554a0e49d6fedf7
  Author: Michael Catanzaro <mcatanzaro at redhat.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    M Source/bmalloc/libpas/src/libpas/pas_segregated_page.c

  Log Message:
  -----------
  Crash in pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl
https://bugs.webkit.org/show_bug.cgi?id=245968

Reviewed by Mark Lam and Yusuke Suzuki.

There is a pretty frequent crash here that occurs when dereferencing
cache_node->page_lock when cache_node is nullptr. It's a little strange
because the crash occurs on line 146, which should be unreachable in
this case because there is a check for nullptr on line 137 that ensures
the rest of the function is skipped in this case. And yet, it's
happening anyway. Perhaps that check is being optimized out due to the
even earlier dereference of cache_node on line 130? I'm not sure, but
clearly cache_node is expected to be nullptr here, so let's check for
it earlier before the first dereference, which is good to do no matter
what.

This solution was suggested by Benjamin Otte, but it's not his fault if
it doesn't fix the crash! This is only a speculative fix. To know for
sure whether this is the problem, somebody would have to study the
disassembled code more closely.

* Source/bmalloc/libpas/src/libpas/pas_segregated_page.c:
(pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl):

Canonical link: https://commits.webkit.org/256486@main
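An added illustration of the ordering problem the commit message describes, written for this page and not taken from libpas: the struct names, fields and the -1/-2 result codes are hypothetical stand-ins. It places the buggy ordering (dereference, then NULL check) beside the fixed ordering (check before any dereference) and exercises the fixed version with a NULL node.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-ins for the libpas structures; not libpas's definitions. */
typedef struct { int held; } page_lock_t;
typedef struct cache_node {
    int view_count;          /* read before the NULL check in the buggy ordering */
    page_lock_t *page_lock;  /* the field whose dereference crashed */
} cache_node_t;

/* Buggy ordering, as the commit message describes it: cache_node is read once
 * before the NULL check. Dereferencing NULL is undefined behaviour, so after that
 * first access an optimizing compiler may treat cache_node as non-NULL and drop
 * the check; the later dereference is then reachable with NULL (compiler-dependent). */
static int switch_lock_buggy(cache_node_t *cache_node, page_lock_t **held)
{
    int count = cache_node->view_count;   /* first dereference (the "line 130" case) */
    if (cache_node == NULL)               /* the "line 137" check; may be optimized out */
        return -1;
    *held = cache_node->page_lock;        /* the "line 146" dereference that crashed */
    (*held)->held = 1;
    return count;
}

/* Fixed ordering: the NULL check precedes every dereference, so NULL returns cleanly. */
static int switch_lock_fixed(cache_node_t *cache_node, page_lock_t **held)
{
    if (cache_node == NULL)
        return -1;
    int count = cache_node->view_count;
    *held = cache_node->page_lock;
    (*held)->held = 1;
    return count;
}

/* Constructed scenario: one node with an unheld lock. Returns the function's
 * result, or -2 if it reported success without actually taking the lock. */
static int run_scenario(bool use_fixed, bool pass_null)
{
    page_lock_t lock = { .held = 0 };
    cache_node_t node = { .view_count = 3, .page_lock = &lock };
    page_lock_t *held = NULL;
    cache_node_t *arg = pass_null ? NULL : &node;
    int r = use_fixed ? switch_lock_fixed(arg, &held) : switch_lock_buggy(arg, &held);
    if (r < 0) return r;
    return (held == &lock && lock.held == 1) ? r : -2;
}
```

The buggy ordering is only ever run with a valid node here; its NULL case is exactly the undefined behaviour the fix removes.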
