[Webkit-unassigned] [Bug 102828] r134080 causes heap problem on linux systems where PAGESIZE != 4096

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Dec 15 11:14:31 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=102828
--- Comment #10 from Balazs Kilvady <kilvadyb at homejinni.com>  2012-12-15 11:16:50 PST ---
(In reply to comment #7)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > (From update of attachment 175259 [details])
> > > happens in a heap operation since r134080. This patch fixed the problem.
> 
> I don't like the idea of doing a blind fix.  Can you try to do more investigation into where in our memory management logic things go wrong?
> 
> It would be good to understand this.  It may even be that you've found a more fundamental bug that happens to only show up with larger page sizes, but is just harder to spot with the usual page sizes that most WebKit clients use.

The bug comes up during GC visiting when the regexp V8 performance test is executed on a MIPS board where the (Linux) kernel's page size is 16KB and WeakBlock::blockSize == MarkStackSegment::blockSize == 4KB. In each test I modified only WeakBlock::blockSize and MarkStackSegment::blockSize in the current master branch.

When a particular MarkedBlock is allocated from WeakSet::addAllocator() the weakSet looks like:

this WeakSet: 0x2e010224
(gdb) p this->m_blocks
$2 = {m_head = 0x2db93000, m_tail = 0x2db96000}
(gdb) p this->m_blocks.m_head.m_next
$3 = (class JSC::WeakBlock *) 0x2db96000

After allocating some longer (> 3000 bytes) strings, the garbage collector starts to visit MarkedBlocks and jsc crashes on an invalid block:
(gdb) p &this->m_weakSet
$5 = (JSC::WeakSet *) 0x2e010224
(gdb) p this->m_weakSet.m_blocks
$7 = {m_head = 0x2db93000, m_tail = 0x2db96000}
(gdb) p *this->m_weakSet.m_blocks.m_head
$9 = {<JSC::HeapBlock<JSC::WeakBlock>> = {<WTF::DoublyLinkedListNode<JSC::WeakBlock>> = {<No data fields>}, 
   m_region = 0x2e1a6800, m_prev = 0x2e1a67e0, m_next = 0x2e1a67a0}, static blockSize = 4096, m_sweepResult = {
   blockIsFree = 96, freeList = 0x2e1a6720}}

So the block at the head of the weakSet's m_blocks was overwritten while m_blocks.m_tail.m_prev == 0x2db93000 == m_blocks.m_head. It seems that a WeakImpl (WeakBlock::FreeCell?) list node is being written to the address of a WeakBlock node.

The ASSERT failure with backtrace:
ASSERTION FAILED: isCell()
/data/kilvadyb/webkit-mips/webkit/Source/JavaScriptCore/runtime/JSValueInlines.h(295) : JSC::JSCell* JSC::JSValue::asCell() const

Program received signal SIGBUS, Bus error.
0x2ad71ec8 in JSC::JSValue::asCell (this=0x2e2367c0)
    at /data/kilvadyb/webkit-mips/webkit/Source/JavaScriptCore/runtime/JSValueInlines.h:295
295            ASSERT(isCell());
(gdb) bt
#0  0x2ad71ec8 in JSC::JSValue::asCell (this=0x2e2367c0)
    at /data/kilvadyb/webkit-mips/webkit/Source/JavaScriptCore/runtime/JSValueInlines.h:295
#1  0x2aef3170 in JSC::WeakBlock::visit (this=0x2e2367a0, heapRootVisitor=...)
    at /data/kilvadyb/webkit-mips/webkit/Source/JavaScriptCore/heap/WeakBlock.cpp:103
#2  0x2af29000 in JSC::WeakSet::visit (this=0x2e090224, visitor=...)
    at /data/kilvadyb/webkit-mips/webkit/Source/JavaScriptCore/heap/WeakSet.h:104
#3  0x2af29364 in JSC::MarkedBlock::visitWeakSet (this=0x2e090000, heapRootVisitor=...)
    at /data/kilvadyb/webkit-mips/webkit/Source/JavaScriptCore/heap/MarkedBlock.h:300
#4  0x2af29cc4 in JSC::VisitWeakSet::operator() (this=0x7fff1f78, block=0x2e090000)
    at /data/kilvadyb/webkit-mips/webkit/Source/JavaScriptCore/heap/MarkedSpace.cpp:71
#5  0x2af2b790 in JSC::MarkedAllocator::forEachBlock<JSC::VisitWeakSet> (this=0x46a3f0, functor=...)
    at /data/kilvadyb/webkit-mips/webkit/Source/JavaScriptCore/heap/MarkedAllocator.h:116

I have done some testing on Mac and ARMv7 Linux Qt environments with WeakBlock::blockSize == MarkStackSegment::blockSize == 1KB. In this case these blockSizes are one fourth of WTF::pageSize(), like 4KB on MIPS with a 16KB page size. On both arches the same ASSERT failure comes up (but different from the MIPS failure):

ASSERTION FAILED: node != m_head
/Users/bali/Work/MattaKis/webkit/WebKitBuild/Debug/usr/local/include/wtf/DoublyLinkedList.h(165) : void WTF::DoublyLinkedList<JSC::DeadBlock>::remove(JSC::DeadBlock *)
1   0x1000af862 WTF::DoublyLinkedList<JSC::DeadBlock>::remove(JSC::DeadBlock*)
2   0x1000af7c8 WTF::DoublyLinkedList<JSC::DeadBlock>::removeHead()
3   0x1000af787 JSC::Region::allocate()
…
DoublyLinkedList<T>::remove(T* node) at DoublyLinkedList.h:165
   162     template<typename T> inline void DoublyLinkedList<T>::remove(T* node)
   163     {
   164         if (node->prev()) {
-> 165             ASSERT(node != m_head);
   166             node->prev()->setNext(node->next());
   167         } else {

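As an added example (not WebKit code and not part of this comment), a simplified stand-in for the WTF::DoublyLinkedList node layout with a debug-only link validator: it reports the kind of state described above (the head block's own fields overwritten while the tail still points back at it) before remove() or visit() dereferences the bad node. The class and function names, and the constructed corruption, are assumptions for illustration.

```cpp
#include <cstddef>
#include <string>

// Minimal stand-in for the WTF::DoublyLinkedList node layout (added example).
template<typename T> struct DoublyLinkedListNode { T* m_prev = nullptr; T* m_next = nullptr; };

template<typename T>
class DoublyLinkedList {
public:
    void append(T* node) {
        node->m_prev = m_tail;
        node->m_next = nullptr;
        if (m_tail) m_tail->m_next = node; else m_head = node;
        m_tail = node;
    }
    T* head() const { return m_head; }
    T* tail() const { return m_tail; }
    // Walks the list and returns "" when every link is consistent, otherwise a
    // short description of the first broken invariant. The walk is bounded so a
    // corrupted next pointer that forms a cycle cannot hang the checker.
    std::string validate(std::size_t maxNodes = 1 << 20) const {
        if (!m_head != !m_tail) return "head/tail nullness disagree";
        if (!m_head) return "";
        if (m_head->m_prev) return "head has non-null prev";
        if (m_tail->m_next) return "tail has non-null next";
        std::size_t count = 0;
        for (T* n = m_head; n; n = n->m_next) {
            if (++count > maxNodes) return "cycle or runaway list";
            if (n->m_next && n->m_next->m_prev != n) return "next->prev mismatch";
            if (!n->m_next && n != m_tail) return "last node is not tail";
        }
        return "";
    }
private:
    T* m_head = nullptr;
    T* m_tail = nullptr;
};

struct Block : DoublyLinkedListNode<Block> { int id = 0; };

// Two blocks appended: a healthy list reports no problem.
std::string checkHealthyList() {
    Block a, b; DoublyLinkedList<Block> list; list.append(&a); list.append(&b);
    return list.validate();
}

// Constructed corruption shaped like the report: tail->m_prev still points at
// head, but the head block's own link fields now hold foreign data.
std::string checkOverwrittenHead() {
    Block a, b, stray; DoublyLinkedList<Block> list; list.append(&a); list.append(&b);
    a.m_prev = &stray; a.m_next = &stray;   // simulated overwrite of the head block
    return list.validate();                  // -> "head has non-null prev"
}
```

Calling validate() from a debug ASSERT at the top of remove() and of the WeakSet visit loop would move the failure from a SIGBUS inside WeakBlock::visit to the point where the links first became inconsistent.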