[Webkit-unassigned] [Bug 102828] r134080 causes heap problem on linux systems where PAGESIZE != 4096

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 9 09:47:02 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=102828
--- Comment #11 from Balazs Kilvady <kilvadyb at homejinni.com>  2013-01-09 09:48:56 PST ---
> I don't like the idea of doing a blind fix.  Can you try to do more investigation into where in our memory management logic things go wrong?
> 
> It would be good to understand this.  It may even be that you've found a more fundamental bug that happens to only show up with larger page sizes, but is just harder to spot with the usual page sizes that most WebKit clients use.

The problem is caused by the default value of the gcMarkStackSegmentSize JSC VM option. This default value is (WTF::)pageSize() which is 16KB on our MIPS target device. In heap/MarkStack.cpp the constructor of MarkStackArray initializes its segment's capacity with this value:
MarkStackArray::MarkStackArray(BlockAllocator& blockAllocator)
   : m_blockAllocator(blockAllocator)
   , m_segmentCapacity(MarkStackSegment::capacityFromSize(Options::gcMarkStackSegmentSize()))
   , m_top(0)
   , m_numberOfSegments(0)
{
   ASSERT(MarkStackSegment::blockSize == WeakBlock::blockSize);

So in the MarkStackArray::append function the overwriting might happen, as it believes that a 4KB block has a 16KB capacity:
inline void MarkStackArray::append(const JSCell* cell)
{
   if (m_top == m_segmentCapacity)
       expand();
   m_segments.head()->data()[postIncTop()] = cell;
}

If I run a problematic test with the right option then it works fine and passes:
/data/kilvadyb/webkit-mips/webkit/WebKitBuild/Debug/bin/jsc --gcMarkStackSegmentSize=4096 -s js1_5/shell.js js1_5/Regress/regress-159334.js

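To make the size mismatch concrete, here is a small C++ model added alongside this comment; it is not code from the bug report or from WebKit's MarkStack.cpp. It assumes a fixed 4 KB allocator block (the block size the comment describes), a segment made of a one-pointer header followed by an array of cell pointers, and a capacity computed from the configured --gcMarkStackSegmentSize exactly as the comment says. It computes where the last in-capacity append() would land for the 4096 and 16384 settings, and shows the check a reviewer would want at construction time: the capacity must be derived from, or at least asserted against, the block that is really allocated, not the page size.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <initializer_list>

// Simplified model of a mark-stack segment, written for this note; it is not
// WebKit's MarkStack.cpp. Assumptions: the allocator always hands out 4 KB
// blocks, a segment holds a one-pointer header followed by an array of cell
// pointers, and the configured segment size comes from --gcMarkStackSegmentSize.
namespace model {

constexpr std::size_t kBlockSize = 4096;  // assumed real size of an allocated segment

struct SegmentHeader {
    SegmentHeader* previous;  // intrusive list link, as in a segmented stack
};

constexpr std::size_t kSlotSize = sizeof(const void*);  // one JSCell* per slot

// Slots that fit in a segment of `size` bytes after the header. This plays the
// role of MarkStackSegment::capacityFromSize in the comment; the exact header
// layout is an assumption of this model.
constexpr std::size_t capacityFromSize(std::size_t size) {
    return (size - sizeof(SegmentHeader)) / kSlotSize;
}

// Byte offset one past the slot that append() writes at index `top`.
constexpr std::size_t slotEnd(std::size_t top) {
    return sizeof(SegmentHeader) + (top + 1) * kSlotSize;
}

// Highest byte append() touches before m_top reaches the capacity and
// expand() is called.
constexpr std::size_t lastWriteEnd(std::size_t segmentCapacity) {
    return slotEnd(segmentCapacity - 1);
}

// The invariant the bug violates: every write below segmentCapacity must land
// inside the kBlockSize bytes that were actually allocated.
constexpr bool capacityFitsBlock(std::size_t segmentCapacity) {
    return lastWriteEnd(segmentCapacity) <= kBlockSize;
}

// Capacity derived from the block that is really allocated, independent of the
// platform page size. Using this, or asserting it in the constructor, is the
// defensive check this model exists to show.
constexpr std::size_t safeCapacity() {
    return capacityFromSize(kBlockSize);
}

// For a given --gcMarkStackSegmentSize value, the number of bytes by which the
// last in-capacity write overshoots the block (0 when the setting is safe).
std::size_t overshootBytes(std::size_t optionBytes) {
    std::size_t capacity = capacityFromSize(optionBytes);
    std::size_t end = lastWriteEnd(capacity);
    return end > kBlockSize ? end - kBlockSize : 0;
}

}  // namespace model

int main() {
    // 4096 is the value that makes the failing test pass; 16384 is pageSize()
    // on the MIPS device from the comment.
    for (std::size_t option : {std::size_t(4096), std::size_t(16384)}) {
        std::size_t capacity = model::capacityFromSize(option);
        std::printf("gcMarkStackSegmentSize=%zu: capacity=%zu slots, last write ends at byte %zu of a %zu-byte block%s\n",
                    option, capacity, model::lastWriteEnd(capacity), model::kBlockSize,
                    model::capacityFitsBlock(capacity) ? "" : "  <-- past the block");
    }
    static_assert(model::capacityFitsBlock(model::safeCapacity()), "safe capacity must fit the block");
    return 0;
}
```

The arithmetic is independent of pointer width: with either 4- or 8-byte pointers the last write for a 16384-byte setting ends at byte 16384 of a 4096-byte block, 12288 bytes past its end, while the 4096-byte setting ends exactly at the block boundary.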