[Webkit-unassigned] [Bug 117139] New: OOM crash in WTF::OSAllocator::reserveUncommitted.
bugzilla-daemon at webkit.org
Mon Jun 3 04:22:25 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=117139
Summary: OOM crash in WTF::OSAllocator::reserveUncommitted.
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: reni at webkit.org
Blocks: 116980
The for loop in the following test is unlimited and runs until it crashes on the following check in Source/WTF/wtf/OSAllocatorPosix.cpp:
    151     if (mprotect(address, bytes, protection))
    152         CRASH();
Maybe we should add a "loopCounter mechanism" to the code?
==========================================================
The test:
function test() {
    // byteRate starts as the string "b", so "+= 2e3" appends "2000" on every
    // iteration and the rope string grows without bound.
    // A property lookup on a string primitive yields undefined, which is never
    // equal to the string itself, so the loop condition never becomes false.
    for (var byteRate = "b"; byteRate.renderedBuffer != byteRate; byteRate += 2e3) {
    }
}
test();
==========================================================
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb8e5 in WTFCrash ()
at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00000000007fb8e5 in WTFCrash ()
at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1 0x000000000083d4c4 in WTF::OSAllocator::reserveUncommitted (bytes=126976,
usage=WTF::OSAllocator::UnknownUsage, writable=true, executable=false,
includesGuardPages=false)
at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/OSAllocatorPosix.cpp:58
#2 0x000000000081ece7 in WTF::PageAllocationAligned::allocate (size=65536,
alignment=65536, usage=WTF::OSAllocator::UnknownUsage, writable=true)
at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/PageAllocationAligned.cpp:55
#3 0x000000000050ecbe in JSC::ExcessRegion::create (blockSize=65536)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/Region.h:179
#4 0x000000000050efe4 in JSC::Region::create (superRegion=0xf31838,
blockSize=65536)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/Region.h:232
#5 0x000000000052e1a9 in JSC::BlockAllocator::allocate<JSC::MarkedBlock> (
this=0xf31838)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/BlockAll0,
bytes=48)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/MarkedAllocator.cpp:115
#7 0x000000000052da0d in JSC::MarkedAllocator::allocateSlowCase (
this=0xf34960, bytes=48)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/MarkedAllocator.cpp:97
#8 0x0000000000411fc4 in JSC::MarkedAllocator::allocate (this=0xf34960,
bytes=48)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/MarkedAllocator.h:82
#9 0x0000000000412264 in JSC::MarkedSpace::allocateWithImmortalStructureDestructor (this=0xf31a80, bytes=48)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/MarkedSpace.h:210
#10 0x0000000000412470 in JSC::Heap::allocateWithImmortalStructureDestructor (
this=0xf317f8, bytes=48)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/Heap.h:380
#11 0x00000000005c07c3 in JSC::allocateCell<JSC::JSRopeString> (heap=...,
size=48)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCellInlines.h:92
#12 0x00000000005bfa2d in JSC::allocateCell<JSC::JSRopeString> (heap=...)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCellInlines.h:104
#13 0x00000000005bbd9e in JSC::JSRopeString::create (vm=...,
s1=0x7ffe9a0a0470, s2=0x7ffe9a0b4e20)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSString.h:300
#14 0x00000000005ba170 in JSC::DFG::operationMakeRope2 (exec=0x7fffb21c20a0,
left=0x7ffe9a0a0470, right=0x7ffe9a0b4e20)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGOperations.cpp:1592
#15 0x00007fffb45c7b91 in ?? ()
#16 0x00007fffb21c2058 in ?? ()
#17 0x0000000000000014 in ?? ()
#18 0x00007fffb21132f0 in ?? ()
#19 0x00000000006483c7 in JSC::JSStack::installTrapsAfterFrame (this=0x0,
frame=0x0)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#20 0x0000000000647226 in JSC::JITCode::execute (this=0x7fffb217fe90,
stack=0xf40950, callFrame=0x7fffb21c2058, vm=0xf317e0)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.h:135
#21 0x0000000000644747 in JSC::Interpreter::execute (this=0xf40940,
program=0x7fffb217fe70, callFrame=0x7ffff7f5fb78, thisObj=0x7ffff7e6feb0)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:976
#22 0x00000000007292c0 in JSC::evaluate (exec=0x7ffff7f5fb78, source=...,
thisValue=..., returnedException=0x7fffffffda10)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#23 0x000000000040fdcd in runWithScripts (globalObject=0x7ffff7f5f970,
scripts=..., dump=false)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:587
#24 0x0000000000410b3d in jscmain (argc=2, argv=0x7fffffffdc98)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:803
#25 0x000000000040fbcd in main (argc=2, argv=0x7fffffffdc98)
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:550