[Webkit-unassigned] [Bug 135702] New: Segmentation fault in WTF::OSAllocator::reserveUncommitted(unsigned long, +WTF::OSAllocator::Usage, bool, bool) when running wkhtmltopdf on PowerLinux
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Aug 7 09:05:14 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=135702
Summary: Segmentation fault in
WTF::OSAllocator::reserveUncommitted(unsigned long,
+WTF::OSAllocator::Usage, bool, bool) when running
wkhtmltopdf on PowerLinux
Product: WebKit
Version: 528+ (Nightly build)
Platform: Other
OS/Version: Linux
Status: NEW
Severity: Major
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: nacc at us.ibm.com
The following stack trace is produced by wkhtmltopdf when built for/running in Linux on an IBM Power machine:
#0 0x0000000010167a3c in .WTF::OSAllocator::reserveUncommitted(unsigned long, WTF::OSAllocator::Usage, bool, bool) ()
#1 0x000000001160e734 in .WTF::PageAllocationAligned::allocate(unsigned long, unsigned long, WTF::OSAllocator::Usage, bool, bool) ()
#2 0x000000001144b4fc in .JSC::MarkedBlock::create(JSC::JSGlobalData*, unsigned long) ()
#3 0x0000000010da9680 in .JSC::MarkedSpace::allocateBlock(JSC::MarkedSpace::SizeClass&) ()
#4 0x0000000010da9ac0 in .JSC::MarkedSpace::allocateFromSizeClass(JSC::MarkedSpace::SizeClass&) ()
#5 0x0000000010de71e8 in .JSC::JSGlobalData::JSGlobalData(JSC::JSGlobalData::GlobalDataType, JSC::ThreadStackType) ()
#6 0x0000000010de8cec in .JSC::JSGlobalData::createLeaked(JSC::ThreadStackType) ()
#7 0x0000000010197aec in .WebCore::JSDOMWindowBase::commonJSGlobalData() ()
#8 0x00000000101a320c in .WebCore::ScriptController::getAllWorlds(WTF::Vector<WebCore::DOMWrapperWorld*, 0ul>&) ()
#9 0x000000001053f2b8 in .WebCore::FrameLoader::dispatchDidClearWindowObjectsInAllWorlds() ()
#10 0x0000000010540e24 in .WebCore::FrameLoader::receivedFirstData() ()
#11 0x0000000010537c40 in .WebCore::DocumentWriter::setEncoding(WTF::String const&, bool) ()
#12 0x000000001052fef4 in .WebCore::DocumentLoader::commitData(char const*, int)---Type <return> to continue, or q <return> to quit---
()
#13 0x0000000010117650 in .WebCore::FrameLoaderClientQt::committedLoad(WebCore::DocumentLoader*, char const*, int) ()
#14 0x0000000010530eb8 in .WebCore::DocumentLoader::commitLoad(char const*, int) ()
#15 0x00000000105645bc in .WebCore::MainResourceLoader::addData(char const*, int, bool) ()
#16 0x000000001057a9dc in .WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) ()
#17 0x0000000010566ce4 in .WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) ()
#18 0x0000000010578364 in .WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) ()
#19 0x000000001088e104 in .WebCore::QNetworkReplyHandler::forwardData() ()
#20 0x0000000010891210 in .WebCore::QNetworkReplyHandlerCallQueue::flush() [clone .part.47] ()
#21 0x0000000010892758 in .WebCore::QNetworkReplyWrapper::emitMetaDataChanged()
()
#22 0x0000000010892c9c in .WebCore::QNetworkReplyWrapper::receiveMetaData() ()
#23 0x0000000010893364 in .WebCore::QNetworkReplyWrapper::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ()
#24 0x00000000122b6e0c in .QMetaObject::activate(QObject*, QMetaObject const*, int, void**) ()
---Type <return> to continue, or q <return> to quit---
#25 0x000000001230f5cc in .QIODevice::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ()
#26 0x00000000122b20d4 in .QMetaCallEvent::placeMetaCall(QObject*) ()
#27 0x00000000122bbbd0 in .QObject::event(QEvent*) ()
#28 0x00000000118c1e78 in .QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
#29 0x00000000118cab4c in .QApplication::notify(QObject*, QEvent*) ()
#30 0x000000001229a180 in .QCoreApplication::notifyInternal(QObject*, QEvent*)
()
#31 0x000000001229e97c in .QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
#32 0x00000000122d4dfc in .QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
#33 0x000000001229eef8 in .QCoreApplication::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
#34 0x000000001006930c in .wkhtmltopdf::ConverterPrivate::convert() ()
#35 0x000000001004340c in .main ()
After analysis of the code (wkhtmltopdf carries its own copy of WTF, etc.), PageAllocationAligned PageAllocationAligned::allocate(size_t size, size_t alignment, OSAllocator::Usage usage, bool writable) is doing an unsigned operation that might overflow. It uses the system pagesize to make some calculation regarding a future mmap call to 'fix' alignment. However, since pagesize on powerpc64 Linux is usually 64K, the operations overflows and the negative alignment adjustments ends up creating an wrong value that will be passed to mmap. More specifically, the following change is needed:
--- PageAllocationAligned.cpp 2013-10-17 19:47:43.000000000 -0700
+++ PageAllocationAligned-dev.cpp 2014-08-07 09:02:58.545053630 -0700
@@ -48,7 +48,10 @@ PageAllocationAligned PageAllocationAlig
vm_map(current_task(), &address, size, alignmentMask, flags, MEMORY_OBJECT_NULL, 0, FALSE, protection, PROT_READ | PROT_WRITE, VM_INHERIT_DEFAULT);
return PageAllocationAligned(reinterpret_cast<void*>(address), size);
#else
- size_t alignmentDelta = alignment - pageSize();
+ size_t pagesize = pageSize();
+ size_t alignmentDelta = 0;
+ if (alignment > pagesize)
+ alignmentDelta = alignment - pagesize;
// Resererve with suffcient additional VM to correctly align.
size_t reservationSize = size + alignmentDelta;
Note that actually, on Linux, the 'adjustment' code is superfluous: mmap calls will always returned memory pagesize aligned, so just pass a size and let the kernel do the hard work.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list