[Webkit-unassigned] [Bug 179914] [GTK] Crash in IsoAllocator::allocateSlow (WTF::Signal::BadAccess)

bugzilla-daemon at webkit.org
Thu Dec 7 02:44:23 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=179914

--- Comment #37 from Milan Crha <mcrha at redhat.com> ---
(In reply to Michael Catanzaro from comment #33)
> Milan, how *exactly* are you building it? Are you using Fedora 27, x86_64?

Right, this is Fedora 27, x86_64. Related environment variables:
ACLOCAL_FLAGS='-I /build/test-wk2/share/aclocal'
CFLAGS='-g -O0 -Wall'
GDK_SYNCHRONIZE=1
GSETTINGS_SCHEMA_DIR=/build/test-wk2/share/glib-2.0/schemas
LDFLAGS='-Wl,--as-needed -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,-z -Wl,defs'
LD_LIBRARY_PATH=/build/test-wk2/lib:/build/test-wk2/samba/lib
MAGIC_BUILD_ROOT=/build/test-wk2
PATH=/build/test-wk2/bin:$PATH
PKG_CONFIG_PATH=/build/test-wk2/lib/pkgconfig:/build/test-wk2/samba/lib/pkgconfig:/build/test-wk2/share/pkgconfig

cmake -G "Unix Makefiles" \
        -DPORT=GTK \
        -DCMAKE_BUILD_TYPE=RelWithDebInfo \
        -DCMAKE_PREFIX_PATH=$MAGIC_BUILD_ROOT \
        -DCMAKE_INSTALL_PREFIX=$MAGIC_BUILD_ROOT \
        -DLIB_INSTALL_DIR:PATH=$MAGIC_BUILD_ROOT/lib \
        -DENABLE_X11_TARGET=ON \
        -DENABLE_WAYLAND_TARGET=OFF \
        -DENABLE_PLUGIN_PROCESS_GTK2=OFF \
        -DENABLE_INTROSPECTION=OFF \
        -DENABLE_GTKDOC=OFF \
        -DDEVELOPER_MODE=OFF \
        -DENABLE_MINIBROWSER=ON \
        ..

Which results in:

-- Enabled features:
--  ENABLE_ACCELERATED_2D_CANVAS ................... OFF
--  ENABLE_DRAG_SUPPORT                              ON
--  ENABLE_GEOLOCATION ............................. ON
--  ENABLE_GLES2                                     OFF
--  ENABLE_GTKDOC .................................. OFF
--  ENABLE_ICONDATABASE                              ON
--  ENABLE_INTROSPECTION ........................... OFF
--  ENABLE_JIT                                       ON
--  ENABLE_MINIBROWSER ............................. ON
--  ENABLE_OPENGL                                    ON
--  ENABLE_PLUGIN_PROCESS_GTK2 ..................... OFF
--  ENABLE_QUARTZ_TARGET                             OFF
--  ENABLE_SAMPLING_PROFILER ....................... ON
--  ENABLE_SPELLCHECK                                ON
--  ENABLE_TOUCH_EVENTS ............................ ON
--  ENABLE_VIDEO                                     ON
--  ENABLE_WAYLAND_TARGET .......................... OFF
--  ENABLE_WEBDRIVER                                 ON
--  ENABLE_WEB_AUDIO ............................... ON
--  ENABLE_WEB_CRYPTO                                ON
--  ENABLE_X11_TARGET .............................. ON
--  USE_LIBHYPHEN                                    ON
--  USE_LIBNOTIFY .................................. ON
--  USE_LIBSECRET                                    ON
--  USE_SYSTEM_MALLOC .............................. OFF
--  USE_UPOWER                                       ON
--  USE_WOFF2 ...................................... ON

I cannot build git at commit 2506187a87eb3fd845e47a985516cc76548ba27d (git-svn-id: http://svn.webkit.org/repository/webkit/trunk@225622 268f45cc-cd09-0410-ab3c-d52691b4dbfc), it fails to compile with this error:

In file included from ....webkit.master/Source/JavaScriptCore/runtime/JSCPoisonedPtr.h:28:0,
                 from ....webkit.master/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h:29,
                 from ....webkit.master/Source/JavaScriptCore/interpreter/AbstractPC.h:28,
                 from ....webkit.master/Source/JavaScriptCore/interpreter/CallFrame.h:25,
                 from ....webkit.master/Source/JavaScriptCore/runtime/ClassInfo.h:25,
                 from ....webkit.master/Source/JavaScriptCore/runtime/Structure.h:28,
                 from ....webkit.master/Source/JavaScriptCore/bytecode/ArrayProfile.h:29,
                 from ....webkit.master/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp:28:
....webkit.master/Source/WTF/wtf/Poisoned.h: In substitution of ‘template<uintptr_t& key, class T> using Poisoned = WTF::PoisonedImpl<const long unsigned int&, ((const long unsigned int&)key), T> [with uintptr_t& key = JSC::g_classInfoPoison; T = const JSC::ClassInfo*]’:
....webkit.master/Source/JavaScriptCore/runtime/JSCPoisonedPtr.h:37:74:   required from here
....webkit.master/Source/WTF/wtf/Poisoned.h:122:56: error: ‘(const long unsigned int&)JSC::g_classInfoPoison’ is not a valid template argument for type ‘const long unsigned int&’ because it is not an object with linkage
 using Poisoned = PoisonedImpl<const uintptr_t&, key, T>;
                                                        ^
....webkit.master/Source/WTF/wtf/Poisoned.h: In substitution of ‘template<uintptr_t& key, class T> using Poisoned = WTF::PoisonedImpl<const long unsigned int&, ((const long unsigned int&)key), T> [with uintptr_t& key = JSC::g_masmPoison; T = void*]’:
....webkit.master/Source/JavaScriptCore/runtime/JSCPoisonedPtr.h:38:53:   required from here
....webkit.master/Source/WTF/wtf/Poisoned.h:122:56: error: ‘(const long unsigned int&)JSC::g_masmPoison’ is not a valid template argument for type ‘const long unsigned int&’ because it is not an object with linkage
In file included from ....webkit.master/Source/JavaScriptCore/interpreter/AbstractPC.h:28:0,
                 from ....webkit.master/Source/JavaScriptCore/interpreter/CallFrame.h:25,
                 from ....webkit.master/Source/JavaScriptCore/runtime/ClassInfo.h:25,
                 from ....webkit.master/Source/JavaScriptCore/runtime/Structure.h:28,
                 from ....webkit.master/Source/JavaScriptCore/bytecode/ArrayProfile.h:29,
                 from ....webkit.master/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp:28:
....webkit.master/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h: In constructor ‘JSC::FunctionPtr::FunctionPtr(returnType (*)())’:
....webkit.master/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h:70:9: error: ‘PoisonedMasmPtr’ has not been declared

I reverted commit 679b410c541bdccac78ef40c873ea497a613243a to be able to move forward.

I'm running under X, not under Wayland (I cannot run it under Wayland due to some mesa issue in rawhide, which may or may not be due to the machine being virtual; https://bugzilla.redhat.com/show_bug.cgi?id=1518674 ).

Thus I'm with a clean webkitgtk+ checkout at commit 2506187a87eb3fd845e47a985516cc76548ba27d minus commit 679b410c541bdccac78ef40c873ea497a613243a and it's still crashing, this time here, with no this=0x0 in the backtrace:

#6  0x00007f5aa50892e2 in bmalloc::IsoAllocator<bmalloc::IsoConfig<560u> >::allocateSlow(bool) (this=0x7f5aa619a098, abortOnFailure=true) at ..../webkit.master/Source/bmalloc/bmalloc/IsoAllocatorInlines.h:63
#7  0x00007f5aa5089531 in bmalloc::IsoAllocator<bmalloc::IsoConfig<560u> >::allocate(bool)::{lambda()#1}::operator()() const (__closure=<optimized out>) at ..../webkit.master/Source/bmalloc/bmalloc/IsoAllocatorInlines.h:53
#8  0x00007f5aa5089531 in bmalloc::FreeList::allocate<bmalloc::IsoConfig<560u>, bmalloc::IsoAllocator<bmalloc::IsoConfig<560u> >::allocate(bool)::{lambda()#1}>(bmalloc::IsoAllocator<bmalloc::IsoConfig<560u> >::allocate(bool)::{lambda()#1} const&) (slowPath=..., this=<optimized out>) at ..../webkit.master/Source/bmalloc/bmalloc/FreeListInlines.h:44
#9  0x00007f5aa5089531 in bmalloc::IsoAllocator<bmalloc::IsoConfig<560u> >::allocate(bool) (this=<optimized out>, abortOnFailure=<optimized out>) at ..../webkit.master/Source/bmalloc/bmalloc/IsoAllocatorInlines.h:51
#10 0x00007f5aa49244f2 in WebCore::createRenderer<WebCore::RenderView, WebCore::Document&, WebCore::RenderStyle>(WebCore::Document&, WebCore::RenderStyle&&) () at ..../webkit.master/Source/WebCore/rendering/RenderPtr.h:43
#11 0x00007f5aa49244f2 in WebCore::Document::createRenderTree() (this=0x7f5a426f1800) at ..../webkit.master/Source/WebCore/dom/Document.cpp:2212
#12 0x00007f5aa4935ed0 in WebCore::Document::didBecomeCurrentDocumentInFrame() (this=0x7f5a426f1800) at ..../webkit.master/Source/WebCore/dom/Document.cpp:2228

(In reply to Michael Catanzaro from comment #36)
> Failing that... let's test a workaround. Try removing the
> WTF_MAKE_ISO_ALLOCATED(RenderView) line from RenderView.h, and the
> corresponding WTF_MAKE_ISO_ALLOCATED_IMPL(RenderView); line in
> RenderView.cpp. Does that help?

Nope, still goes down:

#3  0x00007fc263e6bc16 in WTF::jscSignalHandler(int, siginfo_t*, void*) (sig=<optimized out>, info=0x7ffd9602eef0, ucontext=0x7ffd9602edc0) at ..../webkit.master/Source/WTF/wtf/threads/Signals.cpp:353
#4  0x00007fc2668a0720 in <signal handler called> () at /lib64/libc.so.6
#5  0x00007fc2686769f2 in WebCore::RenderBlockFlow::operator new(unsigned long) (size=size at entry=560) at ..../webkit.master/Source/WebCore/rendering/RenderBlockFlow.cpp:62
#6  0x00007fc2680921f2 in WebCore::createRenderer<WebCore::RenderView, WebCore::Document&, WebCore::RenderStyle>(WebCore::Document&, WebCore::RenderStyle&&) () at ..../webkit.master/Source/WebCore/rendering/RenderPtr.h:43
#7  0x00007fc2680921f2 in WebCore::Document::createRenderTree() (this=0x7fc209ff1800) at ..../webkit.master/Source/WebCore/dom/Document.cpp:2212
#8  0x00007fc2680a3bd0 in WebCore::Document::didBecomeCurrentDocumentInFrame() (this=0x7fc209ff1800) at ..../webkit.master/Source/WebCore/dom/Document.cpp:2228
#9  0x00007fc26841c6fa in WebCore::Frame::setDocument(WTF::RefPtr<WebCore::Document>&&) (this=0x7fc24c3b8550, newDocument=...) at ..../webkit.master/Source/WebCore/page/Frame.cpp:297
#10 0x00007fc26835d44d in WebCore::DocumentWriter::begin(WebCore::URL const&, bool, WebCore::Document*) (this=this at entry=0x7fc24c39a080, urlReference=..., dispatch=dispatch at entry=false, ownerDocument=ownerDocument at entry=0x0) at ..../webkit.master/Source/WebCore/loader/DocumentWriter.cpp:174
#11 0x00007fc26835d79d in WebCore::DocumentLoader::commitData(char const*, unsigned long) (this=this at entry=0x7fc24c39a000, bytes=bytes at entry=0x0, length=length at entry=0) at ..../webkit.master/Source/WebCore/loader/DocumentLoader.cpp:867
#12 0x00007fc26835deac in WebCore::DocumentLoader::finishedLoading() (this=this at entry=0x7fc24c39a000) at ..../webkit.master/Source/WebCore/loader/DocumentLoader.cpp:425
#13 0x00007fc26835fdd9 in WebCore::DocumentLoader::maybeLoadEmpty() (this=this at entry=0x7fc24c39a000) at ..../webkit.master/Source/WebCore/loader/DocumentLoader.cpp:1514
#14 0x00007fc26836149c in WebCore::DocumentLoader::startLoadingMainResource() (this=0x7fc24c39a000) at ..../webkit.master/Source/WebCore/loader/DocumentLoader.cpp:1526
#15 0x00007fc26836f3c3 in WebCore::FrameLoader::init() (this=0x7889d0) at ..../webkit.master/Source/WebCore/loader/FrameLoader.cpp:307
#16 0x00007fc26841c67c in WebCore::Frame::init() (this=<optimized out>) at ..../webkit.master/Source/WebCore/page/Frame.cpp:203
#17 0x00007fc2677318cc in WebKit::WebFrame::createWithCoreMainFrame(WebKit::WebPage*, WebCore::Frame*) (page=page at entry=0x7fc209ff9000, coreFrame=0x7fc24c3b8550) at ..../webkit.master/Source/WebKit/WebProcess/WebPage/WebFrame.cpp:120
#18 0x00007fc267747887 in WebKit::WebPage::WebPage(unsigned long, WebKit::WebPageCreationParameters&&) (this=0x7fc209ff9000, pageID=<optimized out>, parameters=...) at ..../webkit.master/Source/WebKit/WebProcess/WebPage/WebPage.cpp:440
#19 0x00007fc2677480ee in WebKit::WebPage::create(unsigned long, WebKit::WebPageCreationParameters&&) (pageID=1, parameters=...) at ..../webkit.master/Source/WebKit/WebProcess/WebPage/WebPage.cpp:316
#20 0x00007fc26769c6a8 in WebKit::WebProcess::createWebPage(unsigned long, WebKit::WebPageCreationParameters&&) (this=0x78ea20, pageID=<optimized out>, parameters=...) at ..../webkit.master/Source/WebKit/WebProcess/WebProcess.cpp:579
#21 0x00007fc26792e2b7 in IPC::callMemberFunctionImpl<WebKit::WebProcess, void (WebKit::WebProcess::*)(unsigned long, WebKit::WebPageCreationParameters&&), std::tuple<unsigned long, WebKit::WebPageCreationParameters>, 0ul, 1ul>(WebKit::WebProcess*, void (WebKit::WebProcess::*)(unsigned long, WebKit::WebPageCreationParameters&&), std::tuple<unsigned long, WebKit::WebPageCreationParameters>&&, std::integer_sequence<unsigned long, 0ul, 1ul>) (args=..., function=<optimized out>, object=0x78ea20) at ..../webkit.master/Source/WebKit/Platform/IPC/HandleMessage.h:40
#22 0x00007fc26792e2b7 in IPC::callMemberFunction<WebKit::WebProcess, void (WebKit::WebProcess::*)(unsigned long, WebKit::WebPageCreationParameters&&), std::tuple<unsigned long, WebKit::WebPageCreationParameters>, std::integer_sequence<unsigned long, 0ul, 1ul> >(std::tuple<unsigned long, WebKit::WebPageCreationParameters>&&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(unsigned long, WebKit::WebPageCreationParameters&&)) (function=<optimized out>, object=0x78ea20, args=...) at ..../webkit.master/Source/WebKit/Platform/IPC/HandleMessage.h:46
#23 0x00007fc26792e2b7 in IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, void (WebKit::WebProcess::*)(unsigned long, WebKit::WebPageCreationParameters&&)>(IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(unsigned long, WebKit::WebPageCreationParameters&&)) (decoder=..., object=object at entry=0x78ea20, function=(void (WebKit::WebProcess::*)(WebKit::WebProcess * const, unsigned long, WebKit::WebPageCreationParameters &&)) 0x7fc26769c650 <WebKit::WebProcess::createWebPage(unsigned long, WebKit::WebPageCreationParameters&&)>) at ..../webkit.master/Source/WebKit/Platform/IPC/HandleMessage.h:126
#24 0x00007fc26792a883 in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) (this=0x78ea20, connection=..., decoder=...) at ..../webkit.master/_build/DerivedSources/WebKit/WebProcessMessageReceiver.cpp:69
#25 0x00007fc267545d5b in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7fc24c3e5000, message=std::unique_ptr<IPC::Decoder> containing 0x7fc24c3dd060) at ..../webkit.master/Source/WebKit/Platform/IPC/Connection.cpp:928
#26 0x00007fc2675465d8 in IPC::Connection::dispatchOneMessage() (this=0x7fc24c3e5000) at ..../webkit.master/Source/WebKit/Platform/IPC/Connection.cpp:959
#27 0x00007fc263e482bd in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ..../webkit.master/Source/WTF/wtf/Function.h:56
#28 0x00007fc263e482bd in WTF::RunLoop::performWork() (this=0x7fc24c3f9000) at ..../webkit.master/Source/WTF/wtf/RunLoop.cpp:123
#29 0x00007fc263e6e899 in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>) at ..../webkit.master/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#30 0x00007fc263e6e899 in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) () at ..../webkit.master/Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#31 0x00007fc26434fbb7 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#32 0x00007fc26434ff60 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#33 0x00007fc264350272 in g_main_loop_run () at /lib64/libglib-2.0.so.0
#34 0x00007fc263e6f1d8 in WTF::RunLoop::run() () at ..../webkit.master/Source/WTF/wtf/glib/RunLoopGLib.cpp:96
#35 0x00007fc2678c93f8 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=<optimized out>, argv=0x7ffd96030eb8) at ..../webkit.master/Source/WebKit/Shared/unix/ChildProcessMain.h:61
#36 0x00007fc26688a03a in __libc_start_main () at /lib64/libc.so.6
#37 0x000000000040086a in _start ()

That looks suspicious, thus I reverted the previous change in RenderView and disabled bmalloc in my local build to see whether it would help; with the system malloc, MiniBrowser opens the webkitgtk.org page with no problem.

I'll try to involve some other helper tools like valgrind or AddressSanitizer as soon as I manage to compile WebKitGTK+ again without the system malloc.

-- 
You are receiving this mail because:
You are the assignee for the bug.