[Webkit-unassigned] [Bug 179914] [GTK] Crash in IsoAllocator::allocateSlow (WTF::Signal::BadAccess)
bugzilla-daemon at webkit.org
Mon Dec 11 03:12:51 PST 2017
https://bugs.webkit.org/show_bug.cgi?id=179914
--- Comment #49 from Carlos Garcia Campos <cgarcia at igalia.com> ---
Hey Michael, good catch, it helped a lot to find the problem, which is in PerProcess. What happens is that we have two copies of the bmalloc symbols, one in libwk and the other one in libjsc. When building in developer mode, all the symbols are public (global) by default in both libwk and libjsc, but when using the symbol filter, all symbols are global in libjsc, but local in libwk except for the ones defined as global in the filter file (our public API symbols).

In IsoTLS::ensureEntries(), PerProcess is used to get the global IsoTLSLayout. The first time, the IsoTLSLayout is created when PerProcess<IsoTLSLayout>::get() is called from the IsoTLSEntry constructor. Then it's called again from IsoTLS::ensureEntries(), but this second time a new IsoTLSLayout is created again. That's not expected to happen, and the result is that startEntry is nullptr and IsoTLSAllocatorEntry<Config>::construct() is never called (m_heap is never initialized).

My guess is that the first time we initialize bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_object in libjsc (or libwk) and the second time the one from libwk (or libjsc) is used. This is probably because bmalloc::PerProcess<bmalloc::IsoTLSLayout>::getSlowCase() is a local symbol in libwk, so when using the libwk one, s_object is also the libwk one, because it's local. See:
$ objdump -x libjavascriptcoregtk-4.0.so | c++filt | grep IsoTLSLayout
0000000000eb4e80 l O .rodata 000000000000000c bmalloc::PerProcess<bmalloc::IsoTLSLayout>::getSlowCase()::__FUNCTION__
0000000000eb4e8c l O .rodata 0000000000000004 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::get()::__FUNCTION__
0000000000000000 l df *ABS* 0000000000000000 IsoTLSLayout.cpp
0000000000eb4e98 l O .rodata 000000000000000d bmalloc::IsoTLSLayout::IsoTLSLayout(std::lock_guard<bmalloc::StaticMutex> const&)::__FUNCTION__
00000000010761e0 l O .bss 0000000000000008 guard variable for bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)::addingMutex
00000000010761e8 l O .bss 0000000000000002 bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)::addingMutex
0000000000eb4e90 l O .rodata 0000000000000004 bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)::__FUNCTION__
0000000000361710 l F .text 0000000000000011 _GLOBAL__sub_I_IsoTLSLayout.cpp
0000000000df8820 g F .text 00000000000000fd bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)
0000000000df87e0 g F .text 0000000000000034 bmalloc::IsoTLSLayout::IsoTLSLayout(std::lock_guard<bmalloc::StaticMutex> const&)
00000000010761c0 u O .bss 0000000000000008 guard variable for bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_mutex
00000000010761c8 u O .bss 0000000000000008 guard variable for bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_object
0000000000df87e0 g F .text 0000000000000034 bmalloc::IsoTLSLayout::IsoTLSLayout(std::lock_guard<bmalloc::StaticMutex> const&)
00000000010761b0 u O .bss 0000000000000010 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_memory
00000000010761d8 u O .bss 0000000000000008 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_object
00000000010761d0 u O .bss 0000000000000002 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_mutex
0000000000df8740 w F .text 000000000000008b bmalloc::PerProcess<bmalloc::IsoTLSLayout>::getSlowCase()
$ objdump -x libwebkit2gtk-4.0.so | c++filt | grep IsoTLSLayout
0000000002c6d930 l O .rodata 000000000000000c bmalloc::PerProcess<bmalloc::IsoTLSLayout>::getSlowCase()::__FUNCTION__
0000000002c6d93c l O .rodata 0000000000000004 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::get()::__FUNCTION__
0000000000000000 F *UND* 0000000000000000 bmalloc::IsoTLSLayout::IsoTLSLayout(std::lock_guard<bmalloc::StaticMutex> const&)
000000000372f138 u O .bss 0000000000000008 guard variable for bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_object
000000000372f148 u O .bss 0000000000000008 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_object
000000000372f120 u O .bss 0000000000000010 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_memory
0000000002b5c910 w F .text 000000000000008b bmalloc::PerProcess<bmalloc::IsoTLSLayout>::getSlowCase()
000000000372f130 u O .bss 0000000000000008 guard variable for bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_mutex
000000000372f140 u O .bss 0000000000000002 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_mutex
0000000000000000 F *UND* 0000000000000000 bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)
This is the case without the filter file: getSlowCase() is weak in both and s_object is unique global in both too.
$ objdump -x libjavascriptcoregtk-4.0.so | c++filt | grep IsoTLSLayout
0000000000eb4eb0 l O .rodata 000000000000000c bmalloc::PerProcess<bmalloc::IsoTLSLayout>::getSlowCase()::__FUNCTION__
0000000000eb4ebc l O .rodata 0000000000000004 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::get()::__FUNCTION__
0000000000000000 l df *ABS* 0000000000000000 IsoTLSLayout.cpp
0000000000eb4ed8 l O .rodata 000000000000000d bmalloc::IsoTLSLayout::IsoTLSLayout(std::lock_guard<bmalloc::StaticMutex> const&)::__FUNCTION__
00000000010761e0 l O .bss 0000000000000008 guard variable for bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)::addingMutex
00000000010761e8 l O .bss 0000000000000002 bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)::addingMutex
0000000000eb4ed0 l O .rodata 0000000000000004 bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)::__FUNCTION__
0000000000361710 l F .text 0000000000000011 _GLOBAL__sub_I_IsoTLSLayout.cpp
0000000000df8840 g F .text 00000000000000fd bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)
0000000000df8800 g F .text 0000000000000034 bmalloc::IsoTLSLayout::IsoTLSLayout(std::lock_guard<bmalloc::StaticMutex> const&)
00000000010761c0 u O .bss 0000000000000008 guard variable for bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_mutex
00000000010761c8 u O .bss 0000000000000008 guard variable for bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_object
0000000000df8800 g F .text 0000000000000034 bmalloc::IsoTLSLayout::IsoTLSLayout(std::lock_guard<bmalloc::StaticMutex> const&)
00000000010761b0 u O .bss 0000000000000010 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_memory
00000000010761d8 u O .bss 0000000000000008 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_object
00000000010761d0 u O .bss 0000000000000002 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_mutex
0000000000df8760 w F .text 000000000000008b bmalloc::PerProcess<bmalloc::IsoTLSLayout>::getSlowCase()
$ objdump -x libwebkit2gtk-4.0.so | c++filt | grep IsoTLSLayout
0000000001f84e90 l O .rodata 000000000000000c bmalloc::PerProcess<bmalloc::IsoTLSLayout>::getSlowCase()::__FUNCTION__
0000000001f84e9c l O .rodata 0000000000000004 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::get()::__FUNCTION__
0000000001e73e80 l F .text 000000000000008b bmalloc::PerProcess<bmalloc::IsoTLSLayout>::getSlowCase()
00000000029a48c0 l O .bss 0000000000000002 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_mutex
00000000029a48c8 l O .bss 0000000000000008 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_object
00000000029a48a0 l O .bss 0000000000000010 bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_memory
00000000029a48b8 l O .bss 0000000000000008 guard variable for bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_object
00000000029a48b0 l O .bss 0000000000000008 guard variable for bmalloc::PerProcess<bmalloc::IsoTLSLayout>::s_mutex
0000000000000000 F *UND* 0000000000000000 bmalloc::IsoTLSLayout::IsoTLSLayout(std::lock_guard<bmalloc::StaticMutex> const&)
0000000000000000 F *UND* 0000000000000000 bmalloc::IsoTLSLayout::add(bmalloc::IsoTLSEntry*)
This is with the filter file. Nothing changes in libjsc, but all symbols are local in libwk. Adding _ZN7bmalloc10PerProcessINS_12IsoTLSLayoutEE8s_objectE to the global section in the filter file fixes the crash, because it makes the symbol unique global in libwk too, but I'm not sure that's the right fix, because this can happen with other symbols that are expected to be global. Maybe we should make all symbols shared between libjsc and libwk global (bmalloc and WTF).