[Webkit-unassigned] [Bug 200566] New: Segmentation fault on 64K page size kernel Linux

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Aug 9 02:25:27 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=200566

            Bug ID: 200566
           Summary: Segmentation fault on 64K page size kernel Linux
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: bmalloc
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jz_xue at 163.com
                CC: ggaren at apple.com

On a Linux system with a 64K page size 4.4.131 kernel, run yelp reveived SIGSEGV.

webkit2gtk version: 2.20.1

gdb message:
Program received signal SIGSEGV, Segmentation fault.
0x0000ffffb488c1b0 in protectGigacageBasePtrs ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/Gigacage.cpp:61
61          RELEASE_BASSERT(!(basePtrs & (vmPageSize() - 1)));
(gdb) bt
#0  0x0000ffffb488c1b0 in protectGigacageBasePtrs ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/Gigacage.cpp:61
#1  0x0000ffffb488cafc in operator() ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/Gigacage.cpp:173
#2  _M_invoke<> () at /usr/include/c++/5/functional:1531
#3  operator() () at /usr/include/c++/5/functional:1520
#4  __once_call_impl<std::_Bind_simple<Gigacage::ensureGigacage()::<lambda()>()> >(void) ()
    at /usr/include/c++/5/mutex:706
#5  0x0000ffffb523ea2c in __pthread_once_slow (
    once_control=0xffffb49a0028 <Gigacage::ensureGigacage()::onceFlag>,
    init_routine=0xffffb2cd70e8 <__once_proxy>) at pthread_once.c:116
#6  0x0000ffffb488c4c4 in __gthread_once () at /usr/include/aarch64-linux-gnu/c++/5/bits/gthr-default.h:699
#7  call_once<Gigacage::ensureGigacage()::<lambda()> > () at /usr/include/c++/5/mutex:738
#8  Gigacage::ensureGigacage ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/Gigacage.cpp:175
#9  0x0000ffffb488d32c in bmalloc::Heap::Heap ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/Heap.cpp:58
#10 0x0000ffffb488b12c in bmalloc::PerHeapKindBase<bmalloc::Heap>::PerHeapKindBase<std::lock_guard<bmalloc::StaticMutex>&> () at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/PerHeapKind.h:43
#11 bmalloc::PerHeapKind<bmalloc::Heap>::PerHeapKind<std::lock_guard<bmalloc::StaticMutex>&> ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/PerHeapKind.h:95
#12 bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::getSlowCase ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/PerProcess.h:81
#13 0x0000ffffb488ad20 in bmalloc::PerProcess<bmalloc::PerHeapKind<bmalloc::Heap> >::get ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/PerProcess.h:65
#14 bmalloc::Cache::Cache () at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/Cache.cpp:46
#15 0x0000ffffb488b1dc in bmalloc::PerHeapKindBase<bmalloc::Cache>::PerHeapKindBase<>() ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/PerHeapKind.h:43
#16 bmalloc::PerHeapKind<bmalloc::Cache>::PerHeapKind<>() ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/PerHeapKind.h:95
#17 bmalloc::PerThread<bmalloc::PerHeapKind<bmalloc::Cache> >::getSlowCase ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/PerThread.h:145
#18 0x0000ffffb488adc4 in bmalloc::Cache::allocateSlowCaseNullCache ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/bmalloc/bmalloc/Cache.cpp:58
---Type <return> to continue, or q <return> to quit---
#19 0x0000ffffb48700bc in WTF::StringImpl::operator new ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/WTF/wtf/text/StringImpl.h:161
#20 WTF::StringImpl::createFromLiteral ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/WTF/wtf/text/StringImpl.cpp:153
#21 0x0000ffffb4870150 in WTF::StringImpl::createFromLiteral ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/WTF/wtf/text/StringImpl.cpp:158
#22 0x0000ffffb487c860 in WTF::String::String ()
    at /build/webkit2gtk-oPMfUy/webkit2gtk-2.20.1/Source/WTF/wtf/text/WTFString.cpp:83
#23 0x0000ffffb620cd1c in ?? () from /usr/lib/aarch64-linux-gnu/libwebkit2gtk-4.0.so.37
#24 0x0000000000000001 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

code:
57      void protectGigacageBasePtrs()
58      {
59          uintptr_t basePtrs = reinterpret_cast<uintptr_t>(g_gigacageBasePtrs);
60          // We might only get page size alignment, but that's also the minimum we need.
61          RELEASE_BASSERT(!(basePtrs & (vmPageSize() - 1)));
62          mprotect(g_gigacageBasePtrs, GIGACAGE_BASE_PTRS_SIZE, PROT_READ);
63      }

(gdb) p/x g_gigacageBasePtrs
$1 = 0x80000000

Is this a bug?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190809/91f0f756/attachment.html>

More information about the webkit-unassigned mailing list