[Webkit-unassigned] [Bug 248267] JSC init crashes WebKit with overcommit limit enabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 6 11:05:26 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=248267

--- Comment #13 from Mark Lam <mark.lam at apple.com> ---
The RELEASE_ASSERT there:

    RELEASE_ASSERT(g_jscConfig.startOfStructureHeap && ((g_jscConfig.startOfStructureHeap & ~StructureID::structureIDMask) == g_jscConfig.startOfStructureHeap));

... is enforcing that the start of the StructureHeap is always aligned with structureHeapAddressSize.

#elif CPU(ADDRESS64)
    static constexpr CPURegister structureIDMask = structureHeapAddressSize - 1;
#endif

#if !ENABLE(STRUCTURE_ID_WITH_SHIFT)
#if defined(STRUCTURE_HEAP_ADDRESS_SIZE_IN_MB) && STRUCTURE_HEAP_ADDRESS_SIZE_IN_MB > 0
constexpr uintptr_t structureHeapAddressSize = STRUCTURE_HEAP_ADDRESS_SIZE_IN_MB * MB;
#elif PLATFORM(IOS_FAMILY) && CPU(ARM64) && !CPU(ARM64E)
constexpr uintptr_t structureHeapAddressSize = 512 * MB;
#else
constexpr uintptr_t structureHeapAddressSize = 4 * GB;
#endif
#endif // !ENABLE(STRUCTURE_ID_WITH_SHIFT)

I don't know what `vm.overcommit_memory = 2` does, but my guess is that it affected the allocation of the StructureHeap such that the invariant is now broken.
