[Webkit-unassigned] [Bug 245968] Crash in pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl
bugzilla-daemon at webkit.org
Mon Nov 7 15:49:48 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=245968
Michael Catanzaro <mcatanzaro at gnome.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mcatanzaro at gnome.org
--- Comment #2 from Michael Catanzaro <mcatanzaro at gnome.org> ---
This crash happens quite a lot, and based on the code it really should be impossible unless GCC is removing the check if (!pas_segregated_view_is_some_exclusive(owner) || !cache_node) on line 137. So I'm going to paste the assembler dump from gdb and hope somebody who understands assembler decides to look at this. It seems gdb was kind enough to put an arrow next to => 0x00007f6902108a45 <+133>: lock cmpxchg %dl,(%r14), which I presume means that is where the crash occurred?
Dump of assembler code for function pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl:
# gdb disassembly (AT&T syntax, x86-64, SysV argument registers).
# Register roles established by the prologue (+10..+26):
#   r12 = arg1 (rdi), r13 = arg2 (rsi), r15 = arg3 (rdx), rsi = arg3 + 0x10 (later copied to r14).
#   rbx = 8-byte field at arg1+0x8; rcx = 8-byte field at arg1+0x20 (bits 0x6 tested).
# The C names (page/owner, held-lock pointer, cache_node) are not visible in the dump; from the
# reporter's comment, arg3 is presumably cache_node and [arg2] the caller's held-lock pointer — confirm against the source.
# The faulting instruction ("=>") is +133: lock cmpxchg on (%r14), i.e. arg3 + 0x10.
# Observation from the dump alone: the path +104 -> +116 -> +126 -> +133 never tests %r15 (arg3)
# against zero, whereas the path at +58..+64 does. If arg3 were NULL on the +104 path, r14 would be
# exactly 0x10 and the cmpxchg would fault; the dump shows no register values, so this cannot be confirmed here.
# NOTE(review): one hypothesis is that the compiler treated arg3 as non-null after the address
# computation at +20 / compare at +107 (an `&arg3->field` expression in the source would permit that) and dropped the NULL check
# on this path — verify by reading the source around the reporter's line 137.
0x00007f69021089c0 <+0>: endbr64
0x00007f69021089c4 <+4>: push %rbp
0x00007f69021089c5 <+5>: mov %rsp,%rbp
0x00007f69021089c8 <+8>: push %r15
0x00007f69021089ca <+10>: mov %rdx,%r15                 # r15 = arg3
0x00007f69021089cd <+13>: push %r14
0x00007f69021089cf <+15>: push %r13
0x00007f69021089d1 <+17>: mov %rsi,%r13                 # r13 = arg2
0x00007f69021089d4 <+20>: lea 0x10(%rdx),%rsi           # rsi = arg3 + 0x10, computed before any NULL test of arg3
0x00007f69021089d8 <+24>: push %r12
0x00007f69021089da <+26>: mov %rdi,%r12                 # r12 = arg1
0x00007f69021089dd <+29>: push %rbx
0x00007f69021089de <+30>: sub $0x18,%rsp                # 5 pushes + 0x18 keeps rsp 16-aligned for the calls below
0x00007f69021089e2 <+34>: mov 0x8(%r12),%rbx            # loop head: rbx = [arg1+0x8] (re-entered from +84, +174, +347)
0x00007f69021089e7 <+39>: mov 0x0(%r13),%rdx            # rdx = [arg2]
0x00007f69021089eb <+43>: cmp %rbx,%rdx
0x00007f69021089ee <+46>: je 0x7f6902108a28 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+104>   # [arg2] == [arg1+8] -> +104
0x00007f69021089f0 <+48>: mov 0x20(%r12),%rcx           # rcx = [arg1+0x20]
0x00007f69021089f5 <+53>: test $0x6,%cl
0x00007f69021089f8 <+56>: jne 0x7f6902108a02 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+66>    # (rcx & 0x6) != 0 -> +66
0x00007f69021089fa <+58>: test %r15,%r15                # NULL test of arg3 — present on this path only
0x00007f69021089fd <+61>: sete %al
0x00007f6902108a00 <+64>: jne 0x7f6902108a78 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+184>   # arg3 != 0 -> +184
0x00007f6902108a02 <+66>: mov 0x0(%r13),%rax            # rax = [arg2]
0x00007f6902108a06 <+70>: cmp %rax,%rbx
0x00007f6902108a09 <+73>: jne 0x7f6902108b50 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+400>   # [arg2] != rbx -> +400
0x00007f6902108a0f <+79>: cmp %rbx,0x8(%r12)
0x00007f6902108a14 <+84>: jne 0x7f69021089e2 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+34>    # [arg1+8] changed -> retry from +34
0x00007f6902108a16 <+86>: add $0x18,%rsp                # epilogue / return (no return value computed)
0x00007f6902108a1a <+90>: pop %rbx
0x00007f6902108a1b <+91>: pop %r12
0x00007f6902108a1d <+93>: pop %r13
0x00007f6902108a1f <+95>: pop %r14
0x00007f6902108a21 <+97>: pop %r15
0x00007f6902108a23 <+99>: pop %rbp
0x00007f6902108a24 <+100>: ret
0x00007f6902108a25 <+101>: nopl (%rax)
0x00007f6902108a28 <+104>: mov %rsi,%r14                # r14 = arg3 + 0x10 (from the lea at +20)
0x00007f6902108a2b <+107>: cmp %rsi,%rdx
0x00007f6902108a2e <+110>: je 0x7f6902108bfa <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+570>   # [arg2] == arg3+0x10 -> +570 (then return at +86)
0x00007f6902108a34 <+116>: mov 0x20(%r12),%rcx          # rcx = [arg1+0x20]
0x00007f6902108a39 <+121>: test $0x6,%cl
0x00007f6902108a3c <+124>: jne 0x7f6902108a02 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+66>   # (rcx & 0x6) != 0 -> +66; no test of %r15 follows on this path
0x00007f6902108a3e <+126>: xor %eax,%eax                # expected old byte = 0
0x00007f6902108a40 <+128>: mov $0x1,%edx                # new byte = 1
=> 0x00007f6902108a45 <+133>: lock cmpxchg %dl,(%r14)   # FAULT SITE: try-acquire byte at arg3+0x10 (== 0x10 if arg3 is NULL)
0x00007f6902108a4a <+138>: test %al,%al                 # al = previous byte; non-zero means already held
0x00007f6902108a4c <+140>: jne 0x7f6902108b80 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+448>
0x00007f6902108a52 <+146>: cmp %r14,%rbx
0x00007f6902108a55 <+149>: je 0x7f6902108bf8 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+568>   # rbx == r14 -> ud2 (trap)
0x00007f6902108a5b <+155>: cmp %rbx,0x8(%r12)
0x00007f6902108a60 <+160>: je 0x7f6902108b30 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+368>   # [arg1+8] still == rbx -> +368
0x00007f6902108a66 <+166>: xor %eax,%eax
0x00007f6902108a68 <+168>: xchg %al,(%rbx)              # atomically store byte 0 at (rbx) (release)
0x00007f6902108a6a <+170>: mov %r14,0x0(%r13)           # [arg2] = r14
0x00007f6902108a6e <+174>: jmp 0x7f69021089e2 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+34>   # retry from loop head
0x00007f6902108a73 <+179>: nopl 0x0(%rax,%rax,1)
0x00007f6902108a78 <+184>: lea 0x10(%r15),%r14          # r14 = arg3 + 0x10; arg3 known non-zero here (tested at +58)
0x00007f6902108a7c <+188>: cmp %r14,%rdx
0x00007f6902108a7f <+191>: jne 0x7f6902108a97 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+215>  # [arg2] != r14 -> +215
0x00007f6902108a81 <+193>: mov $0x1,%edx                # al is 0 here (sete at +61 with r15 != 0)
0x00007f6902108a86 <+198>: lock cmpxchg %dl,(%rbx)      # try-acquire byte at (rbx)
0x00007f6902108a8a <+202>: test %al,%al
0x00007f6902108a8c <+204>: je 0x7f6902108a52 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+146>   # acquired -> +146
0x00007f6902108a8e <+206>: mov 0x0(%r13),%rdx
0x00007f6902108a92 <+210>: cmp %rdx,%rbx
0x00007f6902108a95 <+213>: je 0x7f6902108a3e <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+126>
0x00007f6902108a97 <+215>: test %rdx,%rdx               # rdx = [arg2]; skip release if NULL
0x00007f6902108a9a <+218>: je 0x7f6902108aa0 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+224>
0x00007f6902108a9c <+220>: xor %eax,%eax
0x00007f6902108a9e <+222>: xchg %al,(%rdx)              # release byte at (rdx)
0x00007f6902108aa0 <+224>: cmp %r14,%rbx
0x00007f6902108aa3 <+227>: je 0x7f6902108b00 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+320>   # rbx == r14 -> +320
0x00007f6902108aa5 <+229>: and $0xfffffffffffffff8,%rcx # rcx = ([arg1+0x20] & ~7) + 0x12
0x00007f6902108aa9 <+233>: add $0x12,%rcx
0x00007f6902108aad <+237>: cmp %rcx,%rbx
0x00007f6902108ab0 <+240>: je 0x7f6902108bd0 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+528>   # rbx == that address -> +528
0x00007f6902108ab6 <+246>: cmp %rbx,%r14
0x00007f6902108ab9 <+249>: jae 0x7f6902108b98 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+472>  # unsigned: r14 >= rbx -> +472 (acquire rbx first); else acquire r14 first
0x00007f6902108abf <+255>: xor %edx,%edx
0x00007f6902108ac1 <+257>: mov $0x1,%ecx
0x00007f6902108ac6 <+262>: mov %edx,%eax
0x00007f6902108ac8 <+264>: lock cmpxchg %cl,(%r14)      # try-acquire (r14)
0x00007f6902108acd <+269>: sete %al
0x00007f6902108ad0 <+272>: jne 0x7f6902108c26 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+614>  # contended -> slow path at +614
0x00007f6902108ad6 <+278>: mov %edx,%eax
0x00007f6902108ad8 <+280>: lock cmpxchg %cl,(%rbx)      # try-acquire (rbx)
0x00007f6902108adc <+284>: je 0x7f6902108a5b <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+155>
0x00007f6902108ae2 <+290>: mov %rbx,%rdi                # slow path: pas_lock_lock_slow(rbx); rsi spilled across the call
0x00007f6902108ae5 <+293>: mov %rsi,-0x38(%rbp)
0x00007f6902108ae9 <+297>: call 0x7f6900e0a180 <pas_lock_lock_slow at plt>
0x00007f6902108aee <+302>: mov -0x38(%rbp),%rsi
0x00007f6902108af2 <+306>: jmp 0x7f6902108a5b <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+155>
0x00007f6902108af7 <+311>: nopw 0x0(%rax,%rax,1)
0x00007f6902108b00 <+320>: xor %eax,%eax                # rbx == r14 case: acquire (r14) only
0x00007f6902108b02 <+322>: mov $0x1,%edx
0x00007f6902108b07 <+327>: lock cmpxchg %dl,(%r14)
0x00007f6902108b0c <+332>: jne 0x7f6902108c66 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+678>  # contended -> slow path at +678
0x00007f6902108b12 <+338>: mov %r14,0x0(%r13)           # [arg2] = r14
0x00007f6902108b16 <+342>: cmp %r14,0x8(%r12)
0x00007f6902108b1b <+347>: jne 0x7f69021089e2 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+34>   # [arg1+8] != r14 -> retry
0x00007f6902108b21 <+353>: jmp 0x7f6902108a16 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+86>   # else return
0x00007f6902108b26 <+358>: cs nopw 0x0(%rax,%rax,1)
0x00007f6902108b30 <+368>: mov %r14,0x8(%r12)           # [arg1+8] = r14 (the "rebias"), then release (rbx) and return
0x00007f6902108b35 <+373>: xor %eax,%eax
0x00007f6902108b37 <+375>: xchg %al,(%rbx)
0x00007f6902108b39 <+377>: mov %r14,0x0(%r13)           # [arg2] = r14
0x00007f6902108b3d <+381>: add $0x18,%rsp
0x00007f6902108b41 <+385>: pop %rbx
0x00007f6902108b42 <+386>: pop %r12
0x00007f6902108b44 <+388>: pop %r13
0x00007f6902108b46 <+390>: pop %r14
0x00007f6902108b48 <+392>: pop %r15
0x00007f6902108b4a <+394>: pop %rbp
0x00007f6902108b4b <+395>: ret
0x00007f6902108b4c <+396>: nopl 0x0(%rax)
0x00007f6902108b50 <+400>: test %rax,%rax               # rax = [arg2]; release it if non-NULL
0x00007f6902108b53 <+403>: je 0x7f6902108b59 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+409>
0x00007f6902108b55 <+405>: xor %edx,%edx
0x00007f6902108b57 <+407>: xchg %dl,(%rax)
0x00007f6902108b59 <+409>: test %rbx,%rbx               # rbx = [arg1+8]; acquire it if non-NULL
0x00007f6902108b5c <+412>: je 0x7f6902108b6f <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+431>
0x00007f6902108b5e <+414>: xor %eax,%eax
0x00007f6902108b60 <+416>: mov $0x1,%edx
0x00007f6902108b65 <+421>: lock cmpxchg %dl,(%rbx)
0x00007f6902108b69 <+425>: jne 0x7f6902108c11 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+593>  # contended -> slow path at +593
0x00007f6902108b6f <+431>: mov %rbx,0x0(%r13)           # [arg2] = rbx
0x00007f6902108b73 <+435>: jmp 0x7f6902108a0f <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+79>
0x00007f6902108b78 <+440>: nopl 0x0(%rax,%rax,1)
0x00007f6902108b80 <+448>: mov 0x0(%r13),%rdx           # (r14) was already held at +133: reload [arg2] and rejoin at +220/+224
0x00007f6902108b84 <+452>: test %rdx,%rdx
0x00007f6902108b87 <+455>: jne 0x7f6902108a9c <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+220>
0x00007f6902108b8d <+461>: jmp 0x7f6902108aa0 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+224>
0x00007f6902108b92 <+466>: nopw 0x0(%rax,%rax,1)
0x00007f6902108b98 <+472>: xor %eax,%eax                # r14 >= rbx: acquire (rbx) first, then (r14)
0x00007f6902108b9a <+474>: mov $0x1,%edx
0x00007f6902108b9f <+479>: lock cmpxchg %dl,(%rbx)
0x00007f6902108ba3 <+483>: jne 0x7f6902108c51 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+657>  # contended -> slow path at +657
0x00007f6902108ba9 <+489>: xor %eax,%eax
0x00007f6902108bab <+491>: mov $0x1,%edx
0x00007f6902108bb0 <+496>: lock cmpxchg %dl,(%r14)
0x00007f6902108bb5 <+501>: je 0x7f6902108a5b <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+155>
0x00007f6902108bbb <+507>: mov %r14,%rdi                # slow path: pas_lock_lock_slow(r14)
0x00007f6902108bbe <+510>: mov %rsi,-0x38(%rbp)
0x00007f6902108bc2 <+514>: call 0x7f6900e0a180 <pas_lock_lock_slow at plt>
0x00007f6902108bc7 <+519>: mov -0x38(%rbp),%rsi
0x00007f6902108bcb <+523>: jmp 0x7f6902108a5b <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+155>
0x00007f6902108bd0 <+528>: xor %eax,%eax                # rbx == ([arg1+0x20] & ~7) + 0x12: acquire (r14) then (rbx)
0x00007f6902108bd2 <+530>: mov $0x1,%edx
0x00007f6902108bd7 <+535>: lock cmpxchg %dl,(%r14)
0x00007f6902108bdc <+540>: jne 0x7f6902108bff <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+575>  # contended -> slow path at +575
0x00007f6902108bde <+542>: xor %eax,%eax
0x00007f6902108be0 <+544>: mov $0x1,%edx
0x00007f6902108be5 <+549>: lock cmpxchg %dl,(%rbx)
0x00007f6902108be9 <+553>: je 0x7f6902108a5b <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+155>
0x00007f6902108bef <+559>: jmp 0x7f6902108ae2 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+290>
0x00007f6902108bf4 <+564>: nopl 0x0(%rax)
0x00007f6902108bf8 <+568>: ud2                          # deliberate trap (reached from +149 when rbx == r14)
0x00007f6902108bfa <+570>: jmp 0x7f6902108a16 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+86>   # return
0x00007f6902108bff <+575>: mov %r14,%rdi                # slow path: pas_lock_lock_slow(r14), then resume at +542
0x00007f6902108c02 <+578>: mov %rsi,-0x38(%rbp)
0x00007f6902108c06 <+582>: call 0x7f6900e0a180 <pas_lock_lock_slow at plt>
0x00007f6902108c0b <+587>: mov -0x38(%rbp),%rsi
0x00007f6902108c0f <+591>: jmp 0x7f6902108bde <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+542>
0x00007f6902108c11 <+593>: mov %rbx,%rdi                # slow path: pas_lock_lock_slow(rbx), then resume at +431
0x00007f6902108c14 <+596>: mov %rsi,-0x38(%rbp)
0x00007f6902108c18 <+600>: call 0x7f6900e0a180 <pas_lock_lock_slow at plt>
0x00007f6902108c1d <+605>: mov -0x38(%rbp),%rsi
0x00007f6902108c21 <+609>: jmp 0x7f6902108b6f <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+431>
0x00007f6902108c26 <+614>: mov %r14,%rdi                # slow path: pas_lock_lock_slow(r14); al (sete result) and rsi spilled across the call
0x00007f6902108c29 <+617>: mov %al,-0x38(%rbp)
0x00007f6902108c2c <+620>: mov %rsi,-0x40(%rbp)
0x00007f6902108c30 <+624>: call 0x7f6900e0a180 <pas_lock_lock_slow at plt>
0x00007f6902108c35 <+629>: movzbl -0x38(%rbp),%eax
0x00007f6902108c39 <+633>: mov $0x1,%ecx
0x00007f6902108c3e <+638>: lock cmpxchg %cl,(%rbx)      # then try-acquire (rbx)
0x00007f6902108c42 <+642>: mov -0x40(%rbp),%rsi
0x00007f6902108c46 <+646>: je 0x7f6902108a5b <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+155>
0x00007f6902108c4c <+652>: jmp 0x7f6902108ae2 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+290>
0x00007f6902108c51 <+657>: mov %rbx,%rdi                # slow path: pas_lock_lock_slow(rbx), then resume at +489
0x00007f6902108c54 <+660>: mov %rsi,-0x38(%rbp)
0x00007f6902108c58 <+664>: call 0x7f6900e0a180 <pas_lock_lock_slow at plt>
0x00007f6902108c5d <+669>: mov -0x38(%rbp),%rsi
0x00007f6902108c61 <+673>: jmp 0x7f6902108ba9 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+489>
0x00007f6902108c66 <+678>: mov %r14,%rdi                # slow path: pas_lock_lock_slow(r14), then resume at +338
0x00007f6902108c69 <+681>: mov %rsi,-0x38(%rbp)
0x00007f6902108c6d <+685>: call 0x7f6900e0a180 <pas_lock_lock_slow at plt>
0x00007f6902108c72 <+690>: mov -0x38(%rbp),%rsi
0x00007f6902108c76 <+694>: jmp 0x7f6902108b12 <pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl+338>
End of assembler dump.