[Webkit-unassigned] [Bug 248267] JSC init crashes WebKit with overcommit limit enabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 24 17:42:49 PST 2022 

https://bugs.webkit.org/show_bug.cgi?id=248267

Carlos Alberto Lopez Perez <clopez at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |clopez at igalia.com,
                   |                            |mark.lam at apple.com,
                   |                            |ysuzuki at apple.com

--- Comment #9 from Carlos Alberto Lopez Perez <clopez at igalia.com> ---
(In reply to Paul van Tilburg from comment #6)
> Indeed, great!
> 
> Here it is:
> 
> Thread 1 (Thread 0x7ff906b3cac0 (LWP 90112)):
> #0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> #1  0x00007ff90ad67859 in __GI_abort () at abort.c:79
> #2  0x00007ff90b588e1d in WTFCrashWithInfo(int, char const*, char const*,
> int) () at WTF/Headers/wtf/Assertions.h:778
> #3  JSC::StructureMemoryManager::StructureMemoryManager() () at
> ../Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp:90

It crashes there on a RELEASE_ASSERTION:

[...]
#if CPU(ADDRESS64) && !ENABLE(STRUCTURE_ID_WITH_SHIFT)

class StructureMemoryManager {
public:
    StructureMemoryManager()
    {
        // Don't use the first page because zero is used as the empty StructureID and the first allocation will conflict.
        m_usedBlocks.set(0);

        uintptr_t mappedHeapSize = structureHeapAddressSize;
        for (unsigned i = 0; i < 8; ++i) {
            g_jscConfig.startOfStructureHeap = reinterpret_cast<uintptr_t>(OSAllocator::tryReserveUncommittedAligned(mappedHeapSize, structureHeapAddressSize, OSAllocator::FastMallocPages));
            if (g_jscConfig.startOfStructureHeap)
                break;
            mappedHeapSize /= 2;
        }
        g_jscConfig.sizeOfStructureHeap = mappedHeapSize;
        RELEASE_ASSERT(g_jscConfig.startOfStructureHeap && ((g_jscConfig.startOfStructureHeap & ~StructureID::structureIDMask) == g_jscConfig.startOfStructureHeap));
[...]

This assertion was added on 250199 at main (bug 239957)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221125/e04d98f8/attachment.htm>

More information about the webkit-unassigned mailing list