[Webkit-unassigned] [Bug 275555] SIGSEGV in JSC in pas_versioned_field_try_write_watched
bugzilla-daemon at webkit.org
Mon Jun 17 19:23:17 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=275555
--- Comment #4 from Yusuke Suzuki <ysuzuki at apple.com> ---
(In reply to qbtly from comment #3)
> Output when building with ASAN:
> Direct leak of 24 byte(s) in 1 object(s) allocated from:
> #0 0x7f54fd1be91f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
> #1 0x55fdecfa9594 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /JSC/Source/bmalloc/bmalloc/DebugHeap.cpp:118
> #2 0x55fdecfa9e2b in pas_debug_heap_malloc /JSC/Source/bmalloc/bmalloc/DebugHeap.cpp:223
> #3 0x55fdecfcbd2a in pas_debug_heap_allocate /JSC/Source/bmalloc/libpas/src/libpas/pas_debug_heap.h:106
> #4 0x55fdecfcc67f in pas_try_allocate_intrinsic_impl_casual_case /JSC/Source/bmalloc/libpas/src/libpas/pas_try_allocate_intrinsic.h:105
> #5 0x55fdecfcce63 in bmalloc_allocate_impl_casual_case /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69
> #6 0x55fdecfcd34e in bmalloc_allocate_casual /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap.c:64
> #7 0x55fdece3cef5 in bmalloc_allocate_inline /JSC/asan/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:120
> #8 0x55fdece401e3 in bmalloc::api::malloc(unsigned long, bmalloc::CompactAllocationMode, bmalloc::HeapKind) /JSC/asan/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc.h:75
> #9 0x55fdece401e3 in WTF::fastCompactMalloc(unsigned long) /JSC/Source/WTF/wtf/FastMalloc.cpp:709
> #10 0x55fdecf38eea in WTF::StringImpl::operator new(unsigned long) /JSC/Source/WTF/wtf/text/StringImpl.h:186
> #11 0x55fdecf4c33b in WTF::StringImpl::createWithoutCopyingNonEmpty(std::span<unsigned char const, 18446744073709551615ul>) /JSC/Source/WTF/wtf/text/StringImpl.cpp:169
> #12 0x55fde7e4524d in WTF::StringImpl::createWithoutCopying(std::span<unsigned char const, 18446744073709551615ul>) /JSC/asan/JSCOnly/Debug/WTF/Headers/wtf/text/StringImpl.h:270
> #13 0x55fdecf36cda in WTF::BufferFromStaticDataTranslator<unsigned char>::translate(WTF::Packed<WTF::StringImpl*>&, WTF::HashTranslatorCharBuffer<unsigned char> const&, unsigned int) /JSC/Source/WTF/wtf/text/AtomStringImpl.cpp:280
> #14 0x55fdecf35231 in void WTF::HashSetTranslatorAdapter<WTF::BufferFromStaticDataTranslator<unsigned char> >::translate<WTF::Packed<WTF::StringImpl*>, WTF::HashTranslatorCharBuffer<unsigned char> >(WTF::Packed<WTF::StringImpl*>&, WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&, unsigned int) /JSC/Source/WTF/wtf/HashSet.h:216
> #15 0x55fdecf32472 in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >, WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > > > WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::addPassingHashCode<WTF::HashSetTranslatorAdapter<WTF::BufferFromStaticDataTranslator<unsigned char> >, WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&>(WTF::HashTranslatorCharBuffer<unsigned char> const&, WTF::HashTranslatorCharBuffer<unsigned char> const&) /JSC/Source/WTF/wtf/HashTable.h:979
> #16 0x55fdecf2f6df in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >, WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > > > WTF::HashSet<WTF::Packed<WTF::StringImpl*>, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTableTraits>::add<WTF::BufferFromStaticDataTranslator<unsigned char>, WTF::HashTranslatorCharBuffer<unsigned char> >(WTF::HashTranslatorCharBuffer<unsigned char> const&) /JSC/Source/WTF/wtf/HashSet.h:333
> #17 0x55fdecf2dd9c in addToStringTable<WTF::HashTranslatorCharBuffer<unsigned char>, WTF::BufferFromStaticDataTranslator<unsigned char> > /JSC/Source/WTF/wtf/text/AtomStringImpl.cpp:75
> #18 0x55fdecf2d746 in addToStringTable<WTF::HashTranslatorCharBuffer<unsigned char>, WTF::BufferFromStaticDataTranslator<unsigned char> > /JSC/Source/WTF/wtf/text/AtomStringImpl.cpp:88
> #19 0x55fdecf2ab86 in WTF::AtomStringImpl::addLiteral(std::span<unsigned char const, 18446744073709551615ul>) /JSC/Source/WTF/wtf/text/AtomStringImpl.cpp:316
> #20 0x55fde7e47508 in WTF::AtomStringImpl::add(WTF::ASCIILiteral) /JSC/asan/JSCOnly/Debug/WTF/Headers/wtf/text/AtomStringImpl.h:111
> #21 0x55fde7e7ba43 in JSC::Identifier::add(JSC::VM&, WTF::ASCIILiteral) /JSC/Source/JavaScriptCore/runtime/Identifier.h:222
> #22 0x55fde7e7b4f1 in JSC::Identifier::Identifier(JSC::VM&, WTF::ASCIILiteral) /JSC/Source/JavaScriptCore/runtime/Identifier.h:162
> #23 0x55fde7e90ae6 in JSC::Identifier::fromString(JSC::VM&, WTF::ASCIILiteral) /JSC/Source/JavaScriptCore/runtime/IdentifierInlines.h:85
> #24 0x55fdebd51128 in JSC::StringPrototype::finishCreation(JSC::VM&, JSC::JSGlobalObject*) /JSC/Source/JavaScriptCore/runtime/StringPrototype.cpp:144
> #25 0x55fdebd537d0 in JSC::StringPrototype::create(JSC::VM&, JSC::JSGlobalObject*, JSC::Structure*) /JSC/Source/JavaScriptCore/runtime/StringPrototype.cpp:182
> #26 0x55fdeb7aba40 in JSC::JSGlobalObject::init(JSC::VM&) /JSC/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:1132
> #27 0x55fdeb7c80d7 in JSC::JSGlobalObject::finishCreation(JSC::VM&) /JSC/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:3268
> #28 0x55fde7ea3432 in GlobalObject::finishCreation(JSC::VM&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) /JSC/Source/JavaScriptCore/jsc.cpp:624
> #29 0x55fde7ea171f in GlobalObject::create(JSC::VM&, JSC::Structure*, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) /JSC/Source/JavaScriptCore/jsc.cpp:550
> #30 0x55fde7f264e3 in runJSC<jscmain(int, char**)::<lambda(JSC::VM&, GlobalObject*, bool&)> > /JSC/Source/JavaScriptCore/jsc.cpp:4204
>
> SUMMARY: AddressSanitizer: 771 byte(s) leaked in 31 allocation(s).
This is different from the original issue, and it is a false positive, since it cannot trace PackedPtr correctly.
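Added example, not code from the bug report, from qbtly, or from WebKit: the mechanism behind the false positive the comment above refers to. The quoted trace shows the leaked StringImpl being inserted into a WTF::HashSet<WTF::Packed<WTF::StringImpl*>> (the atom string table), and WTF::Packed<T*> keeps each pointer in 6 bytes with no alignment padding, while LeakSanitizer decides what is still live by scanning roots and reachable heap chunks one pointer-sized word at a time. The stand-alone C++ below uses a hypothetical PackedPtr as a simplified stand-in for WTF::Packed<T*> (assuming a 48-bit, little-endian address space such as x86-64 Linux) and a simulation of that scan; PackedPtr, scanFinds, g_aligned, g_packed, populate and kSlots are all names chosen here, not WebKit's.

```cpp
// Added example (not WebKit code): why LeakSanitizer cannot see pointers
// that are stored only in 6-byte packed form.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for WTF::Packed<T*>: the low 48 bits of the pointer
// in 6 bytes, alignment 1. Assumes a 48-bit little-endian address space.
template <typename T>
struct PackedPtr {
    uint8_t bytes[6];
    void set(T* p) {
        uintptr_t v = reinterpret_cast<uintptr_t>(p);
        std::memcpy(bytes, &v, sizeof bytes);   // keeps the low 6 bytes
    }
    T* get() const {
        uintptr_t v = 0;
        std::memcpy(&v, bytes, sizeof bytes);
        return reinterpret_cast<T*>(v);
    }
};
static_assert(sizeof(PackedPtr<int>) == 6 && alignof(PackedPtr<int>) == 1,
              "packed pointer must be 6 bytes with no alignment padding");

// Simulation of LSan's conservative scan over [begin, begin+len): read a
// pointer-sized word every `step` bytes (8 for the default aligned scan,
// 1 for LSAN_OPTIONS=use_unaligned=1) and report whether any word equals
// `target`. Simplification: real LSan also accepts pointers into the
// interior of a chunk; an exact match is enough for this demonstration.
static bool scanFinds(const void* begin, size_t len, const void* target, size_t step) {
    const uintptr_t t = reinterpret_cast<uintptr_t>(target);
    uintptr_t p = reinterpret_cast<uintptr_t>(begin);
    const uintptr_t end = p + len;
    if (p % step) p += step - p % step;         // LSan rounds begin up to the stride
    for (; p + sizeof(void*) <= end; p += step) {
        uintptr_t word;
        std::memcpy(&word, reinterpret_cast<const void*>(p), sizeof word);
        if (word == t) return true;
    }
    return false;
}

enum { kSlots = 4 };
// Plain C arrays with static storage: LSan treats globals as roots, and
// unlike a std::vector they are not destroyed before the at-exit leak check.
static int*           g_aligned[kSlots];   // full 8-byte pointers, 8-byte stride
static PackedPtr<int> g_packed[kSlots];    // 6-byte stride, most slots misaligned

// How many pointees in each table the simulated scan would fail to find.
// Every miss is one "Direct leak of 4 byte(s)" line in a real LSan report.
size_t missedAligned(size_t step) {
    size_t missed = 0;
    for (int* p : g_aligned)
        if (!scanFinds(g_aligned, sizeof g_aligned, p, step)) ++missed;
    return missed;
}
size_t missedPacked(size_t step) {
    size_t missed = 0;
    for (const PackedPtr<int>& s : g_packed)
        if (!scanFinds(g_packed, sizeof g_packed, s.get(), step)) ++missed;
    return missed;
}

// Allocate kSlots ints into each table; nothing frees them on purpose, so the
// only difference between the two tables is how the pointer is stored.
void populate() {
    for (int i = 0; i < kSlots; ++i) {
        g_aligned[i] = new int(i);
        g_packed[i].set(new int(100 + i));
    }
}

int main() {
    populate();
    std::printf("aligned table: %zu of %d pointees missed by the 8-byte scan\n",
                missedAligned(8), kSlots);
    std::printf("packed table:  %zu of %d missed by the 8-byte scan, %zu by a 1-byte scan\n",
                missedPacked(8), kSlots, missedPacked(1));
    // Build with `clang++ -fsanitize=address -g` on 64-bit Linux: at exit the
    // real LeakSanitizer reports the g_packed allocations as direct leaks and
    // says nothing about the g_aligned ones, although both are still referenced.
    return 0;
}
```

The 1-byte scan does not rescue the packed table either: the 8-byte word read at a packed slot carries the next slot's low two bytes in its top 16 bits, so it never equals the real address unless those bytes happen to be zero. That is the sense in which the report quoted above is a false positive rather than a leak: the StringImpl is still referenced from the atom string table, but through a representation the scanner does not understand, so a LeakSanitizer hit on WTF::Packed-holding containers needs to be checked against the data structure before it is treated as a real leak.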