<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Crash on xLarge memory allocation using bmalloc on 32bit systems"
   href="https://bugs.webkit.org/show_bug.cgi?id=146440">146440</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Crash on xLarge memory allocation using bmalloc on 32bit systems
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>528+ (Nightly build)
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mario&#64;webkit.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>As mentioned in the WebKitGTK+ mailing list[1], I've been seeing the following crash consistently after upgrading to 2.8.3, in a 32bit Linux system:

(gdb) bt
#0  allocateXLarge () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/bmalloc/bmalloc/Heap.cpp:287
#1  0xb4fc94f5 in allocateXLarge () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/bmalloc/bmalloc/Heap.cpp:293
#2  0xb4fc6ac4 in allocateXLarge () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/bmalloc/bmalloc/Allocator.cpp:227
#3  0xb4fc6b2e in allocateSlowCase () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/bmalloc/bmalloc/Allocator.cpp:245
#4  0xb4f95de2 in allocate () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/bmalloc/bmalloc/Allocator.h:86
#5  allocate () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/bmalloc/bmalloc/Cache.h:79
#6  malloc () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/bmalloc/bmalloc/bmalloc.h:43
#7  fastMalloc () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/FastMalloc.cpp:270
#8  0xb5592815 in allocateBuffer () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/Vector.h:269
#9  reserveCapacity () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/Vector.h:1090
#10 expandCapacity () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/Vector.h:951
#11 0xb5f766e1 in expandCapacity () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/Vector.h:958
#12 appendSlowCase&lt;WebCore::FloatRect&amp;&gt; () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/Vector.h:1219
#13 append&lt;WebCore::FloatRect&amp;&gt; () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/Vector.h:1210
#14 createOrDestroyTilesIfNeeded () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp:89
#15 0xb5f77001 in updateContents () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp:148
#16 0xb64aefb3 in updateBackingStoreIfNeeded () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:549
#17 0xb64af095 in updateBackingStoreIncludingSubLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:519
#18 0xb64af0ed in updateBackingStoreIncludingSubLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:526
#19 0xb64af0ed in updateBackingStoreIncludingSubLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:526
#20 0xb64af0ed in updateBackingStoreIncludingSubLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:526
#21 0xb64af0ed in updateBackingStoreIncludingSubLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:526
#22 0xb64af0ed in updateBackingStoreIncludingSubLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:526
#23 0xb64af0ed in updateBackingStoreIncludingSubLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:526
#24 0xb64af0ed in updateBackingStoreIncludingSubLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:526
#25 0xb64af0ed in updateBackingStoreIncludingSubLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:526
#26 0xb57a3c06 in flushPendingLayerChanges () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebKit2/WebProcess/WebPage/gtk/LayerTreeHostGtk.cpp:272
#27 0xb57a43f6 in flushAndRenderLayers () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebKit2/WebProcess/WebPage/gtk/LayerTreeHostGtk.cpp:313
#28 0xb57a4507 in layerFlushTimerFired () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebKit2/WebProcess/WebPage/gtk/LayerTreeHostGtk.cpp:237
#29 0xb57a48d2 in operator()&lt;, void&gt; () at /usr/include/c++/4.9/functional:569
#30 __call&lt;void, 0u&gt; () at /usr/include/c++/4.9/functional:1264
#31 operator()&lt;, void&gt; () at /usr/include/c++/4.9/functional:1323
#32 _M_invoke () at /usr/include/c++/4.9/functional:2039
#33 0xb4f43141 in operator() () at /usr/include/c++/4.9/functional:2439
#34 0xb4fc608d in voidCallback () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/gobject/GMainLoopSource.cpp:365
#35 0xb4fc17fd in voidSourceCallback () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/gobject/GMainLoopSource.cpp:456
#36 0xb3b8a3e0 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#37 0xb3b8dca3 in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
#38 0xb3b8e0b9 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#39 0xb3b8e469 in g_main_loop_run () from /lib/i386-linux-gnu/libglib-2.0.so.0
#40 0xb6aeb8d9 in run () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WTF/wtf/gtk/RunLoopGtk.cpp:63
#41 0xb57a22d8 in ChildProcessMain&lt;WebKit::WebProcess, WebKit::WebProcessMain&gt; () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#42 0xb57a202c in WebProcessMainUnix () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:77
#43 0x080485f2 in main () at /home/mario/webkit2gtk-2.8.3+dfsg1/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44

(Sorry for not having a better backtrace. Being a 32bit build makes it quite complicated to build a debug build with more than -g1)

According to <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - Integer overflow in XLarge allocation (due to unchecked roundUpToMultipleOf)"
   href="show_bug.cgi?id=145385#c6">https://bugs.webkit.org/show_bug.cgi?id=145385#c6</a>, this very same bug has been observed in at least 105 occasions on Fedora too, always in 32bit systems as well: <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1225733">https://bugzilla.redhat.com/show_bug.cgi?id=1225733</a>

Also, I've tried applying the patch for <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - Integer overflow in XLarge allocation (due to unchecked roundUpToMultipleOf)"
   href="show_bug.cgi?id=145385">bug 145385</a> in case it was happening due to an integer overflow, but that did no good either (and did no good for the Fedora package either[2]), so the issue has to be caused by something else...

In the last week I've been debugging this quite thoroughly, comparing how the webkitgtk package was being built in our environment before and after the upgrade to 2.8.3, and found that building with -O0 instead of -O2 seems to make the crash go away, so perhaps this is related to some compiler options? JFTR, we used to build the previous version of webkitgtk+ we use (2.6.2) with gcc 4.8 and are now using 4.9, so perhaps some of the changes in GCC 4.9 could be affecting this, not sure yet though.

[1] <a href="https://lists.webkit.org/pipermail/webkit-gtk/2015-June/002381.html">https://lists.webkit.org/pipermail/webkit-gtk/2015-June/002381.html</a>
[2] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1225733#c4">https://bugzilla.redhat.com/show_bug.cgi?id=1225733#c4</a></pre>
        </div>
      </p>
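<p>The linked bug 145385 is titled "Integer overflow in XLarge allocation (due to unchecked roundUpToMultipleOf)". The following is an added illustration of that bug class on a 32-bit size type, not code from bmalloc or from this report (the reporter notes the 145385 patch did not resolve his crash, so this shows only the general failure mode). The two functions are hypothetical: a power-of-two round-up written as allocators commonly do it, first unchecked and then with the overflow check a defender would expect; uint32_t stands in for size_t on a 32-bit build so the wrap reproduces on a 64-bit host.</p>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical power-of-two round-up on a 32-bit size, written for this
   example; it is not bmalloc's roundUpToMultipleOf. Using uint32_t makes
   the arithmetic behave like size_t on a 32-bit build even when this file
   is compiled on a 64-bit host. */
static uint32_t round_up_u32_unchecked(uint32_t divisor, uint32_t x)
{
    /* divisor is assumed to be a power of two, so the mask trick is valid. */
    uint32_t bumped = (uint32_t)(x + divisor - 1);   /* may wrap past 2^32 */
    return (uint32_t)(bumped & ~(divisor - 1));
}

/* Checked form: returns the rounded size, or -1 when x + divisor - 1 would
   not fit in 32 bits. A caller that treats -1 as an allocation failure
   never hands a wrapped, far-too-small size on to the underlying allocator. */
static int64_t round_up_u32_checked(uint32_t divisor, uint32_t x)
{
    if (x > UINT32_MAX - (divisor - 1))
        return -1;
    return (int64_t)((uint32_t)(x + divisor - 1) & ~(divisor - 1));
}

int main(void)
{
    const uint32_t one_mib = 1u << 20;
    const uint32_t huge = 0xFFFFFFF0u;    /* constructed request just under 4 GiB */

    printf("unchecked: 1 -> %u, 4097 -> %u\n",
           (unsigned)round_up_u32_unchecked(4096u, 1u),
           (unsigned)round_up_u32_unchecked(4096u, 4097u));
    /* The wrapped result is 0: the allocator would reserve nothing for a
       request the caller still believes is almost 4 GiB. */
    printf("unchecked near-4GiB request rounds to %u\n",
           (unsigned)round_up_u32_unchecked(one_mib, huge));
    printf("checked near-4GiB request -> %lld\n",
           (long long)round_up_u32_checked(one_mib, huge));
    return 0;
}
```

<p>The unchecked variant silently turns a near-4 GiB request into a 0-byte one on a 32-bit size type, which is why this class of bug shows up only on 32-bit builds: on 64-bit the same addition has headroom. The checked variant fails the request instead, so the worst outcome is a reported allocation failure rather than a too-small region being handed back.</p>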
    </body>
</html>