| Field | Value |
|---|---|
| Summary | [libpas] it should be possible to decommit unused parts of a thread_local_cache (update to 78508e79fa2797680344d43b94841ae2e903b15b) |
| Product | WebKit |
| Component | bmalloc |
| Reporter | Filip Pizlo <fpizlo> |
| Assignee | Filip Pizlo <fpizlo> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | WebKit Nightly Build |
| Hardware | All |
| OS | All |
| Keywords | InRadar |
| CC | annulen, ews-watchlist, fred.wang, ggaren, gyuyoung.kim, ryuan.choi, sergio, webkit-bug-importer, ysuzuki |
| Bug Depends on | |
| Bug Blocks | 231938 |
Description
Filip Pizlo
2022-01-18 20:06:09 PST
Created attachment 449459 [details]
maybe the patch

Still testing this...

Created attachment 449637 [details]
updated patch

Comment on attachment 449637 [details]
updated patch

I think that the debug layout test failures are preexisting.

Comment on attachment 449637 [details]
updated patch

View in context: https://bugs.webkit.org/attachment.cgi?id=449637&action=review

r=me

> Source/bmalloc/libpas/src/libpas/pas_committed_pages_vector.c:1
> +/*

Can you add it to CMakeLists.txt too?

> Source/bmalloc/libpas/src/libpas/pas_committed_pages_vector.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_compact_thread_local_cache_layout_node.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_decommit_exclusion_range.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_large_virtual_range.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_large_virtual_range_min_heap.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_mmap_capability.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_thread_local_cache.c:981
> + if ( verbose)

Remove this space.

> Source/bmalloc/libpas/src/libpas/pas_thread_local_cache_layout_entry.h:1
> +/*

Ditto.

Created attachment 451556 [details]
patch for landing

Created attachment 451587 [details]
better patch for landing

Addresses Yusuke's feedback.

Committed r289724 (247209@trunk): <https://commits.webkit.org/247209@trunk>

Committed r289725 (247210@trunk): <https://commits.webkit.org/247210@trunk>

It looks like most of LayoutTests start crashing after this patch with ASan.
Reverting it for now.

==80471==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b51746a0 at pc 0x00013e3cf63b bp 0x7ff7b5174660 sp 0x7ff7b5174658
READ of size 8 at 0x7ff7b51746a0 thread T0
==80471==WARNING: invalid path to external symbolizer!
==80471==WARNING: Failed to use and restart external symbolizer!
#0 0x13e3cf63a in pas_compact_thread_local_cache_layout_node_load_non_null+0x2a (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x31063a)
#1 0x13e3cec21 in pas_thread_local_cache_layout_entry_get_key+0xc1 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30fc21)
#2 0x13e3ce5dc in pas_thread_local_cache_layout_hashtable_add_new+0xc (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30f5dc)
#3 0x13e3ce4d1 in pas_thread_local_cache_layout_add_node+0x171 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30f4d1)
#4 0x13e3ce680 in pas_thread_local_cache_layout_add+0x10 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30f680)
#5 0x13e3a8fed in pas_segregated_size_directory_create_tlc_allocator+0x7d (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2e9fed)
#6 0x13e35415f in set_up_range+0x4cf (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29515f)
#7 0x13e35381c in pas_designated_intrinsic_heap_initialize+0x49c (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29481c)
#8 0x13e2f85d6 in bmalloc_heap_config_activate+0x16 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2395d6)
#9 0x13e36d8f9 in pas_heap_config_activate+0x59 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ae8f9)
#10 0x13e338bcf in jit_heap_config_activate+0xf (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x279bcf)
#11 0x13e36d8f9 in pas_heap_config_activate+0x59 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ae8f9)
#12 0x13e395ba2 in pas_segregated_heap_ensure_size_directory_for_size+0x32 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2d6ba2)
#13 0x13e36d717 in pas_heap_ensure_size_directory_for_size_slow+0x47 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ae717)
#14 0x13e33d831 in jit_heap_config_specialized_try_allocate_common_impl_slow+0x191 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x27e831)
#15 0x13e33893c in jit_try_allocate_common_primitive_impl_impl_slow+0x2c (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x27993c)
#16 0x13e3387f2 in jit_try_allocate_common_primitive_impl_casual_case+0x232 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2797f2)
#17 0x13e337ce6 in jit_heap_try_allocate+0xa6 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x278ce6)
#18 0x140b8bae5 in JSC::ExecutableMemoryHandle::createImpl(unsigned long)+0x15 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2accae5)
#19 0x140b8b244 in JSC::FixedVMPoolExecutableAllocator::allocate(unsigned long)+0x14 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2acc244)
#20 0x140b8aba9 in JSC::ExecutableAllocator::allocate(unsigned long, JSC::JITCompilationEffort)+0x1c9 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2acbba9)
#21 0x13f2c46d6 in JSC::LinkBuffer::allocate(JSC::MacroAssembler&, JSC::JITCompilationEffort)+0x1a6 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12056d6)
#22 0x13f2c41a5 in JSC::LinkBuffer::linkCode(JSC::MacroAssembler&, JSC::JITCompilationEffort)+0xd5 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12051a5)
#23 0x13f2e59d9 in JSC::LinkBuffer::LinkBuffer(JSC::MacroAssembler&, void*, JSC::LinkBuffer::Profile, JSC::JITCompilationEffort)+0x79 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12269d9)
#24 0x13f2e24c8 in JSC::LinkBuffer::LinkBuffer(JSC::MacroAssembler&, void*, JSC::LinkBuffer::Profile, JSC::JITCompilationEffort)+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12234c8)
#25 0x1410a736a in JSC::nativeForGenerator(JSC::VM&, JSC::ThunkFunctionType, JSC::CodeSpecializationKind, JSC::ThunkEntryType)+0x89a (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fe836a)
#26 0x1410a7897 in JSC::internalFunctionCallGenerator(JSC::VM&)+0x17 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fe8897)
#27 0x14107741b in JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))::$_2::operator()() const+0x4b (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fb841b)
#28 0x141067d3a in JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> JSC::JITThunks::ctiStubImpl<JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))::$_2>(JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&), JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))::$_2)+0x28a (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fa8d3a)
#29 0x141067413 in JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))+0xd3 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fa8413)
#30 0x1410678f7 in JSC::JITThunks::ctiInternalFunctionCall(JSC::VM&)+0xc7 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fa88f7)
#31 0x141c0a393 in JSC::VM::getCTIInternalFunctionTrampolineFor(JSC::CodeSpecializationKind)+0x1a3 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b4b393)
#32 0x141c060fd in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType, WTF::RunLoop*, bool*)+0x201d (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b470fd)
#33 0x141c0a698 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType, WTF::RunLoop*, bool*)+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b4b698)
#34 0x141c0bab3 in JSC::VM::create(JSC::HeapType, WTF::RunLoop*)+0x33 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b4cab3)
#35 0x1520b6549 in WebCore::commonVMSlow()+0xb9 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x3225549)
#36 0x122f64862 in WebCore::commonVM()+0x32 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x119e862)
#37 0x1243c7e15 in WebKit::WebProcess::initializeWebProcess(WebKit::WebProcessCreationParameters&&)+0xbc5 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x2601e15)
#38 0x124fc98df in void IPC::callMemberFunctionImpl<WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&), std::__1::tuple<WebKit::WebProcessCreationParameters>, 0ul>(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&), std::__1::tuple<WebKit::WebProcessCreationParameters>&&, std::__1::integer_sequence<unsigned long, 0ul>)+0x4f (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x32038df)
#39 0x124fc9268 in void IPC::callMemberFunction<WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&), std::__1::tuple<WebKit::WebProcessCreationParameters>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebKit::WebProcessCreationParameters>&&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&))+0x28 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x3203268)
#40 0x124fbee90 in void IPC::handleMessage<Messages::WebProcess::InitializeWebProcess, WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&))+0x160 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x31f8e90)
#41 0x124fbdc6f in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&)+0x3f (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x31f7c6f)
#42 0x1243cc097 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x47 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x2606097)
#43 0x1236929ef in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x24f (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18cc9ef)
#44 0x123693478 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)+0x2e8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18cd478)
#45 0x123693fc4 in IPC::Connection::dispatchOneIncomingMessage()+0x194 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18cdfc4)
#46 0x1236b2a25 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_15::operator()()+0x35 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18eca25)
#47 0x1236b298c in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_15, void>::call()+0xc (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18ec98c)
#48 0x13e0fccae in WTF::Function<void ()>::operator()() const+0x3e (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3dcae)
#49 0x13e1c0737 in WTF::RunLoop::performWork()+0x327 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x101737)
#50 0x13e1c3d6a in WTF::RunLoop::performWork(void*)+0xba (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x104d6a)
#51 0x7ff812b67b67 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7fb67)
#52 0x7ff812b67acf in __CFRunLoopDoSource0+0xb3 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7facf)
#53 0x7ff812b67842 in __CFRunLoopDoSources0+0xf1 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7f842)
#54 0x7ff812b6625e in __CFRunLoopRun+0x380 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7e25e)
#55 0x7ff812b65808 in CFRunLoopRunSpecific+0x236 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7d808)
#56 0x7ff8138f475d in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x6075d)
#57 0x7ff81397f2c2 in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xeb2c2)
#58 0x7ff8127ec232 in _xpc_objc_main+0x338 (/usr/lib/system/libxpc.dylib:x86_64+0x16232)
#59 0x7ff8127ebc21 in xpc_main+0x62 (/usr/lib/system/libxpc.dylib:x86_64+0x15c21)
#60 0x122def7d3 in WebKit::XPCServiceMain(int, char const**)+0x323 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x10297d3)
#61 0x1250d63f8 in WKXPCServiceMain+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x33103f8)
#62 0x10ad8ae18 in main+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x100003e18)
#63 0x10f92d4fd (/usr/lib/dyld:x86_64+0x54fd)
Address 0x7ff7b51746a0 is located in stack of thread T0 at offset 32 in frame
#0 0x13e3ceb6f in pas_thread_local_cache_layout_entry_get_key+0xf (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30fb6f)
This frame has 1 object(s):
[32, 36) 'entry2' <== Memory access at offset 32 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x31063a) in pas_compact_thread_local_cache_layout_node_load_non_null+0x2a
Shadow bytes around the buggy address:
0x1ffef6a2e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1ffef6a2e890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1ffef6a2e8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1ffef6a2e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1ffef6a2e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1ffef6a2e8d0: f1 f1 f1 f1[04]f3 f3 f3 00 00 00 00 00 00 00 00
0x1ffef6a2e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x1ffef6a2e8f0: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x1ffef6a2e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1ffef6a2e910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1ffef6a2e920: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==80471==ABORTING
com.apple.WebKit.WebContent.Development terminated (pid 80471) because the process crashed
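Reading the report above: the faulting frame has exactly one object, `[32, 36) 'entry2'` (4 bytes), and the access is a `READ of size 8` starting at offset 32, so the load performed in `pas_compact_thread_local_cache_layout_node_load_non_null` is wider than the storage `pas_thread_local_cache_layout_entry_get_key` handed it. That is the signature of a 64-bit load applied to a 32-bit compact (offset-encoded) pointer living on the stack. The C program below is an added illustration of that bug class beside the fixed load; it is not libpas code, and `compact_ptr`, `arena` and all function names in it are hypothetical.

```c
/* Added example, not libpas code: a minimal model of a "compact pointer"
 * (a 32-bit byte offset from a process-wide base, so it fits in 4 bytes)
 * and two loaders for it. The buggy loader reads 8 bytes from a 4-byte
 * object, which is the shape of the ASan report above ("READ of size 8"
 * against "[32, 36) 'entry2'"). All names here are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated arena that compact pointers point into. Slot 0 is never
 * handed out, because offset 0 is reserved as the NULL encoding. */
static uint64_t arena[64];

/* A compact pointer: 32-bit byte offset into `arena`; 0 means NULL. */
typedef struct { uint32_t offset; } compact_ptr;

_Static_assert(sizeof(compact_ptr) == 4, "compact pointer must stay 4 bytes");

static compact_ptr compact_ptr_create(const uint64_t *p)
{
    compact_ptr result;
    result.offset = p ? (uint32_t)((const char *)p - (const char *)arena) : 0;
    return result;
}

/* BUGGY: loads an 8-byte word from a 4-byte object. On little-endian the
 * low 4 bytes are the real offset and the high 4 bytes are whatever sits
 * next to `*entry` in memory, so the result is base + garbage<<32 + offset.
 * When `*entry` is a stack local, ASan reports this as stack-buffer-overflow
 * that "partially overflows" the variable. */
static uint64_t *compact_ptr_load_buggy(const compact_ptr *entry)
{
    uint64_t raw;
    memcpy(&raw, entry, sizeof raw);   /* 8-byte read of a 4-byte object */
    if (!raw)
        return NULL;
    return (uint64_t *)((char *)arena + raw);
}

/* FIXED: read exactly the 32-bit field, then widen before adding the base. */
static uint64_t *compact_ptr_load(const compact_ptr *entry)
{
    uint32_t offset = entry->offset;
    if (!offset)
        return NULL;
    return (uint64_t *)((char *)arena + (size_t)offset);
}

/* Store `value` in arena slot `index` (1..63), encode a compact pointer to
 * it on the stack, decode with the fixed loader and return what it reads. */
uint64_t roundtrip_fixed(size_t index, uint64_t value)
{
    arena[index] = value;
    compact_ptr cp = compact_ptr_create(&arena[index]);  /* 4-byte stack local */
    uint64_t *p = compact_ptr_load(&cp);
    return p ? *p : 0;
}

/* The fixed loader must map the NULL encoding back to a NULL pointer. */
int fixed_loader_preserves_null(void)
{
    compact_ptr cp = compact_ptr_create(NULL);
    return compact_ptr_load(&cp) == NULL;
}

int main(void)
{
    printf("fixed loader: %llu\n", (unsigned long long)roundtrip_fixed(3, 0x1234));

    /* Build with -fsanitize=address to get the same kind of report as the
     * bug: an 8-byte READ that partially overflows the 4-byte local `cp`. */
    compact_ptr cp = compact_ptr_create(&arena[3]);
    uint64_t *p = compact_ptr_load_buggy(&cp);
    printf("buggy loader (garbage pointer, do not dereference): %p\n", (void *)p);
    return 0;
}
```

Compile with `cc -g -fsanitize=address example.c` and run it: the buggy path produces a `stack-buffer-overflow` report whose frame lists a single 4-byte object and a `READ of size 8`, matching the shape of the trace above. Without ASan the over-read usually goes unnoticed, which is why a release build without sanitizers can land such a change while the ASan bot immediately crashes on every test.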
(In reply to Yusuke Suzuki from comment #11)
> It looks like most of LayoutTests start crashing after this patch with ASan.
> Reverting it for now.

Did you actually revert it? If so, what's the revision corresponding to the revert?

(In reply to Frédéric Wang (:fredw) from comment #12)
> (In reply to Yusuke Suzuki from comment #11)
> > It looks like most of LayoutTests start crashing after this patch with ASan.
> > Reverting it for now.
>
> Did you actually revert it? If so, what's the revision corresponding to the
> revert?

No. I landed a fix instead.