Bug 235347

Created attachment 449459 [details] maybe the patch Still testing this...

Created attachment 449637 [details] updated patch

Comment on attachment 449637 [details] updated patch I think that the debug layout test failures are preexisting.

Comment on attachment 449637 [details] updated patch View in context: https://bugs.webkit.org/attachment.cgi?id=449637&action=review r=me > Source/bmalloc/libpas/src/libpas/pas_committed_pages_vector.c:1 > +/* Can you add it to CMakeLists.txt too? > Source/bmalloc/libpas/src/libpas/pas_committed_pages_vector.h:1 > +/* Ditto. > Source/bmalloc/libpas/src/libpas/pas_compact_thread_local_cache_layout_node.h:1 > +/* Ditto. > Source/bmalloc/libpas/src/libpas/pas_decommit_exclusion_range.h:1 > +/* Ditto. > Source/bmalloc/libpas/src/libpas/pas_large_virtual_range.h:1 > +/* Ditto. > Source/bmalloc/libpas/src/libpas/pas_large_virtual_range_min_heap.h:1 > +/* Ditto. > Source/bmalloc/libpas/src/libpas/pas_mmap_capability.h:1 > +/* Ditto. > Source/bmalloc/libpas/src/libpas/pas_thread_local_cache.c:981 > + if ( verbose) Remove this space. > Source/bmalloc/libpas/src/libpas/pas_thread_local_cache_layout_entry.h:1 > +/* Ditto.

<rdar://problem/88058546>

Created attachment 451556 [details] patch for landing

Created attachment 451587 [details] better patch for landing Addresses Yusuke's feedback.

Landed in https://trac.webkit.org/changeset/289579/webkit

Committed r289724 (247209@trunk): <https://commits.webkit.org/247209@trunk>

Committed r289725 (247210@trunk): <https://commits.webkit.org/247210@trunk>

It looks like most of LayoutTests start crashing after this patch with ASan. Reverting it for now. ==80471==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b51746a0 at pc 0x00013e3cf63b bp 0x7ff7b5174660 sp 0x7ff7b5174658 READ of size 8 at 0x7ff7b51746a0 thread T0 ==80471==WARNING: invalid path to external symbolizer! ==80471==WARNING: Failed to use and restart external symbolizer! #0 0x13e3cf63a in pas_compact_thread_local_cache_layout_node_load_non_null+0x2a (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x31063a) #1 0x13e3cec21 in pas_thread_local_cache_layout_entry_get_key+0xc1 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30fc21) #2 0x13e3ce5dc in pas_thread_local_cache_layout_hashtable_add_new+0xc (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30f5dc) #3 0x13e3ce4d1 in pas_thread_local_cache_layout_add_node+0x171 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30f4d1) #4 0x13e3ce680 in pas_thread_local_cache_layout_add+0x10 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30f680) #5 0x13e3a8fed in pas_segregated_size_directory_create_tlc_allocator+0x7d (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2e9fed) #6 0x13e35415f in set_up_range+0x4cf (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29515f) #7 0x13e35381c in pas_designated_intrinsic_heap_initialize+0x49c (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29481c) #8 0x13e2f85d6 in bmalloc_heap_config_activate+0x16 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2395d6) #9 0x13e36d8f9 in pas_heap_config_activate+0x59 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ae8f9) #10 0x13e338bcf in jit_heap_config_activate+0xf (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x279bcf) #11 0x13e36d8f9 in pas_heap_config_activate+0x59 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ae8f9) #12 0x13e395ba2 in pas_segregated_heap_ensure_size_directory_for_size+0x32 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2d6ba2) #13 0x13e36d717 in pas_heap_ensure_size_directory_for_size_slow+0x47 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ae717) #14 0x13e33d831 in jit_heap_config_specialized_try_allocate_common_impl_slow+0x191 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x27e831) #15 0x13e33893c in jit_try_allocate_common_primitive_impl_impl_slow+0x2c (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x27993c) #16 0x13e3387f2 in jit_try_allocate_common_primitive_impl_casual_case+0x232 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2797f2) #17 0x13e337ce6 in jit_heap_try_allocate+0xa6 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x278ce6) #18 0x140b8bae5 in JSC::ExecutableMemoryHandle::createImpl(unsigned long)+0x15 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2accae5) #19 0x140b8b244 in JSC::FixedVMPoolExecutableAllocator::allocate(unsigned long)+0x14 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2acc244) #20 0x140b8aba9 in JSC::ExecutableAllocator::allocate(unsigned long, JSC::JITCompilationEffort)+0x1c9 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2acbba9) #21 0x13f2c46d6 in JSC::LinkBuffer::allocate(JSC::MacroAssembler&, JSC::JITCompilationEffort)+0x1a6 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12056d6) #22 0x13f2c41a5 in JSC::LinkBuffer::linkCode(JSC::MacroAssembler&, JSC::JITCompilationEffort)+0xd5 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12051a5) #23 0x13f2e59d9 in JSC::LinkBuffer::LinkBuffer(JSC::MacroAssembler&, void*, JSC::LinkBuffer::Profile, JSC::JITCompilationEffort)+0x79 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12269d9) #24 0x13f2e24c8 in JSC::LinkBuffer::LinkBuffer(JSC::MacroAssembler&, void*, JSC::LinkBuffer::Profile, JSC::JITCompilationEffort)+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12234c8) #25 0x1410a736a in JSC::nativeForGenerator(JSC::VM&, JSC::ThunkFunctionType, JSC::CodeSpecializationKind, JSC::ThunkEntryType)+0x89a (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fe836a) #26 0x1410a7897 in JSC::internalFunctionCallGenerator(JSC::VM&)+0x17 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fe8897) #27 0x14107741b in JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))::$_2::operator()() const+0x4b (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fb841b) #28 0x141067d3a in JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> JSC::JITThunks::ctiStubImpl<JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))::$_2>(JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&), JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))::$_2)+0x28a (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fa8d3a) #29 0x141067413 in JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))+0xd3 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fa8413) #30 0x1410678f7 in JSC::JITThunks::ctiInternalFunctionCall(JSC::VM&)+0xc7 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fa88f7) #31 0x141c0a393 in JSC::VM::getCTIInternalFunctionTrampolineFor(JSC::CodeSpecializationKind)+0x1a3 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b4b393) #32 0x141c060fd in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType, WTF::RunLoop*, bool*)+0x201d (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b470fd) #33 0x141c0a698 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType, WTF::RunLoop*, bool*)+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b4b698) #34 0x141c0bab3 in JSC::VM::create(JSC::HeapType, WTF::RunLoop*)+0x33 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b4cab3) #35 0x1520b6549 in WebCore::commonVMSlow()+0xb9 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x3225549) #36 0x122f64862 in WebCore::commonVM()+0x32 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x119e862) #37 0x1243c7e15 in WebKit::WebProcess::initializeWebProcess(WebKit::WebProcessCreationParameters&&)+0xbc5 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x2601e15) #38 0x124fc98df in void IPC::callMemberFunctionImpl<WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&), std::__1::tuple<WebKit::WebProcessCreationParameters>, 0ul>(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&), std::__1::tuple<WebKit::WebProcessCreationParameters>&&, std::__1::integer_sequence<unsigned long, 0ul>)+0x4f (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x32038df) #39 0x124fc9268 in void IPC::callMemberFunction<WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&), std::__1::tuple<WebKit::WebProcessCreationParameters>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebKit::WebProcessCreationParameters>&&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&))+0x28 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x3203268) #40 0x124fbee90 in void IPC::handleMessage<Messages::WebProcess::InitializeWebProcess, WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&))+0x160 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x31f8e90) #41 0x124fbdc6f in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&)+0x3f (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x31f7c6f) #42 0x1243cc097 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x47 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x2606097) #43 0x1236929ef in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x24f (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18cc9ef) #44 0x123693478 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)+0x2e8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18cd478) #45 0x123693fc4 in IPC::Connection::dispatchOneIncomingMessage()+0x194 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18cdfc4) #46 0x1236b2a25 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_15::operator()()+0x35 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18eca25) #47 0x1236b298c in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_15, void>::call()+0xc (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18ec98c) #48 0x13e0fccae in WTF::Function<void ()>::operator()() const+0x3e (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3dcae) #49 0x13e1c0737 in WTF::RunLoop::performWork()+0x327 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x101737) #50 0x13e1c3d6a in WTF::RunLoop::performWork(void*)+0xba (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x104d6a) #51 0x7ff812b67b67 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7fb67) #52 0x7ff812b67acf in __CFRunLoopDoSource0+0xb3 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7facf) #53 0x7ff812b67842 in __CFRunLoopDoSources0+0xf1 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7f842) #54 0x7ff812b6625e in __CFRunLoopRun+0x380 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7e25e) #55 0x7ff812b65808 in CFRunLoopRunSpecific+0x236 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7d808) #56 0x7ff8138f475d in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x6075d) #57 0x7ff81397f2c2 in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xeb2c2) #58 0x7ff8127ec232 in _xpc_objc_main+0x338 (/usr/lib/system/libxpc.dylib:x86_64+0x16232) #59 0x7ff8127ebc21 in xpc_main+0x62 (/usr/lib/system/libxpc.dylib:x86_64+0x15c21) #60 0x122def7d3 in WebKit::XPCServiceMain(int, char const**)+0x323 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x10297d3) #61 0x1250d63f8 in WKXPCServiceMain+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x33103f8) #62 0x10ad8ae18 in main+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x100003e18) #63 0x10f92d4fd (/usr/lib/dyld:x86_64+0x54fd) Address 0x7ff7b51746a0 is located in stack of thread T0 at offset 32 in frame #0 0x13e3ceb6f in pas_thread_local_cache_layout_entry_get_key+0xf (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30fb6f) This frame has 1 object(s): [32, 36) 'entry2' <== Memory access at offset 32 partially overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x31063a) in pas_compact_thread_local_cache_layout_node_load_non_null+0x2a Shadow bytes around the buggy address: 0x1ffef6a2e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1ffef6a2e890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1ffef6a2e8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1ffef6a2e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1ffef6a2e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x1ffef6a2e8d0: f1 f1 f1 f1[04]f3 f3 f3 00 00 00 00 00 00 00 00 0x1ffef6a2e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 0x1ffef6a2e8f0: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x1ffef6a2e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1ffef6a2e910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1ffef6a2e920: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==80471==ABORTING com.apple.WebKit.WebContent.Development terminated (pid 80471) because the process crashed

(In reply to Yusuke Suzuki from comment #11) > It looks like most of LayoutTests start crashing after this patch with ASan. > Reverting it for now. Did you actually revert it? If so, what's the revision corresponding to the revert?

(In reply to Frédéric Wang (:fredw) from comment #12) > (In reply to Yusuke Suzuki from comment #11) > > It looks like most of LayoutTests start crashing after this patch with ASan. > > Reverting it for now. > > Did you actually revert it? If so, what's the revision corresponding to the > revert? No. I landed a fix instead.