RESOLVED WORKSFORME 117139
OOM crash in WTF::OSAllocator::reserveUncommitted.
https://bugs.webkit.org/show_bug.cgi?id=117139
Renata Hodovan
Reported 2013-06-03 04:20:58 PDT
The for loop in the following test is unlimited and runs until it crashes on the following check in Source/WTF/wtf/OSAllocatorPosix.cpp:

    151     if (mprotect(address, bytes, protection))
    152         CRASH();

Maybe we should add a "loopCounter mechanism" to the code?
==========================================================
The test:

function test() {
    for (var byteRate = "b"; byteRate.renderedBuffer != byteRate; byteRate += 2e3) {
    }
}
test();
==========================================================
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1  0x000000000083d4c4 in WTF::OSAllocator::reserveUncommitted (bytes=126976, usage=WTF::OSAllocator::UnknownUsage, writable=true, executable=false, includesGuardPages=false) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/OSAllocatorPosix.cpp:58
#2  0x000000000081ece7 in WTF::PageAllocationAligned::allocate (size=65536, alignment=65536, usage=WTF::OSAllocator::UnknownUsage, writable=true) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/PageAllocationAligned.cpp:55
#3  0x000000000050ecbe in JSC::ExcessRegion::create (blockSize=65536) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/Region.h:179
#4  0x000000000050efe4 in JSC::Region::create (superRegion=0xf31838, blockSize=65536) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/Region.h:232
#5  0x000000000052e1a9 in JSC::BlockAllocator::allocate<JSC::MarkedBlock> (this=0xf31838) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/BlockAll0, bytes=48) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/MarkedAllocator.cpp:115
#7  0x000000000052da0d in JSC::MarkedAllocator::allocateSlowCase (this=0xf34960, bytes=48) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/MarkedAllocator.cpp:97
#8  0x0000000000411fc4 in JSC::MarkedAllocator::allocate (this=0xf34960, bytes=48) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/MarkedAllocator.h:82
#9  0x0000000000412264 in JSC::MarkedSpace::allocateWithImmortalStructureDestructor (this=0xf31a80, bytes=48) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/MarkedSpace.h:210
#10 0x0000000000412470 in JSC::Heap::allocateWithImmortalStructureDestructor (this=0xf317f8, bytes=48) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/heap/Heap.h:380
#11 0x00000000005c07c3 in JSC::allocateCell<JSC::JSRopeString> (heap=..., size=48) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCellInlines.h:92
#12 0x00000000005bfa2d in JSC::allocateCell<JSC::JSRopeString> (heap=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCellInlines.h:104
#13 0x00000000005bbd9e in JSC::JSRopeString::create (vm=..., s1=0x7ffe9a0a0470, s2=0x7ffe9a0b4e20) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSString.h:300
#14 0x00000000005ba170 in JSC::DFG::operationMakeRope2 (exec=0x7fffb21c20a0, left=0x7ffe9a0a0470, right=0x7ffe9a0b4e20) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGOperations.cpp:1592
#15 0x00007fffb45c7b91 in ?? ()
#16 0x00007fffb21c2058 in ?? ()
#17 0x0000000000000014 in ?? ()
#18 0x00007fffb21132f0 in ?? ()
#19 0x00000000006483c7 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#20 0x0000000000647226 in JSC::JITCode::execute (this=0x7fffb217fe90, stack=0xf40950, callFrame=0x7fffb21c2058, vm=0xf317e0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.h:135
#21 0x0000000000644747 in JSC::Interpreter::execute (this=0xf40940, program=0x7fffb217fe70, callFrame=0x7ffff7f5fb78, thisObj=0x7ffff7e6feb0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:976
#22 0x00000000007292c0 in JSC::evaluate (exec=0x7ffff7f5fb78, source=..., thisValue=..., returnedException=0x7fffffffda10) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#23 0x000000000040fdcd in runWithScripts (globalObject=0x7ffff7f5f970, scripts=..., dump=false) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:587
#24 0x0000000000410b3d in jscmain (argc=2, argv=0x7fffffffdc98) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:803
#25 0x000000000040fbcd in main (argc=2, argv=0x7fffffffdc98) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:550
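The crash site in the report is the CRASH() that WTF's POSIX allocator hits when mprotect() fails while the test keeps growing a rope string until the system runs out of memory. The following is an added example and not WebKit code: a minimal reserve/commit allocator in the same mmap/mprotect style as OSAllocatorPosix.cpp, whose reserve and commit paths report failure to the caller instead of aborting the process, plus two checks that an oversized reservation and a commit on an unmapped range both fail cleanly. The function names (reserveUncommitted, commit, decommit, releaseDecommitted) mirror the OSAllocator vocabulary but the code, the helpers roundTrip, commitOfUnmappedRangeFails and reserveFailsGracefully, and the Linux errno expectations are the example's own assumptions.

```cpp
// Added example (not WebKit's OSAllocator): reserve/commit in the mmap/mprotect
// style of OSAllocatorPosix.cpp, but every failure is returned to the caller.
#include <sys/mman.h>
#include <unistd.h>
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Page size of the running system; all regions below are whole pages.
size_t pageSize()
{
    return static_cast<size_t>(sysconf(_SC_PAGESIZE));
}

// Reserve address space with no access rights and no commit charge.
// Returns nullptr (errno left as mmap set it) when the kernel refuses.
void* reserveUncommitted(size_t bytes)
{
    void* address = mmap(nullptr, bytes, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
    return address == MAP_FAILED ? nullptr : address;
}

// Commit a reserved range by granting access. This is the step where the
// reported OSAllocatorPosix.cpp does `if (mprotect(...)) CRASH();`. Here a
// failed mprotect (ENOMEM under strict overcommit accounting, or an unmapped
// range) becomes `false`, so the caller can fail the allocation gracefully.
bool commit(void* address, size_t bytes, bool writable, bool executable)
{
    int protection = PROT_READ;
    if (writable)
        protection |= PROT_WRITE;
    if (executable)
        protection |= PROT_EXEC;
    return mprotect(address, bytes, protection) == 0;
}

// Give the pages back to the kernel but keep the address range reserved.
bool decommit(void* address, size_t bytes)
{
    if (mprotect(address, bytes, PROT_NONE) != 0)
        return false;
    return madvise(address, bytes, MADV_DONTNEED) == 0;
}

// Release the reservation entirely.
bool releaseDecommitted(void* address, size_t bytes)
{
    return munmap(address, bytes) == 0;
}

// Happy path: reserve, commit, touch both ends, decommit, release.
bool roundTrip(size_t bytes)
{
    void* region = reserveUncommitted(bytes);
    if (!region)
        return false;
    if (!commit(region, bytes, /*writable=*/true, /*executable=*/false)) {
        releaseDecommitted(region, bytes);
        return false;
    }
    unsigned char* p = static_cast<unsigned char*>(region);
    p[0] = 0x42;
    p[bytes - 1] = 0x24;
    bool ok = (p[0] == 0x42 && p[bytes - 1] == 0x24);
    ok = decommit(region, bytes) && ok;
    ok = releaseDecommitted(region, bytes) && ok;
    return ok;
}

// Failure path 1: committing a range that is no longer mapped. mprotect()
// reports ENOMEM on Linux; commit() must turn that into `false`, not a crash.
bool commitOfUnmappedRangeFails()
{
    size_t bytes = pageSize();
    void* region = reserveUncommitted(bytes);
    if (!region || !releaseDecommitted(region, bytes))
        return false;
    // Nothing maps in between, so [region, region + bytes) is unmapped here.
    bool committed = commit(region, bytes, true, false);
    return !committed && errno == ENOMEM;
}

// Failure path 2: a reservation larger than the whole address space. The
// kernel refuses it (ENOMEM on Linux) and reserveUncommitted() returns nullptr.
bool reserveFailsGracefully()
{
    size_t impossible = SIZE_MAX / 2 + 1; // 2^63 on 64-bit: page-aligned, unmappable
    void* region = reserveUncommitted(impossible);
    if (region) { // should never happen; clean up rather than leak
        releaseDecommitted(region, impossible);
        return false;
    }
    return errno == ENOMEM;
}

int main()
{
    std::printf("roundTrip(64 KiB): %s\n", roundTrip(65536) ? "ok" : "FAILED");
    std::printf("commit on unmapped range fails cleanly: %s\n",
                commitOfUnmappedRangeFails() ? "ok" : "FAILED");
    std::printf("oversized reservation fails cleanly: %s\n",
                reserveFailsGracefully() ? "ok" : "FAILED");
    return 0;
}
```

The design point is that the crash in the report is a policy choice, not an inevitability: once commit() can return false, the heap code above it (the MarkedAllocator and JSRopeString::create frames in the backtrace) has the option of throwing an out-of-memory error to the script or aborting with a clear message, rather than writing to 0xbbadbeef.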
Renata Hodovan
Comment 1 2014-09-08 04:25:56 PDT
The issue isn't reproducible anymore.