RESOLVED FIXED199524
Flaky API Test TestWTF.bmalloc.ScavengedMemoryShouldBeReused 
https://bugs.webkit.org/show_bug.cgi?id=199524
Summary Flaky API Test TestWTF.bmalloc.ScavengedMemoryShouldBeReused
Aakash Jain
Reported 2019-07-05 12:06:52 PDT
Created attachment 373521 [details] TestWTF_2019-07-05-094659_ews150.crash TestWTF.bmalloc.ScavengedMemoryShouldBeReused seems flaky. In https://ews-build.webkit.org/#/builders/3/builds/4182, the test passed in run-api-tests step. However, in the immediately next retry step (re-run-api-tests), it Crashed. Crash log attached.
Attachments
TestWTF_2019-07-05-094659_ews150.crash (47.78 KB, text/plain)
2019-07-05 12:06 PDT, Aakash Jain 		no flags
Details
Patch (4.94 KB, patch)
2019-07-11 14:38 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (4.59 KB, patch)
2019-07-11 14:39 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (4.63 KB, patch)
2019-07-11 14:41 PDT, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Aakash Jain
Comment 1 2019-07-05 12:06:56 PDT
This test seems to be added in http://trac.webkit.org/changeset/245908/webkit
Aakash Jain
Comment 2 2019-07-06 16:33:03 PDT
More instances of flakiness of this test: https://ews-build.webkit.org/#/builders/3/builds/4250 https://ews-build.webkit.org/#/builders/3/builds/4266
Ryan Haddad
Comment 3 2019-07-08 10:11:17 PDT
<rdar://problem/52783816>
Yusuke Suzuki
Comment 4 2019-07-11 02:48:01 PDT
This test has strong assumption on how we allocate pages in IsoHeap. But this assumption is broken because we have IsoHeap sharing tier. I think this crash is due to passing a garbage pointer to IsoHeap deallocator. I'll fix the test to make it work.
Yusuke Suzuki
Comment 5 2019-07-11 13:56:24 PDT
(In reply to Yusuke Suzuki from comment #4) > This test has strong assumption on how we allocate pages in IsoHeap. But > this assumption is broken because we have IsoHeap sharing tier. > I think this crash is due to passing a garbage pointer to IsoHeap > deallocator. > I'll fix the test to make it work. Yeah, my guess was correct. ptrs.size() is 2021. And IsoPage<decltype(heap)::Config>::numObjects - 1 is 2047. So we are accessing OoB of std::vector, getting a garbage, and passing it to IsoHeap::deallocate, and crashing. I'll fix the test.
Yusuke Suzuki
Comment 6 2019-07-11 14:38:43 PDT
Created attachment 373955 [details] Patch
Yusuke Suzuki
Comment 7 2019-07-11 14:39:27 PDT
Created attachment 373957 [details] Patch
Yusuke Suzuki
Comment 8 2019-07-11 14:41:21 PDT
Created attachment 373958 [details] Patch
Yusuke Suzuki
Comment 9 2019-07-11 14:56:37 PDT
Committed r247368: <https://trac.webkit.org/changeset/247368>
Note You need to log in before you can comment on or make changes to this bug.