235347 – [libpas] it should be possible to decommit unused parts of a thread_local_cache (update to 78508e79fa2797680344d43b94841ae2e903b15b)

Bug 235347 - [libpas] it should be possible to decommit unused parts of a thread_local_cache (update to 78508e79fa2797680344d43b94841ae2e903b15b)

Summary: [libpas] it should be possible to decommit unused parts of a thread_local_cac...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	bmalloc (show other bugs)
Version:	WebKit Nightly Build
Hardware:	All All

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:	InRadar

Depends on:
Blocks:	231938
	Show dependency tree / graph

Reported:	2022-01-18 20:06 PST by Filip Pizlo
Modified:	2022-02-23 11:35 PST (History)
CC List:	9 users (show)

See Also:

Attachments
maybe the patch (320.59 KB, patch) 2022-01-18 20:25 PST, Filip Pizlo	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
updated patch (282.49 KB, patch) 2022-01-20 20:19 PST, Filip Pizlo	ysuzuki: review+ ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
patch for landing (284.26 KB, patch) 2022-02-10 09:49 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
better patch for landing (287.33 KB, patch) 2022-02-10 12:04 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2022-01-18 20:06:09 PST

...

Comment 1 Filip Pizlo 2022-01-18 20:25:38 PST

Created attachment 449459 [details]
maybe the patch

Still testing this...

Comment 2 Filip Pizlo 2022-01-20 20:19:24 PST

Created attachment 449637 [details]
updated patch

Comment 3 Filip Pizlo 2022-01-22 13:02:46 PST

Comment on attachment 449637 [details]
updated patch

I think that the debug layout test failures are preexisting.

Comment 4 Yusuke Suzuki 2022-01-24 16:33:48 PST

Comment on attachment 449637 [details]
updated patch

View in context: https://bugs.webkit.org/attachment.cgi?id=449637&action=review

r=me

> Source/bmalloc/libpas/src/libpas/pas_committed_pages_vector.c:1
> +/*

Can you add it to CMakeLists.txt too?

> Source/bmalloc/libpas/src/libpas/pas_committed_pages_vector.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_compact_thread_local_cache_layout_node.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_decommit_exclusion_range.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_large_virtual_range.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_large_virtual_range_min_heap.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_mmap_capability.h:1
> +/*

Ditto.

> Source/bmalloc/libpas/src/libpas/pas_thread_local_cache.c:981
> +    if ( verbose)

Remove this space.

> Source/bmalloc/libpas/src/libpas/pas_thread_local_cache_layout_entry.h:1
> +/*

Ditto.

Comment 5 Radar WebKit Bug Importer 2022-01-25 20:07:18 PST

<rdar://problem/88058546>

Comment 6 Filip Pizlo 2022-02-10 09:49:06 PST

Created attachment 451556 [details]
patch for landing

Comment 7 Filip Pizlo 2022-02-10 12:04:10 PST

Created attachment 451587 [details]
better patch for landing

Addresses Yusuke's feedback.

Comment 8 Filip Pizlo 2022-02-10 14:35:21 PST

Landed in https://trac.webkit.org/changeset/289579/webkit

Comment 9 Yusuke Suzuki 2022-02-13 21:14:48 PST

Committed r289724 (247209@trunk): <https://commits.webkit.org/247209@trunk>

Comment 10 Yusuke Suzuki 2022-02-13 21:23:07 PST

Committed r289725 (247210@trunk): <https://commits.webkit.org/247210@trunk>

Comment 11 Yusuke Suzuki 2022-02-14 14:44:33 PST

It looks like most of LayoutTests start crashing after this patch with ASan.
Reverting it for now.

==80471==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b51746a0 at pc 0x00013e3cf63b bp 0x7ff7b5174660 sp 0x7ff7b5174658
READ of size 8 at 0x7ff7b51746a0 thread T0
==80471==WARNING: invalid path to external symbolizer!
==80471==WARNING: Failed to use and restart external symbolizer!
    #0 0x13e3cf63a in pas_compact_thread_local_cache_layout_node_load_non_null+0x2a (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x31063a)
    #1 0x13e3cec21 in pas_thread_local_cache_layout_entry_get_key+0xc1 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30fc21)
    #2 0x13e3ce5dc in pas_thread_local_cache_layout_hashtable_add_new+0xc (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30f5dc)
    #3 0x13e3ce4d1 in pas_thread_local_cache_layout_add_node+0x171 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30f4d1)
    #4 0x13e3ce680 in pas_thread_local_cache_layout_add+0x10 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30f680)
    #5 0x13e3a8fed in pas_segregated_size_directory_create_tlc_allocator+0x7d (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2e9fed)
    #6 0x13e35415f in set_up_range+0x4cf (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29515f)
    #7 0x13e35381c in pas_designated_intrinsic_heap_initialize+0x49c (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29481c)
    #8 0x13e2f85d6 in bmalloc_heap_config_activate+0x16 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2395d6)
    #9 0x13e36d8f9 in pas_heap_config_activate+0x59 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ae8f9)
    #10 0x13e338bcf in jit_heap_config_activate+0xf (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x279bcf)
    #11 0x13e36d8f9 in pas_heap_config_activate+0x59 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ae8f9)
    #12 0x13e395ba2 in pas_segregated_heap_ensure_size_directory_for_size+0x32 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2d6ba2)
    #13 0x13e36d717 in pas_heap_ensure_size_directory_for_size_slow+0x47 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ae717)
    #14 0x13e33d831 in jit_heap_config_specialized_try_allocate_common_impl_slow+0x191 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x27e831)
    #15 0x13e33893c in jit_try_allocate_common_primitive_impl_impl_slow+0x2c (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x27993c)
    #16 0x13e3387f2 in jit_try_allocate_common_primitive_impl_casual_case+0x232 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2797f2)
    #17 0x13e337ce6 in jit_heap_try_allocate+0xa6 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x278ce6)
    #18 0x140b8bae5 in JSC::ExecutableMemoryHandle::createImpl(unsigned long)+0x15 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2accae5)
    #19 0x140b8b244 in JSC::FixedVMPoolExecutableAllocator::allocate(unsigned long)+0x14 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2acc244)
    #20 0x140b8aba9 in JSC::ExecutableAllocator::allocate(unsigned long, JSC::JITCompilationEffort)+0x1c9 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2acbba9)
    #21 0x13f2c46d6 in JSC::LinkBuffer::allocate(JSC::MacroAssembler&, JSC::JITCompilationEffort)+0x1a6 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12056d6)
    #22 0x13f2c41a5 in JSC::LinkBuffer::linkCode(JSC::MacroAssembler&, JSC::JITCompilationEffort)+0xd5 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12051a5)
    #23 0x13f2e59d9 in JSC::LinkBuffer::LinkBuffer(JSC::MacroAssembler&, void*, JSC::LinkBuffer::Profile, JSC::JITCompilationEffort)+0x79 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12269d9)
    #24 0x13f2e24c8 in JSC::LinkBuffer::LinkBuffer(JSC::MacroAssembler&, void*, JSC::LinkBuffer::Profile, JSC::JITCompilationEffort)+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12234c8)
    #25 0x1410a736a in JSC::nativeForGenerator(JSC::VM&, JSC::ThunkFunctionType, JSC::CodeSpecializationKind, JSC::ThunkEntryType)+0x89a (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fe836a)
    #26 0x1410a7897 in JSC::internalFunctionCallGenerator(JSC::VM&)+0x17 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fe8897)
    #27 0x14107741b in JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))::$_2::operator()() const+0x4b (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fb841b)
    #28 0x141067d3a in JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> JSC::JITThunks::ctiStubImpl<JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))::$_2>(JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&), JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))::$_2)+0x28a (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fa8d3a)
    #29 0x141067413 in JSC::JITThunks::ctiStub(JSC::VM&, JSC::MacroAssemblerCodeRef<(WTF::PtrTag)26129> (*)(JSC::VM&))+0xd3 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fa8413)
    #30 0x1410678f7 in JSC::JITThunks::ctiInternalFunctionCall(JSC::VM&)+0xc7 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fa88f7)
    #31 0x141c0a393 in JSC::VM::getCTIInternalFunctionTrampolineFor(JSC::CodeSpecializationKind)+0x1a3 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b4b393)
    #32 0x141c060fd in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType, WTF::RunLoop*, bool*)+0x201d (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b470fd)
    #33 0x141c0a698 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType, WTF::RunLoop*, bool*)+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b4b698)
    #34 0x141c0bab3 in JSC::VM::create(JSC::HeapType, WTF::RunLoop*)+0x33 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b4cab3)
    #35 0x1520b6549 in WebCore::commonVMSlow()+0xb9 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x3225549)
    #36 0x122f64862 in WebCore::commonVM()+0x32 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x119e862)
    #37 0x1243c7e15 in WebKit::WebProcess::initializeWebProcess(WebKit::WebProcessCreationParameters&&)+0xbc5 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x2601e15)
    #38 0x124fc98df in void IPC::callMemberFunctionImpl<WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&), std::__1::tuple<WebKit::WebProcessCreationParameters>, 0ul>(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&), std::__1::tuple<WebKit::WebProcessCreationParameters>&&, std::__1::integer_sequence<unsigned long, 0ul>)+0x4f (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x32038df)
    #39 0x124fc9268 in void IPC::callMemberFunction<WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&), std::__1::tuple<WebKit::WebProcessCreationParameters>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebKit::WebProcessCreationParameters>&&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&))+0x28 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x3203268)
    #40 0x124fbee90 in void IPC::handleMessage<Messages::WebProcess::InitializeWebProcess, WebKit::WebProcess, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WebKit::WebProcessCreationParameters&&))+0x160 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x31f8e90)
    #41 0x124fbdc6f in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&)+0x3f (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x31f7c6f)
    #42 0x1243cc097 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x47 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x2606097)
    #43 0x1236929ef in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x24f (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18cc9ef)
    #44 0x123693478 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)+0x2e8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18cd478)
    #45 0x123693fc4 in IPC::Connection::dispatchOneIncomingMessage()+0x194 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18cdfc4)
    #46 0x1236b2a25 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_15::operator()()+0x35 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18eca25)
    #47 0x1236b298c in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_15, void>::call()+0xc (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x18ec98c)
    #48 0x13e0fccae in WTF::Function<void ()>::operator()() const+0x3e (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3dcae)
    #49 0x13e1c0737 in WTF::RunLoop::performWork()+0x327 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x101737)
    #50 0x13e1c3d6a in WTF::RunLoop::performWork(void*)+0xba (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x104d6a)
    #51 0x7ff812b67b67 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7fb67)
    #52 0x7ff812b67acf in __CFRunLoopDoSource0+0xb3 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7facf)
    #53 0x7ff812b67842 in __CFRunLoopDoSources0+0xf1 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7f842)
    #54 0x7ff812b6625e in __CFRunLoopRun+0x380 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7e25e)
    #55 0x7ff812b65808 in CFRunLoopRunSpecific+0x236 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x7d808)
    #56 0x7ff8138f475d in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x6075d)
    #57 0x7ff81397f2c2 in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xeb2c2)
    #58 0x7ff8127ec232 in _xpc_objc_main+0x338 (/usr/lib/system/libxpc.dylib:x86_64+0x16232)
    #59 0x7ff8127ebc21 in xpc_main+0x62 (/usr/lib/system/libxpc.dylib:x86_64+0x15c21)
    #60 0x122def7d3 in WebKit::XPCServiceMain(int, char const**)+0x323 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x10297d3)
    #61 0x1250d63f8 in WKXPCServiceMain+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x33103f8)
    #62 0x10ad8ae18 in main+0x8 (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x100003e18)
    #63 0x10f92d4fd  (/usr/lib/dyld:x86_64+0x54fd)

Address 0x7ff7b51746a0 is located in stack of thread T0 at offset 32 in frame
    #0 0x13e3ceb6f in pas_thread_local_cache_layout_entry_get_key+0xf (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30fb6f)

  This frame has 1 object(s):
    [32, 36) 'entry2' <== Memory access at offset 32 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/Volumes/Data/worker/trunk-monterey-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x31063a) in pas_compact_thread_local_cache_layout_node_load_non_null+0x2a
Shadow bytes around the buggy address:
  0x1ffef6a2e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1ffef6a2e890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1ffef6a2e8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1ffef6a2e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1ffef6a2e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1ffef6a2e8d0: f1 f1 f1 f1[04]f3 f3 f3 00 00 00 00 00 00 00 00
  0x1ffef6a2e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1ffef6a2e8f0: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x1ffef6a2e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1ffef6a2e910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1ffef6a2e920: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==80471==ABORTING
com.apple.WebKit.WebContent.Development terminated (pid 80471) because the process crashed

Comment 12 Frédéric Wang (:fredw) 2022-02-23 05:46:00 PST

(In reply to Yusuke Suzuki from comment #11)
> It looks like most of LayoutTests start crashing after this patch with ASan.
> Reverting it for now.

Did you actually revert it? If so, what's the revision corresponding to the revert?

Comment 13 Yusuke Suzuki 2022-02-23 11:35:06 PST

(In reply to Frédéric Wang (:fredw) from comment #12)
> (In reply to Yusuke Suzuki from comment #11)
> > It looks like most of LayoutTests start crashing after this patch with ASan.
> > Reverting it for now.
> 
> Did you actually revert it? If so, what's the revision corresponding to the
> revert?

No. I landed a fix instead.