Bug 274712 - Segmentation fault in pas_versioned_field_try_write_watched
Status: RESOLVED DUPLICATE of bug 275555
https://bugs.webkit.org/show_bug.cgi?id=274712
Reported by qbtly, 2024-05-25 06:59:44 PDT
###### Webkit
e03a2518eb73ce8bf82bf9870c96fdc1077f9444

###### Build platform
Ubuntu 22.04.3

###### Build steps
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=0524 --cmakeargs="-DENABLE_STATIC_JSC=ON"

###### Test case
```sh
```

###### Execution steps
./jsc poc.js

###### Output
```
Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
0x0000555558d722ca in pas_versioned_field_try_write_watched (expected_value=..., new_value=<optimized out>, field=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_versioned_field.c:74
74	    if (new_value > expected_value.value)
(gdb) bt
#0  0x0000555558d722ca in pas_versioned_field_try_write_watched (expected_value=..., new_value=<optimized out>, field=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_versioned_field.c:74
#1  pas_versioned_field_maximize_watched (field=field@entry=0x7fffeed2d6b0, expected_value=..., new_value=new_value@entry=1) at /JSC/Source/bmalloc/libpas/src/libpas/pas_versioned_field.c:75
#2  0x0000555558cf9cd0 in pas_bitfit_directory_get_first_free_view (directory=0x7fffeed2d6a0, start_index=<optimized out>, size=401408, page_config=page_config@entry=0x555558dc3d18 <bmalloc_heap_config+824>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_bitfit_directory.c:141
#3  0x0000555558cfd699 in pas_bitfit_size_class_get_first_free_view (size_class=0x7fffeed2d580, page_config=0x555558dc3d18 <bmalloc_heap_config+824>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_bitfit_size_class.c:97
#4  0x0000555558ce441f in pas_bitfit_allocator_try_allocate (allocator=0x7fffeb103360, local_allocator=0x7fffeb103328, size=401408, alignment=1, config=..., allocation_mode=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_bitfit_allocator_inlines.h:97
#5  bmalloc_marge_bitfit_page_config_specialized_allocator_try_allocate (allocator=0x7fffeb103360, local_allocator=0x7fffeb103328, size=<optimized out>, alignment=1, allocation_mode=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap_config.c:43
#6  pas_local_allocator_try_allocate_out_of_line_cases (allocator=0x7fffeb103328, size=<optimized out>, alignment=1, allocation_mode=<optimized out>, config=...) at /JSC/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h:1672
#7  pas_local_allocator_try_allocate_slow_impl (config=..., allocator=<optimized out>, size=<optimized out>, alignment=<optimized out>, allocation_mode=<optimized out>, counts=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h:1703
#8  pas_local_allocator_try_allocate_slow (config=..., allocator=<optimized out>, size=<optimized out>, alignment=<optimized out>, allocation_mode=<optimized out>, counts=<optimized out>, result_filter=<optimized out>) at /JSC/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h:1750
#9  bmalloc_heap_config_specialized_local_allocator_try_allocate_slow (allocator=0x7fffeb103328, size=<optimized out>, alignment=1, allocation_mode=<optimized out>, counts=<optimized out>, result_filter=0x555558bfd900 <pas_allocation_result_identity(pas_allocation_result)>) at /JSC/Source/bmalloc/libpas/src/libpas/bmalloc_heap_config.c:43
#10 0x0000555558bfddde in pas_local_allocator_try_allocate (allocator=0x7fffeb103328, size=400000, alignment=1, allocation_mode=pas_compact_allocation_mode, config=..., counts=<optimized out>, result_filter=<optimized out>) at /JSC/0524/JSCOnly/Debug/bmalloc/Headers/bmalloc/pas_local_allocator_inlines.h:1856
#11 pas_try_allocate_common_impl_fast (config=..., allocator=0x7fffeb103328, size=400000, alignment=1, allocation_mode=pas_compact_allocation_mode, allocator_counts=<optimized out>, result_filter=<optimized out>) at /JSC/0524/JSCOnly/Debug/bmalloc/Headers/bmalloc/pas_try_allocate_common.h:89
#12 pas_try_allocate_common_impl (heap_ref=0x555558dcb380 <bmalloc::api::gigacageHeaps>, size=400000, alignment=1, allocation_mode=pas_compact_allocation_mode, config=..., allocator_counts=<optimized out>, result_filter=<optimized out>, slow=<optimized out>, allocator_result=...) at /JSC/0524/JSCOnly/Debug/bmalloc/Headers/bmalloc/pas_try_allocate_common.h:232
#13 bmalloc_try_allocate_auxiliary_impl_impl (heap_ref=0x555558dcb380 <bmalloc::api::gigacageHeaps>, size=400000, alignment=1, allocation_mode=pas_compact_allocation_mode, allocator_result=...) at /JSC/0524/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:467
#14 pas_try_allocate_primitive_impl_casual_case (heap_ref=0x555558dcb380 <bmalloc::api::gigacageHeaps>, size=400000, alignment=1, config=..., allocation_mode=<optimized out>, runtime_config=<optimized out>, try_allocate_common=<optimized out>) at /JSC/0524/JSCOnly/Debug/bmalloc/Headers/bmalloc/pas_try_allocate_primitive.h:128
#15 bmalloc_try_allocate_auxiliary_impl_casual_case (heap_ref=0x555558dcb380 <bmalloc::api::gigacageHeaps>, size=size@entry=400000, alignment=1, allocation_mode=allocation_mode@entry=pas_compact_allocation_mode) at /JSC/0524/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:467
#16 0x0000555558bfbc11 in bmalloc_try_allocate_auxiliary_impl (heap_ref=<optimized out>, size=400000, alignment=1, allocation_mode=pas_compact_allocation_mode) at /JSC/0524/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:467
#17 bmalloc_try_allocate_auxiliary_zeroed_inline (heap_ref=<optimized out>, size=400000, allocation_mode=pas_compact_allocation_mode) at /JSC/0524/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:514
#18 bmalloc::api::tryZeroedMalloc (size=400000, mode=bmalloc::CompactAllocationMode::Compact, kind=bmalloc::HeapKind::PrimitiveGigacage) at /JSC/0524/JSCOnly/Debug/bmalloc/Headers/bmalloc/bmalloc.h:88
#19 Gigacage::tryZeroedMalloc (kind=kind@entry=Gigacage::Primitive, size=size@entry=400000) at /JSC/Source/WTF/wtf/Gigacage.cpp:108
#20 0x0000555557e9c233 in JSC::JSArrayBufferView::ConstructionContext::ConstructionContext (this=0x7fffffffd8e0, vm=..., structure=0x7ffe00009f30, length=<optimized out>, elementSize=4006794928, mode=(unknown: 0x590feea8)) at /JSC/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp:94
#21 0x0000555556bb51e2 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::create (globalObject=globalObject@entry=0x7fffaa41a088, structure=structure@entry=0x7ffe00009f30, length=length@entry=100000) at /JSC/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:55
#22 0x0000555556a51829 in JSC::constructGenericTypedArrayViewWithArguments<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> > (globalObject=0x7fffaa41a088, structure=0x7ffe00009f30, firstValue=..., offset=0, lengthOpt=std::optional<unsigned long> [no contained value]) at /JSC/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:235
#23 0x00005555580b26c3 in JSC::constructGenericTypedArrayViewImpl<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> > (globalObject=0x3870760, callFrame=0x7fffffffdc10) at /JSC/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:297
#24 0x00005555580b1cd1 in JSC::constructInt32Array (globalObject=0x3870760, callFrame=0x0) at /JSC/Source/JavaScriptCore/runtime/JSTypedArrays.cpp:60
#25 0x00007fffab1043e7 in ?? ()
#26 0x00007fffffffdcc0 in ?? ()
#27 0x0000555558b7fc58 in llint_op_construct ()
#28 0x0000000000000000 in ?? ()
```
Attachments
poc (168 bytes, text/javascript)
2024-05-25 07:02 PDT, qbtly
no flags
qbtly
Comment 1 2024-05-25 07:02:48 PDT
Radar WebKit Bug Importer
Comment 2 2024-05-27 10:14:57 PDT
Yusuke Suzuki
Comment 3 2024-06-24 20:34:48 PDT
*** This bug has been marked as a duplicate of bug 275555 ***