Bug 243978

Summary: REGRESSION(252858@main) WPE TestWebCore API tests is segfaulting at the start w
Product: WebKit Reporter: Lauro Moura <lmoura>
Component: bmallocAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: bugs-noreply, ggaren, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=243868
https://bugs.webkit.org/show_bug.cgi?id=243201

Description Lauro Moura 2022-08-15 23:51:53 PDT 
Steps to reproduce:

* Build release or debug WPE build after 
* Run the tests, e.g, on gdb: gdb --args /app/webkit/Tools/glib/../../WebKitBuild/Debug/bin/TestWebKitAPI/TestWebCore
* Expected: Test runs fine
* Actual: segfault (trace below)

This isn't happening to GTK.

In the breakpoint[1], the kind variable is pas_segregated_page_config_kind_bmalloc_small_segregated and the value returned from pas_segregated_page_config_kind_get_config(kind) is null. Maybe some issue initializing/linking bmalloc/libpas in WPE?

[1] https://github.com/WebKit/WebKit/blob/main/Source/bmalloc/libpas/src/libpas/pas_segregated_size_directory.c#L1055

Trace:

Program received signal SIGSEGV, Segmentation fault.
0x000055555a267723 in pas_segregated_size_directory_num_allocator_indices ()
(gdb) bt
#0  pas_segregated_size_directory_local_allocator_size (directory=0x7fffeaadb000) at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_segregated_size_directory.c:1055
#1  0x0000555563c8acd3 in pas_segregated_size_directory_num_allocator_indices (directory=0x7fffeaadb000) at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_segregated_size_directory.c:1062
#2  0x0000555563c25b69 in set_up_range (data=0x7fffffffadc0, designated_begin=0, designated_end_inclusive=1, size=16) at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_designated_intrinsic_heap.c:100
#3  0x0000555563c2622f in pas_designated_intrinsic_heap_initialize (heap=0x5555641dfb60 <bmalloc_common_primitive_heap>, config_ptr=0x555564159660 <bmalloc_heap_config>) at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_designated_intrinsic_heap.c:179
#4  0x0000555563be91f7 in bmalloc_heap_config_activate() () at /app/webkit/Source/bmalloc/libpas/src/libpas/bmalloc_heap_config.c:54
#5  0x0000555563c3a8fa in pas_heap_config_activate (config=0x555564159660 <bmalloc_heap_config>) at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_heap_config.c:40
#6  0x0000555563c6c0eb in pas_segregated_heap_ensure_size_directory_for_size
    (heap=0x5555641dfb60 <bmalloc_common_primitive_heap>, size=24, alignment=1, size_lookup_mode=pas_force_size_lookup, config=0x555564159660 <bmalloc_heap_config>, cached_index=0x0, creation_mode=pas_segregated_size_directory_full_creation_mode)
    at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_segregated_heap.c:1333
#7  0x0000555563c3a7f5 in pas_heap_ensure_size_directory_for_size_slow (heap=0x5555641dfb60 <bmalloc_common_primitive_heap>, size=24, alignment=1, force_size_lookup=pas_force_size_lookup, config=0x555564159660 <bmalloc_heap_config>, cached_index=0x0)
    at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_heap.c:210
#8  0x0000555563be4470 in pas_heap_ensure_size_directory_for_size(__pas_heap*, size_t, size_t, pas_size_lookup_mode, pas_heap_config, unsigned int*, pas_allocator_counts*)
    (heap=0x5555641dfb60 <bmalloc_common_primitive_heap>, size=24, alignment=1, force_size_lookup=pas_force_size_lookup, config=..., cached_index=0x0, counts=0x555564293890 <bmalloc_allocator_counts>) at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_heap_inlines.h:76
#9  0x0000555563be45ec in pas_try_allocate_common_impl_slow(__pas_heap_ref*, pas_heap_ref_kind, size_t, size_t, pas_heap_config, pas_heap_runtime_config*, pas_allocator_counts*, pas_size_lookup_mode)
    (heap_ref=0x7fffffffca40, heap_ref_kind=pas_fake_heap_ref_kind, size=24, alignment=1, config=..., runtime_config=0x5555641e0140 <bmalloc_intrinsic_runtime_config>, allocator_counts=0x555564293890 <bmalloc_allocator_counts>, size_lookup_mode=pas_force_size_lookup)
    at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_try_allocate_common.h:149
#10 0x0000555563be912d in bmalloc_heap_config_specialized_try_allocate_common_impl_slow(__pas_heap_ref*, pas_heap_ref_kind, size_t, size_t, pas_heap_runtime_config*, pas_allocator_counts*, pas_size_lookup_mode)
    (heap_ref=0x7fffffffca40, heap_ref_kind=pas_fake_heap_ref_kind, size=24, alignment=1, runtime_config=0x5555641e0140 <bmalloc_intrinsic_runtime_config>, allocator_counts=0x555564293890 <bmalloc_allocator_counts>, size_lookup_mode=pas_force_size_lookup)
    at /app/webkit/Source/bmalloc/libpas/src/libpas/bmalloc_heap_config.c:43
#11 0x0000555563bcca4e in bmalloc_allocate_impl_impl_slow(__pas_heap_ref*, size_t, size_t) (heap_ref=0x7fffffffca40, size=24, alignment=1) at /app/webkit/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:70
#12 0x0000555563bca2c9 in pas_try_allocate_intrinsic_impl_casual_case(__pas_heap*, size_t, size_t, pas_intrinsic_heap_support*, pas_heap_config, pas_try_allocate_common_fast, pas_try_allocate_common_slow, pas_intrinsic_heap_designation_mode)
    (heap=0x5555641dfb60 <bmalloc_common_primitive_heap>, size=24, alignment=1, intrinsic_support=0x555564292500 <bmalloc_common_primitive_heap_support>, config=..., try_allocate_common_fast=0x555563bcc937 <bmalloc_allocate_impl_impl_fast(pas_local_allocator*, size_t, size_t)>, try_allocate_common_slow=0x555563bcc9d6 <bmalloc_allocate_impl_impl_slow(__pas_heap_ref*, size_t, size_t)>, designation_mode=pas_intrinsic_heap_is_designated) at /app/webkit/Source/bmalloc/libpas/src/libpas/pas_try_allocate_intrinsic.h:174
#13 0x0000555563bccb00 in bmalloc_allocate_impl_casual_case(size_t, size_t) (size=24, alignment=1) at /app/webkit/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:70
#14 0x0000555563bd1537 in bmalloc_allocate_casual(size_t) (size=24) at /app/webkit/Source/bmalloc/libpas/src/libpas/bmalloc_heap.c:64
#15 0x000055555ee2e3e2 in bmalloc_allocate_inline(size_t) (size=24) at /app/webkit/WebKitBuild/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:121
#16 0x000055555ee308f8 in bmalloc::api::malloc(unsigned long, bmalloc::HeapKind) (kind=bmalloc::HeapKind::Primary, size=24) at /app/webkit/WebKitBuild/Debug/bmalloc/Headers/bmalloc/bmalloc.h:72
#17 WTF::fastMalloc(unsigned long) (size=24) at /app/webkit/Source/WTF/wtf/FastMalloc.cpp:525
#18 0x000055555e6d006a in WTF::StringImpl::operator new(unsigned long) (size=24) at /app/webkit/WebKitBuild/Debug/WTF/Headers/wtf/text/StringImpl.h:177
#19 0x000055555ef19426 in WTF::StringImpl::createWithoutCopyingNonEmpty(unsigned char const*, unsigned int) (characters=0x555555cd49db "This is a test", length=14) at /app/webkit/Source/WTF/wtf/text/StringImpl.cpp:169
#20 0x000055555cd3c7ab in WTF::StringImpl::createWithoutCopying(unsigned char const*, unsigned int) (characters=0x555555cd49db "This is a test", length=14) at /app/webkit/WebKitBuild/Debug/WTF/Headers/wtf/text/StringImpl.h:259
#21 0x000055555cd3c74f in WTF::StringImpl::create(WTF::ASCIILiteral) (literal=...) at /app/webkit/WebKitBuild/Debug/WTF/Headers/wtf/text/StringImpl.h:256
#22 0x000055555cd3c8bc in WTF::String::String(WTF::ASCIILiteral) (this=0x555564264298 <TestWebKitAPI::FileMonitorTestData>, characters=...) at /app/webkit/WebKitBuild/Debug/WTF/Headers/wtf/text/WTFString.h:453
#23 0x000055555cd96fe4 in __static_initialization_and_destruction_0(int, int) (__initialize_p=1, __priority=65535) at /app/webkit/Tools/TestWebKitAPI/Tests/WebCore/FileMonitor.cpp:47
#24 0x000055555cd977ac in _GLOBAL__sub_I__ZN13TestWebKitAPI33FileMonitorTest_DetectChange_Test10test_info_E() () at /app/webkit/Tools/TestWebKitAPI/Tests/WebCore/FileMonitor.cpp:376
#25 0x0000555563ead54d in __libc_csu_init (argc=argc@entry=1, argv=argv@entry=0x7fffffffd768, envp=0x7fffffffd778) at elf-init.c:89
#26 0x00007ffff3d10b42 in __libc_start_main (main=0x55555ce67241 <main(int, char**)>, argc=1, argv=0x7fffffffd768, init=0x555563ead500 <__libc_csu_init>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd758) at ../csu/libc-start.c:279
#27 0x000055555cd1e74e in _start () at ../sysdeps/x86_64/start.S:120
Comment 1 Lauro Moura 2022-08-17 06:39:57 PDT 
More from gdb:

Looks like `pas_segregated_page_config_kind_for_config_table` is filled with null pointers, not just for `pas_segregated_page_config_kind_bmalloc_small_segregated`

```
# null config
(gdb) print pas_segregated_page_config_kind_for_config_table[0]
$15 = (const pas_segregated_page_config *) 0x0
# pas small segregated config
(gdb) print pas_segregated_page_config_kind_for_config_table[1]
$16 = (const pas_segregated_page_config *) 0x0
# bmalloc small segregated config
(gdb) print pas_segregated_page_config_kind_for_config_table[2]
$17 = (const pas_segregated_page_config *) 0x0
(gdb) 
```

But checking the generated preprocessed code (with -save-temps), for the small_segregated_config (index 1), for example, it generates:

const pas_segregated_page_config* pas_segregated_page_config_kind_for_config_table[
...] = {
<config for null>,
(const pas_segregated_page_config*)((... {
    .small_segregated_config = {
        .base {
            .page_config_ptr = &pas_utility_heap_config.small_segregated_config.base,
            ....
        }
        ...
        }
        ...
        }).small_segregated_config).base.page_config_ptr,
...}

And in gdb, it's defined:

(gdb) print &pas_utility_heap_config.small_segregated_config.base
$20 = (pas_page_base_config *) 0x555564159fd8 <pas_utility_heap_config+56>
(gdb) print pas_utility_heap_config.small_segregated_config.base
$22 = {is_enabled = true, heap_config_ptr = 0x555564159fa0 <pas_utility_heap_config>, page_config_ptr = 0x555564159fd8 <pas_utility_heap_config+56>, page_config_kind = pas_page_config_kind_segregated, min_align_shift = 3 '\003', page_size = 16384, granule_size = 16384, 
  max_object_size = 1400, page_header_for_boundary = 0x555563caca45 <pas_utility_heap_page_header_for_boundary(void*)>, boundary_for_page_header = 0x555563caca53 <pas_utility_heap_boundary_for_page_header(pas_page_base*)>, page_header_for_boundary_remote = 0x0, 
  create_page_header = 0x555563caca61 <pas_utility_heap_create_page_header(void*, pas_page_kind, pas_lock_hold_mode)>, destroy_page_header = 0x555563cacab0 <pas_utility_heap_destroy_page_header(pas_page_base*, pas_lock_hold_mode)>}
Comment 2 Lauro Moura 2022-08-17 21:46:56 PDT 

*** This bug has been marked as a duplicate of bug 243984 ***