228129 2021-07-20 15:03:59 -0700 [SOUP] Network process crash in soup_message_headers_set 2021-07-21 05:54:29 -0700 1 1 1 Unclassified WebKit WebKitGTK WebKit Nightly Build PC Linux RESOLVED INVALID P2 Normal --- 1 mcatanzaro webkit-unassigned bugs-noreply cgarcia mcatanzaro oldest_to_newest 1778289 0 mcatanzaro 2021-07-20 15:03:59 -0700 I've seen this crash several times recently, including twice this afternoon. It is a recent regression. This is using today's Ephy Tech Preview, so it's the very latest libsoup git master: (gdb) bt full #0 0x00007faf6190a4bb in raise () at /usr/lib/x86_64-linux-gnu/libc.so.6 #1 0x00007faf618f3867 in abort () at /usr/lib/x86_64-linux-gnu/libc.so.6 #2 0x00007faf61454c7c in g_assertion_message_expr.cold () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #3 0x00007faf614b554f in g_assertion_message_expr () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #4 0x00007faf5e11ef46 in soup_message_headers_set () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0 #5 0x00007faf5e11f11d in soup_message_headers_append_common () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0 #6 0x00007faf5e0fc626 in on_header_callback () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0 #7 0x00007faf5b628aba in session_call_on_header (nv=0x7fff35086b60, frame=0x55d2f29791c0, session=0x55d2f2979020) at ../../lib/nghttp2_session.c:3345 rv = 0 proclen = 20 rv = <optimized out> inflate_flags = 2 nv = {name = 0x7faf5b640ce0 <static_table+3840>, value = 0x55d2f297c6b0, token = 30, flags = 0 '\000'} stream = <optimized out> trailer = 0 subject_stream = 0x55d2f27d7910 hd_proclen = 24 data_readlen = <optimized out> trail_padlen = <optimized out> final = <optimized out> first = 0x7fff35086bc0 "" last = 0x7fff35086c37 "" iframe = 0x55d2f29791c0 readlen = 93 padlen = <optimized out> rv = <optimized out> busy = <optimized out> cont_hd = {length = 140734083140592, stream_id = 434582317, type = 175 '\257', flags = 127 '\177', reserved = 0 '\000'} stream = <optimized out> pri_fieldlen = <optimized out> mem = 0x55d2f29798b0 __PRETTY_FUNCTION__ = "nghttp2_session_mem_recv" #8 inflate_header_block (call_header_cb=1, final=1, inlen=69, in=0x7fff35086be1 "\\\001\060\017\022\226\337i~\224\020\024\313m\n\b\002\n\202\r\306ݸ\027Tţ\177v\222\327\351\063\236\246\031]\325\006cΔ\326\303+\266\273_|\207\n\341Rc\236j\v@\205\035\tY\035Ʉ%\005\035\237", readlen_ptr=<synthetic pointer>, frame=0x55d2f29791c0, session=0x55d2f2979020) at ../../lib/nghttp2_session.c:3698 proclen = 20 rv = <optimized out> inflate_flags = 2 nv = {name = 0x7faf5b640ce0 <static_table+3840>, value = 0x55d2f297c6b0, token = 30, flags = 0 '\000'} stream = <optimized out> trailer = 0 subject_stream = 0x55d2f27d7910 hd_proclen = 24 data_readlen = <optimized out> trail_padlen = <optimized out> final = <optimized out> first = 0x7fff35086bc0 "" last = 0x7fff35086c37 "" iframe = 0x55d2f29791c0 readlen = 93 padlen = <optimized out> rv = <optimized out> --Type <RET> for more, q to quit, c to continue without paging--c busy = <optimized out> cont_hd = {length = 140734083140592, stream_id = 434582317, type = 175 '\257', flags = 127 '\177', reserved = 0 '\000'} stream = <optimized out> pri_fieldlen = <optimized out> mem = 0x55d2f29798b0 __PRETTY_FUNCTION__ = "nghttp2_session_mem_recv" #9 nghttp2_session_mem_recv (session=0x55d2f2979020, in=<optimized out>, inlen=119) at ../../lib/nghttp2_session.c:6201 hd_proclen = 24 data_readlen = <optimized out> trail_padlen = <optimized out> final = <optimized out> first = 0x7fff35086bc0 "" last = 0x7fff35086c37 "" iframe = 0x55d2f29791c0 readlen = 93 padlen = <optimized out> rv = <optimized out> busy = <optimized out> cont_hd = {length = 140734083140592, stream_id = 434582317, type = 175 '\257', flags = 127 '\177', reserved = 0 '\000'} stream = <optimized out> pri_fieldlen = <optimized out> mem = 0x55d2f29798b0 __PRETTY_FUNCTION__ = "nghttp2_session_mem_recv" #10 0x00007faf5e0fd314 in io_read () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0 #11 0x00007faf5e0fd44a in io_read_ready () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0 #12 0x00007faf6148b601 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #13 0x00007faf6148bae8 in g_main_context_iterate.constprop () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #14 0x00007faf6148bdf3 in g_main_loop_run () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #15 0x00007faf6109ed80 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:108 runLoop = @0x7faf5a7f9000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 23}, static is_always_lock_free = true}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7faf614142b8 <vtable for WTF::RunLoop+16>}, m_currentIteration = {m_start = 1, m_end = 1, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x7faf092a6d00, m_capacity = 16, m_size = 0}, <No data fields>}}, m_nextIterationLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = {<std::__atomic_base<unsigned char>> = {static _S_alignment = 1, _M_i = 0 '\000'}, static is_always_lock_free = true}}}, m_nextIteration = {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}}, m_isFunctionDispatchSuspended = false, m_hasSuspendedFunctions = false, static s_runLoopSourceFunctions = {prepare = 0x0, check = 0x0, dispatch = 0x7faf6109ebe0 <_FUN(GSource*, GSourceFunc, gpointer)>, finalize = 0x0, closure_callback = 0x0, closure_marshal = 0x0}, m_mainContext = {m_ptr = 0x55d2f23e68b0}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop>, WTF::FastMalloc>> = {m_buffer = 0x7faf5a7f8000, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x55d2f23e7a80}, m_observers = {m_set = {m_impl = {{m_table = 0x0, m_tableForLLDB = 0x0}}}}} mainContext = 0x55d2f23e68b0 innermostLoop = 0x55d2f23e7a60 nestedMainLoop = <optimized out> #16 0x00007faf623ba4e2 in WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argc=3, argv=0x7fff35088f38, this=0x7fff35088db0) at ../Source/WebKit/Shared/AuxiliaryProcessMain.h:70 auxiliaryMain = {m_storage = {__data = "@\277\ne\257\177", '\000' <repeats 34 times>, "\267\003\000\000\000\000\000\000\001\000\000\000\000\000\000\000\022", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\000P\177Z\257\177\000", __align = {<No data fields>}}} #17 WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argv=0x7fff35088f38, argc=3, this=0x7fff35088db0) at ../Source/WebKit/Shared/AuxiliaryProcessMain.h:57 auxiliaryMain = {m_storage = {__data = "@\277\ne\257\177", '\000' <repeats 34 times>, "\267\003\000\000\000\000\000\000\001\000\000\000\000\000\000\000\022", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\000P\177Z\257\177\000", __align = {<No data fields>}}} #18 WebKit::AuxiliaryProcessMain<WebKit::NetworkProcessMainSoup>(int, char**) (argc=3, argv=0x7fff35088f38) at ../Source/WebKit/Shared/AuxiliaryProcessMain.h:96 auxiliaryMain = {m_storage = {__data = "@\277\ne\257\177", '\000' <repeats 34 times>, "\267\003\000\000\000\000\000\000\001\000\000\000\000\000\000\000\022", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\000P\177Z\257\177\000", __align = {<No data fields>}}} #19 0x00007faf618f4b90 in __libc_start_main () at /usr/lib/x86_64-linux-gnu/libc.so.6 #20 0x000055d2f196e74e in _start () at ../sysdeps/x86_64/start.S:120 Unfortunately, for some reason the debuginfo for libsoup and glib both appear to be corrupted. I don't know why that might be. That's very unfortunate and not helping. 1778387 1 cgarcia 2021-07-21 04:09:08 -0700 This doesn't look like a WebKit bug, but libsoup. I haven't seen this, so I'll need more debug information or a reproducer. From the bt, I think we are hitting the g_assert (content_type != NULL) in soup_message_headers_set() so, for some reason we are failing to parse the given content type. We need the value of the Content-Type header. 1778388 2 cgarcia 2021-07-21 04:12:10 -0700 hmm, I see that parse_content_foo was modified by patrick in https://gitlab.gnome.org/GNOME/libsoup/-/commit/d9f97292b71e7f14f91158750c81f33bb8386973 so that likely introduced the regression. Let's move this to libsoup. 1778400 3 mcatanzaro 2021-07-21 05:54:29 -0700 https://gitlab.gnome.org/GNOME/libsoup/-/issues/232