Bug 108398

Summary: [Qt] webkit crashes with sigsegv at JSC::CopyWorkList at ARM with qt5-final
Product: WebKit Reporter: Ricardo <rsalveti>
Component: New Bugs    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abecsi, allan.jensen, hausmann, jturcotte, kenneth, loki, ossy, rgabor, zherczeg
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 108645, 79668    

Description Ricardo 2013-01-30 16:09:42 PST
Using Ubuntu 12.10 on a Nexus 7 (or any other ARM device), and the Qt 5 final packages from https://launchpad.net/~canonical-qt5-edgers/+archive/qt5-proper/, I get a segfault when browsing with a sample QML-based browser when navigating to websites such as www.cnn.com.

Steps:
1 - Install the Qt 5 proper PPA on a running Ubuntu 12.10 based ARM device (such as a Nexus 7 or PandaBoard);
2 - Use the following sample QML to open cnn.com by default: http://paste.ubuntu.com/1591367/
3 - Run with 'qmlscene browser.qml' and navigate the website by clicking a few links (it usually happens when loading the second link).
4 - Wait for the crash.

Backtrace (http://paste.ubuntu.com/1586241/):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x46eff460 (LWP 654)]
JSC::CopyWorkList::~CopyWorkList (this=0xfffffffb, __in_chrg=<optimized out>) at heap/CopyWorkList.h:139
139	heap/CopyWorkList.h: No such file or directory.
(gdb) 
(gdb) bt full
#0  JSC::CopyWorkList::~CopyWorkList (this=0xfffffffb, __in_chrg=<optimized out>) at heap/CopyWorkList.h:139
No locals.
#1  0x40eaf550 in deleteOwnedPtr<JSC::CopyWorkList> (ptr=0xfffffffb) at ../WTF/wtf/OwnPtrCommon.h:60
No locals.
#2  clear (this=0x5146400c) at ../WTF/wtf/OwnPtr.h:119
        ptr = 0xfffffffb
#3  pin (this=0x51464000) at heap/CopiedBlock.h:163
No locals.
#4  pin (block=0x51464000, this=<optimized out>) at heap/CopiedSpaceInlines.h:57
No locals.
#5  copyLater (ptr=0x514645b0, this=<optimized out>, owner=<optimized out>, bytes=<optimized out>) at heap/SlotVisitorInlines.h:167
No locals.
#6  copyLater (bytes=4294967272, ptr=0x514645b0, owner=0x501c71b0, this=<optimized out>) at runtime/JSObject.cpp:204
No locals.
#7  visitButterfly (storageSize=<optimized out>, butterfly=0x51464588, visitor=..., this=0x501c71b0) at runtime/JSObject.cpp:187
        preCapacity = <optimized out>
        propertyCapacity = 4294967291
        indexingPayloadSizeInBytes = <optimized out>
        capacityInBytes = 4294967272
#8  JSC::JSObject::visitChildren (cell=0x501c71b0, visitor=...) at runtime/JSObject.cpp:217
        butterfly = 0x51464588
#9  0x40d5b3c0 in visitChildren (cell=<optimized out>, visitor=...) at heap/SlotVisitor.cpp:90
No locals.
#10 JSC::SlotVisitor::drain (this=0x453618f0) at heap/SlotVisitor.cpp:147
No locals.
#11 0x40d52576 in donateAndDrain (this=0x453618f0) at heap/SlotVisitorInlines.h:161
No locals.
Comment 1 Ricardo 2013-01-31 12:12:03 PST
I did test with an older qtwebkit revision, and got a similar issue (before the js heap work):
#0  0x40e7d862 in testAndSet (n=0, this=0x14) at ../WTF/wtf/Bitmap.h:98
        mask = 1
        index = 0
        result = <optimized out>
#1  concurrentTestAndSet (n=0, this=0x14) at ../WTF/wtf/Bitmap.h:117
No locals.
#2  testAndSetMarked (this=0x0, p=0x1) at heap/MarkedBlock.h:371
No locals.
#3  testAndSetMarked (cell=0x1) at heap/Heap.h:324
No locals.
#4  internalAppend (this=<optimized out>, cell=0x1) at runtime/Structure.h:559
No locals.
#5  internalAppend (value=..., this=<optimized out>) at heap/SlotVisitorInlines.h:82
No locals.
#6  append (count=<optimized out>, this=0x48ee08d0, slot=<optimized out>) at heap/SlotVisitorInlines.h:40
        value = @0x55f6b010: {u = {asInt64 = -21474836479, asDouble = -nan(0xffffb00000001), asBits = {payload = 1, tag = -5}}}
        i = <optimized out>
#7  appendValues (count=<optimized out>, barriers=<optimized out>, this=0x48ee08d0) at runtime/WriteBarrier.h:237
No locals.

So for some reason the value is corrupted, as cell is pointing to 0x1, which then causes the segfault.

I guess it'd be ideal to trace and debug when the broken value actually got inserted into the heap, as all the code seems to be doing here is cleaning up the heap.
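As an aid to reading the two backtraces above (added here; this is not code from the bug report or from WebKit), the following decodes the word gdb printed in frame #6 of comment 1, asInt64 = -21474836479, under JavaScriptCore's 32-bit JSValue layout used on ARM: the high 32 bits are a tag and the low 32 bits a payload, with the tag constants taken from JSCJSValue.h of that code base. The plausibility check assumes JSC heap cells are non-null and at least 8-byte aligned; the sample values are constructed from the gdb output on this page.

```c
/* Decoder for JavaScriptCore's 32-bit JSValue encoding (JSVALUE32_64): a JSValue
 * is a 64-bit word whose high word is a tag and whose low word is a payload.
 * Tag constants follow JSCJSValue.h (2013 code base). Added illustration, not
 * WebKit code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JSC_INT32_TAG         0xffffffffu
#define JSC_BOOLEAN_TAG       0xfffffffeu
#define JSC_NULL_TAG          0xfffffffdu
#define JSC_UNDEFINED_TAG     0xfffffffcu
#define JSC_CELL_TAG          0xfffffffbu
#define JSC_EMPTY_VALUE_TAG   0xfffffffau
#define JSC_DELETED_VALUE_TAG 0xfffffff9u

/* Assumption for the plausibility check: MarkedBlock hands out cells in 8-byte
 * atoms, so a genuine JSCell* is non-null and 8-byte aligned. */
#define ASSUMED_CELL_ALIGNMENT 8u

typedef struct {
    uint32_t tag;
    uint32_t payload;
} jsvalue32;

/* Split the word gdb shows as u.asInt64 into tag and payload. On little-endian
 * ARM the payload is the low word and the tag the high word, which is exactly
 * the gdb view "asBits = {payload = 1, tag = -5}". */
jsvalue32 jsvalue_decode(int64_t as_int64)
{
    uint64_t bits = (uint64_t)as_int64;
    jsvalue32 v;
    v.payload = (uint32_t)(bits & 0xffffffffu);
    v.tag = (uint32_t)(bits >> 32);
    return v;
}

/* Any tag below DeletedValueTag means the whole word is an IEEE 754 double. */
const char *jsvalue_tag_name(uint32_t tag)
{
    switch (tag) {
    case JSC_INT32_TAG:         return "Int32Tag";
    case JSC_BOOLEAN_TAG:       return "BooleanTag";
    case JSC_NULL_TAG:          return "NullTag";
    case JSC_UNDEFINED_TAG:     return "UndefinedTag";
    case JSC_CELL_TAG:          return "CellTag";
    case JSC_EMPTY_VALUE_TAG:   return "EmptyValueTag";
    case JSC_DELETED_VALUE_TAG: return "DeletedValueTag";
    default:                    return "double";
    }
}

/* A CellTag value whose payload is not a plausible heap pointer is what the
 * marker trips over: it dereferences the payload as a JSCell*. */
int jsvalue_cell_pointer_is_suspicious(jsvalue32 v)
{
    if (v.tag != JSC_CELL_TAG)
        return 0;                       /* not a cell: nothing gets dereferenced */
    if (v.payload == 0)
        return 1;                       /* null cell pointer */
    return (v.payload % ASSUMED_CELL_ALIGNMENT) != 0;   /* misaligned, e.g. 0x1 */
}

/* Render one value the way you would annotate it in a "bt full" dump. */
void jsvalue_describe(int64_t as_int64, char *out, size_t outlen)
{
    jsvalue32 v = jsvalue_decode(as_int64);
    snprintf(out, outlen, "tag=0x%08x (%d, %s) payload=0x%08x%s",
             v.tag, (int32_t)v.tag, jsvalue_tag_name(v.tag), v.payload,
             jsvalue_cell_pointer_is_suspicious(v) ? " [suspicious cell pointer]" : "");
}

int main(void)
{
    /* Constructed from frame #6 of comment 1: u.asInt64 = -21474836479. */
    const int64_t from_backtrace = -21474836479LL;
    char buf[128];
    jsvalue_describe(from_backtrace, buf, sizeof buf);
    printf("%s\n", buf);

    /* Frame #7 of the first backtrace shows propertyCapacity = 4294967291 and
     * frames #0/#1 show the pointer 0xfffffffb; both are the CellTag bit pattern
     * read as an unsigned word. */
    printf("4294967291 == CellTag: %s\n",
           (uint32_t)4294967291u == JSC_CELL_TAG ? "yes" : "no");
    return 0;
}
```

Run stand-alone it reports the comment 1 value as tag 0xfffffffb (-5, CellTag) with payload 0x00000001, flagged as a suspicious cell pointer, which is the "cell pointing to 0x1" the reporter observed in frames #2 to #4.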
Comment 2 Ricardo 2013-02-25 18:32:19 PST
Just pasting the snippet that was described in the pastebin (since it's now gone):

import QtQuick 2.0
import QtWebKit 3.0
import QtWebKit.experimental 1.0

Item {
    id: webViewItem
    width: 1024; height: 720

    WebView {
        id: webView
        // Mobile Safari user agent so sites serve their mobile layout
        experimental.userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3"
        url: "http://www.cnn.com"
        anchors.fill: parent

        onLoadingChanged: {
            if (webView.url == "about:blank")
                return;

            // Show a simple error page when a load fails
            if (loadRequest.status === WebView.LoadFailedStatus)
                webView.loadHtml("<html><body><h1>=(</h1><h2>Error: 404! File not found.</h2><h1>=~</h1></body></html>")
        }
    }
}

Tested with QtWebkit 5.0.1 + Ubuntu Raring 13.04 and was also able to reproduce the issue.

The crash only goes away when the JIT is disabled, which is the current workaround we have for the Ubuntu Touch Developer Preview based images.
Comment 3 Allan Sandfeld Jensen 2013-03-25 04:34:03 PDT
This may be solved in the upcoming Qt 5.0.2 after merging the fixes from bug #105221 and bug #105339.
Comment 4 Allan Sandfeld Jensen 2013-04-26 06:53:21 PDT
I am going to assume this has been fixed by the patches to ARM in 5.0.2 and 5.1 alpha.

If the crash appears again, feel free to reopen.