| Summary: | [GTK] [Stable] WebProcess crashes in www.pressure.co.uk | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Alberto Garcia <berto> |
| Component: | WebKitGTK | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | agomez, cgarcia, tesoro302 |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |

Description
Alberto Garcia
2013-11-24 11:12:59 PST
Taking a look...

(In reply to comment #0)
> WebKitGTK 2.2.2 is crashing while browsing http://www.pressure.co.uk/store/PS82/lee-perry-the-upsetters-roaring-lion/
>
> I can reproduce this in epiphany and it's also reported to crash in Midori.

...

I can reproduce this with ephy from Debian testing and webkitgtk:

```
$ dpkg -l | grep webkit
ii libwebkit2gtk-3.0-25 2.2.1-2 amd64 Web content engine library for GTK+
ii libwebkit2gtk-3.0-25-dbg 2.2.1-2 amd64 Web content engine library for GTK+ - Debugging symbols
ii libwebkitgtk-3.0-0 2.2.1-2 amd64 Web content engine library for GTK+
ii libwebkitgtk-3.0-0-dbg 2.2.1-2 amd64 Web content engine library for GTK+ - Debugging symbols
ii libwebkitgtk-3.0-common 2.2.1-2 all Web content engine library for GTK+ - data files
$ dpkg -l | grep javascriptcore
ii libjavascriptcoregtk-3.0-0 2.2.1-2 amd64 Javascript engine library for GTK+
ii libjavascriptcoregtk-3.0-0-dbg 2.2.1-2 amd64 Javascript engine library for GTK+
```

> I haven't had the time to look into it yet, but it looks related to this:
>
> ** (WebKitWebProcess:29957): WARNING **: uri_tester_compile_regexp: Error while compiling regular expression /cdn-cgi/pe/bag\?r[]=.*cpalead.com at char 34: missing terminating ] for character class
>
> (WebKitWebProcess:29957): GLib-CRITICAL **: g_regex_unref: assertion `regex != NULL' failed

It doesn't look like it. This WARNING and CRITICAL are happening all the time and are coming from the adblock, which downloads the strings from: https://easylist-downloads.adblockplus.org/easylist.txt

You can see that uri there.

Also, uri_tester_compile_regexp is epiphany's API. I will issue a bug there if there is none yet.

(In reply to comment #2)
> Also, uri_tester_compile_regexp is epiphany's API. I will issue a bug there if there is none yet.

Reported at https://bugzilla.gnome.org/show_bug.cgi?id=719399

I'm probably misunderstanding, but http://www.pressure.co.uk/store/PS82/lee-perry-the-upsetters-roaring-lion/ crashes for me with the "Advertisement blocker" extension disabled in midori.

(In reply to comment #4)
> I'm probably misunderstanding, but http://www.pressure.co.uk/store/PS82/lee-perry-the-upsetters-roaring-lion/ crashes for me with the "Advertisement blocker" extension disabled in midori.

As explained in comment #2 and comment #3, the WARNING and CRITICAL have been moved and solved in Epiphany at https://bugzilla.gnome.org/show_bug.cgi?id=719399

The SIGSEGV is coming from WebKitGTK WebProcess, though.

SIGSEGV confirmed in stable branch http://svn.webkit.org/repository/webkit/releases/WebKitGTK/webkit-2.2

Using MiniBrowser and a "release" build. GDB's backtrace is not really informative:

<pre>
$ (gdb) bt
#0 0x00007fdd3a05bf33 in ?? ()
#1 0x00007fdd10495d40 in ?? ()
#2 0x000000000000000a in ?? ()
#3 0x00007fdd101b6920 in ?? ()
#4 0x00007fdd1031a010 in ?? ()
#5 0x00007fdd3a030e48 in ?? ()
#6 0x00007fdd10055090 in ?? ()
#7 0x00007fdd8c11b018 in ?? ()
#8 0x00007fdd8c11b018 in ?? ()
#9 0x00007fdd8c11b018 in ?? ()
#10 0x00007fdd3a00b8e0 in ?? ()
#11 0x00007fdd8c0f5e28 in ?? ()
#12 0x00007fdd297ea368 in ?? ()
#13 0x0000000000000000 in ?? ()
</pre>

Now, with a "debug" build and MiniBrowser, we have a SIGTRAP:

```
Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007f114f94e5fc in ?? ()
(gdb) bt
#0 0x00007f114f94e5fc in ?? ()
#1 0x00007f114c1d0058 in ?? ()
#2 0x000000000000000a in ?? ()
#3 0x00000000020b3680 in ?? ()
#4 0x00007f113410a2b0 in ?? ()
#5 0x00007f118f8feda8 in ?? ()
#6 0x00007f1136e95d40 in ?? ()
#7 0x00007fffcae33f70 in ?? ()
#8 0x00007f11a3bc3f4a in JSC::MacroAssemblerCodeRef::operator! (this=0x7f119ed97f2a <WebCore::JSDOMWindowBase::supportsRichSourceInfo(JSC::JSGlobalObject const*)>) at ../../Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h:409
#9 0x00007f11a3bc38a8 in JSC::JITCode::execute (this=0x2084760, stack=0x1acb2d8, callFrame=0x7f114c1d0058, vm=0x1b21180) at ../../Source/JavaScriptCore/jit/JITCode.cpp:46
#10 0x00007f11a3baec75 in JSC::Interpreter::execute (this=0x1acb2c0, program=0x7f113433bff0, callFrame=0x7f114c06f9e0, thisObj=0x7f11a45bffd8) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:766
#11 0x00007f11a3c93116 in JSC::evaluate (exec=0x7f114c06f9e0, source=..., thisValue=..., returnedException=0x7fffcae34c90) at ../../Source/JavaScriptCore/runtime/Completion.cpp:83
#12 0x00007f119edc3d79 in WebCore::JSMainThreadExecState::evaluate (exec=0x7f114c06f9e0, source=..., thisValue=..., exception=0x7fffcae34c90) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:74
#13 0x00007f119edf1253 in WebCore::ScriptController::evaluateInWorld (this=0x1a02e50, sourceCode=..., world=0x1b1d230) at ../../Source/WebCore/bindings/js/ScriptController.cpp:142
#14 0x00007f119edf135c in WebCore::ScriptController::evaluate (this=0x1a02e50, sourceCode=...) at ../../Source/WebCore/bindings/js/ScriptController.cpp:158
#15 0x00007f119f0d0c4e in WebCore::ScriptElement::executeScript (this=0x20843b8, sourceCode=...) at ../../Source/WebCore/dom/ScriptElement.cpp:317
#16 0x00007f119f0d0444 in WebCore::ScriptElement::prepareScript (this=0x20843b8, scriptStartPosition=..., supportLegacyTypes=WebCore::ScriptElement::DisallowLegacyTypeInTypeAttribute) at ../../Source/WebCore/dom/ScriptElement.cpp:246
#17 0x00007f119f2deee1 in WebCore::HTMLScriptRunner::runScript (this=0x1c3e7e0, script=0x2084350, scriptStartPosition=...) at ../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:312
#18 0x00007f119f2de678 in WebCore::HTMLScriptRunner::execute (this=0x1c3e7e0, scriptElement=..., scriptStartPosition=...) at ../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:181
#19 0x00007f119f2c9a0f in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0x1c3dac0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:271
#20 0x00007f119f2c9afa in WebCore::HTMLDocumentParser::canTakeNextToken (this=0x1c3dac0, mode=WebCore::HTMLDocumentParser::AllowYield, session=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:290
#21 0x00007f119f2ca11c in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x1c3dac0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:535
#22 0x00007f119f2c9906 in WebCore::HTMLDocumentParser::resumeParsingAfterYield (this=0x1c3dac0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:259
#23 0x00007f119f2dae44 in WebCore::HTMLParserScheduler::continueNextChunkTimerFired (this=0x1c3e970, timer=0x1c3e988) at ../../Source/WebCore/html/parser/HTMLParserScheduler.cpp:124
#24 0x00007f119f2db313 in WebCore::Timer<WebCore::HTMLParserScheduler>::fired (this=0x1c3e988) at ../../Source/WebCore/platform/Timer.h:114
#25 0x00007f11a027c7b7 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x1ac5090) at ../../Source/WebCore/platform/ThreadTimers.cpp:129
#26 0x00007f11a027c6a7 in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:105
#27 0x00007f11a0297357 in WebCore::timeout_cb () at ../../Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49
#28 0x00007f119b77b4c3 in g_timeout_dispatch (source=0x1b34e90, source@entry=0xffff000000000002, callback=<optimized out>, user_data=<optimized out>) at gmain.c:4413
#29 0x00007f119b77a966 in g_main_dispatch (context=0x1811660) at gmain.c:3054
#30 g_main_context_dispatch (context=context@entry=0x1811660) at gmain.c:3630
#31 0x00007f119b77acb8 in g_main_context_iterate (context=0x1811660, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3701
#32 0x00007f119b77b0ba in g_main_loop_run (loop=0x182d2b0) at gmain.c:3895
#33 0x00007f11a0295b96 in WebCore::RunLoop::run () at ../../Source/WebCore/platform/gtk/RunLoopGtk.cpp:61
#34 0x00007f119ebe6aff in WebKit::WebProcessMainGtk (argc=2, argv=0x7fffcae35668) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:78
#35 0x000000000040096d in main (argc=2, argv=0x7fffcae35668) at ../../Source/WebKit2/gtk/MainGtk.cpp:31
(gdb)
```

The executed JS crashing code seems to be this one:

```
<script type="text/javascript">
<!--//
function buyItem(element, type, code, formatTitle) {
    $('#order-summary').load( 'http://www.pressure.co.uk/store/add/'+type+'/'+code+'/');
    $('#'+element).addClass('bought');
}
$('a.buy-tip').each(function() {
    $(this).qtip({
        content: $(this).attr('name')+' was added to your order<br /><a href="https://www.pressure.co.uk/store/view-order/">View order</a>',
        position: { at: "bottom center", my: "top center" },
        show: { event: 'click', solo: true, delay: 0 },
        hide: { fixed: true, delay: 1000, effect: true, event: "mouseleave" },
        style: { tip: { corner: "topMiddle", width: 12, height: 6 }, classes: "ui-tooltip-ps" }
    });
});
//-->
</script>
```

(In reply to comment #8)
> The executed JS crashing code seems to be this one: [...]

This is supposed to be working in master, so there should be a commit fixing it. I don't know if it rings a bell, Carlos?

I've bisected the problem and this commit is fixing it: https://trac.webkit.org/changeset/155201

I suppose it is worth integrating it in the webkit branch. Added proposal to: https://trac.webkit.org/wiki/WebKitGTK/2.2.x

Maybe it is worth reassigning to Carlos García Campos.

Merged in the stable branch, thank you guys for reporting and bisecting.

(In reply to comment #10)
> I've bisected the problem and this commit is fixing it:
> https://trac.webkit.org/changeset/155201

Awesome, thanks!

(In reply to comment #11)
> Merged in the stable branch, thank you guys for reporting and bisecting.

Thank you for taking the time integrating!

(In reply to comment #12)
> (In reply to comment #10)
> > I've bisected the problem and this commit is fixing it:
> > https://trac.webkit.org/changeset/155201
>
> Awesome, thanks!

Thanks to you for reporting! :)
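
Added example, not part of this bug report and not Epiphany's or WebKit's code: the regex warning quoted in the first comments comes from a filter string reaching the regex compiler with an unescaped `[`, and the GLib-CRITICAL from releasing a regex that was never created. The sketch below shows both points with POSIX `regcomp` standing in for GLib's GRegex; the function names, the raw filter text and the `example.test` URI are assumptions made for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Translate an Adblock-style filter into a POSIX extended regex:
 * '*' becomes ".*", regex metacharacters are backslash-escaped.
 * Returns 0 on success, -1 if the output buffer is too small. */
static int filter_to_regex(const char *filter, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = filter; *p; p++) {
        if (o + 3 > outlen)              /* up to 2 chars plus the NUL */
            return -1;
        if (*p == '*') { out[o++] = '.'; out[o++] = '*'; continue; }
        if (strchr(".^$+?()[{|\\", *p))  /* ']' and '}' are literal here */
            out[o++] = '\\';
        out[o++] = *p;
    }
    out[o] = '\0';
    return 0;
}

/* Returns 1 on match, 0 on no match, -1 if the pattern does not compile.
 * regfree() is reached only after a successful regcomp(), so a failed
 * compile never passes an invalid regex object to the cleanup call. */
static int uri_matches(const char *pattern, const char *uri)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int hit = (regexec(&re, uri, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

int main(void)
{
    /* Pattern exactly as quoted in the warning in this report. */
    const char *broken = "/cdn-cgi/pe/bag\\?r[]=.*cpalead.com";
    /* Assumed raw filter text; the report only shows the compiled form. */
    const char *filter = "/cdn-cgi/pe/bag?r[]=*cpalead.com";
    /* Constructed sample URI. */
    const char *uri = "http://example.test/cdn-cgi/pe/bag?r[]=http://cpalead.com/x.js";
    char safe[256];

    printf("as quoted: %d\n", uri_matches(broken, uri));
    if (filter_to_regex(filter, safe, sizeof safe) == 0)
        printf("escaped %s: %d\n", safe, uri_matches(safe, uri));
    return 0;
}
```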