Bug 126687

Summary: Crash opening Pocket in gnome-control-center
Product: WebKit Reporter: Bastien Nocera <bugzilla>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: bugs-noreply, cgarcia, zan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
test.c
none
test.c
none
test.c none

Description Bastien Nocera 2014-01-09 02:46:57 PST 
When running "gnome-conbtrol-center online-accounts" with Pocket support under valgrind:

==16384== Invalid write of size 4
==16384==    at 0x7CFF81C: WTFCrash (Assertions.cpp:342)
==16384==    by 0x7AEA2C4: JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (VMStackBounds.h:60)
==16384==    by 0x7C055D7: JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) (Completion.cpp:83)
==16384==    by 0x5B4393D: WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) (JSMainThreadExecState.h:74)
==16384==    by 0x5B43CC2: WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) (ScriptController.cpp:158)
==16384==    by 0x5D3E9D4: WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) (ScriptElement.cpp:317)
==16384==    by 0x5F2E723: WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) (HTMLScriptRunner.cpp:150)
==16384==    by 0x5F2ED8A: WebCore::HTMLScriptRunner::executeParsingBlockingScript() (HTMLScriptRunner.cpp:122)
==16384==    by 0x5F2F0D6: WebCore::HTMLScriptRunner::executeParsingBlockingScripts() (HTMLScriptRunner.cpp:201)
==16384==    by 0x5F1A20E: WebCore::HTMLDocumentParser::executeScriptsWaitingForStylesheets() (HTMLDocumentParser.cpp:960)
==16384==    by 0x5CCE32D: WebCore::Document::didRemoveAllPendingStylesheet() (Document.cpp:2798)
==16384==    by 0x5EBE038: WebCore::HTMLLinkElement::sheetLoaded() (HTMLLinkElement.cpp:357)
==16384==  Address 0xbbadbeef is not stack'd, malloc'd or (recently) free'd
==16384== 
==16384== 
==16384== Process terminating with default action of signal 11 (SIGSEGV)
==16384==  Access not within mapped region at address 0xBBADBEEF
==16384==    at 0x7CFF81C: WTFCrash (Assertions.cpp:342)
==16384==    by 0x7AEA2C4: JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (VMStackBounds.h:60)
==16384==    by 0x7C055D7: JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) (Completion.cpp:83)
==16384==    by 0x5B4393D: WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) (JSMainThreadExecState.h:74)
==16384==    by 0x5B43CC2: WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) (ScriptController.cpp:158)
==16384==    by 0x5D3E9D4: WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) (ScriptElement.cpp:317)
==16384==    by 0x5F2E723: WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) (HTMLScriptRunner.cpp:150)
==16384==    by 0x5F2ED8A: WebCore::HTMLScriptRunner::executeParsingBlockingScript() (HTMLScriptRunner.cpp:122)
==16384==    by 0x5F2F0D6: WebCore::HTMLScriptRunner::executeParsingBlockingScripts() (HTMLScriptRunner.cpp:201)
==16384==    by 0x5F1A20E: WebCore::HTMLDocumentParser::executeScriptsWaitingForStylesheets() (HTMLDocumentParser.cpp:960)
==16384==    by 0x5CCE32D: WebCore::Document::didRemoveAllPendingStylesheet() (Document.cpp:2798)
==16384==    by 0x5EBE038: WebCore::HTMLLinkElement::sheetLoaded() (HTMLLinkElement.cpp:357)
Comment 1 Bastien Nocera 2014-01-09 06:19:30 PST 
Created attachment 220720 [details]
test.c

Test app to generate the URL to reproduce the bug.

The user-agent used is:
Mozilla/5.0 (GNOME; not Android) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile
Comment 2 Bastien Nocera 2014-01-09 06:32:39 PST 
Created attachment 220723 [details]
test.c

Self-contained test case. Simply right click on the "login" button to get the inspector, and boom.
Comment 3 Bastien Nocera 2014-01-09 06:49:46 PST 
Using "JavaScriptCoreUseJIT=0" as an envvar fixes the crash.
Comment 4 Bastien Nocera 2018-03-30 06:49:25 PDT 
Created attachment 336851 [details]
test.c

Updated patch for WebKitGTK+ 2.18
Comment 5 Bastien Nocera 2018-03-30 06:50:09 PDT 
This new test throws warnings because I did the minimum required to test it, but it doesn't crash anymore.