Bug 165848

Summary:

[GTK] WebProcess from WebKitGtk+ 2.15.2 SIGSEGVs in std::unique_ptr<SoupBuffer, WTF::GPtrDeleter<SoupBuffer> >::get() const () at /usr/include/c++/6/bits/unique_ptr.h:305

Product:

WebKit

Reporter:

Andres Gomez Garcia <agomez>

Component:

WebKitGTK

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bugs-noreply, cgarcia, clopez, mcatanzaro, sabouhallawa, zan

Priority:

Version:

WebKit Nightly Build

Hardware:

OS:

Linux

See Also:

https://bugs.webkit.org/show_bug.cgi?id=166838

Attachments:

Description	Flags
BT from gdb	none
Another similar BT from gdb	none
Yet another similar BT from gdb	none
BT from gdb for the UIProcess	none
And yet another similar BT from gdb	none
Another BT from gdb for the UIProcess	none
BT from gdb, compiled with -g0	none
BT from gdb, compiled with -g	none
BT from gdb for the UIProcess with -g	none
BT from gdb with LockHolder moved	none
Patch	mcatanzaro: review+
BT from gdb for the WebProcess, with the new patch	none
BT from gdb for the UIProcess, with the new patch	none

Andres Gomez Garcia

Reported 2016-12-14 07:48:48 PST

Created attachment 297087 [details] BT from gdb I'm using WebKitGtk+ with my own JHBuild setting: https://github.com/tanty/jhbuild-epiphany/tree/master Epiphany 3.20.3 and WebKit 2.15.2 with the attached patches for bug 164049, bug 165200, bug 165283 and bug 164052, applied. I'm running Epiphany with the dconf key: "process-model" = "shared-secondary-process" And the env variable: "export LIBGL_DRI3_DISABLE=1" The compilation was done with CMake args: '-DUSE_LD_GOLD=OFF -DPORT=GTK -DCMAKE_BUILD_TYPE=Release -DENABLE_MINIBROWSER=ON -DCMAKE_C_FLAGS_RELEASE="-O0 -g1 -DNDEBUG -DG_DEBUG=fatal-criticals -DG_DISABLE_CAST_CHECKS" -DCMAKE_CXX_FLAGS_RELEASE="-O0 -g1 -DNDEBUG -DG_DEBUG=fatal-criticals -DG_DISABLE_CAST_CHECKS"' After visiting several pages, eventually, the WebProcess hits a SIGSEV. This bug is not reproducible in a predictable way.

Attachments
BT from gdb (95.41 KB, text/plain) 2016-12-14 07:48 PST, Andres Gomez Garcia	no flags	Details
Another similar BT from gdb (173.82 KB, text/plain) 2016-12-15 01:23 PST, Andres Gomez Garcia	no flags	Details
Yet another similar BT from gdb (199.86 KB, text/plain) 2016-12-17 05:24 PST, Andres Gomez Garcia	no flags	Details
BT from gdb for the UIProcess (122.46 KB, text/plain) 2016-12-17 05:26 PST, Andres Gomez Garcia	no flags	Details
And yet another similar BT from gdb (223.00 KB, text/plain) 2016-12-17 16:19 PST, Andres Gomez Garcia	no flags	Details
Another BT from gdb for the UIProcess (122.50 KB, text/plain) 2016-12-17 16:20 PST, Andres Gomez Garcia	no flags	Details
BT from gdb, compiled with -g0 (312.52 KB, text/plain) 2016-12-19 05:45 PST, Andres Gomez Garcia	no flags	Details
BT from gdb, compiled with -g (475.74 KB, text/plain) 2016-12-21 04:40 PST, Andres Gomez Garcia	no flags	Details
BT from gdb for the UIProcess with -g (143.27 KB, text/plain) 2016-12-21 04:41 PST, Andres Gomez Garcia	no flags	Details
BT from gdb with LockHolder moved (281.02 KB, text/plain) 2017-01-02 09:17 PST, Andres Gomez Garcia	no flags	Details
Patch (4.67 KB, patch) 2017-01-05 04:13 PST, Carlos Garcia Campos	mcatanzaro: review+	Details Formatted Diff Diff
BT from gdb for the WebProcess, with the new patch (222.59 KB, text/plain) 2017-01-07 14:04 PST, Andres Gomez Garcia	no flags	Details
BT from gdb for the UIProcess, with the new patch (132.54 KB, text/plain) 2017-01-07 14:07 PST, Andres Gomez Garcia	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Andres Gomez Garcia

Comment 1 2016-12-15 01:23:26 PST

Created attachment 297186 [details] Another similar BT from gdb

Andres Gomez Garcia

Comment 2 2016-12-15 01:44:36 PST

This bug is happening very recurrently. FTR, the compilation also has '-DENABLE_THREADED_COMPOSITOR=OFF', I forgot to mention that.

Zan Dobersek

Comment 3 2016-12-16 01:51:57 PST

When you hit this again, in gdb, run these commands: $ info registers $ info proc mappings $ disassemble _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv $ disassemble _ZNK7WebCore12SharedBuffer4dataEv $ disassemble _ZNK14GIFImageReader4dataEm The SharedBuffer object on the GIFImageReader might be null.

Andres Gomez Garcia

Comment 4 2016-12-16 09:32:52 PST

(In reply to comment #3) > When you hit this again, in gdb, run these commands: > > $ info registers This is already included in the attached BTs > $ info proc mappings > $ disassemble _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv > $ disassemble _ZNK7WebCore12SharedBuffer4dataEv > $ disassemble _ZNK14GIFImageReader4dataEm I'll do this.

Andres Gomez Garcia

Comment 5 2016-12-17 05:24:22 PST

Created attachment 297401 [details] Yet another similar BT from gdb This BT additionally includes info for: $ info proc mappings $ disassemble _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv $ disassemble _ZNK7WebCore12SharedBuffer4dataEv $ disassemble _ZNK14GIFImageReader4dataEm

Andres Gomez Garcia

Comment 6 2016-12-17 05:26:49 PST

Created attachment 297402 [details] BT from gdb for the UIProcess After the last SIGSEV, the UIProcess also SIGSEVed. This is its BT. Have into account that the code was modified accordingly to the suggestion at: https://bugs.webkit.org/show_bug.cgi?id=165656#c18

Andres Gomez Garcia

Comment 7 2016-12-17 16:19:10 PST

Created attachment 297416 [details] And yet another similar BT from gdb This BT additionally includes info for: $ info proc mappings $ disassemble _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv $ disassemble _ZNK7WebCore12SharedBuffer4dataEv $ disassemble _ZNK14GIFImageReader4dataEm

Andres Gomez Garcia

Comment 8 2016-12-17 16:20:24 PST

Created attachment 297417 [details] Another BT from gdb for the UIProcess After the last SIGSEV, the UIProcess also SIGSEVed. This is its BT. Have into account that the code was modified accordingly to the suggestion at: https://bugs.webkit.org/show_bug.cgi?id=165656#c18

Zan Dobersek

Comment 9 2016-12-18 11:59:41 PST

The hope was that upon the crash the instruction pointer would stay somewhere in _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv. That doesn't happen, but the backtrace still reports the crash occurring there. Assuming the backtrace is correct, with the rdi register having the 0x20 value, it seems that the std::unique_ptr<> getter is called on a std::unique_ptr<> object that's at address 0x20. That's the same value as the offset at which the std::unique_ptr<SoupBuffer> object is positioned inside the SharedBuffer class. So I think the SharedBuffer object in the GIFImageReader class is null. Also, looking at the memory mappings -- I really want to know what you're loading in the browser, for starters.

Carlos Garcia Campos

Comment 10 2016-12-19 02:31:01 PST

Maybe this is the same I fixed in r208881

Andres Gomez Garcia

Comment 11 2016-12-19 03:18:49 PST

(In reply to comment #10) > Maybe this is the same I fixed in r208881 Sounds like it. I will apply that patch and check ...

Andres Gomez Garcia

Comment 12 2016-12-19 03:21:48 PST

(In reply to comment #11) > (In reply to comment #10) > > Maybe this is the same I fixed in r208881 > > Sounds like it. I will apply that patch and check ... Actually, this is already in 2.15.2

Andres Gomez Garcia

Comment 13 2016-12-19 03:22:20 PST

(In reply to comment #9) > Also, looking at the memory mappings -- I really want to know what you're > loading in the browser, for starters. I'll try to pass you the crashed session next time it happens.

Michael Catanzaro

Comment 14 2016-12-19 04:41:04 PST

(In reply to comment #12) > Actually, this is already in 2.15.2 Yeah, I checked that commit when I saw Zan's comment yesterday. :(

Andres Gomez Garcia

Comment 15 2016-12-19 05:45:38 PST

Created attachment 297457 [details] BT from gdb, compiled with -g0

Andres Gomez Garcia

Comment 16 2016-12-21 04:40:14 PST

Created attachment 297584 [details] BT from gdb, compiled with -g

Andres Gomez Garcia

Comment 17 2016-12-21 04:41:54 PST

Created attachment 297585 [details] BT from gdb for the UIProcess with -g

Carlos Garcia Campos

Comment 18 2016-12-21 05:15:47 PST

(In reply to comment #12) > (In reply to comment #11) > > (In reply to comment #10) > > > Maybe this is the same I fixed in r208881 > > > > Sounds like it. I will apply that patch and check ... > > Actually, this is already in 2.15.2 I didn't take into account that size() calls isSizeAvailable() that is virtual, and in the case of GIF, it's overriden and also calls decode(). I think the solution should be to make decoders thread-safe, but in the meantime, could you try moving the LockHolder locker(m_lock); in ImageDecoder::createFrameImageAtIndex() to the beginning? right before the size() call?

Andres Gomez Garcia

Comment 19 2017-01-02 09:17:24 PST

Created attachment 297900 [details] BT from gdb with LockHolder moved I already applied a patch to move LockHolder locker(m_lock); in ImageDecoder::createFrameImageAtIndex() to the beginning

Andres Gomez Garcia

Comment 20 2017-01-04 02:01:01 PST

Going to this URL and scrolling down reproduces the crash in a 100% http://wiki.inkscape.org/wiki/index.php/Release_notes/0.92#Important_changes

Zan Dobersek

Comment 21 2017-01-04 09:35:06 PST

(In reply to comment #20) > Going to this URL and scrolling down reproduces the crash in a 100% > > http://wiki.inkscape.org/wiki/index.php/Release_notes/0.92#Important_changes Confirmed with r210274.

Zan Dobersek

Comment 22 2017-01-04 09:55:28 PST

(In reply to comment #21) > (In reply to comment #20) > > Going to this URL and scrolling down reproduces the crash in a 100% > > > > http://wiki.inkscape.org/wiki/index.php/Release_notes/0.92#Important_changes > > Confirmed with r210274. That's using MiniBrowser. I get a pretty good crash rate if I remove the ~/.cache/MiniBrowser cache before each run.

Carlos Garcia Campos

Comment 23 2017-01-05 04:13:17 PST

Created attachment 298091 [details] Patch Could you please try this new patch?

Zan Dobersek

Comment 24 2017-01-05 11:40:58 PST

(In reply to comment #23) > Created attachment 298091 [details] > Patch > > Could you please try this new patch? I am not able to reproduce the crash with it, while I can still easily reproduce the crash without the patch applied.

Andres Gomez Garcia

Comment 25 2017-01-07 14:04:20 PST

Created attachment 298283 [details] BT from gdb for the WebProcess, with the new patch

Andres Gomez Garcia

Comment 26 2017-01-07 14:04:44 PST

(In reply to comment #25) > Created attachment 298283 [details] > BT from gdb for the WebProcess, with the new patch Keeps crashing ...

Andres Gomez Garcia

Comment 27 2017-01-07 14:07:33 PST

Created attachment 298284 [details] BT from gdb for the UIProcess, with the new patch Immediately after the SIGSEV in the WebProcess, we have this SIGSEV in the UIProcess. This is the message in the console: -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- The program with pid 29593 received an X Window System error. The error was 'BadDamage (invalid Damage parameter)'. -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< --

Carlos Garcia Campos

Comment 28 2017-01-08 23:50:54 PST

(In reply to comment #25) > Created attachment 298283 [details] > BT from gdb for the WebProcess, with the new patch This bt proves the patch works indeed, main thread is waiting in the mutex, while the decoder thread is the only one decoding the gif image.

Carlos Garcia Campos

Comment 29 2017-01-08 23:54:33 PST

(In reply to comment #26) > (In reply to comment #25) > > Created attachment 298283 [details] > > BT from gdb for the WebProcess, with the new patch > > Keeps crashing ... Due to an assert when accessing passed in rowBuffer: const unsigned char sourceValue = rowBuffer[(m_scaled ? m_scaledColumns[x] : x) - frameContext->xOffset]; it seems that can overflow, which looks unrelated to the threading issue, I think, I would need to look at it in more detail to be sure.

Carlos Garcia Campos

Comment 30 2017-01-08 23:55:16 PST

(In reply to comment #27) > Created attachment 298284 [details] > BT from gdb for the UIProcess, with the new patch > > Immediately after the SIGSEV in the WebProcess, we have this SIGSEV in the > UIProcess. > > This is the message in the console: > > > -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- > > The program with pid 29593 received an X Window System error. > The error was 'BadDamage (invalid Damage parameter)'. > > -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- This is also a different issue.

Carlos Garcia Campos

Comment 31 2017-01-09 04:13:26 PST

Committed r210501: <http://trac.webkit.org/changeset/210501>

Note You need to log in before you can comment on or make changes to this bug.