Bug 195532

Summary: [GTK] webkit2gtk3: magazine_chain_pop_head(): WebKitWebProcess killed by SIGSEGV
Product: WebKit Reporter: Ryan Farmer <rfarmer84>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: bugs-noreply, mcatanzaro
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1687186
Attachments:
Description Flags
backtrace
none
cgroup
none
core backtrace
none
cpu info
none
dso list
none
environ
none
exploitable
none
limits
none
maps
none
mountinfo
none
open fds
none
proc pid status none

Ryan Farmer
Reported 2019-03-10 11:53:58 PDT
Created attachment 364183 [details] backtrace This is a copy of this bug on fedora's Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1687186 Description of problem: Watching the video about GTA V on this page causes the webkit process to crash. https://laptoping.com/gpus/product/intel-hd-620-review-graphics-of-7th-gen-core-u-series-kaby-lake-cpus/ Version-Release number of selected component: webkit2gtk3-2.22.7-1.fc29 Additional info: reporter: libreport-2.10.0 backtrace_rating: 4 cmdline: /usr/libexec/webkit2gtk-4.0/WebKitWebProcess 7 48 crash_function: magazine_chain_pop_head executable: /usr/libexec/webkit2gtk-4.0/WebKitWebProcess journald_cursor: s=4bef19b253e44f9a824ad7e1702ab37d;i=3c41fb;b=033ea9e0094343ae98629c679432c48a;m=924e437c;t=583c17a75cb42;x=c4f7f5a6bf153a75 kernel: 4.20.14-200.fc29.x86_64 rootdir: / runlevel: N 5 type: CCpp uid: 1000 Truncated backtrace: Thread no. 1 (10 frames) #0 magazine_chain_pop_head at gslice.c:538 #1 thread_memory_magazine1_alloc at gslice.c:841 #2 g_slice_alloc at gslice.c:1015 #3 gst_buffer_new at gstbuffer.c:798 #4 WebCore::AppendPipeline::pushNewBuffer at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/Source/WebCore/platform/graphics/gstreamer/mse/AppendPipeline.cpp:808 #5 WebCore::MediaSourceClientGStreamerMSE::append at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/Source/WebCore/platform/graphics/gstreamer/mse/MediaSourceClientGStreamerMSE.cpp:150 #6 WebCore::SourceBufferPrivateGStreamer::append at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/ForwardingHeaders/wtf/RefCounted.h:46 #7 WebCore::SourceBuffer::appendBufferTimerFired at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:41 #9 WebCore::ThreadTimers::sharedTimerFiredInternal at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/Source/WebCore/platform/ThreadTimers.h:101 #11 WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp:170
Attachments
backtrace (32.34 KB, text/plain)
2019-03-10 11:53 PDT, Ryan Farmer 		no flags
Details
cgroup (345 bytes, text/plain)
2019-03-10 11:54 PDT, Ryan Farmer 		no flags
Details
core backtrace (137.42 KB, text/plain)
2019-03-10 11:55 PDT, Ryan Farmer 		no flags
Details
cpu info (1.40 KB, text/plain)
2019-03-10 11:55 PDT, Ryan Farmer 		no flags
Details
dso list (19.58 KB, text/plain)
2019-03-10 11:56 PDT, Ryan Farmer 		no flags
Details
environ (3.56 KB, text/plain)
2019-03-10 11:57 PDT, Ryan Farmer 		no flags
Details
exploitable (82 bytes, text/plain)
2019-03-10 11:57 PDT, Ryan Farmer 		no flags
Details
limits (1.29 KB, text/plain)
2019-03-10 11:57 PDT, Ryan Farmer 		no flags
Details
maps (189.62 KB, text/plain)
2019-03-10 11:58 PDT, Ryan Farmer 		no flags
Details
mountinfo (3.88 KB, text/plain)
2019-03-10 11:58 PDT, Ryan Farmer 		no flags
Details
open fds (4.99 KB, text/plain)
2019-03-10 11:59 PDT, Ryan Farmer 		no flags
Details
proc pid status (1.30 KB, text/plain)
2019-03-10 11:59 PDT, Ryan Farmer 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Ryan Farmer
Comment 1 2019-03-10 11:54:29 PDT
Created attachment 364184 [details] cgroup
Ryan Farmer
Comment 2 2019-03-10 11:55:01 PDT
Created attachment 364185 [details] core backtrace
Ryan Farmer
Comment 3 2019-03-10 11:55:41 PDT
Created attachment 364186 [details] cpu info
Ryan Farmer
Comment 4 2019-03-10 11:56:34 PDT
Created attachment 364187 [details] dso list
Ryan Farmer
Comment 5 2019-03-10 11:57:03 PDT
Created attachment 364188 [details] environ
Ryan Farmer
Comment 6 2019-03-10 11:57:21 PDT
Created attachment 364189 [details] exploitable
Ryan Farmer
Comment 7 2019-03-10 11:57:56 PDT
Created attachment 364190 [details] limits
Ryan Farmer
Comment 8 2019-03-10 11:58:15 PDT
Created attachment 364191 [details] maps
Ryan Farmer
Comment 9 2019-03-10 11:58:38 PDT
Created attachment 364192 [details] mountinfo
Ryan Farmer
Comment 10 2019-03-10 11:59:13 PDT
Created attachment 364193 [details] open fds
Ryan Farmer
Comment 11 2019-03-10 11:59:40 PDT
Created attachment 364194 [details] proc pid status
Michael Catanzaro
Comment 12 2019-03-12 09:31:48 PDT
I can't reproduce. I wrote in the downstream bug: Web process memory corruption. This is going to be hard or impossible to debug. :/ * If you're able to reproduce the crash somehow, that gives us only a vague chance of tracking this down. Otherwise: no chance. * Actual code bug might be in the surrounding GStreamer MediaPlayer code, or it might be somewhere completely unrelated and the GStreamer code is just getting unlucky. No way to know from the backtrace. * To catch memory corruption, we can use asan or valgrind. I believe asan is currently broken with WebKit. That means instructing the WebKit UI process to launch the web process under valgrind, which requires a debug build of WebKit (not provided by Fedora, and no guarantee the crash would even occur in a custom build, either) and messing with debug environment variables. Memory corruption is the absolute worst. Sadly there's nothing actionable here, and getting anything actionable would be hard.
Note You need to log in before you can comment on or make changes to this bug.