Bug 210579

Summary: Infinite loop while closing tab (infinite loop in HashTable::inlineLookup)
Product: WebKit
Reporter: Benjamin Berg <benjamin>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: bugs-noreply, mcatanzaro
Priority: P2
Version: Other
Hardware: Unspecified
OS: Unspecified
Attachments:
  Description: bt + stepping showing where it returns to the top of the while (1) loop
  Flags: none

Benjamin Berg
Reported 2020-04-15 16:26:05 PDT
Created attachment 396588
bt + stepping showing where it returns to the top of the while (1) loop

I triggered this lockup by trying to close a YouTube tab that was playing a video.

The lookup infinite loops, it seems this is because in my case:

  i == 64
  k == 0x7bc24d15
  sizeMask = 0x48

and "i = (i + k) & sizeMask" cannot change i …

Really, looks like a memory corruption.

I have a full coredump locally (3.1 GiB), in case one may be able to fish out more information. Full backtrace and some stepping around attached.

This is with webkit2gtk3-2.28.0-7.fc31.x86_64
Attachments
bt + stepping showing where it returns to the top of the while (1) loop (20.08 KB, text/plain)
2020-04-15 16:26 PDT, Benjamin Berg
no flags
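
The arithmetic in the report can be checked in isolation. The following is an added example, not WebKit code and not from the reporter: it replays the quoted probe step with the reported values and contrasts it with a well-formed mask. The function names are hypothetical, the mask 0x7f is a constructed comparison value, and the check assumes a well-formed mask has the form 2^n - 1 (a power-of-two table size).

```cpp
#include <cstdint>
#include <cstdio>
#include <set>

// Assumption: a well-formed mask is tableSize - 1 with tableSize a power
// of two, so every bit below the top set bit is also set.
bool isValidSizeMask(uint32_t mask)
{
    return (mask & (mask + 1)) == 0;
}

// One probe step, using the expression quoted in the report.
uint32_t probeStep(uint32_t i, uint32_t k, uint32_t sizeMask)
{
    return (i + k) & sizeMask;
}

// Number of distinct slots the probe sequence reaches from i before it
// revisits one. A lookup that finds neither its key nor an empty slot
// among these slots never leaves the loop.
unsigned distinctSlotsVisited(uint32_t i, uint32_t k, uint32_t sizeMask)
{
    std::set<uint32_t> seen;
    while (seen.insert(i).second)
        i = probeStep(i, k, sizeMask);
    return static_cast<unsigned>(seen.size());
}

int main()
{
    const uint32_t i = 64, k = 0x7bc24d15;  // values from the report
    const uint32_t reportedMask = 0x48;     // value from the report
    const uint32_t wellFormedMask = 0x7f;   // constructed: 128-slot table

    std::printf("mask 0x%x valid=%d next i=%u slots reached=%u\n",
                (unsigned)reportedMask, isValidSizeMask(reportedMask),
                (unsigned)probeStep(i, k, reportedMask),
                distinctSlotsVisited(i, k, reportedMask));
    std::printf("mask 0x%x valid=%d next i=%u slots reached=%u\n",
                (unsigned)wellFormedMask, isValidSizeMask(wellFormedMask),
                (unsigned)probeStep(i, k, wellFormedMask),
                distinctSlotsVisited(i, k, wellFormedMask));
    return 0;
}
```

With the reported mask the probe is stuck on slot 64; with a mask of the form 2^n - 1 the same odd step reaches every slot, so a mask of 0x48 is consistent with the reporter's suspicion that the table header was overwritten.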