Bug 228129

Summary: [SOUP] Network process crash in soup_message_headers_set
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: bugs-noreply, cgarcia, mcatanzaro
Priority: P2
Version: WebKit Nightly Build
Hardware: PC
OS: Linux

Description Michael Catanzaro 2021-07-20 15:03:59 PDT
I've seen this crash several times recently, including twice this afternoon. It is a recent regression. This is using today's Ephy Tech Preview, so it's the very latest libsoup git master:

(gdb) bt full
#0  0x00007faf6190a4bb in raise () at /usr/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007faf618f3867 in abort () at /usr/lib/x86_64-linux-gnu/libc.so.6
#2  0x00007faf61454c7c in g_assertion_message_expr.cold () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007faf614b554f in g_assertion_message_expr () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007faf5e11ef46 in soup_message_headers_set () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0
#5  0x00007faf5e11f11d in soup_message_headers_append_common () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0
#6  0x00007faf5e0fc626 in on_header_callback () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0
#7  0x00007faf5b628aba in session_call_on_header (nv=0x7fff35086b60, frame=0x55d2f29791c0, session=0x55d2f2979020)
    at ../../lib/nghttp2_session.c:3345
        rv = 0
        proclen = 20
        rv = <optimized out>
        inflate_flags = 2
        nv = {name = 0x7faf5b640ce0 <static_table+3840>, value = 0x55d2f297c6b0, token = 30, flags = 0 '\000'}
        stream = <optimized out>
        trailer = 0
        subject_stream = 0x55d2f27d7910
        hd_proclen = 24
        data_readlen = <optimized out>
        trail_padlen = <optimized out>
        final = <optimized out>
        first = 0x7fff35086bc0 ""
        last = 0x7fff35086c37 ""
        iframe = 0x55d2f29791c0
        readlen = 93
        padlen = <optimized out>
        rv = <optimized out>
        busy = <optimized out>
        cont_hd = 
          {length = 140734083140592, stream_id = 434582317, type = 175 '\257', flags = 127 '\177', reserved = 0 '\000'}
        stream = <optimized out>
        pri_fieldlen = <optimized out>
        mem = 0x55d2f29798b0
        __PRETTY_FUNCTION__ = "nghttp2_session_mem_recv"
#8  inflate_header_block
    (call_header_cb=1, final=1, inlen=69, in=0x7fff35086be1 "\\\001\060\017\022\226\337i~\224\020\024\313m\n\b\002\n\202\r\306ݸ\027Tţ\177v\222\327\351\063\236\246\031]\325\006cΔ\326\303+\266\273_|\207\n\341Rc\236j\v@\205\035\tY\035Ʉ%\005\035\237", readlen_ptr=<synthetic pointer>, frame=0x55d2f29791c0, session=0x55d2f2979020)
    at ../../lib/nghttp2_session.c:3698
        proclen = 20
        rv = <optimized out>
        inflate_flags = 2
        nv = {name = 0x7faf5b640ce0 <static_table+3840>, value = 0x55d2f297c6b0, token = 30, flags = 0 '\000'}
        stream = <optimized out>
        trailer = 0
        subject_stream = 0x55d2f27d7910
        hd_proclen = 24
        data_readlen = <optimized out>
        trail_padlen = <optimized out>
        final = <optimized out>
        first = 0x7fff35086bc0 ""
        last = 0x7fff35086c37 ""
        iframe = 0x55d2f29791c0
        readlen = 93
        padlen = <optimized out>
        rv = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--c
        busy = <optimized out>
        cont_hd = {length = 140734083140592, stream_id = 434582317, type = 175 '\257', flags = 127 '\177', reserved = 0 '\000'}
        stream = <optimized out>
        pri_fieldlen = <optimized out>
        mem = 0x55d2f29798b0
        __PRETTY_FUNCTION__ = "nghttp2_session_mem_recv"
#9  nghttp2_session_mem_recv (session=0x55d2f2979020, in=<optimized out>, inlen=119) at ../../lib/nghttp2_session.c:6201
        hd_proclen = 24
        data_readlen = <optimized out>
        trail_padlen = <optimized out>
        final = <optimized out>
        first = 0x7fff35086bc0 ""
        last = 0x7fff35086c37 ""
        iframe = 0x55d2f29791c0
        readlen = 93
        padlen = <optimized out>
        rv = <optimized out>
        busy = <optimized out>
        cont_hd = {length = 140734083140592, stream_id = 434582317, type = 175 '\257', flags = 127 '\177', reserved = 0 '\000'}
        stream = <optimized out>
        pri_fieldlen = <optimized out>
        mem = 0x55d2f29798b0
        __PRETTY_FUNCTION__ = "nghttp2_session_mem_recv"
#10 0x00007faf5e0fd314 in io_read () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0
#11 0x00007faf5e0fd44a in io_read_ready () at /usr/lib/x86_64-linux-gnu/libsoup-3.0.so.0
#12 0x00007faf6148b601 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007faf6148bae8 in g_main_context_iterate.constprop () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x00007faf6148bdf3 in g_main_loop_run () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x00007faf6109ed80 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:108
        runLoop = @0x7faf5a7f9000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 23}, static is_always_lock_free = true}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7faf614142b8 <vtable for WTF::RunLoop+16>}, m_currentIteration = {m_start = 1, m_end = 1, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x7faf092a6d00, m_capacity = 16, m_size = 0}, <No data fields>}}, m_nextIterationLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = {<std::__atomic_base<unsigned char>> = {static _S_alignment = 1, _M_i = 0 '\000'}, static is_always_lock_free = true}}}, m_nextIteration = {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}}, m_isFunctionDispatchSuspended = false, m_hasSuspendedFunctions = false, static s_runLoopSourceFunctions = {prepare = 0x0, check = 0x0, dispatch = 0x7faf6109ebe0 <_FUN(GSource*, GSourceFunc, gpointer)>, finalize = 0x0, closure_callback = 0x0, closure_marshal = 0x0}, m_mainContext = {m_ptr = 0x55d2f23e68b0}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop>, WTF::FastMalloc>> = {m_buffer = 0x7faf5a7f8000, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x55d2f23e7a80}, m_observers = {m_set = {m_impl = {{m_table = 0x0, m_tableForLLDB = 0x0}}}}}
        mainContext = 0x55d2f23e68b0
        innermostLoop = 0x55d2f23e7a60
        nestedMainLoop = <optimized out>
#16 0x00007faf623ba4e2 in WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argc=3, argv=0x7fff35088f38, this=0x7fff35088db0) at ../Source/WebKit/Shared/AuxiliaryProcessMain.h:70
        auxiliaryMain = {m_storage = {__data = "@\277\ne\257\177", '\000' <repeats 34 times>, "\267\003\000\000\000\000\000\000\001\000\000\000\000\000\000\000\022", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\000P\177Z\257\177\000", __align = {<No data fields>}}}
#17 WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run(int, char**) (argv=0x7fff35088f38, argc=3, this=0x7fff35088db0) at ../Source/WebKit/Shared/AuxiliaryProcessMain.h:57
        auxiliaryMain = {m_storage = {__data = "@\277\ne\257\177", '\000' <repeats 34 times>, "\267\003\000\000\000\000\000\000\001\000\000\000\000\000\000\000\022", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\000P\177Z\257\177\000", __align = {<No data fields>}}}
#18 WebKit::AuxiliaryProcessMain<WebKit::NetworkProcessMainSoup>(int, char**) (argc=3, argv=0x7fff35088f38) at ../Source/WebKit/Shared/AuxiliaryProcessMain.h:96
        auxiliaryMain = {m_storage = {__data = "@\277\ne\257\177", '\000' <repeats 34 times>, "\267\003\000\000\000\000\000\000\001\000\000\000\000\000\000\000\022", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000\000P\177Z\257\177\000", __align = {<No data fields>}}}
#19 0x00007faf618f4b90 in __libc_start_main () at /usr/lib/x86_64-linux-gnu/libc.so.6
#20 0x000055d2f196e74e in _start () at ../sysdeps/x86_64/start.S:120

Unfortunately, for some reason the debuginfo for libsoup and glib both appear to be corrupted. I don't know why that might be. That's very unfortunate and not helping.
Comment 1 Carlos Garcia Campos 2021-07-21 04:09:08 PDT
This doesn't look like a WebKit bug, but libsoup. I haven't seen this, so I'll need more debug information or a reproducer. From the bt, I think we are hitting the g_assert (content_type != NULL) in soup_message_headers_set() so, for some reason we are failing to parse the given content type. We need the value of the Content-Type header.
Comment 2 Carlos Garcia Campos 2021-07-21 04:12:10 PDT
Hmm, I see that parse_content_foo was modified by Patrick in https://gitlab.gnome.org/GNOME/libsoup/-/commit/d9f97292b71e7f14f91158750c81f33bb8386973 so that likely introduced the regression. Let's move this to libsoup.
Comment 3 Michael Catanzaro 2021-07-21 05:54:29 PDT
https://gitlab.gnome.org/GNOME/libsoup/-/issues/232