Bug 304053
| Summary: | [SOUP] NetworkProcess process crash due to heap corruption "malloc_consolidate(): unaligned fastbin chunk detected" | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Vitaly Dyackhov <vitaly> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | REOPENED | | |
| Severity: | Normal | CC: | fujii.hironori, mcatanzaro, webkit-bug-importer, zimmermann |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=268281, https://bugs.webkit.org/show_bug.cgi?id=267992 | | |
Vitaly Dyackhov
Thread 1 (Thread 0x7f701961c5c0 (LWP 1618706)):
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007f7020c3327e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007f7020c168ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007f7020c177b6 in __libc_message_impl (fmt=fmt@entry=0x7f7020dbc8d7 "%s\n") at ../sysdeps/posix/libc_fatal.c:134
#6 0x00007f7020c96ff5 in malloc_printerr (str=str@entry=0x7f7020dbf8a0 "malloc_consolidate(): unaligned fastbin chunk detected") at ./malloc/malloc.c:5772
#7 0x00007f7020c97d4c in malloc_consolidate (av=av@entry=0x7f7020df1ac0 <main_arena>) at ./malloc/malloc.c:4846
#8 0x00007f7020c99a90 in _int_malloc (av=av@entry=0x7f7020df1ac0 <main_arena>, bytes=bytes@entry=4096) at ./malloc/malloc.c:4041
#9 0x00007f7020c9b6f4 in __GI___libc_malloc (bytes=bytes@entry=4096) at ./malloc/malloc.c:3336
#10 0x00007f7020c731b5 in __GI__IO_file_doallocate (fp=0x5565b1b07140) at ./libio/filedoalloc.c:101
#11 0x00007f7020c83524 in __GI__IO_doallocbuf (fp=fp@entry=0x5565b1b07140) at ./libio/libioP.h:1030
#12 0x00007f7020c81f4c in __GI__IO_file_xsgetn (fp=0x5565b1b07140, data=0x7ffe42cf2f20, n=44) at ./libio/fileops.c:1288
#13 0x00007f7020c7f604 in __GI___fread_unlocked (buf=buf@entry=0x7ffe42cf2f20, size=size@entry=44, count=count@entry=1, fp=fp@entry=0x5565b1b07140) at ./libio/iofread_u.c:40
#14 0x00007f7020ccf592 in __tzfile_read (file=<optimized out>, file@entry=0x7ffe42cf56c7 "PST8PDT", extra=extra@entry=0, extrap=extrap@entry=0x0) at ./time/tzfile.c:187
#15 0x00007f7020cce6f6 in tzset_internal (always=<optimized out>) at ./time/tzset.c:405
#16 0x00007f7020ccf18b in __tz_convert (timer=1765525086, use_localtime=1, tp=0x7ffe42cf30e0) at ./time/tzset.c:577
#17 0x00007f701fdab372 in g_log_writer_format_fields () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x00007f701fdabea1 in g_log_writer_standard_streams () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x00007f701fdac704 in g_log_writer_default () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#20 0x00007f701fda4054 in g_log_structured_array () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#21 0x00007f701fda43dc in g_log_default_handler () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#22 0x00007f701fda4680 in g_logv () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#23 0x00007f701fda4963 in g_log () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#24 0x00007f701fdaee2a in g_atomic_ref_count_dec () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#25 0x00007f701fd67572 in g_atomic_rc_box_release_full () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#26 0x00007f701ffa2d21 in ??? () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#27 0x00007f701feaf61d in g_object_unref () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#28 0x00007f701fd95735 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#29 0x00007f701fd9dcbb in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#30 0x00007f701fd9f502 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#31 0x00007f701fd9f710 in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#32 0x00007f70254ba717 in WTF::RunLoop::runGLibMainLoopIteration(WTF::RunLoop::MayBlock) () at /home/buildbot-worker/WPE-Linux-64-bit-Release-Build/build/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#33 0x00007f70254bab22 in WTF::RunLoop::run() () at /home/buildbot-worker/WPE-Linux-64-bit-Release-Build/build/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#34 0x00007f70231318ab in int WebKit::AuxiliaryProcessMain<WebKit::NetworkProcessMainSoup>(int, char**) () at /home/buildbot-worker/WPE-Linux-64-bit-Release-Build/build/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#35 0x00007f7020c181ca in __libc_start_call_main (main=main@entry=0x5565930b6800 <main>, argc=argc@entry=3, argv=argv@entry=0x7ffe42cf3948) at ../sysdeps/nptl/libc_start_call_main.h:58
#36 0x00007f7020c1828b in __libc_star
Vitaly Dyackhov
Pull request: https://github.com/WebKit/WebKit/pull/55301
EWS
Test gardening commit 304351@main (ea02ed60096d): <https://commits.webkit.org/304351@main>
Reviewed commits have been landed. Closing PR #55301 and removing active labels.
Nikolas Zimmermann
Very same crash here: https://build.webkit.org/results/GTK-Linux-64-bit-Debug-Tests/304475@main%20(17735)/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/anonymous-iframe/local-storage.tentative.https.window-crash-log.txt
Nikolas Zimmermann
Another crash here: https://build.webkit.org/results/GTK-Linux-64-bit-Debug-Tests/304475@main%20(17735)/imported/w3c/web-platform-tests/speculation-rules/speculation-tags/cross-site-to-same-site-redirection-prefetch.https-crash-log.txt
Nikolas Zimmermann
Gardened imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/anonymous-iframe/local-storage.tentative.https.window.html and imported/w3c/web-platform-tests/speculation-rules/speculation-tags/cross-site-to-same-site-redirection-prefetch.https.html in https://commits.webkit.org/304545@main.
Fujii Hironori
The test is passing these days.
https://results.webkit.org/?platform=GTK&platform=WPE&suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Ftrusted-types%2FSharedWorker-eval.html
305009@main unmarked the test.
Radar WebKit Bug Importer
<rdar://problem/167350245>
Fujii Hironori
NetworkProcess process is still randomly crashing for http tests or wpt tests. Reopened.
https://build.webkit.org/results/GTK-Linux-64-bit-Debug-Tests/305152@main%20(17815)/results.html
Fujii Hironori
Another backtrace.
https://build.webkit.org/results/GTK-Linux-64-bit-Debug-Tests/305152@main%20(17815)/imported/w3c/web-platform-tests/speculation-rules/speculation-tags/deduped-and-sorted-tags.https_type=prerender-crash-log.txt
Thread 1 (Thread 0x7f3324a6cec0 (LWP 257772)):
#0 0x00007f332beb36b1 in g_logv () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1 0x00007f332beb3963 in g_log () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007f332bebde2a in g_atomic_ref_count_dec () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007f332be76572 in g_atomic_rc_box_release_full () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007f33330d2d21 in ??? () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#5 0x00007f3331fa561d in g_object_unref () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6 0x00007f332bea4735 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7 0x00007f332beaccbb in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8 0x00007f332beae502 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#9 0x00007f332beae710 in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x00007f3331bab1d9 in WTF::RunLoop::runGLibMainLoopIteration (this=0x7f331a01c110, mayBlock=WTF::RunLoop::MayBlock::Yes) at ../../../Source/WTF/wtf/glib/RunLoopGLib.cpp:190
#11 0x00007f3331bab248 in WTF::RunLoop::runGLibMainLoop (this=0x7f331a01c110) at ../../../Source/WTF/wtf/glib/RunLoopGLib.cpp:199
#12 0x00007f3331bab310 in WTF::RunLoop::run () at ../../../Source/WTF/wtf/glib/RunLoopGLib.cpp:212
#13 0x00007f3342b9a3e4 in WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess, false>::run (this=0x7ffd60b0d1d0, argc=3, argv=0x7ffd60b0d3a8) at ../../../Source/WebKit/Shared/AuxiliaryProcessMain.h:77
#14 0x00007f3342b951d0 in WebKit::AuxiliaryProcessMain<WebKit::NetworkProcessMainSoup> (argc=3, argv=0x7ffd60b0d3a8) at ../../../Source/WebKit/Shared/AuxiliaryProcessMain.h:103
#15 0x00007f3342b90450 in WebKit::NetworkProcessMain (argc=3, argv=0x7ffd60b0d3a8) at ../../../Source/WebKit/NetworkProcess/soup/NetworkProcessMainSoup.cpp:66
#16 0x00005604859167ed in main (argc=3, argv=0x7ffd60b0d3a8) at ../../../Source/WebKit/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:31
Fujii Hironori
error messages:
> STDERR: malloc_consolidate(): unaligned fastbin chunk detected
> STDERR: (process:257772): GLib-CRITICAL **: 09:52:12.319: g_atomic_ref_count_dec: assertion 'old_value > 0' failed
Fujii Hironori
(In reply to Fujii Hironori from comment #10)
> > STDERR: (process:257772): GLib-CRITICAL **: 09:52:12.319: g_atomic_ref_count_dec: assertion 'old_value > 0' failed
bug#268281 is tracking the problem.
Fujii Hironori
Another error message.
https://build.webkit.org/results/WPE-Linux-64-bit-Release-Tests/305168%40main%20%2824494%29/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-crash-log.txt
> STDERR: corrupted double-linked list
Thread 1 (Thread 0x7fb2564a9540 (LWP 2827874)):
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007fb25dc3327e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007fb25dc168ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007fb25dc177b6 in __libc_message_impl (fmt=fmt@entry=0x7fb25ddbc8d7 "%s\n") at ../sysdeps/posix/libc_fatal.c:134
#6 0x00007fb25dc96ff5 in malloc_printerr (str=str@entry=0x7fb25ddba605 "corrupted double-linked list") at ./malloc/malloc.c:5772
#7 0x00007fb25dc97b7c in unlink_chunk (p=<optimized out>, av=<optimized out>) at ./malloc/malloc.c:1617
#8 0x00007fb25dc97d2b in malloc_consolidate (av=av@entry=0x7fb25ddf1ac0 <main_arena>) at ./malloc/malloc.c:4876
#9 0x00007fb25dc99a90 in _int_malloc (av=av@entry=0x7fb25ddf1ac0 <main_arena>, bytes=bytes@entry=4096) at ./malloc/malloc.c:4041
#10 0x00007fb25dc9b6f4 in __GI___libc_malloc (bytes=bytes@entry=4096) at ./malloc/malloc.c:3336
#11 0x00007fb25dc731b5 in __GI__IO_file_doallocate (fp=0x5606826cc270) at ./libio/filedoalloc.c:101
#12 0x00007fb25dc83524 in __GI__IO_doallocbuf (fp=fp@entry=0x5606826cc270) at ./libio/libioP.h:1030
#13 0x00007fb25dc81f4c in __GI__IO_file_xsgetn (fp=0x5606826cc270, data=0x7fff172ddd20, n=44) at ./libio/fileops.c:1288
#14 0x00007fb25dc7f604 in __GI___fread_unlocked (buf=buf@entry=0x7fff172ddd20, size=size@entry=44, count=count@entry=1, fp=fp@entry=0x5606826cc270) at ./libio/iofread_u.c:40
#15 0x00007fb25dccf592 in __tzfile_read (file=<optimized out>, file@entry=0x7fff172e089d "PST8PDT", extra=extra@entry=0, extrap=extrap@entry=0x0) at ./time/tzfile.c:187
#16 0x00007fb25dcce6f6 in tzset_internal (always=<optimized out>) at ./time/tzset.c:405
#17 0x00007fb25dccf18b in __tz_convert (timer=1767732264, use_localtime=1, tp=0x7fff172ddee0) at ./time/tzset.c:577
#18 0x00007fb25cc01372 in g_log_writer_format_fields () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#19 0x00007fb25cc01ea1 in g_log_writer_standard_streams () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#20 0x00007fb25cc02704 in g_log_writer_default () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#21 0x00007fb25cbfa054 in g_log_structured_array () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#22 0x00007fb25cbfa3dc in g_log_default_handler () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#23 0x00007fb25cbfa680 in g_logv () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#24 0x00007fb25cbfa963 in g_log () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#25 0x00007fb25cc04e2a in g_atomic_ref_count_dec () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#26 0x00007fb25cbbd572 in g_atomic_rc_box_release_full () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#27 0x00007fb25cdf8d21 in ??? () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#28 0x00007fb25cd0561d in g_object_unref () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#29 0x00007fb25cbeb735 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#30 0x00007fb25cbf3cbb in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#31 0x00007fb25cbf5502 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#32 0x00007fb25cbf5710 in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#33 0x00007fb2625103e7 in WTF::RunLoop::runGLibMainLoopIteration(WTF::RunLoop::MayBlock) () at /sdk/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#34 0x00007fb2625107e2 in WTF::RunLoop::run() () at /sdk/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#35 0x00007fb260124acb in int WebKit::AuxiliaryProcessMain<WebKit::NetworkProcessMainSoup>(int, char**) () at /sdk/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#36 0x00007fb25dc181ca in __libc_start_call_main (main=main@entry=0x5606527167d0 <main>, argc=argc@entry=3, argv=argv@entry=0x7fff172de748) at ../sysdeps/nptl/libc_start_call_main.h:58
#37 0x00007fb25dc1828b in __libc_start_main_impl (main=0x5606527167d0 <main>, argc=3, argv=0x7fff172de748, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff172de738) at ../csu/libc-start.c:360
#38 0x0000560652716705 in _start ()
Fujii Hironori
(In reply to Fujii Hironori from comment #12)
> > STDERR: corrupted double-linked list
Is it bug#267992?
Michael Catanzaro
For bugs like this, we really need to catch it under valgrind or asan. And asan EWS would be wonderful. Alas. :(
Fujii Hironori
Another error message:
> STDERR: malloc(): unsorted double linked list corrupted
https://build.webkit.org/results/GTK-Linux-64-bit-Debug-Tests/305790@main%20(17895)/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-crash-log.txt