RESOLVED FIXED 108398
[Qt] webkit crashes with sigsegv at JSC::CopyWorkList at ARM with qt5-final
https://bugs.webkit.org/show_bug.cgi?id=108398
Ricardo
Reported 2013-01-30 16:09:42 PST
Using Ubuntu 12.10 on a Nexus 7 (or any other ARM device), and the Qt 5 final packages from https://launchpad.net/~canonical-qt5-edgers/+archive/qt5-proper/, I get a segfault when browsing with a sample QML based browser and navigating to websites such as www.cnn.com.

Steps:
1 - Install the Qt 5 proper ppa on a running Ubuntu 12.10 based ARM device (such as a Nexus 7 or a PandaBoard);
2 - Use the following sample qml to open cnn.com by default: http://paste.ubuntu.com/1591367/
3 - Run with 'qmlscene browser.qml' and navigate the website by clicking on a few links (it usually happens when loading the second link).
4 - Wait for the crash.

Backtrace (http://paste.ubuntu.com/1586241/):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x46eff460 (LWP 654)]
JSC::CopyWorkList::~CopyWorkList (this=0xfffffffb, __in_chrg=<optimized out>) at heap/CopyWorkList.h:139
139	heap/CopyWorkList.h: No such file or directory.
(gdb)
(gdb) bt full
#0  JSC::CopyWorkList::~CopyWorkList (this=0xfffffffb, __in_chrg=<optimized out>) at heap/CopyWorkList.h:139
No locals.
#1  0x40eaf550 in deleteOwnedPtr<JSC::CopyWorkList> (ptr=0xfffffffb) at ../WTF/wtf/OwnPtrCommon.h:60
No locals.
#2  clear (this=0x5146400c) at ../WTF/wtf/OwnPtr.h:119
        ptr = 0xfffffffb
#3  pin (this=0x51464000) at heap/CopiedBlock.h:163
No locals.
#4  pin (block=0x51464000, this=<optimized out>) at heap/CopiedSpaceInlines.h:57
No locals.
#5  copyLater (ptr=0x514645b0, this=<optimized out>, owner=<optimized out>, bytes=<optimized out>) at heap/SlotVisitorInlines.h:167
No locals.
#6  copyLater (bytes=4294967272, ptr=0x514645b0, owner=0x501c71b0, this=<optimized out>) at runtime/JSObject.cpp:204
No locals.
#7  visitButterfly (storageSize=<optimized out>, butterfly=0x51464588, visitor=..., this=0x501c71b0) at runtime/JSObject.cpp:187
        preCapacity = <optimized out>
        propertyCapacity = 4294967291
        indexingPayloadSizeInBytes = <optimized out>
        capacityInBytes = 4294967272
#8  JSC::JSObject::visitChildren (cell=0x501c71b0, visitor=...) at runtime/JSObject.cpp:217
        butterfly = 0x51464588
#9  0x40d5b3c0 in visitChildren (cell=<optimized out>, visitor=...) at heap/SlotVisitor.cpp:90
No locals.
#10 JSC::SlotVisitor::drain (this=0x453618f0) at heap/SlotVisitor.cpp:147
No locals.
#11 0x40d52576 in donateAndDrain (this=0x453618f0) at heap/SlotVisitorInlines.h:161
No locals.
Ricardo
Comment 1 2013-01-31 12:12:03 PST
I did test with an older qtwebkit revision, and got a similar issue (before the js heap work):

#0  0x40e7d862 in testAndSet (n=0, this=0x14) at ../WTF/wtf/Bitmap.h:98
        mask = 1
        index = 0
        result = <optimized out>
#1  concurrentTestAndSet (n=0, this=0x14) at ../WTF/wtf/Bitmap.h:117
No locals.
#2  testAndSetMarked (this=0x0, p=0x1) at heap/MarkedBlock.h:371
No locals.
#3  testAndSetMarked (cell=0x1) at heap/Heap.h:324
No locals.
#4  internalAppend (this=<optimized out>, cell=0x1) at runtime/Structure.h:559
No locals.
#5  internalAppend (value=..., this=<optimized out>) at heap/SlotVisitorInlines.h:82
No locals.
#6  append (count=<optimized out>, this=0x48ee08d0, slot=<optimized out>) at heap/SlotVisitorInlines.h:40
        value = @0x55f6b010: {u = {asInt64 = -21474836479, asDouble = -nan(0xffffb00000001), asBits = {payload = 1, tag = -5}}}
        i = <optimized out>
#7  appendValues (count=<optimized out>, barriers=<optimized out>, this=0x48ee08d0) at runtime/WriteBarrier.h:237
No locals.

So for some reason the value is corrupted, as cell is pointing to 0x1, which then makes the segfault happen. Guess it'd be ideal to trace and debug when the broken value indeed got inserted into the heap, as all the code seems to be doing here is cleaning the heap up.
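The raw numbers in the two backtraces above can be decoded with JavaScriptCore's 32_64 JSValue encoding (the layout used on 32-bit ARM). This is an added triage script, not part of the bug report or of QtWebKit; the tag constants are the ones from JavaScriptCore's JSCJSValue.h of that era, and the plausibility checks at the end are heuristics assumed here, not the diagnosis this thread reached.

```python
import re
import struct

# JSValue 32_64 tag words from JavaScriptCore's JSCJSValue.h (32-bit builds):
# the high 32 bits hold the tag, the low 32 bits the payload, and any high word
# outside this table means the 64 bits are an IEEE double stored unmodified.
TAGS = {
    0xffffffff: "Int32Tag", 0xfffffffe: "BooleanTag", 0xfffffffd: "NullTag",
    0xfffffffc: "UndefinedTag", 0xfffffffb: "CellTag",
    0xfffffffa: "EmptyValueTag", 0xfffffff9: "DeletedValueTag",
}

def decode_jsvalue(payload, tag):
    """Rebuild asInt64 from gdb's asBits {payload, tag} and classify the value."""
    payload_u, tag_u = payload & 0xffffffff, tag & 0xffffffff
    raw = struct.pack("<II", payload_u, tag_u)   # little-endian ARM: payload first
    as_int64 = struct.unpack("<q", raw)[0]
    kind = TAGS.get(tag_u)
    if kind is None:
        return as_int64, "double", struct.unpack("<d", raw)[0]
    return as_int64, kind, payload_u             # for CellTag the payload is the JSCell*

def parse_gdb_jsvalue(frame_text):
    """Pull payload/tag out of a 'bt full' dump of a JSValue union; None if absent."""
    m = re.search(r"payload = (-?\d+), tag = (-?\d+)", frame_text)
    if not m:
        return None
    return decode_jsvalue(int(m.group(1)), int(m.group(2)))

def cell_pointer_is_plausible(ptr):
    """Heuristic (assumed here): a real JSCell sits above the zero page and is word-aligned."""
    return ptr >= 0x1000 and ptr % 4 == 0

def word_is_a_tag(word):
    """Heuristic (assumed here): a pointer or size equal to a tag word hints at a stray JSValue tag."""
    return TAGS.get(word & 0xffffffff)

# Constructed input: the frame #6 'value' from comment 1, copied from the backtrace above.
FRAME6 = "value = @0x55f6b010: {u = {asInt64 = -21474836479, asBits = {payload = 1, tag = -5}}}"

if __name__ == "__main__":
    as_int64, kind, detail = parse_gdb_jsvalue(FRAME6)
    print(as_int64, kind, hex(detail), cell_pointer_is_plausible(detail))
    # 'this' in frame #0 of the original report and propertyCapacity in its frame #7
    for word in (0xfffffffb, 4294967291):
        print(hex(word), word_is_a_tag(word))
```

Run against the report, the frame #6 value rebuilds exactly to asInt64 = -21474836479 with CellTag and a cell pointer of 0x1, and both 0xfffffffb words from the first backtrace equal CellTag, which is the kind of pattern worth checking before blaming the collector itself.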
Ricardo
Comment 2 2013-02-25 18:32:19 PST
Just pasting the snippet that was described at the pastebin (since it's now gone):

import QtQuick 2.0
import QtWebKit 3.0
import QtWebKit.experimental 1.0

Item {
    id: webViewItem
    width: 1024; height: 720

    WebView {
        id: webView
        experimental.userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3"
        url: "http://www.cnn.com"
        anchors.fill: parent
        onLoadingChanged: {
            if (webView.url == "about:blank")
                return;
            if (loadRequest.status === WebView.LoadFailedStatus)
                webView.loadHtml("<html><body><h1>=(</h1><h2>Error: 404! File not found.</h2><h1>=~</h1></body></html>")
        }
    }
}

Tested with QtWebKit 5.0.1 + Ubuntu Raring 13.04 and was also able to reproduce the issue. The crash is only gone when the JIT is disabled, which is the current workaround we have for the Ubuntu Touch Developer Preview based images.
Allan Sandfeld Jensen
Comment 3 2013-03-25 04:34:03 PDT
This may be solved in the upcoming Qt 5.0.2 after merging the fixes from bug #105221 and bug #105339.
Allan Sandfeld Jensen
Comment 4 2013-04-26 06:53:21 PDT
I am going to assume this has been fixed by the patches to ARM in 5.0.2 and 5.1 alpha. If the crash appears again, feel free to reopen.