RESOLVED WONTFIX 148622
[SOUP] Invalid read in webkitSoupCookieJarSqliteLoad
https://bugs.webkit.org/show_bug.cgi?id=148622
Michael Catanzaro
Reported 2015-08-30 14:50:06 PDT
Part of an investigation into why Epiphany likes to crash during startup.... The network process crashes immediately when run with asan. The problem is in webkitSoupCookieJarSqliteLoad, calling WebCore::SQLiteStatement::getColumnText. The return value of sqlite3_column_text16 [1] is invalid. I don't know why.

While investigating this I discovered bug #148620, but that is unfortunately NOT the cause of this issue.

I also tried omitting the call to sqlite3_column_bytes16, and switched to the WTF::String constructor that expects a null-terminated UTF-16 string. That also did not help.

[1] https://sqlite.org/c3ref/column_blob.html

==22362==ERROR: AddressSanitizer: unknown-crash on address 0x7f5d63813983 at pc 0x00000048530a bp 0x7ffca75e8b30 sp 0x7ffca75e82e8
WRITE of size 1408 at 0x7f5d63813983 thread T0
    #0 0x485309 in __asan_memcpy (/home/mcatanzaro/jhbuild/install/libexec/webkit2gtk-4.0/WebKitNetworkProcess+0x485309)
    #1 0x7f5d77d0fe79 in WTF::Ref<WTF::StringImpl> WTF::StringImpl::createInternal<unsigned short>(unsigned short const*, unsigned int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/text/StringImpl.cpp:248:5
    #2 0x7f5d77d0231d in WTF::StringImpl::create(unsigned short const*, unsigned int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/text/StringImpl.cpp:254:12
    #3 0x7f5d77d1acdb in WTF::String::String(unsigned short const*) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/text/WTFString.cpp:56:14
    #4 0x7f5d80107884 in WebCore::SQLiteStatement::getColumnText(int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebCore/platform/sql/SQLiteStatement.cpp:349:5
    #5 0x7f5d7ed68311 in webkitSoupCookieJarSqliteLoad(_WebKitSoupCookieJarSqlite*) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/WebProcess/Cookies/soup/WebKitSoupCookieJarSqlite.cpp:110:93
    #6 0x7f5d7ed68014 in webkitSoupCookieJarSqliteNew /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/WebProcess/Cookies/soup/WebKitSoupCookieJarSqlite.cpp:222:5
    #7 0x7f5d7ed6787f in WebKit::WebCookieManager::setCookiePersistentStorage(WTF::String const&, unsigned int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/WebProcess/Cookies/soup/WebCookieManagerSoup.cpp:79:25
    #8 0x7f5d7ee2a58e in void IPC::callMemberFunctionImpl<WebKit::WebCookieManager, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int), std::tuple<WTF::String, unsigned int>, 0ul, 1ul>(WebKit::WebCookieManager*, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int), std::tuple<WTF::String, unsigned int>&&, std::index_sequence<0ul, 1ul>) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/HandleMessage.h:16:5
    #9 0x7f5d7ee2a4e8 in void IPC::callMemberFunction<WebKit::WebCookieManager, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int), std::tuple<WTF::String, unsigned int>, std::make_index_sequence<2ul> >(std::tuple<WTF::String, unsigned int>&&, WebKit::WebCookieManager*, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int)) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/HandleMessage.h:22:5
    #10 0x7f5d7ee2a3ad in void IPC::handleMessage<Messages::WebCookieManager::SetCookiePersistentStorage, WebKit::WebCookieManager, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int)>(IPC::MessageDecoder&, WebKit::WebCookieManager*, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int)) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/HandleMessage.h:92:5
    #11 0x7f5d7ee2975e in WebKit::WebCookieManager::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/DerivedSources/WebKit2/WebCookieManagerMessageReceiver.cpp:74:9
    #12 0x7f5d7ee299ac in non-virtual thunk to WebKit::WebCookieManager::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/DerivedSources/WebKit2/WebCookieManagerMessageReceiver.cpp:81:1
    #13 0x7f5d7e60ace6 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:97:9
    #14 0x7f5d7ebcc110 in WebKit::NetworkProcess::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/NetworkProcess/NetworkProcess.cpp:127:9
    #15 0x7f5d7e5f061c in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:898:5
    #16 0x7f5d7e5e9e18 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:929:9
    #17 0x7f5d7e5f077a in IPC::Connection::dispatchOneMessage() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:960:5
    #18 0x7f5d7e5f0a70 in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:892:9
    #19 0x7f5d7e5f08b0 in std::_Function_handler<void (), IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >)::$_10>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:1871:4
    #20 0x7f5d7e54007b in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:2271:14
    #21 0x7f5d81385c7e in WTF::RunLoop::performWork() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/RunLoop.cpp:121:9
    #22 0x7f5d8138c780 in WTF::RunLoop::wakeUp()::$_0::operator()() const /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/RunLoopGLib.cpp:96:9
    #23 0x7f5d8138c5c0 in std::_Function_handler<void (), WTF::RunLoop::wakeUp()::$_0>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:1871:4
    #24 0x7f5d7e54007b in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:2271:14
    #25 0x7f5d77d31f2e in WTF::GMainLoopSource::voidCallback() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/GMainLoopSource.cpp:365:5
    #26 0x7f5d77d2ff1c in WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/GMainLoopSource.cpp:456:5
    #27 0x7f5d736d9430 in g_idle_dispatch /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:5441
    #28 0x7f5d736d6a78 in g_main_dispatch /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:3154
    #29 0x7f5d736d78bc in g_main_context_dispatch /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:3769
    #30 0x7f5d736d7aa0 in g_main_context_iterate /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:3840
    #31 0x7f5d736d7ec6 in g_main_loop_run /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:4034
    #32 0x7f5d8138b9e8 in WTF::RunLoop::run() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/RunLoopGLib.cpp:67:9
    #33 0x7f5d7ec445a3 in int WebKit::ChildProcessMain<WebKit::NetworkProcess, WebKit::NetworkProcessMain>(int, char**) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61:5
    #34 0x7f5d7ec44478 in NetworkProcessMainUnix /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/NetworkProcess/gtk/NetworkProcessMainGtk.cpp:62:12
    #35 0x4b9f76 in main /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:44:12
    #36 0x7f5d6cfa66ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #37 0x4b9e78 in _start (/home/mcatanzaro/jhbuild/install/libexec/webkit2gtk-4.0/WebKitNetworkProcess+0x4b9e78)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0fec2c6fa6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fec2c6fa730:[03]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  ASan internal:         fe
==22362==ABORTING
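The shadow-memory section of the report above can be decoded mechanically. The following is an added example, not code from the bug report or from WebKit; it assumes the x86_64 Linux ASan mapping (Shadow = (Addr >> 3) + 0x7fff8000) and uses the faulting address and the [03] shadow byte shown in the report.

```c
/* Added example (not code from the bug report or from WebKit): decoding the
 * "Shadow bytes around the buggy address" section of the ASan output above.
 * Assumes x86_64 Linux, where ASan maps Shadow = (Addr >> 3) + 0x7fff8000 and
 * one shadow byte describes a granule of 8 application bytes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shadow byte address for an application address. */
uint64_t asan_shadow_addr(uint64_t addr)
{
    return (addr >> 3) + 0x7fff8000ULL;
}

/* Is the byte at addr addressable, given its granule's shadow value?
 * 00: all 8 bytes; 01..07: only the first k bytes; high bit set: poisoned. */
bool asan_byte_addressable(uint8_t shadow, uint64_t addr)
{
    if (shadow == 0x00) return true;
    if (shadow & 0x80) return false;
    return (addr & 7) < shadow;
}

/* Classify a shadow value using the legend ASan prints after the dump. */
const char *asan_shadow_kind(uint8_t shadow)
{
    if (shadow == 0x00) return "addressable";
    if (shadow <= 0x07) return "partially addressable";
    switch (shadow) {
    case 0xfa: case 0xfb: return "heap redzone";
    case 0xfd: return "freed heap region";
    case 0xf1: case 0xf2: case 0xf3: case 0xf4: return "stack redzone";
    case 0xf9: return "global redzone";
    default: return "other poisoned";
    }
}

int main(void)
{
    /* From the report: WRITE of size 1408 at 0x7f5d63813983, shadow shown as
     * [03]: only the granule's first 3 bytes are fine, and the access starts at
     * offset 3 inside it, so the very first byte written is not addressable. */
    uint64_t bad = 0x7f5d63813983ULL;
    printf("shadow at 0x%llx (%s); first byte addressable: %d\n",
           (unsigned long long)asan_shadow_addr(bad), asan_shadow_kind(0x03),
           asan_byte_addressable(0x03, bad));
    return 0;
}
```

Because the byte after [03] is 00 rather than a redzone marker, ASan has no redzone kind to name, which is why it reports unknown-crash and suspects a wild access.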
Michael Catanzaro
Comment 1 2015-08-30 16:43:17 PDT
Hm, the issue goes away when turning off bmalloc, after I implemented bug #148623. So... shrug.