RESOLVED FIXED 165848
[GTK] WebProcess from WebKitGtk+ 2.15.2 SIGSEGVs in std::unique_ptr<SoupBuffer, WTF::GPtrDeleter<SoupBuffer> >::get() const () at /usr/include/c++/6/bits/unique_ptr.h:305 
https://bugs.webkit.org/show_bug.cgi?id=165848
Summary [GTK] WebProcess from WebKitGtk+ 2.15.2 SIGSEGVs in std::unique_ptr<SoupBuffe...
Andres Gomez Garcia
Reported 2016-12-14 07:48:48 PST
Created attachment 297087 [details] BT from gdb I'm using WebKitGtk+ with my own JHBuild setting: https://github.com/tanty/jhbuild-epiphany/tree/master Epiphany 3.20.3 and WebKit 2.15.2 with the attached patches for bug 164049, bug 165200, bug 165283 and bug 164052, applied. I'm running Epiphany with the dconf key: "process-model" = "shared-secondary-process" And the env variable: "export LIBGL_DRI3_DISABLE=1" The compilation was done with CMake args: '-DUSE_LD_GOLD=OFF -DPORT=GTK -DCMAKE_BUILD_TYPE=Release -DENABLE_MINIBROWSER=ON -DCMAKE_C_FLAGS_RELEASE="-O0 -g1 -DNDEBUG -DG_DEBUG=fatal-criticals -DG_DISABLE_CAST_CHECKS" -DCMAKE_CXX_FLAGS_RELEASE="-O0 -g1 -DNDEBUG -DG_DEBUG=fatal-criticals -DG_DISABLE_CAST_CHECKS"' After visiting several pages, eventually, the WebProcess hits a SIGSEV. This bug is not reproducible in a predictable way.
Attachments
BT from gdb (95.41 KB, text/plain)
2016-12-14 07:48 PST, Andres Gomez Garcia 		no flags
Details
Another similar BT from gdb (173.82 KB, text/plain)
2016-12-15 01:23 PST, Andres Gomez Garcia 		no flags
Details
Yet another similar BT from gdb (199.86 KB, text/plain)
2016-12-17 05:24 PST, Andres Gomez Garcia 		no flags
Details
BT from gdb for the UIProcess (122.46 KB, text/plain)
2016-12-17 05:26 PST, Andres Gomez Garcia 		no flags
Details
And yet another similar BT from gdb (223.00 KB, text/plain)
2016-12-17 16:19 PST, Andres Gomez Garcia 		no flags
Details
Another BT from gdb for the UIProcess (122.50 KB, text/plain)
2016-12-17 16:20 PST, Andres Gomez Garcia 		no flags
Details
BT from gdb, compiled with -g0 (312.52 KB, text/plain)
2016-12-19 05:45 PST, Andres Gomez Garcia 		no flags
Details
BT from gdb, compiled with -g (475.74 KB, text/plain)
2016-12-21 04:40 PST, Andres Gomez Garcia 		no flags
Details
BT from gdb for the UIProcess with -g (143.27 KB, text/plain)
2016-12-21 04:41 PST, Andres Gomez Garcia 		no flags
Details
BT from gdb with LockHolder moved (281.02 KB, text/plain)
2017-01-02 09:17 PST, Andres Gomez Garcia 		no flags
Details
Patch (4.67 KB, patch)
2017-01-05 04:13 PST, Carlos Garcia Campos 		mcatanzaro: review+
DetailsFormatted DiffDiff
BT from gdb for the WebProcess, with the new patch (222.59 KB, text/plain)
2017-01-07 14:04 PST, Andres Gomez Garcia 		no flags
Details
BT from gdb for the UIProcess, with the new patch (132.54 KB, text/plain)
2017-01-07 14:07 PST, Andres Gomez Garcia 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Andres Gomez Garcia
Comment 1 2016-12-15 01:23:26 PST
Created attachment 297186 [details] Another similar BT from gdb
Andres Gomez Garcia
Comment 2 2016-12-15 01:44:36 PST
This bug is happening very recurrently. FTR, the compilation also has '-DENABLE_THREADED_COMPOSITOR=OFF', I forgot to mention that.
Zan Dobersek
Comment 3 2016-12-16 01:51:57 PST
When you hit this again, in gdb, run these commands: $ info registers $ info proc mappings $ disassemble _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv $ disassemble _ZNK7WebCore12SharedBuffer4dataEv $ disassemble _ZNK14GIFImageReader4dataEm The SharedBuffer object on the GIFImageReader might be null.
Andres Gomez Garcia
Comment 4 2016-12-16 09:32:52 PST
(In reply to comment #3) > When you hit this again, in gdb, run these commands: > > $ info registers This is already included in the attached BTs > $ info proc mappings > $ disassemble _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv > $ disassemble _ZNK7WebCore12SharedBuffer4dataEv > $ disassemble _ZNK14GIFImageReader4dataEm I'll do this.
Andres Gomez Garcia
Comment 5 2016-12-17 05:24:22 PST
Created attachment 297401 [details] Yet another similar BT from gdb This BT additionally includes info for: $ info proc mappings $ disassemble _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv $ disassemble _ZNK7WebCore12SharedBuffer4dataEv $ disassemble _ZNK14GIFImageReader4dataEm
Andres Gomez Garcia
Comment 6 2016-12-17 05:26:49 PST
Created attachment 297402 [details] BT from gdb for the UIProcess After the last SIGSEV, the UIProcess also SIGSEVed. This is its BT. Have into account that the code was modified accordingly to the suggestion at: https://bugs.webkit.org/show_bug.cgi?id=165656#c18
Andres Gomez Garcia
Comment 7 2016-12-17 16:19:10 PST
Created attachment 297416 [details] And yet another similar BT from gdb This BT additionally includes info for: $ info proc mappings $ disassemble _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv $ disassemble _ZNK7WebCore12SharedBuffer4dataEv $ disassemble _ZNK14GIFImageReader4dataEm
Andres Gomez Garcia
Comment 8 2016-12-17 16:20:24 PST
Created attachment 297417 [details] Another BT from gdb for the UIProcess After the last SIGSEV, the UIProcess also SIGSEVed. This is its BT. Have into account that the code was modified accordingly to the suggestion at: https://bugs.webkit.org/show_bug.cgi?id=165656#c18
Zan Dobersek
Comment 9 2016-12-18 11:59:41 PST
The hope was that upon the crash the instruction pointer would stay somewhere in _ZNKSt10unique_ptrI10SoupBufferN3WTF11GPtrDeleterIS0_EEE3getEv. That doesn't happen, but the backtrace still reports the crash occurring there. Assuming the backtrace is correct, with the rdi register having the 0x20 value, it seems that the std::unique_ptr<> getter is called on a std::unique_ptr<> object that's at address 0x20. That's the same value as the offset at which the std::unique_ptr<SoupBuffer> object is positioned inside the SharedBuffer class. So I think the SharedBuffer object in the GIFImageReader class is null. Also, looking at the memory mappings -- I really want to know what you're loading in the browser, for starters.
Carlos Garcia Campos
Comment 10 2016-12-19 02:31:01 PST
Maybe this is the same I fixed in r208881
Andres Gomez Garcia
Comment 11 2016-12-19 03:18:49 PST
(In reply to comment #10) > Maybe this is the same I fixed in r208881 Sounds like it. I will apply that patch and check ...
Andres Gomez Garcia
Comment 12 2016-12-19 03:21:48 PST
(In reply to comment #11) > (In reply to comment #10) > > Maybe this is the same I fixed in r208881 > > Sounds like it. I will apply that patch and check ... Actually, this is already in 2.15.2
Andres Gomez Garcia
Comment 13 2016-12-19 03:22:20 PST
(In reply to comment #9) > Also, looking at the memory mappings -- I really want to know what you're > loading in the browser, for starters. I'll try to pass you the crashed session next time it happens.
Michael Catanzaro
Comment 14 2016-12-19 04:41:04 PST
(In reply to comment #12) > Actually, this is already in 2.15.2 Yeah, I checked that commit when I saw Zan's comment yesterday. :(
Andres Gomez Garcia
Comment 15 2016-12-19 05:45:38 PST
Created attachment 297457 [details] BT from gdb, compiled with -g0
Andres Gomez Garcia
Comment 16 2016-12-21 04:40:14 PST
Created attachment 297584 [details] BT from gdb, compiled with -g
Andres Gomez Garcia
Comment 17 2016-12-21 04:41:54 PST
Created attachment 297585 [details] BT from gdb for the UIProcess with -g
Carlos Garcia Campos
Comment 18 2016-12-21 05:15:47 PST
(In reply to comment #12) > (In reply to comment #11) > > (In reply to comment #10) > > > Maybe this is the same I fixed in r208881 > > > > Sounds like it. I will apply that patch and check ... > > Actually, this is already in 2.15.2 I didn't take into account that size() calls isSizeAvailable() that is virtual, and in the case of GIF, it's overriden and also calls decode(). I think the solution should be to make decoders thread-safe, but in the meantime, could you try moving the LockHolder locker(m_lock); in ImageDecoder::createFrameImageAtIndex() to the beginning? right before the size() call?
Andres Gomez Garcia
Comment 19 2017-01-02 09:17:24 PST
Created attachment 297900 [details] BT from gdb with LockHolder moved I already applied a patch to move LockHolder locker(m_lock); in ImageDecoder::createFrameImageAtIndex() to the beginning
Andres Gomez Garcia
Comment 20 2017-01-04 02:01:01 PST
Going to this URL and scrolling down reproduces the crash in a 100% http://wiki.inkscape.org/wiki/index.php/Release_notes/0.92#Important_changes
Zan Dobersek
Comment 21 2017-01-04 09:35:06 PST
(In reply to comment #20) > Going to this URL and scrolling down reproduces the crash in a 100% > > http://wiki.inkscape.org/wiki/index.php/Release_notes/0.92#Important_changes Confirmed with r210274.
Zan Dobersek
Comment 22 2017-01-04 09:55:28 PST
(In reply to comment #21) > (In reply to comment #20) > > Going to this URL and scrolling down reproduces the crash in a 100% > > > > http://wiki.inkscape.org/wiki/index.php/Release_notes/0.92#Important_changes > > Confirmed with r210274. That's using MiniBrowser. I get a pretty good crash rate if I remove the ~/.cache/MiniBrowser cache before each run.
Carlos Garcia Campos
Comment 23 2017-01-05 04:13:17 PST
Created attachment 298091 [details] Patch Could you please try this new patch?
Zan Dobersek
Comment 24 2017-01-05 11:40:58 PST
(In reply to comment #23) > Created attachment 298091 [details] > Patch > > Could you please try this new patch? I am not able to reproduce the crash with it, while I can still easily reproduce the crash without the patch applied.
Andres Gomez Garcia
Comment 25 2017-01-07 14:04:20 PST
Created attachment 298283 [details] BT from gdb for the WebProcess, with the new patch
Andres Gomez Garcia
Comment 26 2017-01-07 14:04:44 PST
(In reply to comment #25) > Created attachment 298283 [details] > BT from gdb for the WebProcess, with the new patch Keeps crashing ...
Andres Gomez Garcia
Comment 27 2017-01-07 14:07:33 PST
Created attachment 298284 [details] BT from gdb for the UIProcess, with the new patch Immediately after the SIGSEV in the WebProcess, we have this SIGSEV in the UIProcess. This is the message in the console: -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- The program with pid 29593 received an X Window System error. The error was 'BadDamage (invalid Damage parameter)'. -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< --
Carlos Garcia Campos
Comment 28 2017-01-08 23:50:54 PST
(In reply to comment #25) > Created attachment 298283 [details] > BT from gdb for the WebProcess, with the new patch This bt proves the patch works indeed, main thread is waiting in the mutex, while the decoder thread is the only one decoding the gif image.
Carlos Garcia Campos
Comment 29 2017-01-08 23:54:33 PST
(In reply to comment #26) > (In reply to comment #25) > > Created attachment 298283 [details] > > BT from gdb for the WebProcess, with the new patch > > Keeps crashing ... Due to an assert when accessing passed in rowBuffer: const unsigned char sourceValue = rowBuffer[(m_scaled ? m_scaledColumns[x] : x) - frameContext->xOffset]; it seems that can overflow, which looks unrelated to the threading issue, I think, I would need to look at it in more detail to be sure.
Carlos Garcia Campos
Comment 30 2017-01-08 23:55:16 PST
(In reply to comment #27) > Created attachment 298284 [details] > BT from gdb for the UIProcess, with the new patch > > Immediately after the SIGSEV in the WebProcess, we have this SIGSEV in the > UIProcess. > > This is the message in the console: > > > -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- > > The program with pid 29593 received an X Window System error. > The error was 'BadDamage (invalid Damage parameter)'. > > -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- 8< -- This is also a different issue.
Carlos Garcia Campos
Comment 31 2017-01-09 04:13:26 PST
Committed r210501: <http://trac.webkit.org/changeset/210501>
Note You need to log in before you can comment on or make changes to this bug.