Bug 171570 - [GTK][Stable] JSC segfault when visiting energie-developpment webpage
Summary: [GTK][Stable] JSC segfault when visiting energie-developpment webpage
Status: RESOLVED DUPLICATE of bug 173643
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Reported: 2017-05-02 14:16 PDT by Cédric Bellegarde
Modified: 2017-06-24 12:53 PDT (History)
Attachments
Backtrace, registers, assembler, etc. (163.21 KB, text/plain)
2017-05-02 15:33 PDT, Michael Catanzaro
Description Cédric Bellegarde 2017-05-02 14:16:42 PDT
Visiting http://energie-developpement.blogspot.fr/2017/04/programme-energie-climat-lepen-macron.html makes WebKitGTK2 segfault.

Happens with Epiphany and other web browsers using WebKitGTK2.
Comment 1 Michael Catanzaro 2017-05-02 15:23:14 PDT
I've seen this before, but hadn't moved it upstream yet. Great that you found a reproducer. It looks like this crash is fairly rare; we only have 86 reports of it total in Fedora. I've got a backtrace, but unfortunately as with any JSC crash it's of quite limited value:

#0  0x00007fd5ae464660 in JSC::JSValue::isString() const (this=0x7ffd44060e00)
    at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:576
#1  0x00007fd5ae464660 in JSC::JSValue::equalSlowCaseInline(JSC::ExecState*, JSC::JSValue, JSC::JSValue) (v2=..., v1=..., exec=0x7ffd44060f80)
    at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:930
#2  0x00007fd5ae464660 in JSC::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue) (exec=0x7ffd44060f80, encodedOp1=<optimized out>, encodedOp2=<optimized out>)
    at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/jit/JITOperations.cpp:1086
#3  0x00007fd54823be14 in  ()
#4  0x00007fd4fcd44908 in  ()
#5  0xffff000000000000 in  ()
#6  0xffff000000000002 in  ()

#7  0x00007fd5482324fe in  ()
#8  0xffff000000000000 in  ()

#9  0xffff000000000000 in  ()
#10 0xffff000000000000 in  ()
#11 0x00007fd5120bbbe0 in  ()
#12 0x00007fd5107a3640 in  ()
#13 0x00007fd5ae852c5e in bmalloc::PerThreadStorage<bmalloc::Cache>::get() ()
    at /usr/src/debug/webkitgtk-2.16.1/Source/bmalloc/bmalloc/PerThread.h:94
#14 0x00007fd5ae852c5e in bmalloc::PerThread<bmalloc::Cache>::getFastCase() ()
    at /usr/src/debug/webkitgtk-2.16.1/Source/bmalloc/bmalloc/PerThread.h:118
#15 0x00007fd5ae852c5e in bmalloc::Cache::allocate(unsigned long) (size=140553723314176) at /usr/src/debug/webkitgtk-2.16.1/Source/bmalloc/bmalloc/Cache.h:77
#16 0x00007fd5ae852c5e in bmalloc::api::malloc(unsigned long) (size=140553723314176) at /usr/src/debug/webkitgtk-2.16.1/Source/bmalloc/bmalloc/bmalloc.h:43
#17 0x00007fd5ae852c5e in WTF::fastMalloc(unsigned long) (size=140553723314176)
    at /usr/src/debug/webkitgtk-2.16.1/Source/WTF/wtf/FastMalloc.cpp:256
#18 0x00007fd5ae75016a in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:53
        end = <optimized out>
#19 0x00007fd5ae75016a in JSC::PropertyTable::PropertyTable(JSC::VM&, JSC::PropertyTable const&) (this=0x7fd4ef1497a8, vm=..., other=...)
    at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/PropertyTable.cpp:77
        end = <optimized out>
#20 0xffff0000793cc336 in  ()
#21 0x0000000000000008 in  ()
#22 0x00007fd4ef181b90 in  ()
#23 0x00007fd5106d1c80 in  ()
#24 0x00007fd5107a3640 in  ()
#25 0x00007fd53697e6e0 in  ()
#26 0x00007fd5120a1260 in  ()
#27 0x00007fd5106d1c80 in  ()
#28 0x00007ffd00000000 in  ()
#29 0x00007fd400000000 in  ()
#30 0x00007fd4ef1b6920 in  ()
#31 0x00007fd4ef181b90 in  ()
#32 0x00007fd5793cc336 in  ()
#33 0x00007fd4ef181b90 in  ()
#34 0x00007fd53697e6e0 in  ()
#35 0x00007fd4ef14c9a0 in  ()
#36 0x00007fd4ef151b70 in  ()
#37 0x00007fd512422068 in  ()
#38 0x00007fd536c00000 in  ()
#39 0x00007fd52ac91460 in  ()
#40 0x00007fd4fcd44908 in  ()
#41 0xffff000000000000 in  ()
#42 0xffff000000000002 in  ()
#43 0x00007ffd44061000 in  ()
#44 0x00007fd54812df1a in  ()
#45 0x00007fd4f483b8e0 in  ()
#46 0x00007fd5121745b0 in  ()
#47 0x0000000300000003 in  ()
#48 0x00007fd512422068 in  ()
#49 0x00007fd4ef1adc20 in  ()
#50 0x00007fd4ef151b70 in  ()
#51 0x00007fd5121745b0 in  ()
#52 0x00007fd512179000 in  ()
#53 0x00007fd4ef151b70 in  ()
#54 0x00007fd512422068 in  ()
#55 0x00007fd512422068 in  ()
#56 0x00007fd4fcd44908 in  ()
#57 0xffff000000000000 in  ()
#58 0xffff000000000002 in  ()
#59 0x00007ffd44061080 in  ()
#60 0x00007fd54814f80a in  ()
#61 0x00007fd510686020 in  ()
#62 0x00007fd512179000 in  ()
#63 0x000000aa00000002 in  ()
#64 0x00007fd4ef14e8a0 in  ()
#65 0x00007fd4ef1adc20 in  ()
#66 0xffff000000000000 in  ()
#67 0x00007ffd440610e0 in  ()
#68 0x00007fd4ef151b40 in  ()
#69 0x00007fd4f48be260 in  ()
#70 0x00007fd536c00000 in  ()
#71 0x00007fd52ac91460 in  ()
#72 0x00007fd4fcd44908 in  ()
#73 0xffff000000000000 in  ()
#74 0xffff000000000002 in  ()
#75 0x00007ffd44061150 in  ()
#76 0x00007fd5481f13c6 in  ()
#77 0x00007fd4f493fb20 in  ()
#78 0x00007fd51214edd0 in  ()
#79 0x0000000000000001 in  ()
#80 0x00007fd4ef151b40 in  ()
#81 0x000000000000000a in  ()
#82 0x00007fd512422068 in  ()
#83 0x00007fd512422068 in  ()
#84 0x00007fd4ef151b40 in  ()
#85 0x00007fd4ef1adc20 in  ()
#86 0xffff000000000002 in  ()
#87 0x00007ffd44061190 in  ()
#88 0x00007fd4ef150a30 in  ()
#89 0x00007fd51067c2e0 in  ()
#90 0x00007fd5ae21ed6b in JSC::DFG::operationNewEmptyArray(JSC::ExecState*, JSC::Structure*) (exec=<optimized out>, arrayStructure=0x7fd4ef182050)
    at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCellInlines.h:168
#91 0x00007fd4fcd44908 in  ()
#92 0xffff000000000000 in  ()
#93 0xffff000000000002 in  ()
#94 0x00007ffd440611e0 in  ()
#95 0x00007fd5ae4c0c91 in llint_entry ()
    at /lib64/libjavascriptcoregtk-4.0.so.18
Comment 2 Michael Catanzaro 2017-05-02 15:33:30 PDT
Created attachment 308860
Backtrace, registers, assembler, etc.

I'm attaching the backtrace from Red Hat Bugzilla, as it shows extras like register state and assembler dump that I think could be helpful for this bug.

Note the crash is here:

#0  JSC::JSValue::isString (this=0x7ffdb95fefe0) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:576
576	    return isCell() && asCell()->isString();
Comment 3 Michael Catanzaro 2017-05-02 15:34:56 PDT
Also note that the Red Hat Bugzilla trace shows a *slightly* different crash, as it shows JSC::DFG::operationValueAddNotNumber at frame 36, while my trace above instead shows JSC::DFG::operationNewEmptyArray at frame 90. But I bet it's the same underlying issue.
Comment 4 Carlos Alberto Lopez Perez 2017-05-02 15:43:28 PDT
The test page is working fine for me with the MiniBrowser on today's trunk (r216073).

So I guess this was fixed between 2.16.0=r212635 and r216073.
Comment 5 Michael Catanzaro 2017-05-02 15:52:13 PDT
Good to know, thanks Carlos. Unfortunately that's 3438 commits to look through.

Hey JSC devs, does this trace look familiar? Maybe someone will remember fixing this recently?
Comment 6 Michael Catanzaro 2017-06-24 12:53:22 PDT

*** This bug has been marked as a duplicate of bug 173643 ***