Bug 181581 - [GTK] Crash in JSC JSValueIsNumber
Summary: [GTK] Crash in JSC JSValueIsNumber
Status: RESOLVED DUPLICATE of bug 181438
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P3 Normal
Assignee: Nobody
URL:
Keywords: Gtk
Depends on:
Blocks:
Reported: 2018-01-11 23:05 PST by Michael Gratton
Modified: 2018-01-16 06:11 PST

See Also:
Description Michael Gratton 2018-01-11 23:05:18 PST
I just noticed Geary built by flatpak against gnome-nightly (WebKitGTK+ 2.19.5) is crashing in a call to JSC:

Thread 1 "geary" received signal SIGSEGV, Segmentation fault.
0x00007f19b73c985c in WTFCrash ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/Assertions.cpp:272
272	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007f19b73c985c in WTFCrash() ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/Assertions.cpp:272
#1  0x00007f19b72a3d05 in JSC::VM::updateStackLimits() ()
    at /run/build-runtime/WebKitGTK+/Source/JavaScriptCore/runtime/VM.cpp:814
#2  0x00007f19b7179dc4 in JSC::JSLock::lock(long) ()
    at /run/build-runtime/WebKitGTK+/Source/JavaScriptCore/runtime/JSLock.cpp:144
#3  0x00007f19b7179dc4 in JSC::JSLock::lock(long) ()
    at /run/build-runtime/WebKitGTK+/Source/JavaScriptCore/runtime/JSLock.cpp:121
#4  0x00007f19b68e208d in JSValueIsNumber() ()
    at /run/build-runtime/WebKitGTK+/Source/JavaScriptCore/API/JSValueRef.cpp:136
#5  0x0000000000637f3e in geary_js_to_number (context=context@entry=0x7f19219e00f8, value=0xffff000000000036, error=error@entry=0x7fff2e370968)
    at /run/build/geary/src/engine/util/util-js.vala:48
#6  0x00000000004cb203 in web_kit_util_to_number (_result_=_result_@entry=0x7f199f6fb7b0, error=error@entry=0x7fff2e370998)
    at /run/build/geary/src/client/util/util-webkit.vala:37
#7  0x0000000000457149 in _client_web_view_on_preferred_height_changed_client_web_view_java_script_message_handler (_result_=0x7f199f6fb7b0, self=0x320fd80 [ConversationWebView]) at /run/build/geary/src/client/components/client-web-view.vala:509
#8  0x0000000000457149 in _client_web_view_on_preferred_height_changed_client_web_view_java_script_message_handler (js_result=0x7f199f6fb7b0, self=0x320fd80)
    at /run/build/geary/src/client/components/client-web-view.vala:297
#12 0x00007f19bc867a2f in <emit signal script-message-received:preferredHeightChanged on instance 0x7f193c056020 [WebKitUserContentManager]> (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3447
    #9  0x00007f19bc84b5f5 in g_closure_invoke (closure=0x321dfc0, return_value=return_value@entry=0x0, n_param_values=2, param_values=param_values@entry=0x7fff2e370b70, invocation_hint=invocation_hint@entry=0x7fff2e370af0) at gclosure.c:804
    #10 0x00007f19bc85e8b2 in signal_emit_unlocked_R (node=node@entry=0x304bfd0, detail=detail@entry=3449, instance=instance@entry=0x7f193c056020, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fff2e370b70)
    at gsignal.c:3635
    #11 0x00007f19bc867648 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fff2e370d30)
    at gsignal.c:3391
#13 0x00007f19b7feac09 in ScriptMessageClientGtk::didPostMessage(WebKit::WebPageProxy&, WebKit::FrameInfoData const&, WebCore::SerializedScriptValue&) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp:194
#14 0x00007f19b7e69b6d in WebKit::WebUserContentControllerProxy::didPostMessage(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/UIProcess/UserContent/WebUserContentControllerProxy.cpp:323
#15 0x00007f19b81790c6 in IPC::handleMessage<Messages::WebUserContentControllerProxy::Did---Type <return> to continue, or q <return> to quit---
PostMessage, WebKit::WebUserContentControllerProxy, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebUserContentControllerProxy*, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/HandleMessage.h:82
#16 0x00007f19b81790c6 in IPC::handleMessage<Messages::WebUserContentControllerProxy::DidPostMessage, WebKit::WebUserContentControllerProxy, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebUserContentControllerProxy*, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/HandleMessage.h:88
#17 0x00007f19b81790c6 in IPC::handleMessage<Messages::WebUserContentControllerProxy::DidPostMessage, WebKit::WebUserContentControllerProxy, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebUserContentControllerProxy*, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/HandleMessage.h:165
#18 0x00007f19b8178bfe in WebKit::WebUserContentControllerProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ()
    at /run/build-runtime/WebKitGTK+/DerivedSources/WebKit/WebUserContentControllerProxyMessageReceiver.cpp:40
#19 0x00007f19b7cf9f79 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:123
#20 0x00007f19b7df6ad2 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/UIProcess/WebProcessProxy.cpp:593
#21 0x00007f19b7cf4040 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/Connection.cpp:901
#22 0x00007f19b7cf4040 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/Connection.cpp:928
#23 0x00007f19b7cf4a18 in IPC::Connection::dispatchOneMessage() ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/Connection.cpp:959
#24 0x00007f19ba2d27a7 in WTF::RunLoop::performWork() ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/Function.h:56
#25 0x00007f19ba2d27a7 in WTF::RunLoop::performWork() ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/RunLoop.cpp:106
#26 0x00007f19ba316cc9 in _FUN() ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) bt full
#0  0x00007f19b73c985c in WTFCrash() ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/Assertions.cpp:272
#1  0x00007f19b72a3d05 in JSC::VM::updateStackLimits() ()
    at /run/build-runtime/WebKitGTK+/Source/JavaScriptCore/runtime/VM.cpp:814
#2  0x00007f19b7179dc4 in JSC::JSLock::lock(long) ()
    at /run/build-runtime/WebKitGTK+/Source/JavaScriptCore/runtime/JSLock.cpp:144
#3  0x00007f19b7179dc4 in JSC::JSLock::lock(long) ()
    at /run/build-runtime/WebKitGTK+/Source/JavaScriptCore/runtime/JSLock.cpp:121
#4  0x00007f19b68e208d in JSValueIsNumber() ()
    at /run/build-runtime/WebKitGTK+/Source/JavaScriptCore/API/JSValueRef.cpp:136
#5  0x0000000000637f3e in geary_js_to_number (context=context@entry=0x7f19219e00f8, value=0xffff000000000036, error=error@entry=0x7fff2e370968)
    at /run/build/geary/src/engine/util/util-js.vala:48
        result = 0
        _tmp0_ = 0x7f19219e00f8
        _tmp1_ = <optimized out>
        err = 0x0
        number = 0
        _tmp5_ = <optimized out>
        _tmp6_ = 0x0
        _tmp7_ = <optimized out>
        _tmp8_ = <optimized out>
        _tmp10_ = <optimized out>
        _tmp11_ = <optimized out>
        _inner_error_ = 0x0
#6  0x00000000004cb203 in web_kit_util_to_number (_result_=_result_@entry=0x7f199f6fb7b0, error=error@entry=0x7fff2e370998)
    at /run/build/geary/src/client/util/util-webkit.vala:37
        _tmp0_ = 0
        _tmp1_ = 0x7f199f6fb7b0
        _tmp2_ = 0x7f19219e00f8
        _tmp4_ = <optimized out>
        _tmp5_ = <optimized out>
        _inner_error_ = 0x0
        __func__ = "web_kit_util_to_number"
#7  0x0000000000457149 in _client_web_view_on_preferred_height_changed_client_web_view_java_script_message_handler (_result_=0x7f199f6fb7b0, self=0x320fd80 [ConversationWebView]) at /run/build/geary/src/client/components/client-web-view.vala:509
        _tmp1_ = 0x7f199f6fb7b0
        _tmp3_ = <optimized out>
        _tmp0_ = 0
        _tmp2_ = <optimized out>
        height = 0
        _tmp4_ = <optimized out>
        _inner_error_ = 0x0
---Type <return> to continue, or q <return> to quit---
#8  0x0000000000457149 in _client_web_view_on_preferred_height_changed_client_web_view_java_script_message_handler (js_result=0x7f199f6fb7b0, self=0x320fd80)
    at /run/build/geary/src/client/components/client-web-view.vala:297
#12 0x00007f19bc867a2f in <emit signal script-message-received:preferredHeightChanged on instance 0x7f193c056020 [WebKitUserContentManager]> (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3447
Python Exception <class 'gdb.error'> Attempt to dereference a generic pointer.: 
#13 0x00007f19b7feac09 in ScriptMessageClientGtk::didPostMessage(WebKit::WebPageProxy&, WebKit::FrameInfoData const&, WebCore::SerializedScriptValue&) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/UIProcess/API/glib/WebKitUserContentManager.cpp:194
#14 0x00007f19b7e69b6d in WebKit::WebUserContentControllerProxy::didPostMessage(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/UIProcess/UserContent/WebUserContentControllerProxy.cpp:323
#15 0x00007f19b81790c6 in IPC::handleMessage<Messages::WebUserContentControllerProxy::DidPostMessage, WebKit::WebUserContentControllerProxy, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebUserContentControllerProxy*, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/HandleMessage.h:82
#16 0x00007f19b81790c6 in IPC::handleMessage<Messages::WebUserContentControllerProxy::DidPostMessage, WebKit::WebUserContentControllerProxy, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebUserContentControllerProxy*, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/HandleMessage.h:88
#17 0x00007f19b81790c6 in IPC::handleMessage<Messages::WebUserContentControllerProxy::DidPostMessage, WebKit::WebUserContentControllerProxy, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebUserContentControllerProxy*, void (WebKit::WebUserContentControllerProxy::*)(IPC::Connection&, unsigned long, WebKit::FrameInfoData const&, unsigned long, IPC::DataReference const&)) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/HandleMessage.h:165
#18 0x00007f19b8178bfe in WebKit::WebUserContentControllerProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ()
    at /run/build-runtime/WebKitGTK+/DerivedSources/WebKit/WebUserContentControllerProxyMessageReceiver.cpp:40
#19 0x00007f19b7cf9f79 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:123
#20 0x00007f19b7df6ad2 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IP---Type <return> to continue, or q <return> to quit---
C::Decoder&) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/UIProcess/WebProcessProxy.cpp:593
#21 0x00007f19b7cf4040 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/Connection.cpp:901
#22 0x00007f19b7cf4040 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/Connection.cpp:928
#23 0x00007f19b7cf4a18 in IPC::Connection::dispatchOneMessage() ()
    at /run/build-runtime/WebKitGTK+/Source/WebKit/Platform/IPC/Connection.cpp:959
#24 0x00007f19ba2d27a7 in WTF::RunLoop::performWork() ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/Function.h:56
#25 0x00007f19ba2d27a7 in WTF::RunLoop::performWork() ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/RunLoop.cpp:106
#26 0x00007f19ba316cc9 in _FUN() ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#27 0x00007f19ba316cc9 in _FUN() ()
    at /run/build-runtime/WebKitGTK+/Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#28 0x00007f19bc5701da in g_main_context_dispatch (context=0x1dc8060) at gmain.c:3200
        dispatch = 0x7f19ba316ce0 <_FUN()>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7f199f6f9000
        callback = 0x7f19ba316cc0 <_FUN()>
        cb_funcs = <optimized out>
        cb_data = 0x1eda7d0
        need_destroy = <optimized out>
        source = 0x1eb7290
        current = 0x1def600
        i = 0
#29 0x00007f19bc5701da in g_main_context_dispatch (context=context@entry=0x1dc8060)
    at gmain.c:3853
#30 0x00007f19bc570598 in g_main_context_iterate (context=context@entry=0x1dc8060, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3926
        max_priority = 100
        timeout = 0
        some_ready = 1
        nfds = 5
        allocated_nfds = 5
        fds = <optimized out>
#31 0x00007f19bc57064c in g_main_context_iteration (context=context@entry=0x1dc8060, may_block=may_block@entry=1) at gmain.c:3987
        retval = <optimized out>
#32 0x00007f19bbce3cbd in g_application_run (application=0x1dc91d0 [GearyApplication], argc=argc@entry=2, argv=argv@entry=0x7fff2e371488) at gapplication.c:2482
---Type <return> to continue, or q <return> to quit---
        arguments = 0x1dc8d80
        status = 0
        context = 0x1dc8060
        acquired_context = <optimized out>
        __func__ = "g_application_run"
#33 0x0000000000424723 in _vala_main (args=0x7fff2e371488, args_length1=2)
    at /run/build/geary/src/client/application/main.vala:33
        result = 0
        app = 0x1dc91d0 [GearyApplication]
        _tmp0_ = 0x1dc91d0 [GearyApplication]
        ec = 0
        _tmp1_ = 0x7fff2e371488
        _tmp1__length1 = 2
        _tmp2_ = <optimized out>
#34 0x0000003c65a20291 in __libc_start_main (main=
    0x4245b0 <main>, argc=2, argv=0x7fff2e371488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff2e371478)
    at /usr/src/debug/glibc/2.24-r0/git/csu/libc-start.c:289
        result = <optimized out>
        unwind_buf = 
              {cancel_jmp_buf = {{jmp_buf = {0, 8760660604672724399, 4343232, 140733968749696, 0, 0, -8761116703833272913, 8785632185294310831}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fff2e3714a0, 0x3c65824170}, data = {prev = 0x0, cleanup = 0x0, canceltype = 775361696}}}
        not_first_call = <optimized out>
#35 0x00000000004245ea in _start () at ../sysdeps/x86_64/start.S:120
Comment 1 Michael Gratton 2018-01-12 02:46:17 PST
Apparently 0xbbadbeef might indicate a gigacage issue? Setting GIGACAGE_ENABLED=0 at runtime didn't help though.
Comment 2 Michael Catanzaro 2018-01-12 07:49:00 PST
2.19.5 is super broken, sorry!

See bug #179914 for the original problem, and bug #181438 (which I'm working on today) for why my solution to that was a bad idea.

*** This bug has been marked as a duplicate of bug 181438 ***
Comment 3 Michael Catanzaro 2018-01-16 06:11:04 PST
OK, it took a few days, but this should be fixed next time you run 'flatpak update'.

P.S. Unrelated: that means you should be able to review https://bugzilla.gnome.org/show_bug.cgi?id=791230 now. ;)