WebKit Bugzilla
RESOLVED FIXED
186033
[GTK] [2.21.2] WTF::CrashOnOverflow::crash() when using the 32-bit (x86) JIT
https://bugs.webkit.org/show_bug.cgi?id=186033
Alberto Garcia
Reported
2018-05-28 04:08:18 PDT
I can crash WebKitGTK+ 2.21.2 on x86 easily with this command:

$ MiniBrowser https://www.couchsurfing.com/dashboard

The problem can be worked around by disabling the JIT compiler (JavaScriptCoreUseJIT=0). Here's the backtrace:

Thread 1 "WebKitWebProces" received signal SIGSEGV, Segmentation fault.
WTFCrash () at ./Source/WTF/wtf/Assertions.cpp:267
267	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  WTFCrash () at ./Source/WTF/wtf/Assertions.cpp:267
#1  0xf341d145 in WTF::CrashOnOverflow::crash () at ./obj-i686-linux-gnu/DerivedSources/ForwardingHeaders/wtf/CheckedArithmetic.h:85
#2  WTF::CrashOnOverflow::overflowed () at ./obj-i686-linux-gnu/DerivedSources/ForwardingHeaders/wtf/CheckedArithmetic.h:78
#3  WTF::Vector<JSC::JITGetByIdGenerator, 0u, WTF::CrashOnOverflow, 16u>::at () at ./obj-i686-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Vector.h:691
#4  WTF::Vector<JSC::JITGetByIdGenerator, 0u, WTF::CrashOnOverflow, 16u>::operator[] () at ./obj-i686-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Vector.h:711
#5  JSC::JIT::emitSlow_op_get_by_id () at ./Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp:679
#6  0xf33d0457 in JSC::JIT::privateCompileSlowCases () at ./Source/JavaScriptCore/jit/JIT.cpp:525
#7  0xf33d507d in JSC::JIT::compileWithoutLinking () at ./Source/JavaScriptCore/jit/JIT.cpp:724
#8  0xf34359ae in JSC::JITWorklist::Plan::compileInThread () at ./Source/JavaScriptCore/jit/JITWorklist.cpp:48
#9  JSC::JITWorklist::Plan::compileNow () at ./Source/JavaScriptCore/jit/JITWorklist.cpp:89
#10 0xf343284a in JSC::JITWorklist::compileLater () at ./Source/JavaScriptCore/jit/JITWorklist.cpp:233
#11 0xf345e93e in JSC::LLInt::jitCompileAndSetHeuristics () at ./Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:356
#12 0xf345d444 in entryOSR () at ./Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:378
#13 0xf3445b7e in llint_entry () from /usr/lib/i386-linux-gnu/libjavascriptcoregtk-4.0.so.18
#14 0xf344a2f7 in llint_entry () from /usr/lib/i386-linux-gnu/libjavascriptcoregtk-4.0.so.18
#15 0xf344a2f7 in llint_entry () from /usr/lib/i386-linux-gnu/libjavascriptcoregtk-4.0.so.18
#16 0xf344a53c in llint_entry () from /usr/lib/i386-linux-gnu/libjavascriptcoregtk-4.0.so.18
#17 0xf344a2f7 in llint_entry () from /usr/lib/i386-linux-gnu/libjavascriptcoregtk-4.0.so.18
#18 0xf344a2f7 in llint_entry () from /usr/lib/i386-linux-gnu/libjavascriptcoregtk-4.0.so.18
#19 0xf3444e1d in vmEntryToJavaScript () from /usr/lib/i386-linux-gnu/libjavascriptcoregtk-4.0.so.18
#20 0xf33bfd8c in JSC::JITCode::execute () at ./Source/JavaScriptCore/jit/JITCodeInlines.h:38
#21 JSC::Interpreter::executeProgram () at ./Source/JavaScriptCore/interpreter/Interpreter.cpp:956
#22 0xf35afe34 in JSC::evaluate () at ./Source/JavaScriptCore/runtime/Completion.cpp:103
#23 0xf35aff95 in JSC::profiledEvaluate () at ./Source/JavaScriptCore/runtime/Completion.cpp:118
#24 0xf5f928e6 in WebCore::JSMainThreadExecState::profiledEvaluate () at ./Source/WebCore/bindings/js/JSMainThreadExecState.h:78
#25 WebCore::ScriptController::evaluateInWorld () at ./Source/WebCore/bindings/js/ScriptController.cpp:130
#26 0xf5f92af8 in WebCore::ScriptController::evaluate () at ./Source/WebCore/bindings/js/ScriptController.cpp:146
#27 0xf61e4b63 in WebCore::ScriptElement::executeClassicScript () at ./Source/WebCore/dom/ScriptElement.cpp:387
#28 0xf61b3731 in WebCore::LoadableClassicScript::execute () at ./Source/WebCore/dom/LoadableClassicScript.cpp:123
#29 0xf61f08ba in WebCore::ScriptElement::executeScriptAndDispatchEvent () at ./Source/WebCore/dom/ScriptElement.cpp:426
#30 0xf61f09dd in WebCore::ScriptElement::executePendingScript () at ./Source/WebCore/dom/ScriptElement.cpp:434
#31 0xf64146fe in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent () at ./Source/WebCore/html/parser/HTMLScriptRunner.cpp:114
#32 0xf641a70b in WebCore::HTMLScriptRunner::executeParsingBlockingScripts () at ./Source/WebCore/html/parser/HTMLScriptRunner.cpp:164
#33 0xf641b90e in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::DumbPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&) () at ./Source/WebCore/html/parser/HTMLScriptRunner.cpp:148
#34 0xf6407318 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder () at ./Source/WebCore/html/parser/HTMLDocumentParser.cpp:212
#35 0xf640813e in WebCore::HTMLDocumentParser::pumpTokenizerLoop () at ./Source/WebCore/html/parser/HTMLDocumentParser.cpp:231
#36 0xf640828d in WebCore::HTMLDocumentParser::pumpTokenizer () at ./Source/WebCore/html/parser/HTMLDocumentParser.cpp:281
#37 0xf640848d in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible () at ./Source/WebCore/html/parser/HTMLDocumentParser.cpp:172
#38 0xf6408c9e in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution () at ./Source/WebCore/html/parser/HTMLDocumentParser.cpp:500
#39 0xf6408ef5 in WebCore::HTMLDocumentParser::executeScriptsWaitingForStylesheets () at ./Source/WebCore/html/parser/HTMLDocumentParser.cpp:568
#40 0xf61f3245 in WebCore::ScriptableDocumentParser::scriptsWaitingForStylesheetsExecutionTimerFired () at ./Source/WebCore/dom/ScriptableDocumentParser.cpp:67
#41 0xf66f5350 in WebCore::ThreadTimers::sharedTimerFiredInternal () at ./Source/WebCore/platform/ThreadTimers.cpp:117
#42 0xf66f540f in operator() () at ./Source/WebCore/platform/ThreadTimers.cpp:69
#43 call () at ./obj-i686-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Function.h:101
#44 0xf384bbae in operator() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:170
#45 _FUN () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:176
#46 0xf3fabd94 in g_main_context_dispatch () from /usr/lib/i386-linux-gnu/libglib-2.0.so.0
#47 0xf3fac1a9 in ?? () from /usr/lib/i386-linux-gnu/libglib-2.0.so.0
#48 0xf3fac559 in g_main_loop_run () from /usr/lib/i386-linux-gnu/libglib-2.0.so.0
#49 0xf384c069 in WTF::RunLoop::run () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:96
#50 0xf58e029a in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> () at ./Source/WebKit/Shared/unix/ChildProcessMain.h:61
#51 0xf58dff7c in WebProcessMainUnix () at ./Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:67
#52 0x5661073a in main () at ./Source/WebKit/WebProcess/EntryPoint/unix/WebProcessMain.cpp:52
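On reading the trace: frames #3 to #0 show WTF::Vector::at() handing an out-of-range index to the CrashOnOverflow policy, which ends in WTFCrash writing to 0xbbadbeef. The SIGSEGV is therefore the bounds check firing deterministically, not memory past the buffer being read; the index the 32-bit slow path computed for the JITGetByIdGenerator vector did not match the vector's size. The C++ below is an added illustration of that fail-closed pattern and is not WebKit code or anything from this report: CheckedVector, AbortOnOverflow, RecordOverflow and walkRecords are hypothetical names, the at() check mirrors only the shape of the one in WTF::Vector, and walkRecords models the shape of a slow-case loop indexing records with a separate counter, not the actual cause of this bug.

```cpp
#include <cstddef>
#include <cstdlib>
#include <vector>

// Policy playing the role of WTF::CrashOnOverflow: a bad index ends the
// process at a known point instead of touching memory past the buffer.
struct AbortOnOverflow {
    static void overflowed() { std::abort(); }
};

// Hypothetical policy for exercising the check in-process: record the event.
struct RecordOverflow {
    static bool hit;
    static void overflowed() { hit = true; }
};
bool RecordOverflow::hit = false;

// Minimal model (hypothetical) of a vector with an overflow-handler policy.
// at() performs the same "index >= size() ? handler : buffer[index]" check
// that frame #3 of the report is executing.
template <typename T, typename OverflowHandler = AbortOnOverflow>
class CheckedVector {
public:
    void append(const T& value) { m_items.push_back(value); }
    size_t size() const { return m_items.size(); }

    T& at(size_t i) {
        if (i >= m_items.size()) {
            OverflowHandler::overflowed();
            // Only reached with a non-aborting handler: hand back a
            // sentinel rather than reading beyond the buffer.
            return m_sentinel;
        }
        return m_items[i];
    }
    T& operator[](size_t i) { return at(i); }

private:
    std::vector<T> m_items;
    T m_sentinel = T();
};

// Models the shape of a slow-case loop: a separate counter walks a vector
// of per-bytecode records. If the counter and the vector get out of step,
// the counter runs past the end and the check fires on the first bad index.
template <typename Handler>
int walkRecords(CheckedVector<int, Handler>& records, size_t slowCases) {
    int total = 0;
    for (size_t i = 0; i < slowCases; ++i)
        total += records[i];
    return total;
}

// Counter and vector agree: every access is in bounds, the handler never runs.
bool inStep() {
    CheckedVector<int, RecordOverflow> records;
    records.append(1); records.append(2); records.append(3);
    RecordOverflow::hit = false;
    return walkRecords(records, 3) == 6 && !RecordOverflow::hit;
}

// Counter is one ahead of the vector: the handler fires and no element
// beyond the buffer is ever read.
bool outOfStep() {
    CheckedVector<int, RecordOverflow> records;
    records.append(1); records.append(2);
    RecordOverflow::hit = false;
    walkRecords(records, 3);
    return RecordOverflow::hit;
}

int main() {
    CheckedVector<int> records;   // AbortOnOverflow, as a real build would use
    records.append(42);
    int ok = records.at(0);
    // records.at(1) would abort here: the analogue of frame #0 (WTFCrash).
    return (ok == 42 && inStep() && outOfStep()) ? 0 : 1;
}
```

The practical consequence for triage is that a trace ending in CrashOnOverflow::crash points at a logic error upstream (here, the index computed by the JIT slow path), and the stack above frame #3 is where to look; the crash site itself is the mitigation working as designed.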
Alberto Garcia
Comment 1
2018-05-28 06:40:49 PDT
Ok, this seems to work fine in 2.21.3 (just released now). I'm closing this bug.
Yusuke Suzuki
Comment 2
2018-05-29 05:25:30 PDT
I think it is fixed by InById fixes.