Bug 195532 - [GTK] webkit2gtk3: magazine_chain_pop_head(): WebKitWebProcess killed by SIGSEGV
Summary: [GTK] webkit2gtk3: magazine_chain_pop_head(): WebKitWebProcess killed by SIGSEGV
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: WebKit Nightly Build
Hardware: PC Linux
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-10 11:53 PDT by Ryan Farmer
Modified: 2019-03-12 09:31 PDT (History)
2 users (show)

See Also:


Attachments
backtrace (32.34 KB, text/plain)
2019-03-10 11:53 PDT, Ryan Farmer
no flags Details
cgroup (345 bytes, text/plain)
2019-03-10 11:54 PDT, Ryan Farmer
no flags Details
core backtrace (137.42 KB, text/plain)
2019-03-10 11:55 PDT, Ryan Farmer
no flags Details
cpu info (1.40 KB, text/plain)
2019-03-10 11:55 PDT, Ryan Farmer
no flags Details
dso list (19.58 KB, text/plain)
2019-03-10 11:56 PDT, Ryan Farmer
no flags Details
environ (3.56 KB, text/plain)
2019-03-10 11:57 PDT, Ryan Farmer
no flags Details
exploitable (82 bytes, text/plain)
2019-03-10 11:57 PDT, Ryan Farmer
no flags Details
limits (1.29 KB, text/plain)
2019-03-10 11:57 PDT, Ryan Farmer
no flags Details
maps (189.62 KB, text/plain)
2019-03-10 11:58 PDT, Ryan Farmer
no flags Details
mountinfo (3.88 KB, text/plain)
2019-03-10 11:58 PDT, Ryan Farmer
no flags Details
open fds (4.99 KB, text/plain)
2019-03-10 11:59 PDT, Ryan Farmer
no flags Details
proc pid status (1.30 KB, text/plain)
2019-03-10 11:59 PDT, Ryan Farmer
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ryan Farmer 2019-03-10 11:53:58 PDT
Created attachment 364183 [details]
backtrace

This is a copy of this bug on fedora's Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1687186

Description of problem:
Watching the video about GTA V on this page causes the webkit process to crash.

https://laptoping.com/gpus/product/intel-hd-620-review-graphics-of-7th-gen-core-u-series-kaby-lake-cpus/

Version-Release number of selected component:
webkit2gtk3-2.22.7-1.fc29

Additional info:
reporter:       libreport-2.10.0
backtrace_rating: 4
cmdline:        /usr/libexec/webkit2gtk-4.0/WebKitWebProcess 7 48
crash_function: magazine_chain_pop_head
executable:     /usr/libexec/webkit2gtk-4.0/WebKitWebProcess
journald_cursor: s=4bef19b253e44f9a824ad7e1702ab37d;i=3c41fb;b=033ea9e0094343ae98629c679432c48a;m=924e437c;t=583c17a75cb42;x=c4f7f5a6bf153a75
kernel:         4.20.14-200.fc29.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 magazine_chain_pop_head at gslice.c:538
 #1 thread_memory_magazine1_alloc at gslice.c:841
 #2 g_slice_alloc at gslice.c:1015
 #3 gst_buffer_new at gstbuffer.c:798
 #4 WebCore::AppendPipeline::pushNewBuffer at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/Source/WebCore/platform/graphics/gstreamer/mse/AppendPipeline.cpp:808
 #5 WebCore::MediaSourceClientGStreamerMSE::append at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/Source/WebCore/platform/graphics/gstreamer/mse/MediaSourceClientGStreamerMSE.cpp:150
 #6 WebCore::SourceBufferPrivateGStreamer::append at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/ForwardingHeaders/wtf/RefCounted.h:46
 #7 WebCore::SourceBuffer::appendBufferTimerFired at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:41
 #9 WebCore::ThreadTimers::sharedTimerFiredInternal at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/Source/WebCore/platform/ThreadTimers.h:101
 #11 WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() at /usr/src/debug/webkit2gtk3-2.22.7-1.fc29.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp:170
Comment 1 Ryan Farmer 2019-03-10 11:54:29 PDT
Created attachment 364184 [details]
cgroup
Comment 2 Ryan Farmer 2019-03-10 11:55:01 PDT
Created attachment 364185 [details]
core backtrace
Comment 3 Ryan Farmer 2019-03-10 11:55:41 PDT
Created attachment 364186 [details]
cpu info
Comment 4 Ryan Farmer 2019-03-10 11:56:34 PDT
Created attachment 364187 [details]
dso list
Comment 5 Ryan Farmer 2019-03-10 11:57:03 PDT
Created attachment 364188 [details]
environ
Comment 6 Ryan Farmer 2019-03-10 11:57:21 PDT
Created attachment 364189 [details]
exploitable
Comment 7 Ryan Farmer 2019-03-10 11:57:56 PDT
Created attachment 364190 [details]
limits
Comment 8 Ryan Farmer 2019-03-10 11:58:15 PDT
Created attachment 364191 [details]
maps
Comment 9 Ryan Farmer 2019-03-10 11:58:38 PDT
Created attachment 364192 [details]
mountinfo
Comment 10 Ryan Farmer 2019-03-10 11:59:13 PDT
Created attachment 364193 [details]
open fds
Comment 11 Ryan Farmer 2019-03-10 11:59:40 PDT
Created attachment 364194 [details]
proc pid status
Comment 12 Michael Catanzaro 2019-03-12 09:31:48 PDT
I can't reproduce.

I wrote in the downstream bug:

Web process memory corruption. This is going to be hard or impossible to debug. :/

* If you're able to reproduce the crash somehow, that gives us only a vague chance of tracking this down. Otherwise: no chance.

* Actual code bug might be in the surrounding GStreamer MediaPlayer code, or it might be somewhere completely unrelated and the GStreamer code is just getting unlucky. No way to know from the backtrace.

* To catch memory corruption, we can use asan or valgrind. I believe asan is currently broken with WebKit. That means instructing the WebKit UI process to launch the web process under valgrind, which requires a debug build of WebKit (not provided by Fedora, and no guarantee the crash would even occur in a custom build, either) and messing with debug environment variables.

Memory corruption is the absolute worst. Sadly there's nothing actionable here, and getting anything actionable would be hard.