Hit this random crash with 2.27.90. Looks like we're passing a bogus pointer into sqlite (zData=0x44 in bindText). Not sure how it could happen unless the IconDatabase was somehow freed before the callback executed, which shouldn't happen because the IconDatabase seems to be kept alive (protectedThis) where required. #0 0x00007f4b2d5e9515 in __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:436 #1 0x00007f4b2812f437 in memcpy (__len=65174, __src=0x44, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34 nAlloc = 65174 nByte = 65174 iLimit = <optimized out> flags = <optimized out> #2 0x00007f4b2812f437 in sqlite3VdbeMemSetStr (pMem=pMem@entry=0x7f4a0001e268, z=z@entry=0x44 <error: Cannot access memory at address 0x44>, n=n@entry=65174, enc=enc@entry=2 '\002', xDel=xDel@entry=0xffffffffffffffff) at ../sqlite3.c:10077 nAlloc = 65174 nByte = 65174 iLimit = <optimized out> flags = <optimized out> #3 0x00007f4b2813b192 in bindText (encoding=<optimized out>, xDel=0xffffffffffffffff, nData=65174, zData=0x44, i=<optimized out>, pStmt=0x7f4a00023818) at ../sqlite3.c:82848 pVar = 0x7f4a0001e268 rc = <optimized out> p = 0x7f4a00023818 rc = 0 #4 0x00007f4b2813b192 in bindText (pStmt=0x7f4a00023818, i=<optimized out>, zData=0x44, nData=65174, xDel=0xffffffffffffffff, encoding=<optimized out>) at ../sqlite3.c:17296 p = 0x7f4a00023818 rc = 0 #5 0x00007f4b2b9ea053 in WebCore::SQLiteStatement::bindText(int, WTF::String const&) (this=0x7f4b226d3048, index=index@entry=1, text=...) 
at DerivedSources/ForwardingHeaders/wtf/text/StringImpl.h:281 upconvertedCharacters = {m_upconvertedCharacters = {<WTF::VectorBuffer<char16_t, 32, WTF::FastMalloc>> = {<WTF::VectorBufferBase<char16_t, WTF::FastMalloc>> = {m_buffer = 0x7f4a13ffe740 u"", m_capacity = 32, m_size = 0}, m_inlineBuffer = {{__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000\265", __align = {<No data fields>}}, {__data = "T\213", __align = {<No data fields>}}, {__data = "\365", <incomplete sequence \320>, __align = {<No data fields>}}, {__data = "\312", <incomplete sequence \303>, __align = {<No data fields>}}, {__data = "80", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "J\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\210\004", __align = {<No data fields>}}, {__data = "\002", __align = {<No data fields>}}, {__data = "J\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "80", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "J\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "m\"", __align = {<No data fields>}}, {__data = "K\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\001", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\320", <incomplete sequence \347>, __align = {<No data fields>}}, {__data = "\377\023", __align = {<No data fields>}}, {__data = "J\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}}}, <No data fields>}, m_characters 
= 0x44 <error: Cannot access memory at address 0x44>} anyCharacter = 0 u'\000' characters = <optimized out> #6 0x00007f4b2a500144 in WebKit::IconDatabase::iconIDForIconURL(WTF::String const&, bool&) (this=0x7f4b226da000, iconURL=..., expired=@0x7f4a13ffe847: false) at ../Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:309 result = <optimized out> #7 0x00007f4b2a503118 in WebKit::IconDatabase::<lambda()>::operator() (__closure=0x7f49b58a2388) at ../Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:560 expired = false canWriteToDatabase = <optimized out> iconID = {<WTF::constexpr_Optional_base<long>> = {init_ = false, storage_ = {dummy_ = 0 '\000', value_ = 0}}, <No data fields>} iconData = {<WTF::VectorBuffer<char, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<char, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>} iconURL = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x7f49b5d2f108}} this = 0x7f4b226da000 completionHandler = {m_function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void, WTF::RefPtr<_cairo_surface, WTF::DumbPtrTraits<_cairo_surface> >&&>> = {get() = 0x7f49b5d0bcf0}}} timestamp = {m_value = 1581970944.7113521} allowDatabaseWrite = WebKit::IconDatabase::AllowDatabaseWrite::Yes pageURL = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x7f49b5d2e540}} protectedThis = {static isRef = <error reading variable: Missing ELF symbol "WTF::Ref<WebKit::IconDatabase, WTF::DumbPtrTraits<WebKit::IconDatabase> >::isRef".>, m_ptr = 0x7f4b226da000} #8 0x00007f4b2a503118 in WTF::Detail::CallableWrapper<WebKit::IconDatabase::loadIconForPageURL(const WTF::String&, 
WebKit::IconDatabase::AllowDatabaseWrite, WTF::CompletionHandler<void(WTF::RefPtr<_cairo_surface>&&)>&&)::<lambda()>, void>::call(void) (this=0x7f49b58a2380) at DerivedSources/ForwardingHeaders/wtf/Function.h:52 #9 0x00007f4b29734adc in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Function.h:81 function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f49b5d0bd08}} functionsHandled = 109 functionsToHandle = 118 #10 0x00007f4b29734adc in WTF::RunLoop::performWork() (this=0x7f4b226d8000) at ../Source/WTF/wtf/RunLoop.cpp:124 function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f49b5d0bd08}} functionsHandled = 109 functionsToHandle = 118 #11 0x00007f4b2978354d in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:68 #12 0x00007f4b2978354d in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70 #13 0x00007f4b2d886bce in g_main_dispatch (context=0x7f4a00000b60) at ../glib/gmain.c:3309 dispatch = 0x7f4b29783560 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)> prev_source = 0x0 was_in_call = 0 user_data = 0x7f4b226d8000 callback = 0x7f4b29783540 <WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer)> cb_funcs = 0x7f4b2d95c280 <g_source_callback_funcs> cb_data = 0x7f4a00002e30 need_destroy = <optimized out> source = 0x7f4a00002dc0 current = 0x7f4a00002eb0 i = 0 __func__ = "g_main_dispatch" #14 0x00007f4b2d886bce in g_main_context_dispatch (context=context@entry=0x7f4a00000b60) at ../glib/gmain.c:3974 #15 0x00007f4b2d886f80 in g_main_context_iterate (context=0x7f4a00000b60, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4047 max_priority = 100 timeout = 0 some_ready = 1 nfds = <optimized out> allocated_nfds = <optimized out> fds = 
0x7f4a00002e90 #16 0x00007f4b2d887273 in g_main_loop_run (loop=0x7f4a00002da0) at ../glib/gmain.c:4241 __func__ = "g_main_loop_run" #17 0x00007f4b29783fe0 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:96 runLoop = @0x7f4b226d8000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 2}, static is_always_lock_free = true}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7f4b29a8e240 <vtable for WTF::RunLoop+16>}, m_functionQueueLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = {<std::__atomic_base<unsigned char>> = {static _S_alignment = 1, _M_i = 0 '\000'}, static is_always_lock_free = true}}}, m_functionQueue = {m_start = 195, m_end = 203, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x7f4aa4349000, m_capacity = 214, m_size = 0}, <No data fields>}}, m_mainContext = {m_ptr = 0x7f4a00000b60}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop>, WTF::FastMalloc>> = {m_buffer = 0x7f4b226d7000, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x7f4a00002dc0}} mainContext = 0x7f4a00000b60 innermostLoop = 0x7f4a00002da0 nestedMainLoop = <optimized out> #18 0x00007f4b29736148 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Function.h:81 function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f4b226f7228}} #19 0x00007f4b29736148 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (newThreadContext=0x7f4b226f0120) at ../Source/WTF/wtf/Threading.cpp:148 function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f4b226f7228}} #20 
0x00007f4b2978544d in WTF::wtfThreadEntryPoint(void*) (context=<optimized out>) at ../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:200 #21 0x00007f4b27bac5e2 in start_thread (arg=<optimized out>) at pthread_create.c:479 ret = <optimized out> pd = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139956139849472, -260418948970155262, 140723808642638, 140723808642639, 139956139846464, 139956139849472, 213614938648376066, 212937116766204674}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = 0 #22 0x00007f4b2d583413 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95