210579 – Infinite loop while closing tab (infinite loop in HashTable::inlineLookup)

NEW 210579

Infinite loop while closing tab (infinite loop in HashTable::inlineLookup)

https://bugs.webkit.org/show_bug.cgi?id=210579

Summary Infinite loop while closing tab (infinite loop in HashTable::inlineLookup)

Benjamin Berg

Reported 2020-04-15 16:26:05 PDT

Created attachment 396588 [details] bt + stepping showing where it returns to the top of the while (1) loop I triggered this lockup by trying to close a youtube tab that was playing a video. The lookup infinite loops, it seems this is because in my case: i == 64 k == 0x7bc24d15 sizeMask = 0x48 and "i = (i + k) & sizeMask" cannot change i … Really, looks like a memory corruption. I have a full coredump locally (3.1 GiB), in case one may be able to fish out more information. Full backtrace and some stepping around attached. This is with webkit2gtk3-2.28.0-7.fc31.x86_64

Attachments
bt + stepping showing where it returns to the top of the while (1) loop (20.08 KB, text/plain) 2020-04-15 16:26 PDT, Benjamin Berg	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebKitGTK

Assignee

Nobody

Reported

2020-04-15 16:26 PDT

Modified

2020-04-15 16:29 PDT History

CC List

2 users Show

URL

Keywords

Depends on

Blocks