Bug 22778 - Segmentation fault
Summary: Segmentation fault
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Critical
Assignee: Nobody
Reported: 2008-12-10 06:07 PST by Luca Ferretti
Modified: 2009-07-25 15:58 PDT
CC List: 3 users

Description Luca Ferretti 2008-12-10 06:07:03 PST
Sorry for the bad summary, but I get a segfault in all webkit-based applications I'm testing (epiphany, devhelp, yelp, GtkLauncher)

WebKit was rebuilt from git 2 days ago (5bb66bb946449ad9e549a6d2c7fa54f42fcb890c)

Here is the stack trace from running Yelp and clicking on the a11y guide link:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb50306c0 (LWP 15332)]
0xb55cee8e in IA__g_object_unref (_object=0x1000000) at gobject.c:2370
2370	  g_return_if_fail (G_IS_OBJECT (object));
(gdb) thread apply all bt

Thread 6 (Thread 0xb47ebb90 (LWP 16224)):
#0  0xb7ff0430 in __kernel_vsyscall ()
#1  0xb5d553a2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2  0xb5f0407d in g_cond_timed_wait_posix_impl (cond=0x95ff540, entered_mutex=0x80, abs_time=0x5)
    at gthread-posix.c:242
#3  0xb54f5229 in g_async_queue_pop_intern_unlocked (queue=0x91cd580, try=<value optimized out>, 
    end_time=0xb47eb374) at gasyncqueue.c:365
#4  0xb54f5327 in IA__g_async_queue_timed_pop (queue=0x91cd580, end_time=0xb47eb374) at gasyncqueue.c:491
#5  0xb5547d63 in g_thread_pool_thread_proxy (data=0x94644d0) at gthreadpool.c:121
#6  0xb554675f in g_thread_create_proxy (data=0x94868c0) at gthread.c:635
#7  0xb5d5150f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#8  0xb53557ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 1 (Thread 0xb50306c0 (LWP 15332)):
#0  0xb55cee8e in IA__g_object_unref (_object=0x1000000) at gobject.c:2370
#1  0xb74f5de4 in WebCore::cleanupGioOperation () from /opt/gnome2/lib/libwebkit-1.0.so.1
#2  0xb74f8f01 in WebCore::queryInfoCallback () from /opt/gnome2/lib/libwebkit-1.0.so.1
#3  0xb58c4187 in IA__g_simple_async_result_complete (simple=0x92832f0) at gsimpleasyncresult.c:554
#4  0xb58c41be in complete_in_idle_cb (data=0x92832f0) at gsimpleasyncresult.c:564
#5  0xb5519a51 in g_idle_dispatch (source=0x97727f0, callback=0x1000000, user_data=0x92832f0)
    at gmain.c:3924
#6  0xb551b988 in IA__g_main_context_dispatch (context=0x91a93a0) at gmain.c:1814
#7  0xb551f033 in g_main_context_iterate (context=0x91a93a0, block=1, dispatch=1, self=0x9178528)
    at gmain.c:2448
#8  0xb551f552 in IA__g_main_loop_run (loop=0x93a8498) at gmain.c:2656
#9  0xb5adc1e9 in IA__gtk_main () at gtkmain.c:1200
#10 0x0805d0d5 in main (argc=-1258234520, argv=0xbfdf0134) at yelp-main.c:121
Comment 1 Luca Ferretti 2008-12-10 06:19:11 PST
Stack trace for Epiphany (just started, loading http://planet.gnome.org)

Thread 1 (Thread 0xb54356c0 (LWP 29022)):
#0  0xb7bde2dc in JSC::Interpreter::cti_op_get_by_id_proto_list () from /opt/gnome2/lib/libwebkit-1.0.so.1
#1  0xb4b8fc6a in ?? ()
#2  0xb7c6ef38 in JSC::evaluate () from /opt/gnome2/lib/libwebkit-1.0.so.1
#3  0xb764bebe in WebCore::ScriptController::evaluate () from /opt/gnome2/lib/libwebkit-1.0.so.1
#4  0xb785519e in WebCore::FrameLoader::executeScript () from /opt/gnome2/lib/libwebkit-1.0.so.1
#5  0xb77fd812 in WebCore::HTMLTokenizer::scriptExecution () from /opt/gnome2/lib/libwebkit-1.0.so.1
#6  0xb77ff0e8 in WebCore::HTMLTokenizer::notifyFinished () from /opt/gnome2/lib/libwebkit-1.0.so.1
#7  0xb77fc5f8 in WebCore::HTMLTokenizer::executeScriptsWaitingForStylesheets ()
   from /opt/gnome2/lib/libwebkit-1.0.so.1
#8  0xb76e4b52 in WebCore::Document::removePendingSheet () from /opt/gnome2/lib/libwebkit-1.0.so.1
#9  0xb77dacbd in WebCore::HTMLLinkElement::sheetLoaded () from /opt/gnome2/lib/libwebkit-1.0.so.1
#10 0xb76bdda9 in WebCore::CSSStyleSheet::checkLoaded () from /opt/gnome2/lib/libwebkit-1.0.so.1
#11 0xb77db640 in WebCore::HTMLLinkElement::setCSSStyleSheet () from /opt/gnome2/lib/libwebkit-1.0.so.1
#12 0xb782af13 in WebCore::CachedCSSStyleSheet::checkNotify () from /opt/gnome2/lib/libwebkit-1.0.so.1
#13 0xb782b73f in WebCore::CachedCSSStyleSheet::data () from /opt/gnome2/lib/libwebkit-1.0.so.1
#14 0xb7873f84 in WebCore::Loader::Host::didFinishLoading () from /opt/gnome2/lib/libwebkit-1.0.so.1
#15 0xb7867510 in WebCore::SubresourceLoader::didFinishLoading () from /opt/gnome2/lib/libwebkit-1.0.so.1
#16 0xb7862421 in WebCore::ResourceLoader::didFinishLoading () from /opt/gnome2/lib/libwebkit-1.0.so.1
#17 0xb79e97e4 in WebCore::finishedCallback () from /opt/gnome2/lib/libwebkit-1.0.so.1
#18 0xb748f66b in final_finished (req=0xb539ea00, user_data=0x8c6f6c0) at soup-session-async.c:329
#19 0xb57d9c24 in IA__g_cclosure_marshal_VOID__VOID (closure=0x8c9af40, return_value=0x0, n_param_values=1, 
    param_values=0x8c75668, invocation_hint=0xbfd7c05c, marshal_data=0xb748f5c0) at gmarshal.c:77
#20 0xb57cbd1b in IA__g_closure_invoke (closure=0x8c9af40, return_value=0x0, n_param_values=1, 
    param_values=0x8c75668, invocation_hint=0xbfd7c05c) at gclosure.c:767
#21 0xb57e3c40 in signal_emit_unlocked_R (node=0x8c70450, detail=0, instance=0x8c43f70, 
    emission_return=0x0, instance_and_params=0x8c75668) at gsignal.c:3314
#22 0xb57e4e0e in IA__g_signal_emit_valist (instance=0x8c43f70, signal_id=407, detail=0, 
    var_args=0xbfd7c1fc "��I�\031\026H���I�(�֟�bH�p?�\bh��\b8y�\b|bH���\177�piH�H�֟$\234}�\200h�\bp?�\bX�֟��\177�p��\b\002") at gsignal.c:2977
#23 0xb57e52b6 in IA__g_signal_emit (instance=0x8c43f70, signal_id=407, detail=0) at gsignal.c:3034
#24 0xb748163f in soup_message_finished (msg=0x8c43f70) at soup-message.c:840
#25 0xb74862cb in soup_message_io_finished (msg=0x8c43f70) at soup-message-io.c:172
#26 0xb57d9c24 in IA__g_cclosure_marshal_VOID__VOID (closure=0x8c9a570, return_value=0x0, n_param_values=1, 
    param_values=0x8c75838, invocation_hint=0xbfd7c3bc, marshal_data=0xb7486970) at gmarshal.c:77
#27 0xb57cbd1b in IA__g_closure_invoke (closure=0x8c9a570, return_value=0x0, n_param_values=1, 
    param_values=0x8c75838, invocation_hint=0xbfd7c3bc) at gclosure.c:767
#28 0xb57e36fd in signal_emit_unlocked_R (node=0x8c71450, detail=0, instance=0x8c76880, 
    emission_return=0x0, instance_and_params=0x8c75838) at gsignal.c:3244
#29 0xb57e4e0e in IA__g_signal_emit_valist (instance=0x8c76880, signal_id=411, detail=0, 
    var_args=0xbfd7c55c "�\017|��\017|�x �\b\210�֟��u�P^�\b\001") at gsignal.c:2977
#30 0xb57e52b6 in IA__g_signal_emit (instance=0x8c76880, signal_id=411, detail=0) at gsignal.c:3034
#31 0xb7491472 in socket_read_watch (chan=0x8c75e50, cond=<value optimized out>, user_data=0x8c76880)
    at soup-socket.c:1049
#32 0xb575aebd in g_io_unix_dispatch (source=0x8c72078, callback=0xb7491420 <socket_read_watch>, 
    user_data=0x8c76880) at giounix.c:162
#33 0xb5723988 in IA__g_main_context_dispatch (context=0x874dfa8) at gmain.c:1814
#34 0xb5727033 in g_main_context_iterate (context=0x874dfa8, block=1, dispatch=1, self=0x871f0a8)
    at gmain.c:2448
#35 0xb5727552 in IA__g_main_loop_run (loop=0x87ab398) at gmain.c:2656
#36 0xb5fa61e9 in IA__gtk_main () at gtkmain.c:1200
#37 0x0806f760 in main (argc=Cannot access memory at address 0xa01bf4
) at ephy-main.c:771
Comment 2 Xan Lopez 2009-03-01 22:36:17 PST
This looks an awful lot like one of the crashes we recently fixed in the soup code. Can you check if it still happens with 1.1.1/trunk?
Comment 3 Luke Kenneth Casson Leighton 2009-07-25 09:07:00 PDT
(In reply to comment #2)
> This looks an awful lot like one of the crashes we recently fixed in the soup
> code. Can you check if it still happens with 1.1.1/trunk?

 xan, just raised this - https://bugs.webkit.org/show_bug.cgi?id=27679 - which is likewise a soup segfault.  #27679 is a repro case: happens every time.

 l.
Comment 4 Luca Ferretti 2009-07-25 09:45:06 PDT
(In reply to comment #2)
> This looks an awful lot like one of the crashes we recently fixed in the soup
> code. Can you check if it still happens with 1.1.1/trunk?

Using webkitgtk 1.1.11
 * Epiphany (trunk) and GtkLauncher work fine
 * Yelp (webkit branch) crashes loading pages (bug-buddy can't fetch a stacktrace, I'll run gdb manually)
 * Devhelp (trunk) fails to build :(

(In reply to comment #3)
> xan, just raised this - https://bugs.webkit.org/show_bug.cgi?id=27679 - which
> is likewise a soup segfault.  #27679 is a repro case: happens every time.

I tried to load the test page linked in this bug in Epiphany. No crash, but the progress bar disappears in the middle of loading and the page content appears after more than 1 minute.
Comment 5 Luke Kenneth Casson Leighton 2009-07-25 14:30:00 PDT
(In reply to comment #4)
> (In reply to comment #2)
> > This looks an awful lot like one of the crashes we recently fixed in the soup
> > code. Can you check if it still happens with 1.1.1/trunk?
> 
> Using webkitgtk 1.1.11
>  * Epiphany (trunk) and GtkLauncher works fine

 confirmed, gtklauncher works fine, from latest svn r46395 and absolute latest git of libsoup, on the test page http://pyjs.org/examples/kitchensink/output/KitchenSink.html
Comment 6 Jan Alonzo 2009-07-25 15:58:27 PDT
(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #2)
> > > This looks an awful lot like one of the crashes we recently fixed in the soup
> > > code. Can you check if it still happens with 1.1.1/trunk?
> > 
> > Using webkitgtk 1.1.11
> >  * Epiphany (trunk) and GtkLauncher works fine
> 
>  confirmed, gtklauncher works fine, from latest svn r46395 and absolute latest
> git of libsoup, on the test page
> http://pyjs.org/examples/kitchensink/output/KitchenSink.html

Closing, given this works in recent WebKitGtk and libsoup.