Backtrace (NixOS, can't get symbols on Ubuntu for some reason): #0 0x00007fa2576e3804 in WebCore::FragmentedSharedBuffer::copy() const () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libwebkit2gtk-4.0.so.37 #1 0x00007fa25747dab4 in WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&) () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libwebkit2gtk-4.0.so.37 #2 0x00007fa2557c4b2c in WebKit::WebResourceLoader::didReceiveResponse(WebCore::ResourceResponse&&, WebKit::PrivateRelayed, bool, std::optional<WebCore::NetworkLoadMetrics>&&) () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libwebkit2gtk-4.0.so.37 #3 0x00007fa255052ed4 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveResponse, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::ResourceResponse&&, WebKit::PrivateRelayed, bool, std::optional<WebCore::NetworkLoadMetrics>&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceResponse&&, WebKit::PrivateRelayed, bool, std::optional<WebCore::NetworkLoadMetrics>&&)) [clone .isra.0] () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libwebkit2gtk-4.0.so.37 #4 0x00007fa255054ee4 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libwebkit2gtk-4.0.so.37 #5 0x00007fa25535f765 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libwebkit2gtk-4.0.so.37 #6 0x00007fa25536176a in IPC::Connection::dispatchOneIncomingMessage() () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libwebkit2gtk-4.0.so.37 #7 0x00007fa253534d92 in WTF::RunLoop::performWork() () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libjavascriptcoregtk-4.0.so.18 #8 0x00007fa2535a3b59 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libjavascriptcoregtk-4.0.so.18 #9 0x00007fa2535a45ff in WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libjavascriptcoregtk-4.0.so.18 #10 0x00007fa253b2e629 in g_main_dispatch () from /nix/store/q6jyzkl2f1capj5yc0rq65i0zfm9b82k-glib-2.78.4/lib/libglib-2.0.so.0 #11 0x00007fa253b31797 in g_main_context_iterate_unlocked.isra () from /nix/store/q6jyzkl2f1capj5yc0rq65i0zfm9b82k-glib-2.78.4/lib/libglib-2.0.so.0 #12 0x00007fa253b3204f in g_main_loop_run () from /nix/store/q6jyzkl2f1capj5yc0rq65i0zfm9b82k-glib-2.78.4/lib/libglib-2.0.so.0 #13 0x00007fa2535a4740 in WTF::RunLoop::run() () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libjavascriptcoregtk-4.0.so.18 #14 0x00007fa2558b1111 in WebKit::WebProcessMain(int, char**) () from /nix/store/8whkzcq9i7g1g5q6m23wpr17pm4lgbaj-webkitgtk-2.44.1+abi=4.0/lib/libwebkit2gtk-4.0.so.37 #15 0x00007fa24ee3d10e in __libc_start_call_main () from /nix/store/ddwyrxif62r8n6xclvskjyy6szdhvj60-glibc-2.39-5/lib/libc.so.6 #16 0x00007fa24ee3d1c9 in __libc_start_main_impl () from /nix/store/ddwyrxif62r8n6xclvskjyy6szdhvj60-glibc-2.39-5/lib/libc.so.6 #17 0x0000000000401075 in _start ()

I've determined how this bug is triggered. I have a custom MJPEG server and there are two modes. One is a very low level TCP stream that I write bytes to directly, and the other is an implementation using the `hyper` crate for Rust. The hyper crate uses HTTP 1.1 chunked streams. The raw implementation uses HTTP 1.0 normal streams. This bug is triggered when a chunked stream sends the boundary before any data has been received. If the raw implementation sends a boundary before sending any data, the program does not crash. The workaround I came up with was to move the code that sends the boundary after the code that sends the JPEG. I had initially been sending the boundary first because in 4.42.x, I had to do this to get MJPEG to work at all with chunked encoding. Sending the boundary first has always worked with the raw implementation, before and after this bug was introduced. This bug was introduced by fixing https://bugs.webkit.org/show_bug.cgi?id=263423 . I don't quite understand the implementation details but it seems that chunked encoding creates a FragmentSharedBuffer that appears to contain data but segfaults when copied.

Apologies, I used the wrong bug link. It's this one: https://webkit.org/b/36536