NEW 279285
JSC::IndexingHeader::preCapacity: SIGSEGV on RISC-V when built with GCC and -O2 
https://bugs.webkit.org/show_bug.cgi?id=279285
Summary JSC::IndexingHeader::preCapacity: SIGSEGV on RISC-V when built with GCC and -O2
Michael Orlitzky
Reported 2024-09-06 14:24:59 PDT
Created attachment 472483 [details] libjavascriptcoregtk-btfull.txt These crashes happen all the time: [Fri Sep 6 16:52:08 2024] [T16948] WebKitWebProces[16948]: unhandled signal 11 code 0x1 at 0x0000003fd0800004 in libjavascriptcoregtk-6.0.so.1.2.7[3ff2e00000+dd2000] Today I was finally able to get a backtrace... after about 6 hours of struggling -- this should be a lot easier: #0 0x0000003ff34b446e in JSC::IndexingHeader::preCapacity (this=0x3fe2700000, structure=<optimized out>) at /var/lib/portage/tmp/portage/net-libs/webkit-gtk-2.44.3-r600/work/webkitgtk-2.44.3/Source/JavaScriptCore/runtime/IndexingHeaderInlines.h:36 No locals. #1 JSC::Butterfly::createOrGrowPropertyStorage (oldButterfly=0x3fe2700008, vm=..., intendedOwner=0x3fe1855480, structure=<optimized out>, oldPropertyCapacity=4, newPropertyCapacity=8) at /var/lib/portage/tmp/portage/net-libs/webkit-gtk-2.44.3-r600/work/webkitgtk-2.44.3/Source/JavaScriptCore/runtime/ButterflyInlines.h:138 preCapacity = <optimized out> indexingPayloadSizeInBytes = <optimized out> hasIndexingHeader = <optimized out> result = <optimized out> __PRETTY_FUNCTION__ = <optimized out> preCapacity = <optimized out> indexingPayloadSizeInBytes = <optimized out> hasIndexingHeader = <optimized out> result = <optimized out>
Attachments
libjavascriptcoregtk-btfull.txt (224.75 KB, text/plain)
2024-09-06 14:24 PDT, Michael Orlitzky 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Michael Orlitzky
Comment 1 2024-09-07 12:57:02 PDT
When this happens I always get a second WebKitWebProcess crash afterwards, this one from libGLESv2, in the GLContext destructor. It's probably related to the JSC crash, but just in case it is of independent interest: #0 0x0000003fb2f8ab8a in glBindFramebuffer (target=36160, framebuffer=<optimized out>) at /var/lib/portage/tmp/portage/media-libs/libglvnd-1.7.0/work/libglvnd-v1.7.0-.lp64d/src/generate/g_glapi_mapi_glesv2_tmp.h:11906 _tbl = 0x0 _func = <error reading variable _func (Cannot access memory at address 0x220)> #1 0x0000003fbd55230a in WebCore::GLContext::~GLContext (this=this@entry=0x3fb4964000, __in_chrg=<optimized out>) at /var/lib/portage/tmp/portage/net-libs/webkit-gtk-2.44.3-r600/work/webkitgtk-2.44.3/Source/WebCore/platform/graphics/egl/GLContext.cpp:401 display = 0x3fb4d19550 display = <optimized out> #2 0x0000003fbd522758 in std::default_delete<WebCore::GLContext>::operator() (this=<optimized out>, __ptr=0x3fb4964000) at /usr/lib/gcc/riscv64-unknown-linux-musl/14/include/g++-v14/bits/unique_ptr.h:93 No locals.
Radar WebKit Bug Importer
Comment 2 2024-09-13 14:25:16 PDT
<rdar://problem/135976943>
Mark Lam
Comment 3 2024-09-13 14:48:46 PDT
What are the reproduction steps for manifesting this crash? What is the website or payload that makes it crash? Do you have an isolated test case?
Michael Orlitzky
Comment 4 2024-09-13 15:06:44 PDT
It would never be that easy. First, I think it only happens with -O2, and not -O1. (I haven't tried -O3 yet). I've been running an -O1 build pretty much since I opened this bug, and haven't had a JSC crash since. I'm now rebuilding 2.44.4 at -O2 again to make sure that the crashes come back. The crashes are "random," but consistent. I have a feeling that they tend to happen more often on javascript-heavy websites like github.com, and sites that have google analytics / recaptcha. It has happened several times on e.g. https://github.com/sophgo/bootloader-riscv/blob/master/scripts/envsetup.sh but if I restart epiphany and go back to that URL, it's fine... for a while.
Michael Orlitzky
Comment 5 2024-09-13 15:20:31 PDT
The libGLESv2 thing is a red herring by the way. Those segfaults happen even when I close my browser normally (I opened a new bug for them).
Mark Lam
Comment 6 2024-09-13 17:02:18 PDT
Michael, do you by any chance have a Mac? If so, are you able to reproduce this on a Mac in Safari or MiniBrowser? I don't work on Epiphany. So, if this is an Epiphany / GTK only issue, then I'll have to leave it to the GTK folks.
Michael Orlitzky
Comment 7 2024-09-13 17:09:36 PDT
No, Linux, sorry. I don't think it has anything to do with epiphany/GTK but I can't prove it.
Mark Lam
Comment 8 2024-09-13 17:33:54 PDT
Michael C, are you seeing such crashes on Epiphany?
Michael Orlitzky
Comment 9 2024-09-13 17:44:00 PDT
Probably the path of least resistance is for me to hit Ctrl-C on that 2.44.4 build and hack -DENABLE_MINIBROWSER into the cmake invocation. I hate to lose eight hours of compile time, but at least it's the weekend.
Michael Catanzaro
Comment 10 2024-09-14 12:08:19 PDT
No, I've never seen this before. (Even if it was somehow platform-specific, which seems unlikely, WebKitGTK maintainers don't know how to help with JSC issues anyway.) The backtrace looks good though.
Michael Orlitzky
Comment 11 2024-09-14 12:57:44 PDT
MiniBrowser is trying its best to stop me, stating "The URL can't be shown" whenever I type in a URL manually, but the first URL passed to it on the CLI always works: * The crashes are back with -O2 * They happen in MiniBrowser, too * The backtrace looks about the same
Michael Catanzaro
Comment 12 2024-09-14 17:40:22 PDT
So the crashes only happen when building with -O2 and not with -O1? That's interesting. Out of curiosity, what happens if you build with Clang rather than GCC?
Michael Orlitzky
Comment 13 2024-09-16 09:13:24 PDT
(In reply to Michael Catanzaro from comment #12) > So the crashes only happen when building with -O2 and not with -O1? That's > interesting. > > Out of curiosity, what happens if you build with Clang rather than GCC? I'll keep using it, but I think the JSC crashes are gone.
Mark Lam
Comment 14 2024-09-16 17:41:48 PDT
(In reply to Michael Orlitzky from comment #13) > (In reply to Michael Catanzaro from comment #12) > > So the crashes only happen when building with -O2 and not with -O1? That's > > interesting. > > > > Out of curiosity, what happens if you build with Clang rather than GCC? > > I'll keep using it, but I think the JSC crashes are gone. Just to clarify, are you saying the crashes only manifests with GCC, and does not manifest with Clang?
Michael Orlitzky
Comment 15 2024-09-17 03:49:54 PDT
(In reply to Mark Lam from comment #14) > > Just to clarify, are you saying the crashes only manifests with GCC, and > does not manifest with Clang? Correct. Clang v18.1.8 and GCC v14.2.0.
Michael Catanzaro
Comment 16 2024-09-17 06:22:17 PDT
And specifically only at -O2 optimization level, so that narrows things down significantly. It could be a GCC bug, or it could be undefined behavior in JSC. Since almost all distros build with GCC and -O2, yet only you are complaining, it might also occur only in combination with one of the other compiler flags you use.
Michael Orlitzky
Comment 17 2024-09-17 06:52:14 PDT
(In reply to Michael Catanzaro from comment #16) > And specifically only at -O2 optimization level, so that narrows things down > significantly. It could be a GCC bug, or it could be undefined behavior in > JSC. > > Since almost all distros build with GCC and -O2, yet only you are > complaining, it might also occur only in combination with one of the other > compiler flags you use. My CFLAGS are "-O2 -pipe -mabi=lp64d -march=rv64gc -mtune=thead-c906" which should be unexciting except maybe for the -mtune=thead-c906. AFAIK it only provides a few optimization hints: https://gcc.gnu.org/pipermail/gcc-patches/2021-June/573305.html I've just upgraded to gcc-14.2.1 and was planning to re-try; I could drop the -mtune at the same time. I think the most likely explanation is that few people are using RISC-V, and fewer of those are using epiphany, and fewer of those are building their own, and fewer of those are using the latest versions of everything, and fewer of those would be willing to spend a few days rebuilding webkit to debug if it crashes. We may be down to {me}.
Michael Catanzaro
Comment 18 2024-09-17 06:59:16 PDT
You didn't mention you were using RISC-V until comment #17. Yeah, that's indeed more likely.
Michael Orlitzky
Comment 19 2024-09-17 12:16:52 PDT
One other thing that might be relevant is that I have to build with -DENABLE_JIT=OFF to work around bug 271371.
Mark Lam
Comment 20 2024-09-17 12:34:55 PDT
AFAIK, the RISC V port is not an officially supported port. For example, there are no EWS bots for it. I don't even know who the maintainers are. Looks like Zan Dobersek according to git blame. Zan, have you seen this RISC V + GCC only crash before?
Michael Orlitzky
Comment 21 2024-09-19 16:56:38 PDT
The crashes persist with gcc-14.2.1 and without the -mtune in my C(XX)FLAGS.
Note You need to log in before you can comment on or make changes to this bug.