Package: libwebkitgtk-3.0-0 Version: 1.8.1-3.3 Severity: serious Tags: patch
Machine: Dell PowerEdge 3250
Processor: 2x Itanium Madison 1.5GHz 6M
Memory: 16G

I realized this bug while working on bug#642750. Some assertions fail on the debug build of webkit:

  at Source/JavaScriptCore/wtf/RefCounted.h:53   ASSERT(m_verifier.isSafeToUse());
  at Source/JavaScriptCore/wtf/RefCounted.h:122  ASSERT(m_verifier.isSafeToUse());

Stacktraces were:

Breakpoint 1, WTFReportAssertionFailure (
    file=0x20000000056983c0 "../Source/JavaScriptCore/wtf/RefCounted.h",
    line=53, function=0x2000000005699638 "void WTF::RefCountedBase::ref()",
    assertion=0x20000000056983f0 "m_verifier.isSafeToUse()")
    at ../Source/JavaScriptCore/wtf/Assertions.cpp:219
219         if (assertion)
#0  WTFReportAssertionFailure (
    file=0x20000000056983c0 "../Source/JavaScriptCore/wtf/RefCounted.h",
    line=53, function=0x2000000005699638 "void WTF::RefCountedBase::ref()",
    assertion=0x20000000056983f0 "m_verifier.isSafeToUse()")
    at ../Source/JavaScriptCore/wtf/Assertions.cpp:219
#1  0x2000000001e90ba0 in WTF::RefCountedBase::ref (this=0x2000000010033a00)
    at ../Source/JavaScriptCore/wtf/RefCounted.h:53
#2  0x2000000001f43be0 in WTF::refIfNotNull<WebCore::SharedBuffer> (
    ptr=0x2000000010033a00) at ../Source/JavaScriptCore/wtf/PassRefPtr.h:46
#3  0x200000000341e8d0 in WTF::RefPtr<WebCore::SharedBuffer>::operator= (
    this=0x60000000008d0920, optr=0x2000000010033a00)
    at ../Source/JavaScriptCore/wtf/RefPtr.h:132
#4  0x200000000388e190 in WebCore::BMPImageReader::setData (
    this=0x60000000008d0910, data=0x2000000010033a00)
    at ../Source/WebCore/platform/image-decoders/bmp/BMPImageReader.h:72
#5  0x20000000038a9ce0 in WebCore::ICOImageDecoder::decodeAtIndex (
    this=0x20000000100468c0, index=0)
    at ../Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:203
#6  0x20000000038a9370 in WebCore::ICOImageDecoder::decode (
    this=0x20000000100468c0, index=0, onlySize=false)
    at ../Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:168
#7  0x20000000038a8b10 in WebCore::ICOImageDecoder::frameBufferAtIndex (
    this=0x20000000100468c0, index=0)
    at ../Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:125
#8  0x20000000037e79c0 in WebCore::ImageSource::createFrameAtIndex (
    this=0x2000000010046838, index=0)
    at ../Source/WebCore/platform/graphics/ImageSource.cpp:138
#9  0x20000000036d7cb0 in WebCore::BitmapImage::cacheFrame (
    this=0x2000000010046800, index=0)
    at ../Source/WebCore/platform/graphics/BitmapImage.cpp:127
#10 0x20000000036d96c0 in WebCore::BitmapImage::frameAtIndex (
    this=0x2000000010046800, index=0)
    at ../Source/WebCore/platform/graphics/BitmapImage.cpp:266
#11 0x20000000055f1690 in WebCore::BitmapImage::getGdkPixbuf (
    this=0x2000000010046800)
    at ../Source/WebCore/platform/graphics/gtk/ImageGtk.cpp:115
#12 0x2000000001ef89b0 in getIconPixbufSynchronously (
    database=0x60000000000781c0, pageURL=..., iconSize=...)
    at ../Source/WebKit/gtk/webkit/webkitfavicondatabase.cpp:401
#13 0x2000000001ef9090 in webkit_favicon_database_try_get_favicon_pixbuf (
    database=0x60000000000781c0, pageURI=0x6000000000076cd0 "http://www.gmx.net/",
    width=16, height=16)
    at ../Source/WebKit/gtk/webkit/webkitfavicondatabase.cpp:442
#14 0x4000000000091360 in set_row_in_model (row=0x6000000000858660, position=1,
    model=0x600000000018cca0) at ephy-completion-model.c:213
#15 replace_rows_in_model (new_rows=0x600000000088ada0,
    model=0x600000000018cca0) at ephy-completion-model.c:244
#16 query_completed_cb (service=0x60000000001abb70, success=1,
    result_data=0x60000000001f0ec0, user_data=0x60000000008fe560)
    at ephy-completion-model.c:411
#17 0x40000000000fc670 in ephy_history_service_execute_job_callback (
    data=0x60000000008c09e0) at ephy-history-service.c:435
#18 0x200000000980aa00 in g_idle_dispatch ()
    from /lib/ia64-linux-gnu/libglib-2.0.so.0
#19 0x2000000009810f20 in g_main_context_dispatch ()
    from /lib/ia64-linux-gnu/libglib-2.0.so.0
#20 0x2000000009811740 in ?? () from /lib/ia64-linux-gnu/libglib-2.0.so.0
#21 0x2000000009811ad0 in g_main_context_iteration ()
    from /lib/ia64-linux-gnu/libglib-2.0.so.0
#22 0x2000000009384d00 in g_application_run ()
    from /usr/lib/ia64-linux-gnu/libgio-2.0.so.0
#23 0x4000000000040020 in main (argc=1, argv=0x60000fffffffb458)
    at ephy-main.c:483
No symbol "m_verifier" in current context.
#1  0x2000000001e90ba0 in WTF::RefCountedBase::ref (this=0x2000000010033a00)
    at ../Source/JavaScriptCore/wtf/RefCounted.h:53
53          ASSERT(m_verifier.isSafeToUse());
$3 = {m_mode = WTF::ThreadRestrictionVerifier::MutexVerificationMode,
  m_shared = true, m_owningThread = 0, m_mutex = 0x600000000024e7d8}
Continuing.

Breakpoint 1, WTFReportAssertionFailure (
    file=0x2000000005683b80 "../Source/JavaScriptCore/wtf/RefCounted.h",
    line=122, function=0x2000000005683cf0 "bool WTF::RefCountedBase::derefBase()",
    assertion=0x2000000005683be0 "m_verifier.isSafeToUse()")
    at ../Source/JavaScriptCore/wtf/Assertions.cpp:219
219         if (assertion)
#0  WTFReportAssertionFailure (
    file=0x2000000005683b80 "../Source/JavaScriptCore/wtf/RefCounted.h",
    line=122, function=0x2000000005683cf0 "bool WTF::RefCountedBase::derefBase()",
    assertion=0x2000000005683be0 "m_verifier.isSafeToUse()")
    at ../Source/JavaScriptCore/wtf/Assertions.cpp:219
#1  0x2000000001e548d0 in WTF::RefCountedBase::derefBase (
    this=0x2000000010033a00) at ../Source/JavaScriptCore/wtf/RefCounted.h:122
#2  0x2000000001f2b940 in WTF::RefCounted<WebCore::SharedBuffer>::deref (
    this=0x2000000010033a00) at ../Source/JavaScriptCore/wtf/RefCounted.h:182
#3  0x2000000001f2b560 in WTF::derefIfNotNull<WebCore::SharedBuffer> (
    ptr=0x2000000010033a00) at ../Source/JavaScriptCore/wtf/PassRefPtr.h:52
#4  0x2000000001f2b100 in WTF::RefPtr<WebCore::SharedBuffer>::~RefPtr (
    this=0x60000000008d0920, __in_chrg=<optimized out>)
    at ../Source/JavaScriptCore/wtf/RefPtr.h:58
#5  0x200000000388f0e0 in WebCore::BMPImageReader::~BMPImageReader (
    this=0x60000000008d0910, __in_chrg=<optimized out>)
    at ../Source/WebCore/platform/image-decoders/bmp/BMPImageReader.h:41
#6  0x200000000388f160 in WTF::deleteOwnedPtr<WebCore::BMPImageReader> (
    ptr=0x60000000008d0910) at ../Source/JavaScriptCore/wtf/OwnPtrCommon.h:54
#7  0x200000000388ea80 in WTF::OwnPtr<WebCore::BMPImageReader>::clear (
    this=0x2000000010033820) at ../Source/JavaScriptCore/wtf/OwnPtr.h:100
#8  0x20000000038a95d0 in WebCore::ICOImageDecoder::decode (
    this=0x20000000100468c0, index=0, onlySize=false)
    at ../Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:174
#9  0x20000000038a8b10 in WebCore::ICOImageDecoder::frameBufferAtIndex (
    this=0x20000000100468c0, index=0)
    at ../Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:125
#10 0x20000000037e79c0 in WebCore::ImageSource::createFrameAtIndex (
    this=0x2000000010046838, index=0)
    at ../Source/WebCore/platform/graphics/ImageSource.cpp:138
#11 0x20000000036d7cb0 in WebCore::BitmapImage::cacheFrame (
    this=0x2000000010046800, index=0)
    at ../Source/WebCore/platform/graphics/BitmapImage.cpp:127
#12 0x20000000036d96c0 in WebCore::BitmapImage::frameAtIndex (
    this=0x2000000010046800, index=0)
    at ../Source/WebCore/platform/graphics/BitmapImage.cpp:266
#13 0x20000000055f1690 in WebCore::BitmapImage::getGdkPixbuf (
    this=0x2000000010046800)
    at ../Source/WebCore/platform/graphics/gtk/ImageGtk.cpp:115
#14 0x2000000001ef89b0 in getIconPixbufSynchronously (
    database=0x60000000000781c0, pageURL=..., iconSize=...)
    at ../Source/WebKit/gtk/webkit/webkitfavicondatabase.cpp:401
#15 0x2000000001ef9090 in webkit_favicon_database_try_get_favicon_pixbuf (
    database=0x60000000000781c0, pageURI=0x6000000000076cd0 "http://www.gmx.net/",
    width=16, height=16)
    at ../Source/WebKit/gtk/webkit/webkitfavicondatabase.cpp:442
#16 0x4000000000091360 in set_row_in_model (row=0x6000000000858660, position=1,
    model=0x600000000018cca0) at ephy-completion-model.c:213
#17 replace_rows_in_model (new_rows=0x600000000088ada0,
    model=0x600000000018cca0) at ephy-completion-model.c:244
#18 query_completed_cb (service=0x60000000001abb70, success=1,
    result_data=0x60000000001f0ec0, user_data=0x60000000008fe560)
    at ephy-completion-model.c:411
#19 0x40000000000fc670 in ephy_history_service_execute_job_callback (
    data=0x60000000008c09e0) at ephy-history-service.c:435
#20 0x200000000980aa00 in g_idle_dispatch ()
    from /lib/ia64-linux-gnu/libglib-2.0.so.0
#21 0x2000000009810f20 in g_main_context_dispatch ()
    from /lib/ia64-linux-gnu/libglib-2.0.so.0
#22 0x2000000009811740 in ?? () from /lib/ia64-linux-gnu/libglib-2.0.so.0
#23 0x2000000009811ad0 in g_main_context_iteration ()
    from /lib/ia64-linux-gnu/libglib-2.0.so.0
#24 0x2000000009384d00 in g_application_run ()
    from /usr/lib/ia64-linux-gnu/libgio-2.0.so.0
#25 0x4000000000040020 in main (argc=1, argv=0x60000fffffffb458)
    at ephy-main.c:483
#1  0x2000000001e548d0 in WTF::RefCountedBase::derefBase (
    this=0x2000000010033a00) at ../Source/JavaScriptCore/wtf/RefCounted.h:122
122         ASSERT(m_verifier.isSafeToUse());
$4 = {m_mode = WTF::ThreadRestrictionVerifier::MutexVerificationMode,
  m_shared = true, m_owningThread = 0, m_mutex = 0x600000000024e7d8}
Continuing.

This indicates that there is some thread-unsafe code related to the icon database; it can (and will) cause data corruption and sporadic crashes which are impossible to understand with the debugger.
This is WebKit bug#67582; the problem is already fixed in the upstream:
https://bugs.webkit.org/show_bug.cgi?id=67582

The bug affects all archs, but the trouble is more likely on archs that have a weak cache coherency model, for example, ia64.

The attached patch is a backport of the upstream's fix. You can find a link to the built debs on Debian bug report#642750.

Stephan
thread-safe-icon-db.patch
Description: thread-safe-icon-db.patch
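As an added illustration of what the two failing assertions are checking (this is constructed example code, not WebKit's code and not part of the report or the attached patch): the gdb output shows the SharedBuffer's verifier in MutexVerificationMode with m_shared = true and a non-null m_mutex, which means the object has more than one owner and may only be ref'd or deref'd while that mutex is held. The model below keeps the same field names but replaces WTF's real verifier, its ASSERT (which aborts the debug build) and its try-lock probe with a constructed TrackedMutex that remembers its holder and a counter of unsafe accesses, so the same scenario as in the report (a decoder's RefPtr taking and dropping a reference to the icon database's buffer) can be run with and without the lock held. The names TrackedMutex, GuardedBuffer and unsafeAccessesWhenTouching and the simplified refcount/shared bookkeeping are assumptions of this example.

```cpp
#include <atomic>
#include <cassert>
#include <cstdio>
#include <mutex>
#include <thread>

// Constructed helper (not WTF's Mutex): a mutex that records which thread
// holds it, so a verifier can ask "does the caller hold this lock?" directly.
class TrackedMutex {
public:
    void lock() { m_mutex.lock(); m_owner.store(std::this_thread::get_id()); }
    void unlock() { m_owner.store(std::thread::id()); m_mutex.unlock(); }
    bool heldByCurrentThread() const { return m_owner.load() == std::this_thread::get_id(); }
private:
    std::mutex m_mutex;
    std::atomic<std::thread::id> m_owner{std::thread::id()};
};

// Simplified model of WTF's ThreadRestrictionVerifier (same fields as the
// $3/$4 values printed by gdb). An object with a single owner cannot be raced
// on; once it is shared, access is legal only under the nominated mutex
// (MutexVerificationMode) or on the creating thread (SingleThreadVerificationMode).
class ThreadRestrictionVerifier {
public:
    enum Mode { SingleThreadVerificationMode, MutexVerificationMode };

    ThreadRestrictionVerifier()
        : m_mode(SingleThreadVerificationMode), m_shared(false),
          m_owningThread(std::this_thread::get_id()), m_mutex(nullptr) {}

    void setShared(bool shared) { m_shared = shared; }
    void setMutexMode(TrackedMutex& mutex) { m_mode = MutexVerificationMode; m_mutex = &mutex; }

    bool isSafeToUse() const {
        if (!m_shared)
            return true;
        if (m_mode == MutexVerificationMode)
            return m_mutex->heldByCurrentThread();
        return m_owningThread == std::this_thread::get_id();
    }

private:
    Mode m_mode;
    bool m_shared;
    std::thread::id m_owningThread;
    TrackedMutex* m_mutex;
};

// Simplified model of a RefCounted SharedBuffer. Where WebKit's debug build
// does ASSERT(m_verifier.isSafeToUse()) and aborts, this model records the
// violation so the caller can inspect it.
class GuardedBuffer {
public:
    GuardedBuffer() : m_refCount(1), m_unsafeAccesses(0) {}

    void ref() {
        check();
        ++m_refCount;
        m_verifier.setShared(true);              // more than one owner from now on
    }
    // Returns true when the last reference is dropped (the caller would delete).
    bool deref() {
        check();
        if (m_refCount == 1) { m_refCount = 0; return true; }
        --m_refCount;
        m_verifier.setShared(m_refCount > 1);
        return false;
    }
    void setMutexForVerifier(TrackedMutex& mutex) { m_verifier.setMutexMode(mutex); }
    int refCount() const { return m_refCount; }
    int unsafeAccesses() const { return m_unsafeAccesses; }

private:
    void check() { if (!m_verifier.isSafeToUse()) ++m_unsafeAccesses; }
    int m_refCount;
    int m_unsafeAccesses;
    ThreadRestrictionVerifier m_verifier;
};

// Mirrors the report's scenario: a buffer owned by the icon database is handed
// to an image decoder, whose RefPtr refs it (BMPImageReader::setData) and later
// derefs it (~BMPImageReader). Returns how many of those touches happened
// without the icon-database mutex held.
int unsafeAccessesWhenTouching(bool holdMutex) {
    TrackedMutex iconDatabaseMutex;              // stands in for m_mutex in the gdb output
    GuardedBuffer buffer;                        // one owner: the database
    buffer.ref();                                // second owner: now m_shared = true
    buffer.setMutexForVerifier(iconDatabaseMutex);

    std::unique_lock<TrackedMutex> guard(iconDatabaseMutex, std::defer_lock);
    if (holdMutex)
        guard.lock();                            // the fix: take the lock around the access
    buffer.ref();
    buffer.deref();
    return buffer.unsafeAccesses();
}

int main() {
    std::printf("without mutex held: %d unsafe accesses\n", unsafeAccessesWhenTouching(false));
    std::printf("with mutex held:    %d unsafe accesses\n", unsafeAccessesWhenTouching(true));
    return 0;
}
```

Run without the lock, both the ref() and the deref() are flagged, which is exactly the pair of assertion failures in the report; with the lock held around the access, the verifier is satisfied. The verifier only catches the locking discipline being violated; it is not a substitute for the fix, since on a release build the same unlocked access silently races the refcount and, as the report notes, shows up as corruption or crashes far from the cause.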