Package: libjavascriptcoregtk-4.0-18
Version: 2.28.0-2
Severity: important

Dear Maintainer,

The attached very simple C program makes WebKitWebProcess crash on ppc64el.

I obtained a stack trace of the child process (WebKitWebProcess) with the following gdb steps:

(gdb) b g_subprocess_launcher_new
(gdb) r
Thread 1 "test" hit Breakpoint 1 ...
(gdb) set follow-fork-mode child
(gdb) c
Thread 2.1 "WebKitWebProces" received signal SIGABRT, Aborted.

The crash happens in:

#0  0x00007ffff3f16f58 in __libc_signal_restore_set (set=0x7fffffffd838) at 
../sysdeps/unix/sysv/linux/internal-signals.h:84
#1  __GI_raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:48
#2  0x00007ffff3ef7e8c in __GI_abort () at abort.c:79
#3  0x00007ffff2066f74 in CRASH_WITH_INFO(...) () at 
DerivedSources/ForwardingHeaders/wtf/Assertions.h:660
#4  JSC::Config::permanentlyFreeze() () at 
../Source/JavaScriptCore/runtime/JSCConfig.cpp:78
#5  0x00007ffff2284510 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType) () at 
../Source/JavaScriptCore/runtime/VM.cpp:586
#6  0x00007ffff2285764 in JSC::VM::create(JSC::HeapType) () at 
../Source/JavaScriptCore/runtime/VM.cpp:703
#7  0x00007ffff5beced8 in WebCore::commonVMSlow() () at 
../Source/WebCore/bindings/js/CommonVM.cpp:55
#8  0x00007ffff635b504 in WebCore::commonVM() () at 
../Source/WebCore/bindings/js/CommonVM.h:52

Line 78 of JSCConfig.cpp (the RELEASE_ASSERT) and the code preceding it are:

#elif OS(LINUX)
    result = mprotect(&g_jscConfig, ConfigSizeToProtect, PROT_READ);
#elif OS(WINDOWS)
    // FIXME: Implement equivalent, maybe with VirtualProtect.
    // Also need to fix WebKitTestRunner.
#endif
    RELEASE_ASSERT(!result);

The assertion fires because mprotect() returned non-zero. mprotect() requires a page-aligned address and length, so the most likely explanation is a page-size assumption in how g_jscConfig is sized/aligned (ppc64el kernels commonly run with 64 KiB pages); checking errno at that point would confirm it. The complete stack trace is also attached.

--
Dmitry Shachnev
#include <glib.h>
#include <glib/gprintf.h>
#include <gtk/gtk.h>
#include <webkit2/webkit2.h>

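/*
 * Callback for WebKitWebView::web-process-terminated.
 *
 * Reports why the web process went away and then leaves the GTK main loop
 * so the reproducer exits instead of sitting on a dead web process.
 * The "The process crashed." message is kept verbatim for the crash case;
 * any other reason is printed numerically so that a crash can be told apart
 * from a non-crash termination (the original handler quit silently there).
 *
 * view:      the web view whose process terminated (unused)
 * reason:    WebKitWebProcessTerminationReason supplied by WebKit
 * user_data: unused
 */
void web_process_terminated(G_GNUC_UNUSED WebKitWebView *view,
                            WebKitWebProcessTerminationReason reason,
                            G_GNUC_UNUSED gpointer user_data) {
    if (reason == WEBKIT_WEB_PROCESS_CRASHED) {
        g_printf("The process crashed.\n");
    } else {
        /* Not a crash: still record the reason so the output is never silent. */
        g_printf("The process terminated (reason %d).\n", (int) reason);
    }
    gtk_main_quit();
}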

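/*
 * Minimal reproducer: create a WebKitWebView, load a trivial document (which
 * forces the WebKitWebProcess to start and create its JSC VM) and run the GTK
 * main loop until web_process_terminated() stops it.
 *
 * The view is never added to a window, so it starts out as a floating
 * GInitiallyUnowned reference. g_object_ref_sink() turns that into a real
 * reference owned by main() (a plain g_object_ref() leaves the object
 * floating), and it is released again once the main loop has ended.
 */
int main(int argc, char **argv) {
    gtk_init(&argc, &argv);

    WebKitWebView *view = WEBKIT_WEB_VIEW(webkit_web_view_new());
    g_object_ref_sink(view);
    g_signal_connect(view, "web-process-terminated",
                     G_CALLBACK(web_process_terminated), NULL);

    /* Any load will do: on the affected platform the web process aborts
     * while creating its VM, before the document matters. */
    webkit_web_view_load_html(view, "<html></html>", NULL);

    gtk_main();

    g_object_unref(view);
    return 0;
}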
#0  0x00007ffff3f16f58 in __libc_signal_restore_set (set=0x7fffffffd838) at 
../sysdeps/unix/sysv/linux/internal-signals.h:84
#1  __GI_raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:48
#2  0x00007ffff3ef7e8c in __GI_abort () at abort.c:79
#3  0x00007ffff2066f74 in CRASH_WITH_INFO(...) () at 
DerivedSources/ForwardingHeaders/wtf/Assertions.h:660
#4  JSC::Config::permanentlyFreeze() () at 
../Source/JavaScriptCore/runtime/JSCConfig.cpp:78
#5  0x00007ffff2284510 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType) () at 
../Source/JavaScriptCore/runtime/VM.cpp:586
#6  0x00007ffff2285764 in JSC::VM::create(JSC::HeapType) () at 
../Source/JavaScriptCore/runtime/VM.cpp:703
#7  0x00007ffff5beced8 in WebCore::commonVMSlow() () at 
../Source/WebCore/bindings/js/CommonVM.cpp:55
#8  0x00007ffff635b504 in WebCore::commonVM() () at 
../Source/WebCore/bindings/js/CommonVM.h:52
#9  WebCore::PageScriptDebugServer::PageScriptDebugServer(WebCore::Page&) () at 
../Source/WebCore/inspector/PageScriptDebugServer.cpp:58
#10 0x00007ffff6343c28 in 
WebCore::InspectorController::InspectorController(WebCore::Page&, 
WebCore::InspectorClient*) () at 
../Source/WebCore/inspector/InspectorController.cpp:105
#11 0x00007ffff661b9f8 in std::make_unique<WebCore::InspectorController, 
WebCore::Page&, WebCore::InspectorClient*&>(WebCore::Page&, 
WebCore::InspectorClient*&) ()
    at /usr/include/c++/9/bits/unique_ptr.h:857
#12 WTF::makeUnique<WebCore::InspectorController, WebCore::Page&, 
WebCore::InspectorClient*&>(WebCore::Page&, WebCore::InspectorClient*&) ()
    at DerivedSources/ForwardingHeaders/wtf/StdLibExtras.h:483
#13 WebCore::Page::Page(WebCore::PageConfiguration&&) () at 
../Source/WebCore/page/Page.cpp:279
#14 0x00007ffff513eff4 in std::make_unique<WebCore::Page, 
WebCore::PageConfiguration>(WebCore::PageConfiguration&&) () at 
/usr/include/c++/9/bits/unique_ptr.h:857
#15 WTF::makeUnique<WebCore::Page, 
WebCore::PageConfiguration>(WebCore::PageConfiguration&&) () at 
DerivedSources/ForwardingHeaders/wtf/StdLibExtras.h:483
#16 
WebKit::WebPage::WebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters&&) () at 
../Source/WebKit/WebProcess/WebPage/WebPage.cpp:536
#17 0x00007ffff513fdd4 in 
WebKit::WebPage::create(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters&&) ()
    at ../Source/WebKit/WebProcess/WebPage/WebPage.cpp:379
#18 0x00007ffff4eff688 in 
WebKit::WebProcess::createWebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>,
 WebKit::WebPageCreationParameters&&) ()
    at ../Source/WebKit/WebProcess/WebProcess.cpp:685
#19 0x00007ffff49c7568 in IPC::callMemberFunctionImpl<WebKit::WebProcess, void 
(WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters&&), 
std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters>, 0ul, 1ul>(WebKit::WebProcess*, void 
(WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters&&), 
std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters>&&, std::integer_sequence<unsigned long, 0ul, 
1ul>) () at ../Source/WebKit/Platform/IPC/HandleMessage.h:41
#20 IPC::callMemberFunction<WebKit::WebProcess, void 
(WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters&&), 
std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters>, std::integer_sequence<unsigned long, 0ul, 
1ul> >(std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters>&&, WebKit::WebProcess*, void 
(WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters&&)) ()
    at ../Source/WebKit/Platform/IPC/HandleMessage.h:47
#21 IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, 
void 
(WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters&&)>(IPC::Decoder&, WebKit::WebProcess*, void 
(WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, 
WebKit::WebPageCreationParameters&&)) ()
    at ../Source/WebKit/Platform/IPC/HandleMessage.h:120
#22 0x00007ffff49bd764 in 
WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, 
IPC::Decoder&) () at DerivedSources/WebKit/WebProcessMessageReceiver.cpp:291
#23 0x00007ffff4f084dc in 
WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at 
../Source/WebKit/WebProcess/WebProcess.cpp:750
#24 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () 
at ../Source/WebKit/WebProcess/WebProcess.cpp:744
#25 0x00007ffff4b7b8a8 in IPC::Connection::dispatchMessage(IPC::Decoder&) () at 
../Source/WebKit/Platform/IPC/Connection.cpp:1008
#26 0x00007ffff4b7d5c4 in 
IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, 
std::default_delete<IPC::Decoder> >) () at 
../Source/WebKit/Platform/IPC/Connection.cpp:1077
#27 0x00007ffff4b7df54 in IPC::Connection::dispatchOneIncomingMessage() () at 
../Source/WebKit/Platform/IPC/Connection.cpp:1146
#28 0x00007ffff4b7e4a4 in operator() () at 
../Source/WebKit/Platform/IPC/Connection.cpp:985
#29 call() () at DerivedSources/ForwardingHeaders/wtf/Function.h:52
#30 0x00007ffff2357c98 in WTF::Function<void ()>::operator()() const () at 
../Source/WTF/wtf/Function.h:84
#31 WTF::RunLoop::performWork() () at ../Source/WTF/wtf/RunLoop.cpp:124
#32 0x00007ffff23bced8 in operator() () at 
../Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#33 _FUN() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#34 0x00007ffff23bcf60 in operator() () at 
../Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#35 _FUN() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:46
#36 0x00007ffff2d1cab4 in g_main_dispatch (context=0x1000bcc00) at 
../../../glib/gmain.c:3309
#37 g_main_context_dispatch (context=0x1000bcc00) at ../../../glib/gmain.c:3974
#38 0x00007ffff2d1cfe8 in g_main_context_iterate (context=0x1000bcc00, 
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at 
../../../glib/gmain.c:4047
#39 0x00007ffff2d1d54c in g_main_loop_run (loop=0x1000e8cc0) at 
../../../glib/gmain.c:4241
#40 0x00007ffff23be104 in WTF::RunLoop::run() () at 
../Source/WTF/wtf/glib/RunLoopGLib.cpp:96
#41 0x00007ffff5175b94 in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, 
WebKit::WebProcessMainGtk>(int, char**) () at 
../Source/WebKit/Shared/AuxiliaryProcessMain.h:68
#42 0x00007ffff5174e88 in WebKit::WebProcessMain(int, char**) () at 
../Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:68
#43 0x00000001000007c0 in main() () at 
../Source/WebKit/WebProcess/EntryPoint/unix/WebProcessMain.cpp:45
