Bug#954355: libjavascriptcoregtk-4.0-18: WebKitWebProcess crashes on ppc64el, mprotect fails

Dmitry Shachnev mitya57 at debian.org
Fri Mar 20 17:54:40 GMT 2020


Package: libjavascriptcoregtk-4.0-18
Version: 2.28.0-2
Severity: important

Dear Maintainer,

The attached very simple C program makes WebKitWebProcess crash on ppc64el.

I managed to get a stack trace using the following steps:

(gdb) b g_subprocess_launcher_new
(gdb) r
Thread 1 "test" hit Breakpoint 1 ...
(gdb) set follow-fork-mode child
(gdb) c
Thread 2.1 "WebKitWebProces" received signal SIGABRT, Aborted.

The crash happens in:

#0  0x00007ffff3f16f58 in __libc_signal_restore_set (set=0x7fffffffd838) at ../sysdeps/unix/sysv/linux/internal-signals.h:84
#1  __GI_raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:48
#2  0x00007ffff3ef7e8c in __GI_abort () at abort.c:79
#3  0x00007ffff2066f74 in CRASH_WITH_INFO(...) () at DerivedSources/ForwardingHeaders/wtf/Assertions.h:660
#4  JSC::Config::permanentlyFreeze() () at ../Source/JavaScriptCore/runtime/JSCConfig.cpp:78
#5  0x00007ffff2284510 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType) () at ../Source/JavaScriptCore/runtime/VM.cpp:586
#6  0x00007ffff2285764 in JSC::VM::create(JSC::HeapType) () at ../Source/JavaScriptCore/runtime/VM.cpp:703
#7  0x00007ffff5beced8 in WebCore::commonVMSlow() () at ../Source/WebCore/bindings/js/CommonVM.cpp:55
#8  0x00007ffff635b504 in WebCore::commonVM() () at ../Source/WebCore/bindings/js/CommonVM.h:52

Line 78 of JSCConfig.cpp and the preceding code is:

#elif OS(LINUX)
    result = mprotect(&g_jscConfig, ConfigSizeToProtect, PROT_READ);
#elif OS(WINDOWS)
    // FIXME: Implement equivalent, maybe with VirtualProtect.
    // Also need to fix WebKitTestRunner.
#endif
    RELEASE_ASSERT(!result);

The complete stack trace is also attached.

--
Dmitry Shachnev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.c
Type: text/x-csrc
Size: 758 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-webkit-maintainers/attachments/20200320/9b0c6a88/attachment.c>
-------------- next part --------------
#0  0x00007ffff3f16f58 in __libc_signal_restore_set (set=0x7fffffffd838) at ../sysdeps/unix/sysv/linux/internal-signals.h:84
#1  __GI_raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:48
#2  0x00007ffff3ef7e8c in __GI_abort () at abort.c:79
#3  0x00007ffff2066f74 in CRASH_WITH_INFO(...) () at DerivedSources/ForwardingHeaders/wtf/Assertions.h:660
#4  JSC::Config::permanentlyFreeze() () at ../Source/JavaScriptCore/runtime/JSCConfig.cpp:78
#5  0x00007ffff2284510 in JSC::VM::VM(JSC::VM::VMType, JSC::HeapType) () at ../Source/JavaScriptCore/runtime/VM.cpp:586
#6  0x00007ffff2285764 in JSC::VM::create(JSC::HeapType) () at ../Source/JavaScriptCore/runtime/VM.cpp:703
#7  0x00007ffff5beced8 in WebCore::commonVMSlow() () at ../Source/WebCore/bindings/js/CommonVM.cpp:55
#8  0x00007ffff635b504 in WebCore::commonVM() () at ../Source/WebCore/bindings/js/CommonVM.h:52
#9  WebCore::PageScriptDebugServer::PageScriptDebugServer(WebCore::Page&) () at ../Source/WebCore/inspector/PageScriptDebugServer.cpp:58
#10 0x00007ffff6343c28 in WebCore::InspectorController::InspectorController(WebCore::Page&, WebCore::InspectorClient*) () at ../Source/WebCore/inspector/InspectorController.cpp:105
#11 0x00007ffff661b9f8 in std::make_unique<WebCore::InspectorController, WebCore::Page&, WebCore::InspectorClient*&>(WebCore::Page&, WebCore::InspectorClient*&) ()
    at /usr/include/c++/9/bits/unique_ptr.h:857
#12 WTF::makeUnique<WebCore::InspectorController, WebCore::Page&, WebCore::InspectorClient*&>(WebCore::Page&, WebCore::InspectorClient*&) ()
    at DerivedSources/ForwardingHeaders/wtf/StdLibExtras.h:483
#13 WebCore::Page::Page(WebCore::PageConfiguration&&) () at ../Source/WebCore/page/Page.cpp:279
#14 0x00007ffff513eff4 in std::make_unique<WebCore::Page, WebCore::PageConfiguration>(WebCore::PageConfiguration&&) () at /usr/include/c++/9/bits/unique_ptr.h:857
#15 WTF::makeUnique<WebCore::Page, WebCore::PageConfiguration>(WebCore::PageConfiguration&&) () at DerivedSources/ForwardingHeaders/wtf/StdLibExtras.h:483
#16 WebKit::WebPage::WebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) () at ../Source/WebKit/WebProcess/WebPage/WebPage.cpp:536
#17 0x00007ffff513fdd4 in WebKit::WebPage::create(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) ()
    at ../Source/WebKit/WebProcess/WebPage/WebPage.cpp:379
#18 0x00007ffff4eff688 in WebKit::WebProcess::createWebPage(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&) ()
    at ../Source/WebKit/WebProcess/WebProcess.cpp:685
#19 0x00007ffff49c7568 in IPC::callMemberFunctionImpl<WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>, 0ul, 1ul>(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>&&, std::integer_sequence<unsigned long, 0ul, 1ul>) () at ../Source/WebKit/Platform/IPC/HandleMessage.h:41
#20 IPC::callMemberFunction<WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>, std::integer_sequence<unsigned long, 0ul, 1ul> >(std::tuple<WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters>&&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)) ()
    at ../Source/WebKit/Platform/IPC/HandleMessage.h:47
#21 IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)>(IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WebKit::WebPageCreationParameters&&)) ()
    at ../Source/WebKit/Platform/IPC/HandleMessage.h:120
#22 0x00007ffff49bd764 in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) () at DerivedSources/WebKit/WebProcessMessageReceiver.cpp:291
#23 0x00007ffff4f084dc in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at ../Source/WebKit/WebProcess/WebProcess.cpp:750
#24 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at ../Source/WebKit/WebProcess/WebProcess.cpp:744
#25 0x00007ffff4b7b8a8 in IPC::Connection::dispatchMessage(IPC::Decoder&) () at ../Source/WebKit/Platform/IPC/Connection.cpp:1008
#26 0x00007ffff4b7d5c4 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) () at ../Source/WebKit/Platform/IPC/Connection.cpp:1077
#27 0x00007ffff4b7df54 in IPC::Connection::dispatchOneIncomingMessage() () at ../Source/WebKit/Platform/IPC/Connection.cpp:1146
#28 0x00007ffff4b7e4a4 in operator() () at ../Source/WebKit/Platform/IPC/Connection.cpp:985
#29 call() () at DerivedSources/ForwardingHeaders/wtf/Function.h:52
#30 0x00007ffff2357c98 in WTF::Function<void ()>::operator()() const () at ../Source/WTF/wtf/Function.h:84
#31 WTF::RunLoop::performWork() () at ../Source/WTF/wtf/RunLoop.cpp:124
#32 0x00007ffff23bced8 in operator() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#33 _FUN() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#34 0x00007ffff23bcf60 in operator() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#35 _FUN() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:46
#36 0x00007ffff2d1cab4 in g_main_dispatch (context=0x1000bcc00) at ../../../glib/gmain.c:3309
#37 g_main_context_dispatch (context=0x1000bcc00) at ../../../glib/gmain.c:3974
#38 0x00007ffff2d1cfe8 in g_main_context_iterate (context=0x1000bcc00, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at ../../../glib/gmain.c:4047
#39 0x00007ffff2d1d54c in g_main_loop_run (loop=0x1000e8cc0) at ../../../glib/gmain.c:4241
#40 0x00007ffff23be104 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:96
#41 0x00007ffff5175b94 in WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMainGtk>(int, char**) () at ../Source/WebKit/Shared/AuxiliaryProcessMain.h:68
#42 0x00007ffff5174e88 in WebKit::WebProcessMain(int, char**) () at ../Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:68
#43 0x00000001000007c0 in main() () at ../Source/WebKit/WebProcess/EntryPoint/unix/WebProcessMain.cpp:45
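What permanentlyFreeze() is doing is a hardening step: once the VM is up, the global engine configuration is made read-only with mprotect so that a memory-write primitive cannot flip it, and a failure to freeze is treated as fatal (the RELEASE_ASSERT above). The report does not say why mprotect fails on ppc64el. The program below is an added example, not the reporter's test.c and not WebKit's code: it reproduces the freeze with a hypothetical stand-in struct (field names invented), handles the one precondition mprotect(2) documents, page alignment of the start address, and checks that the freeze is really in effect instead of trusting the return value. It assumes a Linux host; ppc64el kernels commonly run with 64 KiB pages, so a layout that is only 4 or 16 KiB aligned would be misaligned there, but that is a hypothesis the report itself does not confirm.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical stand-in for JSC's g_jscConfig: a few engine-wide knobs that
 * must not be writable once the VM is up, so a memory-write primitive cannot
 * flip them. Field names are invented for this example. */
struct config {
    uint64_t jit_enabled;
    uint64_t gigacage_base;
    uint64_t frozen;
};

/* Allocate the config on its own page with mmap so its address satisfies the
 * alignment mprotect(2) demands, whatever the page size of the port is. */
struct config *alloc_config(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return NULL;
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (struct config *)p;
}

/* Make [addr, addr + len) read-only. Returns 0 on success, otherwise the
 * errno value. JSCConfig.cpp instead RELEASE_ASSERTs on a non-zero mprotect
 * result, which is what produces the SIGABRT in the trace above. */
int freeze_region(void *addr, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return EINVAL;
    /* mprotect requires addr to be a multiple of the page size; len is rounded
     * up to a page boundary by the kernel. A misaligned addr yields EINVAL. */
    if ((uintptr_t)addr % (uintptr_t)page != 0)
        return EINVAL;
    return mprotect(addr, len, PROT_READ) == 0 ? 0 : errno;
}

/* Probe whether a store to *p faults. A SIGSEGV handler jumps back out, so
 * the caller learns whether the freeze is actually in effect. */
static sigjmp_buf probe_env;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Returns 1 if the store faulted (region is read-only), 0 if it went through,
 * -1 if the handler could not be installed. */
int write_faults(volatile uint64_t *p)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return -1;
    int faulted;
    if (sigsetjmp(probe_env, 1) == 0) {
        *p = *p;        /* rewrite the same value; faults iff read-only */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

int main(void)
{
    struct config *cfg = alloc_config();
    if (!cfg)
        return 1;
    cfg->jit_enabled = 1;
    printf("page size %ld, config at %p\n", sysconf(_SC_PAGESIZE), (void *)cfg);
    int bad = freeze_region((char *)cfg + 8, sizeof *cfg);   /* deliberately misaligned */
    printf("freeze misaligned: errno %d (%s)\n", bad, strerror(bad));
    int rc = freeze_region(cfg, sizeof *cfg);
    printf("freeze aligned: %d, write faults now: %d\n", rc, write_faults(&cfg->frozen));
    return 0;
}
```

The misaligned call is the failure mode the report hits, surfaced as an errno instead of an abort; the write probe is the check a practitioner wants after a freeze, because a successful mprotect return on one port says nothing about whether the struct actually sits inside the protected range on another.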