[Webkit-unassigned] [Bug 148622] New: [SOUP] Invalid read in webkitSoupCookieJarSqliteLoad

bugzilla-daemon at webkit.org
Sun Aug 30 14:50:06 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=148622

            Bug ID: 148622
           Summary: [SOUP] Invalid read in webkitSoupCookieJarSqliteLoad
    Classification: Unclassified
           Product: WebKit
           Version: Other
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com

Part of an investigation into why Epiphany likes to crash during startup...

The network process crashes immediately when run with ASan. The problem is in webkitSoupCookieJarSqliteLoad, calling WebCore::SQLiteStatement::getColumnText. The return value of sqlite3_column_text16 [1] is invalid. I don't know why.

While investigating this I discovered bug #148620, but that is unfortunately NOT the cause of this issue.

I also tried omitting the call to sqlite3_column_bytes16, and switched to the WTF::String constructor that expects a null-terminated UTF-16 string. That also did not help.

[1] https://sqlite.org/c3ref/column_blob.html

==22362==ERROR: AddressSanitizer: unknown-crash on address 0x7f5d63813983 at pc 0x00000048530a bp 0x7ffca75e8b30 sp 0x7ffca75e82e8
WRITE of size 1408 at 0x7f5d63813983 thread T0
    #0 0x485309 in __asan_memcpy (/home/mcatanzaro/jhbuild/install/libexec/webkit2gtk-4.0/WebKitNetworkProcess+0x485309)
    #1 0x7f5d77d0fe79 in WTF::Ref<WTF::StringImpl> WTF::StringImpl::createInternal<unsigned short>(unsigned short const*, unsigned int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/text/StringImpl.cpp:248:5
    #2 0x7f5d77d0231d in WTF::StringImpl::create(unsigned short const*, unsigned int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/text/StringImpl.cpp:254:12
    #3 0x7f5d77d1acdb in WTF::String::String(unsigned short const*) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/text/WTFString.cpp:56:14
    #4 0x7f5d80107884 in WebCore::SQLiteStatement::getColumnText(int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebCore/platform/sql/SQLiteStatement.cpp:349:5
    #5 0x7f5d7ed68311 in webkitSoupCookieJarSqliteLoad(_WebKitSoupCookieJarSqlite*) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/WebProcess/Cookies/soup/WebKitSoupCookieJarSqlite.cpp:110:93
    #6 0x7f5d7ed68014 in webkitSoupCookieJarSqliteNew /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/WebProcess/Cookies/soup/WebKitSoupCookieJarSqlite.cpp:222:5
    #7 0x7f5d7ed6787f in WebKit::WebCookieManager::setCookiePersistentStorage(WTF::String const&, unsigned int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/WebProcess/Cookies/soup/WebCookieManagerSoup.cpp:79:25
    #8 0x7f5d7ee2a58e in void IPC::callMemberFunctionImpl<WebKit::WebCookieManager, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int), std::tuple<WTF::String, unsigned int>, 0ul, 1ul>(WebKit::WebCookieManager*, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int), std::tuple<WTF::String, unsigned int>&&, std::index_sequence<0ul, 1ul>) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/HandleMessage.h:16:5
    #9 0x7f5d7ee2a4e8 in void IPC::callMemberFunction<WebKit::WebCookieManager, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int), std::tuple<WTF::String, unsigned int>, std::make_index_sequence<2ul> >(std::tuple<WTF::String, unsigned int>&&, WebKit::WebCookieManager*, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int)) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/HandleMessage.h:22:5
    #10 0x7f5d7ee2a3ad in void IPC::handleMessage<Messages::WebCookieManager::SetCookiePersistentStorage, WebKit::WebCookieManager, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int)>(IPC::MessageDecoder&, WebKit::WebCookieManager*, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int)) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/HandleMessage.h:92:5
    #11 0x7f5d7ee2975e in WebKit::WebCookieManager::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/DerivedSources/WebKit2/WebCookieManagerMessageReceiver.cpp:74:9
    #12 0x7f5d7ee299ac in non-virtual thunk to WebKit::WebCookieManager::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/DerivedSources/WebKit2/WebCookieManagerMessageReceiver.cpp:81:1
    #13 0x7f5d7e60ace6 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:97:9
    #14 0x7f5d7ebcc110 in WebKit::NetworkProcess::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/NetworkProcess/NetworkProcess.cpp:127:9
    #15 0x7f5d7e5f061c in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:898:5
    #16 0x7f5d7e5e9e18 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:929:9
    #17 0x7f5d7e5f077a in IPC::Connection::dispatchOneMessage() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:960:5
    #18 0x7f5d7e5f0a70 in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:892:9
    #19 0x7f5d7e5f08b0 in std::_Function_handler<void (), IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >)::$_10>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:1871:4
    #20 0x7f5d7e54007b in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:2271:14
    #21 0x7f5d81385c7e in WTF::RunLoop::performWork() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/RunLoop.cpp:121:9
    #22 0x7f5d8138c780 in WTF::RunLoop::wakeUp()::$_0::operator()() const /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/RunLoopGLib.cpp:96:9
    #23 0x7f5d8138c5c0 in std::_Function_handler<void (), WTF::RunLoop::wakeUp()::$_0>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:1871:4
    #24 0x7f5d7e54007b in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:2271:14
    #25 0x7f5d77d31f2e in WTF::GMainLoopSource::voidCallback() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/GMainLoopSource.cpp:365:5
    #26 0x7f5d77d2ff1c in WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/GMainLoopSource.cpp:456:5
    #27 0x7f5d736d9430 in g_idle_dispatch /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:5441
    #28 0x7f5d736d6a78 in g_main_dispatch /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:3154
    #29 0x7f5d736d78bc in g_main_context_dispatch /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:3769
    #30 0x7f5d736d7aa0 in g_main_context_iterate /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:3840
    #31 0x7f5d736d7ec6 in g_main_loop_run /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:4034
    #32 0x7f5d8138b9e8 in WTF::RunLoop::run() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/RunLoopGLib.cpp:67:9
    #33 0x7f5d7ec445a3 in int WebKit::ChildProcessMain<WebKit::NetworkProcess, WebKit::NetworkProcessMain>(int, char**) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61:5
    #34 0x7f5d7ec44478 in NetworkProcessMainUnix /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/NetworkProcess/gtk/NetworkProcessMainGtk.cpp:62:12
    #35 0x4b9f76 in main /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:44:12
    #36 0x7f5d6cfa66ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #37 0x4b9e78 in _start (/home/mcatanzaro/jhbuild/install/libexec/webkit2gtk-4.0/WebKitNetworkProcess+0x4b9e78)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0fec2c6fa6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fec2c6fa730:[03]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==22362==ABORTING
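The report above ends with "wild memory access suspected" and a shadow row whose marked byte is 03, which is the part of an ASan report that is easiest to misread. The following triage helper is an added example, not code from this bug or from WebKit: it parses the header, the access line and the shadow rows, recomputes the shadow address from the faulting address using the default x86-64 mapping (Shadow = (Mem >> 3) + 0x7fff8000, an assumption that the report itself confirms because the computed value lands on the "=>" row), and then counts how many bytes are addressable from the faulting address before poisoned memory begins. The embedded input is cut down from the report in this bug; the function and variable names are the example's own.

```python
import re

# Lines taken from the AddressSanitizer report in this bug, cut down to the
# parts the triage needs (constructed input for this example).
ASAN_REPORT = """\
==22362==ERROR: AddressSanitizer: unknown-crash on address 0x7f5d63813983 at pc 0x00000048530a bp 0x7ffca75e8b30 sp 0x7ffca75e82e8
WRITE of size 1408 at 0x7f5d63813983 thread T0
AddressSanitizer can not describe address in more detail (wild memory access suspected).
Shadow bytes around the buggy address:
  0x0fec2c6fa720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fec2c6fa730:[03]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec2c6fa740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Assumed default x86-64 ASan mapping: Shadow = (Mem >> 3) + 0x7fff8000.
SHADOW_OFFSET_X86_64 = 0x7FFF8000
GRANULE = 8       # one shadow byte describes 8 application bytes
ROW_BYTES = 16    # one printed shadow row holds 16 shadow bytes

HEADER_RE = re.compile(r"AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
ROW_RE = re.compile(r"^(=>)?\s*0x([0-9a-f]+):((?:\s*\[?[0-9a-f]{2}\]?)+)\s*$", re.M)
BYTE_RE = re.compile(r"(\[)?([0-9a-f]{2})\]?")


def shadow_address(addr):
    """Map an application address to the address of its shadow byte."""
    return (addr >> 3) + SHADOW_OFFSET_X86_64


def parse_report(text):
    """Extract the error kind, the access and the printed shadow rows."""
    kind, addr = HEADER_RE.search(text).groups()
    access, size, _ = ACCESS_RE.search(text).groups()
    rows, marked = {}, None
    for m in ROW_RE.finditer(text):
        base = int(m.group(2), 16)
        values = []
        for b in BYTE_RE.finditer(m.group(3)):
            if b.group(1):                  # the [xx] cell is the faulting shadow byte
                marked = base + len(values)
            values.append(int(b.group(2), 16))
        rows[base] = values
    return {"kind": kind, "address": int(addr, 16), "access": access,
            "size": int(size), "shadow_rows": rows, "marked_shadow_address": marked}


def shadow_byte_at(rows, sh):
    """Shadow byte value at shadow address sh, or None if it was not printed."""
    row = rows.get(sh - sh % ROW_BYTES)
    return None if row is None else row[sh % ROW_BYTES]


def addressable_run(rows, addr):
    """Bytes that can be touched from addr before the first poisoned byte."""
    total, off = 0, addr % GRANULE
    sh = shadow_address(addr)
    while True:
        k = shadow_byte_at(rows, sh)
        if k is None:                 # walked past the rows the report printed
            return total
        if k == 0:                    # whole granule addressable, keep walking
            total += GRANULE - off
        elif 1 <= k <= 7:             # only the first k bytes of this granule are valid
            return total + max(0, k - off)
        else:                         # redzone, freed region or other poison value
            return total
        off, sh = 0, sh + 1


def triage(text):
    """Summarise an ASan report: where the access starts relative to poison."""
    r = parse_report(text)
    sh = shadow_address(r["address"])
    run = addressable_run(r["shadow_rows"], r["address"])
    return {
        **r,
        "shadow_address": sh,
        "mapping_consistent": sh == r["marked_shadow_address"],
        "shadow_byte": shadow_byte_at(r["shadow_rows"], sh),
        "granule_offset": r["address"] % GRANULE,
        "addressable_bytes": run,
        "out_of_bounds": r["size"] > run,
    }


if __name__ == "__main__":
    t = triage(ASAN_REPORT)
    print(f"{t['access']} of {t['size']} bytes at {t['address']:#x}: "
          f"shadow {t['shadow_address']:#x} = {t['shadow_byte']:#04x}, "
          f"granule offset {t['granule_offset']}, "
          f"{t['addressable_bytes']} addressable byte(s) before poison, "
          f"out of bounds: {t['out_of_bounds']}")
```

For this report the helper shows why ASan could not classify the crash: the faulting address sits at offset 3 inside a granule whose shadow byte is 03, so exactly the first three bytes of that granule are valid and the 1408-byte memcpy starts on the first unaddressable byte, with no redzone value nearby to tie it to a heap or stack object.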
