[Webkit-unassigned] [Bug 186431] New: [GTK] Crash when calling JSEvaluateScript and a JS exception is thrown
bugzilla-daemon at webkit.org
Fri Jun 8 08:24:45 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=186431
Bug ID: 186431
Summary: [GTK] Crash when calling JSEvaluateScript and a JS exception is thrown
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Keywords: Gtk
Severity: Normal
Priority: P3
Component: WebKit Gtk
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mike at vee.net
CC: bugs-noreply at webkitgtk.org
I'm getting various crashes in Geary when calling JSEvaluateScript from a WebExtension and the JS script being evaluated throws an error, using WebKitGTK 2.20.2.
The JSEvaluateScript call is pretty conventional — a short script that calls a method on a global object loaded via a user content manager. The Vala source is here: https://gitlab.gnome.org/GNOME/geary/blob/master/src/client/web-process/web-process-extension.vala#L139 (see GearyWebExtension.execute_script).
The crash is occurring afterwards, when freeing the JSValueRef passed as the last param (the JS exception) to JSEvaluateScript:
Thread 1 (Thread 0x7ffff7f94280 (LWP 12197)):
#0 0x00007ffff4de9e97 in __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
set = {__val = {0, 93824992947760, 0, 80, 112, 140737301972894, 0, 511101108348, 18374686479671623680, 0, 0, 0, 0, 0, 18446744069414584320, 0}}
pid = <optimised out>
tid = <optimised out>
#1 0x00007ffff4deb801 in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x2, sa_sigaction = 0x2}, sa_mask = {__val = {0 <repeats 14 times>, 140737488340592, 140737488340880}}, sa_flags = -14736, sa_restorer = 0x1000}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007ffff4e34897 in __libc_message (action=action at entry=do_abort, fmt=fmt at entry=0x7ffff4f61b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
ap = {{gp_offset = 24, fp_offset = 32767, overflow_arg_area = 0x7fffffffc7a0, reg_save_area = 0x7fffffffc730}}
fd = <optimised out>
list = <optimised out>
nlist = <optimised out>
cp = <optimised out>
written = <optimised out>
#3 0x00007ffff4e3b90a in malloc_printerr (str=str at entry=0x7ffff4f63870 "double free or corruption (out)") at malloc.c:5350
#4 0x00007ffff4e42e75 in _int_free (have_lock=0, p=0x7fff8d860030, av=0x7ffff5196c40 <main_arena>) at malloc.c:4278
fb = <optimised out>
nextsize = <optimised out>
nextinuse = <optimised out>
prevsize = <optimised out>
fwd = <optimised out>
size = <optimised out>
nextchunk = <optimised out>
bck = <optimised out>
ar_ptr = 0x7ffff5196c40 <main_arena>
p = 0x7fff8d860030
hook = <optimised out>
mem = 0x7fff8d860040
hook = <optimised out>
#5 0x00007ffff4e42e75 in __GI___libc_free (mem=0x7fff8d860040) at malloc.c:3124
ar_ptr = 0x7ffff5196c40 <main_arena>
p = 0x7fff8d860030
hook = <optimised out>
mem = 0x7fff8d860040
hook = <optimised out>
#6 0x00007fff8e581319 in geary_web_extension_execute_script (self=0x555555a10810 [GearyWebExtension], context=0x7fff8d8dc058, script=0x7fff8e586524 "geary.selectionChanged();", line=0, error=0x7fffffffc908) at /home/mjg/Projects/GNOME/geary/src/client/web-process/web-process-extension.vala:144
result = 0x0
js_script = 0x7fffe01fbed0
_tmp0_ = 0x7fffe01fbed0
js_source = 0x7fffe01fbee8
_tmp1_ = 0x7fffe01fbee8
err = 0x7fff8d860040
_inner_error_ = 0x555555a8d170
__func__ = "geary_web_extension_execute_script"
[snip]
I initially thought it was a Vala bindings issue, but now I'm not so sure, since if I pass in null to the exception parameter instead I still get a segfault (though I'm not sure where, since it also scrambles the stack):
Thread 1 (Thread 0x7ffff7f94280 (LWP 676)):
#0 0x00007ffff6a92420 in () at /usr/lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37
#1 0x00007ffff6a99423 in () at /usr/lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37
#2 0x00007ffff6506234 in () at /usr/lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37
#3 0x00007ffff65148b0 in () at /usr/lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37
#4 0x00007ffff1870adb in JSC::JSObject::hasPropertyGeneric(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot::InternalMethodType) const () at /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-4.0.so.18
#5 0x00007ffff17a04d7 in () at /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-4.0.so.18
#6 0x00007ffff1656bf1 in () at /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-4.0.so.18
#7 0x0000085f0108b94c in ()
#8 0x0000000000000000 in ()
^-- that's literally everything that gdb prints out for the thread.
This does not happen when the JS code being evaluated does not raise an exception, which is usually the case.
I'll post a version of that second stack with symbols here ASAP, but downloading the dbgsym packages will currently take a few hours and I need to crash for the night. Let me know if you want to see any of the generated C code for the two different versions of the call.