[Webkit-unassigned] [Bug 185558] New: [GTK] Javascript on page causes total browser crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 11 12:54:53 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=185558

            Bug ID: 185558
           Summary: [GTK] Javascript on page causes total browser crash
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: beau.adkins at lightpointsecurity.com

If you browse to http://www.rowaytonpta.org/ in WebKitGTK, the Web process will crash after a few seconds. Unfortunately, the stack trace does not show much useful info:

Program received signal SIGSEGV, Segmentation fault.
0xac3ebc20 in ?? ()
(gdb) bt
#0  0xac3ebc20 in ?? ()
#1  0xac5d40e7 in ?? ()
#2  0xac3ca558 in ?? ()
#3  0xac3ed6d8 in ?? ()
#4  0xac5d5a38 in ?? ()
#5  0xac36bcd5 in ?? ()
#6  0xac5d5838 in ?? ()
#7  0xac400606 in ?? ()
#8  0xac20475d in ?? ()
#9  0xac5d395f in ?? ()
#10 0xac3b1e31 in ?? ()
#11 0xac3310c4 in ?? ()
#12 0xb33e8712 in llint_entry ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#13 0xb33e8712 in llint_entry ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#14 0xb33e8712 in llint_entry ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#15 0xb33e8712 in llint_entry ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#16 0xb33e8712 in llint_entry ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#17 0xac37ec88 in ?? ()
#18 0xb33e8712 in llint_entry ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#19 0xac2eb27f in ?? ()
#20 0xac2ec558 in ?? ()
#21 0xac338978 in ?? ()
#22 0xac2e3300 in ?? ()
#23 0xac2f04e5 in ?? ()
#24 0xac338865 in ?? ()
#25 0xac339878 in ?? ()
#26 0xac4751b8 in ?? ()
#27 0xac475720 in ?? ()
#28 0xac238a98 in ?? ()
#29 0xac47b19f in ?? ()
#30 0xb33e3a8d in vmEntryToJavaScript ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#31 0xb3367792 in JSC::JITCode::execute (this=this at entry=0x986e6510, 
    vm=vm at entry=0xa87f4000, protoCallFrame=protoCallFrame at entry=0xbfac37f4)
    at ../../Source/JavaScriptCore/jit/JITCode.cpp:81
#32 0xb331f713 in JSC::Interpreter::executeCall (this=0xae3fc300, 
    callFrame=callFrame at entry=0xa7fdf8d0, function=function at entry=0xa048dfe0, 
    callType=callType at entry=<incomplete type>, callData=..., thisValue=..., 
    args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:941
#33 0xb35104d5 in JSC::call (exec=exec at entry=0xa7fdf8d0, functionObject=..., 
    callType=callType at entry=<incomplete type>, callData=..., thisValue=..., 
    args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:39
#34 0xb3510555 in JSC::call (exec=exec at entry=0xa7fdf8d0, functionObject=..., 
    callType=callType at entry=<incomplete type>, callData=..., thisValue=..., 
    args=..., returnedException=...)
    at ../../Source/JavaScriptCore/runtime/CallData.cpp:46
#35 0xb3510870 in JSC::profiledCall (exec=0xa7fdf8d0, reason=JSC::Other, 
    functionObject=..., callType=<incomplete type>, callData=..., 
    thisValue=..., args=..., returnedException=...)
    at ../../Source/JavaScriptCore/runtime/CallData.cpp:65
#36 0xb5790e6e in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#37 0xb5992ec6 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1u, WTF::CrashOnOverflow, 16u>) () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#38 0xb59931e7 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) ()
   from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#39 0xb59b375e in WebCore::Node::handleLocalEvents(WebCore::Event&) ()
   from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#40 0xb598c2c5 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#41 0xb598d398 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#42 0xb59b71f2 in WebCore::Node::dispatchEvent(WebCore::Event&) [clone .localalias.411] () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#43 0xb5b84b48 in WebCore::HTMLScriptElement::dispatchLoadEvent() ()
   from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#44 0xb59d809f in WebCore::ScriptElement::executeScriptAndDispatchEvent(WebCore::LoadableScript&) () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#45 0xb59d8134 in WebCore::ScriptElement::executePendingScript(WebCore::PendingScript&) () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#46 0xb59dc5d7 in WebCore::ScriptRunner::timerFired() ()
   from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#47 0xb59dca6b in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (WebCore::ScriptRunner::*)()> (WebCore::ScriptRunner*)> >::_M_invoke(std::_Any_data const&) () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#48 0xb512dc55 in WebCore::Timer::fired() ()
   from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#49 0xb5ece8de in WebCore::ThreadTimers::sharedTimerFiredInternal() ()
   from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#50 0xb5ece925 in std::_Function_handler<void (), WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::{lambda()#1}>::_M_invoke(std::_Any_data const&)
    () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#51 0xb5eb04d1 in WebCore::MainThreadSharedTimer::fired() ()
   from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#52 0xb5eb04fe in WTF::RunLoop::Timer<WebCore::MainThreadSharedTimer>::fired()
    () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#53 0xb381015e in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) () from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#54 0xb380fc01 in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#55 0xb02e3a5b in g_main_dispatch ()
    at /home/user/projects/sandbox/trunk/code/server/webkit/webkit-2.16/WebKitBuild/DependenciesGTK/Source/glib-2.44.1/glib/gmain.c:3122
#56 g_main_context_dispatch ()
    at /home/user/projects/sandbox/trunk/code/server/webkit/webkit-2.16/WebKitBuild/DependenciesGTK/Source/glib-2.44.1/glib/gmain.c:3737
#57 0xb02e3e59 in g_main_context_iterate ()
    at /home/user/projects/sandbox/trunk/code/server/webkit/webkit-2.16/WebKitBuild/DependenciesGTK/Source/glib-2.44.1/glib/gmain.c:3808
#58 0xb02e4209 in g_main_loop_run ()
    at /home/user/projects/sandbox/trunk/code/server/webkit/webkit-2.16/WebKitBuild/DependenciesGTK/Source/glib-2.44.1/glib/gmain.c:4002
#59 0xb3810590 in WTF::RunLoop::run() ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#60 0xb550fbc0 in WebProcessMainUnix ()
   from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#61 0x08048a27 in main ()

Note that I am seeing this with WebKitGTK 2.16.6. Since I am still using Debian Jessie, I can't currently try it on a newer release to see if the problem still exists. I did try upgrading LLVM from 3.7.0 to 3.8.1, but it had no effect.
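The gdb output above is the bug's only evidence, so here is a small backtrace parser and triage summary, added as an example rather than taken from the report: it tracks each frame's symbol, shared object and file:line across gdb's continuation lines and reports how many frames gdb could not name. Frames printed as `?? ()` between `llint_entry` and `vmEntryToJavaScript` are typically JIT-emitted code in anonymous executable memory, which is why no library is listed for them. The embedded SAMPLE_BT is a constructed excerpt of the reported trace.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape of the gdb backtrace quoted in the report.
SAMPLE_BT = """\
#0  0xac3ebc20 in ?? ()
#12 0xb33e8712 in llint_entry ()
   from /bin/NX/webkitgtk/libjavascriptcoregtk-4.0.so.18
#31 0xb3367792 in JSC::JITCode::execute (this=this at entry=0x986e6510,
    vm=vm at entry=0xa87f4000, protoCallFrame=protoCallFrame at entry=0xbfac37f4)
    at ../../Source/JavaScriptCore/jit/JITCode.cpp:81
#36 0xb5790e6e in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) () from /bin/NX/webkitgtk/libwebkit2gtk-4.0.so.37
#56 g_main_context_dispatch () at gmain.c:3737
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x([0-9a-f]+) in )?(.+?)\s*\(")
MODULE_RE = re.compile(r"\bfrom (\S+)$")   # "from LIB.so" suffix
SOURCE_RE = re.compile(r"\bat (\S+:\d+)$")  # "at file.cpp:NN" suffix (not "at entry=")

@dataclass
class Frame:
    index: int
    address: int | None  # None when gdb prints no address (e.g. inlined frame)
    symbol: str          # "??" when gdb could not symbolize the frame
    module: str = ""     # shared object reported for the frame, if any
    source: str = ""     # file:line, only when debug info was available

def parse_backtrace(text: str) -> list[Frame]:
    frames: list[Frame] = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := FRAME_RE.match(line):
            addr = int(m.group(2), 16) if m.group(2) else None
            frames.append(Frame(int(m.group(1)), addr, m.group(3)))
        if not frames:
            continue  # text before the first "#0" frame
        # the location suffix may be on the frame line or on a continuation line
        if mod := MODULE_RE.search(line):
            frames[-1].module = mod.group(1)
        elif src := SOURCE_RE.search(line):
            frames[-1].source = src.group(1)
    return frames

def triage(frames: list[Frame]) -> dict:
    first_named = next((f for f in frames if f.symbol != "??"), None)
    return {
        "unsymbolized": sum(f.symbol == "??" for f in frames),
        "crashed_in_unsymbolized_code": bool(frames) and frames[0].symbol == "??",
        "first_named_frame": first_named.symbol if first_named else None,
        "modules": sorted({f.module for f in frames if f.module}),
    }
```

Run `triage(parse_backtrace(open("bt.txt").read()))` on a saved `bt` to see at a glance whether the faulting frame is in named library code or in unnamed (likely JIT) memory.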
