[Webkit-unassigned] [Bug 200468] New: Loads of invalid writes using libgepub

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Aug 6 05:57:39 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=200468

            Bug ID: 200468
           Summary: Loads of invalid writes using libgepub
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bugzilla at hadess.net
                CC: bugs-noreply at webkitgtk.org

Created attachment 375620

  --> https://bugs.webkit.org/attachment.cgi?id=375620&action=review

valgrind-log.txt

webkit2gtk3-jsc-2.24.3-1.fc30.x86_64

libgepub uses webkitgtk to display epub files:
https://gitlab.gnome.org/GNOME/libgepub

The test-gepub binary throws loads of invalid writes that look to be caused by webkitgtk rather than libgepub itself, and might be the cause of a crash on exit in gnome-books, which uses libgepub.

A test epub file (it contains only one page) is attached at:
https://gitlab.gnome.org/GNOME/libgepub/issues/7
(it's too big for bugzilla)

For example (the full log is also too big for bugzilla):
==9682== Thread 1:
==9682== Invalid write of size 8
==9682==    at 0x8F7DC1B: ??? (in /usr/lib64/libjavascriptcoregtk-4.0.so.18.13.6)
==9682==    by 0x1FFEFFD6BF: ???
==9682==    by 0x1FFEFFD69F: ???
==9682==    by 0x949EDC1: UnknownInlinedFun (PerThread.h:96)
==9682==    by 0x949EDC1: UnknownInlinedFun (PerThread.h:127)
==9682==    by 0x949EDC1: UnknownInlinedFun (Cache.h:103)
==9682==    by 0x949EDC1: UnknownInlinedFun (bmalloc.h:86)
==9682==    by 0x949EDC1: WTF::fastFree(void*) (FastMalloc.cpp:301)
==9682==    by 0x50EFA9C: webkitWebViewDecidePolicy(_WebKitWebView*, _WebKitPolicyDecision*, WebKitPolicyDecisionType) (WebKitWebView.cpp:469)
==9682==    by 0xB678B27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==9682==    by 0xB678338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==9682==    by 0x9CA5ECF: ??? (in /usr/lib64/libcairo.so.2.11600.0)
==9682==    by 0x9C60F67: ??? (in /usr/lib64/libcairo.so.2.11600.0)
==9682==    by 0x1F6FEFFF: ???
==9682==    by 0x1F6FF08F: ???
==9682==    by 0x949EC41: UnknownInlinedFun (PerThread.h:96)
==9682==    by 0x949EC41: UnknownInlinedFun (PerThread.h:127)
==9682==    by 0x949EC41: UnknownInlinedFun (Cache.h:79)
==9682==    by 0x949EC41: UnknownInlinedFun (bmalloc.h:49)
==9682==    by 0x949EC41: WTF::fastMalloc(unsigned long) (FastMalloc.cpp:279)
==9682==    by 0x94A84A5: WTF::MetaAllocator::allocate(unsigned long, void*) (MetaAllocator.cpp:192)
==9682==    by 0x8ECFFF9: JSC::ExecutableAllocator::allocate(unsigned long, void*, JSC::JITCompilationEffort) (ExecutableAllocator.cpp:495)
==9682==    by 0x87AF8FF: JSC::LinkBuffer::allocate(JSC::MacroAssembler&, void*, JSC::JITCompilationEffort) (LinkBuffer.cpp:326)
==9682==    by 0x87AFA3A: UnknownInlinedFun (string_fortified.h:34)
==9682==    by 0x87AFA3A: performJITMemcpy (ExecutableAllocator.h:122)
==9682==    by 0x87AFA3A: JSC::LinkBuffer::linkCode(JSC::MacroAssembler&, void*, JSC::JITCompilationEffort) (LinkBuffer.cpp:295)
==9682==    by 0x8F7B3C8: UnknownInlinedFun (AssemblerBuffer.h:125)
==9682==    by 0x8F7B3C8: UnknownInlinedFun (AssemblerBuffer.h:172)
==9682==    by 0x8F7B3C8: ~X86InstructionFormatter (X86Assembler.h:4016)
==9682==    by 0x8F7B3C8: ~X86Assembler (X86Assembler.h:101)
==9682==    by 0x8F7B3C8: ~AbstractMacroAssembler (AbstractMacroAssembler.h:77)
==9682==    by 0x8F7B3C8: ~MacroAssemblerX86Common (MacroAssemblerX86Common.h:39)
==9682==    by 0x8F7B3C8: ~MacroAssemblerX86_64 (MacroAssemblerX86_64.h:38)
==9682==    by 0x8F7B3C8: ~MacroAssembler (MacroAssembler.h:96)
==9682==    by 0x8F7B3C8: ~AssemblyHelpers (AssemblyHelpers.h:51)
==9682==    by 0x8F7B3C8: ~CCallHelpers (CCallHelpers.h:50)
==9682==    by 0x8F7B3C8: ~JSInterfaceJIT (JSInterfaceJIT.h:39)
==9682==    by 0x8F7B3C8: JSC::nativeForGenerator(JSC::VM*, JSC::ThunkFunctionType, JSC::CodeSpecializationKind, JSC::ThunkEntryType) (ThunkGenerators.cpp:253)
==9682==    by 0x1F6C63B7: ???
==9682==  Address 0x1ffeffcf98 is on thread 1's stack
==9682==  512 bytes below stack pointer
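Triaging a memcheck log of this size by hand is tedious, so the following added example (not part of the bug report, WebKit or libgepub) parses memcheck output into structured records, skips the unattributed `???` JIT frames to find the first frame with a symbol, and extracts the "bytes below stack pointer" distance that characterises this report. The sample input is a shortened copy of the excerpt above; the regexes assume the standard memcheck line layout.

```python
import re
from dataclasses import dataclass

# Constructed sample: a shortened copy of the memcheck excerpt in the report above.
SAMPLE_LOG = """\
==9682== Thread 1:
==9682== Invalid write of size 8
==9682==    at 0x8F7DC1B: ??? (in /usr/lib64/libjavascriptcoregtk-4.0.so.18.13.6)
==9682==    by 0x1FFEFFD6BF: ???
==9682==    by 0x949EDC1: UnknownInlinedFun (PerThread.h:96)
==9682==    by 0x949EDC1: WTF::fastFree(void*) (FastMalloc.cpp:301)
==9682==    by 0x50EFA9C: webkitWebViewDecidePolicy(_WebKitWebView*, _WebKitPolicyDecision*, WebKitPolicyDecisionType) (WebKitWebView.cpp:469)
==9682==  Address 0x1ffeffcf98 is on thread 1's stack
==9682==  512 bytes below stack pointer
"""

HEADER = re.compile(r"^==\d+== (Invalid (?:read|write)) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) (0x[0-9A-Fa-f]+): (.*?)(?: \((.*)\))?$")
NOTE = re.compile(r"^==\d+==  (Address .*|\d+ bytes .*)$")

@dataclass
class MemcheckError:
    kind: str
    size: int
    frames: list          # (address, symbol, source location or object file)
    address_note: str = ""

def parse_memcheck(text):
    """Group memcheck output into one MemcheckError per 'Invalid read/write' block."""
    errors, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = MemcheckError(m.group(1), int(m.group(2)), [])
            errors.append(cur)
        elif cur is None:
            continue                      # preamble lines before the first error
        elif m := FRAME.match(line):
            cur.frames.append((m.group(1), m.group(2), m.group(3) or ""))
        elif m := NOTE.match(line):
            cur.address_note = (cur.address_note + " " + m.group(1)).strip()
    return errors

def first_symbolic_frame(err):
    """First frame with a real symbol; '???' marks JIT-generated or unsymbolised
    code, which is why the top of this report's stack carries no name."""
    for _addr, sym, loc in err.frames:
        if sym not in ("???", "UnknownInlinedFun"):
            return sym, loc
    return None

def bytes_below_sp(err):
    """Distance below the stack pointer, or None if the access was not on the stack."""
    m = re.search(r"(\d+) bytes below stack pointer", err.address_note)
    return int(m.group(1)) if m else None
```

Run over the full valgrind-log.txt attachment, grouping results by `first_symbolic_frame` shows which WebKit entry points account for the bulk of the reports.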
