[Webkit-unassigned] [Bug 210579] New: Infinite loop while closing tab (infinite loop in HashTable::inlineLookup)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 15 16:26:05 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=210579

            Bug ID: 210579
           Summary: Infinite loop while closing tab (infinite loop in
                    HashTable::inlineLookup)
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: benjamin at sipsolutions.net
                CC: bugs-noreply at webkitgtk.org

Created attachment 396588

  --> https://bugs.webkit.org/attachment.cgi?id=396588&action=review

bt + stepping showing where it returns to the top of the while (1) loop

I triggered this lockup by trying to close a youtube tab that was playing a video.

The lookup infinite loops, it seems this is because in my case:

  i == 64
  k == 0x7bc24d15
  sizeMask = 0x48

and "i = (i + k) & sizeMask" cannot change i …

Really, looks like a memory corruption. I have a full coredump locally (3.1 GiB), in case one may be able to fish out more information. Full backtrace and some stepping around attached.

This is with webkit2gtk3-2.28.0-7.fc31.x86_64

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200415/92716fd9/attachment.htm>

More information about the webkit-unassigned mailing list