[Webkit-unassigned] [Bug 207853] New: [WPE][GTK] UI process crash in WebKit::IconDatabase::iconIDForIconURL
bugzilla-daemon at webkit.org
Mon Feb 17 12:41:44 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=207853
Bug ID: 207853
Summary: [WPE][GTK] UI process crash in WebKit::IconDatabase::iconIDForIconURL
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebKitGTK
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at gnome.org
CC: bugs-noreply at webkitgtk.org
Hit this random crash with 2.27.90. It looks like we're passing bogus pointers into sqlite (frame #5 binds m_characters = 0x44 with a length of 65174). I'm not sure how that could happen unless the IconDatabase was somehow freed before the callback ran, which shouldn't happen because it seems to be protected where required.
#0 0x00007f4b2d5e9515 in __memmove_avx_unaligned_erms ()
at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:436
#1 0x00007f4b2812f437 in memcpy (__len=65174, __src=0x44, __dest=<optimized out>)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
nAlloc = 65174
nByte = 65174
iLimit = <optimized out>
flags = <optimized out>
#2 0x00007f4b2812f437 in sqlite3VdbeMemSetStr
(pMem=pMem at entry=0x7f4a0001e268, z=z at entry=0x44 <error: Cannot access memory at address 0x44>, n=n at entry=65174, enc=enc at entry=2 '\002', xDel=xDel at entry=0xffffffffffffffff) at ../sqlite3.c:10077
nAlloc = 65174
nByte = 65174
iLimit = <optimized out>
flags = <optimized out>
#3 0x00007f4b2813b192 in bindText
(encoding=<optimized out>, xDel=0xffffffffffffffff, nData=65174, zData=0x44, i=<optimized out>, pStmt=0x7f4a00023818) at ../sqlite3.c:82848
pVar = 0x7f4a0001e268
rc = <optimized out>
p = 0x7f4a00023818
rc = 0
#4 0x00007f4b2813b192 in bindText
(pStmt=0x7f4a00023818, i=<optimized out>, zData=0x44, nData=65174, xDel=0xffffffffffffffff, encoding=<optimized out>) at ../sqlite3.c:17296
p = 0x7f4a00023818
rc = 0
#5 0x00007f4b2b9ea053 in WebCore::SQLiteStatement::bindText(int, WTF::String const&)
(this=0x7f4b226d3048, index=index at entry=1, text=...)
at DerivedSources/ForwardingHeaders/wtf/text/StringImpl.h:281
upconvertedCharacters =
{m_upconvertedCharacters = {<WTF::VectorBuffer<char16_t, 32, WTF::FastMalloc>> = {<WTF::VectorBufferBase<char16_t, WTF::FastMalloc>> = {m_buffer = 0x7f4a13ffe740 u"", m_capacity = 32, m_size = 0}, m_inlineBuffer = {{__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000\265", __align = {<No data fields>}}, {__data = "T\213", __align = {<No data fields>}}, {__data = "\365", <incomplete sequence \320>, __align = {<No data fields>}}, {__data = "\312", <incomplete sequence \303>, __align = {<No data fields>}}, {__data = "80", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "J\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\210\004", __align = {<No data fields>}}, {__data = "\002", __align = {<No data fields>}}, {__data = "J\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "80", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "J\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "m\"", __align = {<No data fields>}}, {__data = "K\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\001", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}, {__data = "\320", <incomplete sequence \347>, __align = {<No data fields>}}, {__data = "\377\023", __align = {<No data fields>}}, {__data = "J\177", __align = {<No data fields>}}, {__data = "\000", __align = {<No data fields>}}}}, <No data fields>}, m_characters = 0x44 <error: Cannot access memory at address 0x44>}
anyCharacter = 0 u'\000'
characters = <optimized out>
#6 0x00007f4b2a500144 in WebKit::IconDatabase::iconIDForIconURL(WTF::String const&, bool&)
(this=0x7f4b226da000, iconURL=..., expired=@0x7f4a13ffe847: false)
at ../Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:309
result = <optimized out>
#7 0x00007f4b2a503118 in WebKit::IconDatabase::<lambda()>::operator() (__closure=0x7f49b58a2388) at ../Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:560
expired = false
canWriteToDatabase = <optimized out>
iconID = {<WTF::constexpr_Optional_base<long>> = {init_ = false, storage_ = {dummy_ = 0 '\000', value_ = 0}}, <No data fields>}
iconData = {<WTF::VectorBuffer<char, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<char, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}
iconURL = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x7f49b5d2f108}}
this = 0x7f4b226da000
completionHandler = {m_function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void, WTF::RefPtr<_cairo_surface, WTF::DumbPtrTraits<_cairo_surface> >&&>> = {get() = 0x7f49b5d0bcf0}}}
timestamp = {m_value = 1581970944.7113521}
allowDatabaseWrite = WebKit::IconDatabase::AllowDatabaseWrite::Yes
pageURL = {static MaxLength = 2147483647, m_impl = {static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >::isRefPtr".>, m_ptr = 0x7f49b5d2e540}}
protectedThis = {static isRef = <error reading variable: Missing ELF symbol "WTF::Ref<WebKit::IconDatabase, WTF::DumbPtrTraits<WebKit::IconDatabase> >::isRef".>, m_ptr = 0x7f4b226da000}
#8 0x00007f4b2a503118 in WTF::Detail::CallableWrapper<WebKit::IconDatabase::loadIconForPageURL(const WTF::String&, WebKit::IconDatabase::AllowDatabaseWrite, WTF::CompletionHandler<void(WTF::RefPtr<_cairo_surface>&&)>&&)::<lambda()>, void>::call(void) (this=0x7f49b58a2380) at DerivedSources/ForwardingHeaders/wtf/Function.h:52
#9 0x00007f4b29734adc in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Function.h:81
function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f49b5d0bd08}}
functionsHandled = 109
functionsToHandle = 118
#10 0x00007f4b29734adc in WTF::RunLoop::performWork() (this=0x7f4b226d8000) at ../Source/WTF/wtf/RunLoop.cpp:124
function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f49b5d0bd08}}
functionsHandled = 109
functionsToHandle = 118
#11 0x00007f4b2978354d in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#12 0x00007f4b2978354d in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#13 0x00007f4b2d886bce in g_main_dispatch (context=0x7f4a00000b60) at ../glib/gmain.c:3309
dispatch = 0x7f4b29783560 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)>
prev_source = 0x0
was_in_call = 0
user_data = 0x7f4b226d8000
callback = 0x7f4b29783540 <WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer)>
cb_funcs = 0x7f4b2d95c280 <g_source_callback_funcs>
cb_data = 0x7f4a00002e30
need_destroy = <optimized out>
source = 0x7f4a00002dc0
current = 0x7f4a00002eb0
i = 0
__func__ = "g_main_dispatch"
#14 0x00007f4b2d886bce in g_main_context_dispatch (context=context at entry=0x7f4a00000b60) at ../glib/gmain.c:3974
#15 0x00007f4b2d886f80 in g_main_context_iterate (context=0x7f4a00000b60, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at ../glib/gmain.c:4047
max_priority = 100
timeout = 0
some_ready = 1
nfds = <optimized out>
allocated_nfds = <optimized out>
fds = 0x7f4a00002e90
#16 0x00007f4b2d887273 in g_main_loop_run (loop=0x7f4a00002da0) at ../glib/gmain.c:4241
__func__ = "g_main_loop_run"
#17 0x00007f4b29783fe0 in WTF::RunLoop::run() () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:96
runLoop = @0x7f4b226d8000: {<WTF::FunctionDispatcher> = {<WTF::ThreadSafeRefCounted<WTF::FunctionDispatcher, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = {<std::__atomic_base<unsigned int>> = {static _S_alignment = 4, _M_i = 2}, static is_always_lock_free = true}}, <No data fields>}, _vptr.FunctionDispatcher = 0x7f4b29a8e240 <vtable for WTF::RunLoop+16>}, m_functionQueueLock = {static isHeldBit = 1 '\001', static hasParkedBit = 2 '\002', m_byte = {value = {<std::__atomic_base<unsigned char>> = {static _S_alignment = 1, _M_i = 0 '\000'}, static is_always_lock_free = true}}}, m_functionQueue = {m_start = 195, m_end = 203, m_buffer = {<WTF::VectorBufferBase<WTF::Function<void()>, WTF::FastMalloc>> = {m_buffer = 0x7f4aa4349000, m_capacity = 214, m_size = 0}, <No data fields>}}, m_mainContext = {m_ptr = 0x7f4a00000b60}, m_mainLoops = {<WTF::VectorBuffer<WTF::GRefPtr<_GMainLoop>, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WTF::GRefPtr<_GMainLoop>, WTF::FastMalloc>> = {m_buffer = 0x7f4b226d7000, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>}, m_source = {m_ptr = 0x7f4a00002dc0}}
mainContext = 0x7f4a00000b60
innermostLoop = 0x7f4a00002da0
nestedMainLoop = <optimized out>
#18 0x00007f4b29736148 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Function.h:81
function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f4b226f7228}}
#19 0x00007f4b29736148 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (newThreadContext=0x7f4b226f0120) at ../Source/WTF/wtf/Threading.cpp:148
function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f4b226f7228}}
#20 0x00007f4b2978544d in WTF::wtfThreadEntryPoint(void*) (context=<optimized out>) at ../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:200
#21 0x00007f4b27bac5e2 in start_thread (arg=<optimized out>) at pthread_create.c:479
ret = <optimized out>
pd = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139956139849472, -260418948970155262, 140723808642638, 140723808642639, 139956139846464, 139956139849472, 213614938648376066, 212937116766204674}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = 0
#22 0x00007f4b2d583413 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95