[Webkit-unassigned] [Bug 209198] New: WebkitGtk 2.28.0 SIGSEGVing if built with -D_FORTIFY_SOURCES=2
bugzilla-daemon at webkit.org
Tue Mar 17 15:05:36 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=209198
Bug ID: 209198
Summary: WebkitGtk 2.28.0 SIGSEGVing if built with -D_FORTIFY_SOURCES=2
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: rasmus.thomsen at protonmail.com
This happens when starting Epiphany with Webkit 2.28.0 on Alpine Linux. Here's the backtrace:
Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 11 39'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 memcpy () at /usr/include/fortify/string.h:48
48 if ((__d < __s && __d + __n > __s) ||
[Current thread is 1 (LWP 3)]
#0 memcpy () at /usr/include/fortify/string.h:48
#1 WTF::bitwise_cast<unsigned long, JSC::Heap const*>(JSC::Heap const*) () at DerivedSources/ForwardingHeaders/wtf/StdLibExtras.h:143
#2 JSC::Heap::vm() const () at ../Source/JavaScriptCore/heap/HeapInlines.h:43
#3 JSC::tryAllocateCellHelper<JSC::JSString>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) () at ../Source/JavaScriptCore/runtime/JSCellInlines.h:160
#4 JSC::allocateCell<JSC::JSString>(JSC::Heap&, unsigned long) () at ../Source/JavaScriptCore/runtime/JSCellInlines.h:177
#5 JSC::JSString::create(JSC::VM&, WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) () at ../Source/JavaScriptCore/runtime/JSString.h:162
#6 0x00007f822373f170 in JSC::jsString(JSC::VM&, WTF::String const&) () at ../Source/JavaScriptCore/runtime/JSString.h:826
#7 JSC::jsString(JSC::VM&, WTF::String const&) () at ../Source/JavaScriptCore/runtime/JSString.h:816
#8 0x00007f8223e5ed13 in JSC::ErrorInstance::finishCreation(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, bool) () at ../Source/JavaScriptCore/runtime/ErrorInstance.cpp:117
#9 0x00007f8223e61f45 in JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) () at ../Source/JavaScriptCore/runtime/ErrorInstance.h:61
#10 0x00007f8223e5f6b5 in JSC::createRangeError(JSC::JSGlobalObject*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) () at ../Source/JavaScriptCore/runtime/Error.cpp:60
#11 0x00007f8223e625f8 in JSC::createStackOverflowError(JSC::JSGlobalObject*) () at ../Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:72
#12 0x00007f8223e62799 in JSC::throwStackOverflowError(JSC::JSGlobalObject*, JSC::ThrowScope&) () at ../Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:341
#13 0x00007f8223c91086 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:882
#14 0x00007f8223e28679 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () at ../Source/JavaScriptCore/runtime/CallData.cpp:59
#15 0x00007f8223ee4b73 in callToPrimitiveFunction<> () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2146
#16 JSC::JSObject::ordinaryToPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2167
#17 0x00007f8223ee7744 in JSC::JSObject::toPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2206
#18 0x00007f8223e9ca3a in JSC::JSValue::toStringSlowCase(JSC::JSGlobalObject*, bool) const () at ../Source/JavaScriptCore/runtime/JSCJSValue.cpp:401
#19 0x00007f8223e9cc91 in JSC::JSValue::toWTFStringSlowCase(JSC::JSGlobalObject*) const () at ../Source/JavaScriptCore/runtime/JSCJSValue.cpp:425
#20 0x00007f8223c6e1d8 in JSC::JSValue::toWTFString(JSC::JSGlobalObject*) const () at ../Source/JavaScriptCore/runtime/JSString.h:1064
#21 Inspector::JSGlobalObjectInspectorController::reportAPIException(JSC::JSGlobalObject*, JSC::Exception*) () at ../Source/JavaScriptCore/inspector/JSGlobalObjectInspectorController.cpp:192
#22 0x00007f82236ff66b in handleExceptionIfNeeded(JSC::CatchScope&, OpaqueJSContext const*, OpaqueJSValue const**) () at ../Source/JavaScriptCore/API/APIUtils.h:49
#23 0x00007f822373c7a2 in JSObjectCallAsFunction() () at ../Source/JavaScriptCore/API/JSObjectRef.cpp:739
#24 0x00007f82236feaa7 in jsObjectCall () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:875
#25 jsObjectCall () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:865
#26 jscValueCallFunction() () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:910
#27 0x00007f82236fee0e in jsc_value_object_invoke_method() () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:958
#28 0x00007f81ab8fc7d2 in ()
#29 0x0000564ef5e11d20 in ()
#30 0x00007ffc3826ae60 in ()
#31 0x0000000000000000 in ()
It appears without D_FORTIFY_SOURCES it runs into a stack overflow:
#0 JSC::jsString(JSC::VM&, WTF::String const&) () at ../Source/JavaScriptCore/runtime/JSString.h:818
#1 0x00007f0b025009f7 in JSC::ErrorInstance::finishCreation(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, bool) () at ../Source/JavaScriptCore/runtime/ErrorInstance.cpp:117
#2 0x00007f0b02503a1e in JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) () at ../Source/JavaScriptCore/runtime/ErrorInstance.h:61
#3 0x00007f0b025012d6 in JSC::createRangeError(JSC::JSGlobalObject*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) () at ../Source/JavaScriptCore/runtime/Error.cpp:60
#4 0x00007f0b02503fd1 in JSC::createStackOverflowError(JSC::JSGlobalObject*) () at ../Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:72
#5 0x00007f0b02504172 in JSC::throwStackOverflowError(JSC::JSGlobalObject*, JSC::ThrowScope&) () at ../Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:341
#6 0x00007f0b0234a4bc in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:882
#7 0x00007f0b024cec65 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () at ../Source/JavaScriptCore/runtime/CallData.cpp:59
#8 0x00007f0b02570a95 in callToPrimitiveFunction<> () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2146
#9 JSC::JSObject::ordinaryToPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2167
#10 0x00007f0b02572e4d in JSC::JSObject::toPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2206
#11 0x00007f0b0253869b in JSC::JSValue::toStringSlowCase(JSC::JSGlobalObject*, bool) const () at ../Source/JavaScriptCore/runtime/JSCJSValue.cpp:401
#12 0x00007f0b025388d4 in JSC::JSValue::toWTFStringSlowCase(JSC::JSGlobalObject*) const () at ../Source/JavaScriptCore/runtime/JSCJSValue.cpp:425
#13 0x00007f0b02328364 in JSC::JSValue::toWTFString(JSC::JSGlobalObject*) const () at ../Source/JavaScriptCore/runtime/JSString.h:1064
#14 Inspector::JSGlobalObjectInspectorController::reportAPIException(JSC::JSGlobalObject*, JSC::Exception*) () at ../Source/JavaScriptCore/inspector/JSGlobalObjectInspectorController.cpp:192
#15 0x00007f0b01ea86ed in handleExceptionIfNeeded(JSC::CatchScope&, OpaqueJSContext const*, OpaqueJSValue const**) () at ../Source/JavaScriptCore/API/APIUtils.h:49
#16 0x00007f0b01ed4137 in JSObjectCallAsFunction() () at ../Source/JavaScriptCore/API/JSObjectRef.cpp:739
#17 0x00007f0b01ea7b81 in jsObjectCall () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:875
#18 jsObjectCall () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:865
#19 jscValueCallFunction() () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:910
#20 0x00007f0b01ea7ee8 in jsc_value_object_invoke_method() () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:958
#21 0x00007f0a8a0be7d2 in ()
#22 0x000055b7863ad520 in ()
#23 0x00007ffe6f8c8b20 in ()
#24 0x0000000000000000 in ()