[Webkit-unassigned] [Bug 209198] New: WebkitGtk 2.28.0 SIGSEGVing if built with -D_FORTIFY_SOURCES=2

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 17 15:05:36 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=209198

            Bug ID: 209198
           Summary: WebkitGtk 2.28.0 SIGSEGVing if built with
                    -D_FORTIFY_SOURCES=2
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rasmus.thomsen at protonmail.com

This happens when starting Epiphany with Webkit 2.28.0 on Alpine Linux. Here's the backtrace:

Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 11 39'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  memcpy () at /usr/include/fortify/string.h:48
48              if ((__d < __s && __d + __n > __s) ||
[Current thread is 1 (LWP 3)]
#0  memcpy () at /usr/include/fortify/string.h:48
#1  WTF::bitwise_cast<unsigned long, JSC::Heap const*>(JSC::Heap const*) () at DerivedSources/ForwardingHeaders/wtf/StdLibExtras.h:143
#2  JSC::Heap::vm() const () at ../Source/JavaScriptCore/heap/HeapInlines.h:43
#3  JSC::tryAllocateCellHelper<JSC::JSString>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) () at ../Source/JavaScriptCore/runtime/JSCellInlines.h:160
#4  JSC::allocateCell<JSC::JSString>(JSC::Heap&, unsigned long) () at ../Source/JavaScriptCore/runtime/JSCellInlines.h:177
#5  JSC::JSString::create(JSC::VM&, WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) () at ../Source/JavaScriptCore/runtime/JSString.h:162
#6  0x00007f822373f170 in JSC::jsString(JSC::VM&, WTF::String const&) () at ../Source/JavaScriptCore/runtime/JSString.h:826
#7  JSC::jsString(JSC::VM&, WTF::String const&) () at ../Source/JavaScriptCore/runtime/JSString.h:816
#8  0x00007f8223e5ed13 in JSC::ErrorInstance::finishCreation(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, bool) () at ../Source/JavaScriptCore/runtime/ErrorInstance.cpp:117
#9  0x00007f8223e61f45 in JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) () at ../Source/JavaScriptCore/runtime/ErrorInstance.h:61
#10 0x00007f8223e5f6b5 in JSC::createRangeError(JSC::JSGlobalObject*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) () at ../Source/JavaScriptCore/runtime/Error.cpp:60
#11 0x00007f8223e625f8 in JSC::createStackOverflowError(JSC::JSGlobalObject*) () at ../Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:72
#12 0x00007f8223e62799 in JSC::throwStackOverflowError(JSC::JSGlobalObject*, JSC::ThrowScope&) () at ../Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:341
#13 0x00007f8223c91086 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:882
#14 0x00007f8223e28679 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () at ../Source/JavaScriptCore/runtime/CallData.cpp:59
#15 0x00007f8223ee4b73 in callToPrimitiveFunction<> () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2146
#16 JSC::JSObject::ordinaryToPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2167
#17 0x00007f8223ee7744 in JSC::JSObject::toPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2206
#18 0x00007f8223e9ca3a in JSC::JSValue::toStringSlowCase(JSC::JSGlobalObject*, bool) const () at ../Source/JavaScriptCore/runtime/JSCJSValue.cpp:401
#19 0x00007f8223e9cc91 in JSC::JSValue::toWTFStringSlowCase(JSC::JSGlobalObject*) const () at ../Source/JavaScriptCore/runtime/JSCJSValue.cpp:425
#20 0x00007f8223c6e1d8 in JSC::JSValue::toWTFString(JSC::JSGlobalObject*) const () at ../Source/JavaScriptCore/runtime/JSString.h:1064
#21 Inspector::JSGlobalObjectInspectorController::reportAPIException(JSC::JSGlobalObject*, JSC::Exception*) () at ../Source/JavaScriptCore/inspector/JSGlobalObjectInspectorController.cpp:192
#22 0x00007f82236ff66b in handleExceptionIfNeeded(JSC::CatchScope&, OpaqueJSContext const*, OpaqueJSValue const**) () at ../Source/JavaScriptCore/API/APIUtils.h:49
#23 0x00007f822373c7a2 in JSObjectCallAsFunction() () at ../Source/JavaScriptCore/API/JSObjectRef.cpp:739
#24 0x00007f82236feaa7 in jsObjectCall () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:875
#25 jsObjectCall () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:865
#26 jscValueCallFunction() () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:910
#27 0x00007f82236fee0e in jsc_value_object_invoke_method() () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:958
#28 0x00007f81ab8fc7d2 in  ()
#29 0x0000564ef5e11d20 in  ()
#30 0x00007ffc3826ae60 in  ()
#31 0x0000000000000000 in  ()

It appears that without D_FORTIFY_SOURCES it runs into a stack overflow:

#0  JSC::jsString(JSC::VM&, WTF::String const&) () at ../Source/JavaScriptCore/runtime/JSString.h:818
#1  0x00007f0b025009f7 in JSC::ErrorInstance::finishCreation(JSC::JSGlobalObject*, JSC::VM&, WTF::String const&, bool) () at ../Source/JavaScriptCore/runtime/ErrorInstance.cpp:117
#2  0x00007f0b02503a1e in JSC::ErrorInstance::create(JSC::JSGlobalObject*, JSC::VM&, JSC::Structure*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool) () at ../Source/JavaScriptCore/runtime/ErrorInstance.h:61
#3  0x00007f0b025012d6 in JSC::createRangeError(JSC::JSGlobalObject*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)) () at ../Source/JavaScriptCore/runtime/Error.cpp:60
#4  0x00007f0b02503fd1 in JSC::createStackOverflowError(JSC::JSGlobalObject*) () at ../Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:72
#5  0x00007f0b02504172 in JSC::throwStackOverflowError(JSC::JSGlobalObject*, JSC::ThrowScope&) () at ../Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:341
#6  0x00007f0b0234a4bc in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:882
#7  0x00007f0b024cec65 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () at ../Source/JavaScriptCore/runtime/CallData.cpp:59
#8  0x00007f0b02570a95 in callToPrimitiveFunction<> () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2146
#9  JSC::JSObject::ordinaryToPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2167
#10 0x00007f0b02572e4d in JSC::JSObject::toPrimitive(JSC::JSGlobalObject*, JSC::PreferredPrimitiveType) const () at ../Source/JavaScriptCore/runtime/JSObject.cpp:2206
#11 0x00007f0b0253869b in JSC::JSValue::toStringSlowCase(JSC::JSGlobalObject*, bool) const () at ../Source/JavaScriptCore/runtime/JSCJSValue.cpp:401
#12 0x00007f0b025388d4 in JSC::JSValue::toWTFStringSlowCase(JSC::JSGlobalObject*) const () at ../Source/JavaScriptCore/runtime/JSCJSValue.cpp:425
#13 0x00007f0b02328364 in JSC::JSValue::toWTFString(JSC::JSGlobalObject*) const () at ../Source/JavaScriptCore/runtime/JSString.h:1064
#14 Inspector::JSGlobalObjectInspectorController::reportAPIException(JSC::JSGlobalObject*, JSC::Exception*) () at ../Source/JavaScriptCore/inspector/JSGlobalObjectInspectorController.cpp:192
#15 0x00007f0b01ea86ed in handleExceptionIfNeeded(JSC::CatchScope&, OpaqueJSContext const*, OpaqueJSValue const**) () at ../Source/JavaScriptCore/API/APIUtils.h:49
#16 0x00007f0b01ed4137 in JSObjectCallAsFunction() () at ../Source/JavaScriptCore/API/JSObjectRef.cpp:739
#17 0x00007f0b01ea7b81 in jsObjectCall () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:875
#18 jsObjectCall () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:865
#19 jscValueCallFunction() () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:910
#20 0x00007f0b01ea7ee8 in jsc_value_object_invoke_method() () at ../Source/JavaScriptCore/API/glib/JSCValue.cpp:958
#21 0x00007f0a8a0be7d2 in  ()
#22 0x000055b7863ad520 in  ()
#23 0x00007ffe6f8c8b20 in  ()
#24 0x0000000000000000 in  ()

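Added example, not code from the report, from WebKit, or from the fortify-headers package: a C model of the fortified memcpy that frame #0 of the first backtrace is sitting in. The condition gdb prints for /usr/include/fortify/string.h:48 is the first half of an overlap test between destination and source, so the wrapper below reproduces that test (plus the object-size test such wrappers run ahead of it) and pushes a WTF::bitwise_cast-style pointer-to-integer copy through it, which is what JSC::Heap::vm() is doing at frames #1-#2. The names fortified_memcpy, FORTIFIED_MEMCPY and pointer_to_word are this example's own; the real header is assumed to follow the fortify-headers convention of calling __builtin_trap() on a failed check, where this model only increments a counter, and anything about the real header beyond the one quoted line is an assumption rather than something the page shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for __builtin_trap(): the real fortify wrapper kills the process
 * (a trap raises SIGILL on x86); this model just counts so the checks can be
 * observed and asserted on. */
static int fortify_violations;

/* Model of a fortify-headers style memcpy (assumed shape, not the real header).
 * d_size/s_size play the role of __builtin_object_size(d, 0) and
 * __builtin_object_size(s, 0); (size_t)-1 means "unknown" and disables the
 * size test. Pointers are compared as integers here; the quoted string.h:48
 * line compares them directly, which is the same test. */
static void *fortified_memcpy(void *d, const void *s, size_t n,
                              size_t d_size, size_t s_size)
{
    uintptr_t dc = (uintptr_t)d;
    uintptr_t sc = (uintptr_t)s;

    if (n > d_size || n > s_size) {          /* copy larger than either object */
        fortify_violations++;
        return d;
    }
    if ((dc < sc && dc + n > sc) ||          /* the condition at string.h:48 */
        (sc < dc && sc + n > dc)) {          /* and its mirror image */
        fortify_violations++;
        return d;
    }
    return memcpy(d, s, n);
}

/* Call-site macro so the compiler supplies the object sizes, as an inline
 * fortify wrapper does via __builtin_object_size. */
#define FORTIFIED_MEMCPY(d, s, n) \
    fortified_memcpy((d), (s), (n), \
                     __builtin_object_size((d), 0), __builtin_object_size((s), 0))

/* Equivalent of WTF::bitwise_cast<unsigned long, const JSC::Heap*>(p) in
 * frame #1: copy the object representation of a pointer into an integer. */
static uintptr_t pointer_to_word(const void *p)
{
    uintptr_t word;
    FORTIFIED_MEMCPY(&word, &p, sizeof word);  /* two distinct stack objects */
    return word;
}

/* A bitwise_cast cannot trip the overlap test: source and destination are
 * different objects, so neither range reaches into the other. */
static int bitwise_cast_passes(void)
{
    int marker;
    int before = fortify_violations;
    uintptr_t w = pointer_to_word(&marker);
    return fortify_violations == before && w == (uintptr_t)&marker;
}

/* What the string.h:48 condition exists for: a copy whose ranges overlap
 * (here s < d && s + n > d), which memcpy is not allowed to be given. */
static int overlapping_copy_trips_check(void)
{
    char buf[16] = "0123456789abcde";       /* constructed sample buffer */
    int before = fortify_violations;
    FORTIFIED_MEMCPY(buf + 1, buf, 8);
    return fortify_violations == before + 1;
}

/* The size test that runs before the overlap test. Sizes are passed by hand
 * so the outcome does not depend on how much __builtin_object_size can fold
 * at a given optimisation level. */
static int oversized_copy_trips_check(void)
{
    char small[4];
    char big[8] = {0};
    int before = fortify_violations;
    fortified_memcpy(small, big, sizeof big, sizeof small, sizeof big);
    return fortify_violations == before + 1;
}

int main(void)
{
    printf("bitwise_cast passes the checks: %d\n", bitwise_cast_passes());
    printf("overlapping copy is caught:     %d\n", overlapping_copy_trips_check());
    printf("oversized copy is caught:       %d\n", oversized_copy_trips_check());
    return 0;
}
```

Two things follow from running it. The copy at frame #1 is between two distinct stack objects, so the overlap test at string.h:48 cannot fail for it, and a fortify check that does fail traps rather than faults (SIGILL, not SIGSEGV, on x86, assuming the header uses __builtin_trap()). A SIGSEGV attributed to that line is therefore more consistent with the stack being exhausted as the wrapper's frame is set up than with the check itself firing. That reading fits the rest of both backtraces: frames #11-#12 show JSC has already detected a stack overflow and is allocating the RangeError for it (frames #3-#8), and the unfortified build dies a few frames later in the same call chain, as the reporter observed.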