[Webkit-unassigned] [Bug 241588] New: General Protection Fault in WebKitWebProcess on 32bit CPUs

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 13 23:09:41 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=241588

            Bug ID: 241588
           Summary: General Protection Fault in WebKitWebProcess on 32bit
                    CPUs
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Major
          Priority: P2
         Component: Web Audio
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: karogyoker2+webkit at gmail.com
                CC: cdumez at apple.com

Created attachment 460224

  --> https://bugs.webkit.org/attachment.cgi?id=460224&action=review

backtrace and other

Dear Maintainer,

The problem is reproducible if I try to open this webpage in epiphany-browser:
https://www.microsoft.com/en-us/software-download/windows10ISO

The problem is that GNOME Web displays "Oops! Something went wrong while
displaying this page. Please reload or visit a different page to continue."
Instead it should display the page I want to open.

I'm using the latest Debian Testing i386.
Package: libwebkit2gtk-4.1-0
Version: 2.36.3-1

cat /var/log/kern.log | grep webkit
debian kernel: [ 6021.658455] traps: ffline renderer[26566] general protection
fault ip:b5717218 sp:983a6f50 error:0 in
libwebkit2gtk-4.1.so.0.1.7[b440b000+27af000

I've attached the gdb output and system information.

Based on the stack trace, this is where the segfault happens: https://github.com/WebKit/WebKit/blob/623a598f89fff02777796a87d35942a8dfe5a621/Source/WebCore/platform/audio/DenormalDisabler.h#L59

In the gdb logs it can be seen that mxcsr has the default value 0x1f80. Bit-wise OR-ing this with 0x8040 gives 0x9fc0, as seen in eax. That is 1001 1111 1100 0000 in binary. I'm using zero-based indexing from now on. The 6th bit is 1, and this is a problem because the 6th bit is reserved: setting it to 1 is not allowed and gives a general protection exception[1]. Flag meanings are here[2].

It doesn't cause a GP exception on newer hardware because the 6th bit is not reserved anymore. I've written a little C++ program to test this (at the end of the attached file). Trying to set the 6th bit to 1 on an Athlon XP crashes the program, but on a Haswell it is allowed. Therefore it is not reproducible on QEMU, only on real 32-bit hardware[3].

Why is an ISO download page using the Web Audio API? Most probably for browser fingerprinting purposes. Since a lot of websites do that, all those pages will crash and WebKit is unable to display them on Debian i386. This is a baseline violation on Debian i386, hence the severity is major.

Workarounds:
 - Turn off "Website Data Storage" in Preferences (in GNOME Web).
 - Disable Web Audio API somehow

Possible fix:
Delete "defined(__i386__) || " from lines #39 and #86 in DenormalDisabler.h.
0x8040 is also used here, so this should be fixed as well (not related to the current crash): https://github.com/WebKit/WebKit/blob/623a598f89fff02777796a87d35942a8dfe5a621/Source/ThirdParty/libwebrtc/Source/webrtc/system_wrappers/source/denormal_disabler.cc#L18
Change WEBRTC_ARCH_X86_FAMILY to WEBRTC_ARCH_X86_64.

I was not able to test these fixes because I got an error at the Tools/Scripts/update-webkitgtk-libs step:
Installing from webkit-sdk org.webkit.Platform i686 21.08
Looking for matches...
error: Nothing matches org.webkit.Platform in remote webkit-sdk

The following command returned a non-zero exit status: flatpak install --user --assumeyes webkit-sdk org.webkit.Platform --reinstall 21.08
Output: None
Died at Tools/Scripts/update-webkitgtk-libs line 28.


[1]: https://qcd.phys.cmu.edu/QCDcluster/intel/vtune/reference/vc148.htm
[2]: https://help.totalview.io/previous_releases/2019/html/Reference_Guide/Intelx86MXSCRRegister_2.html
[3]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012548#10
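Added example (not the reporter's code and not WebKit's): a guarded variant of the MXCSR write that DenormalDisabler performs, covering both the analysis of bit 6 above and the proposed fix. It reads MXCSR_MASK from an FXSAVE image and only sets the bits the CPU reports as implemented, so DAZ (bit 6) is skipped where it is reserved while FTZ (bit 15) still takes effect. Function names are hypothetical; the inline assembly compiles on x86/x86-64 with GCC or Clang and degrades to no-ops on other architectures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MXCSR bits named in the report: FTZ (bit 15) and DAZ (bit 6). */
#define MXCSR_FTZ 0x8000u
#define MXCSR_DAZ 0x0040u
/* MXCSR_MASK to assume when FXSAVE stores 0: bit 6 clear, i.e. DAZ not implemented. */
#define MXCSR_MASK_DEFAULT 0xFFBFu

#if defined(__x86_64__) || defined(__i386__)
struct fxsave_area { uint8_t bytes[512]; } __attribute__((aligned(16)));

/* MXCSR_MASK lives at bytes 28..31 of the FXSAVE image; 0 means "use the default". */
static uint32_t read_mxcsr_mask(void) {
    struct fxsave_area area;
    uint32_t mask;
    memset(&area, 0, sizeof area);
    __asm__ volatile("fxsave %0" : "+m"(area));
    memcpy(&mask, area.bytes + 28, sizeof mask);
    return mask;
}
static uint32_t get_mxcsr(void) { uint32_t v; __asm__ volatile("stmxcsr %0" : "=m"(v)); return v; }
static void set_mxcsr(uint32_t v) { __asm__ volatile("ldmxcsr %0" : : "m"(v)); }
#else
static uint32_t read_mxcsr_mask(void) { return 0; }
static uint32_t get_mxcsr(void) { return 0; }
static void set_mxcsr(uint32_t v) { (void)v; }
#endif

/* Keep only the requested bits that this CPU's MXCSR_MASK marks as writable. */
static uint32_t safe_mxcsr_flags(uint32_t wanted, uint32_t raw_mask) {
    uint32_t mask = raw_mask ? raw_mask : MXCSR_MASK_DEFAULT;
    return wanted & mask;
}

/* What DenormalDisabler wants (mxcsr | 0x8040), minus any reserved bit.
 * Returns the MXCSR value now in effect (0 on non-x86 builds). */
static uint32_t disable_denormals_safely(void) {
    uint32_t flags = safe_mxcsr_flags(MXCSR_FTZ | MXCSR_DAZ, read_mxcsr_mask());
    set_mxcsr(get_mxcsr() | flags);
    return get_mxcsr();
}

int main(void) {
    /* Numbers from the report: default mxcsr 0x1f80 ORed with 0x8040 gives 0x9fc0,
     * but with a mask that lacks bit 6 the guarded write yields 0x9f80 instead. */
    printf("mask=0x%04x: wanted 0x8040 -> 0x%04x\n", (unsigned)MXCSR_MASK_DEFAULT,
           (unsigned)safe_mxcsr_flags(0x8040u, 0));
    printf("mxcsr after guarded disable: 0x%04x\n", (unsigned)disable_denormals_safely());
    return 0;
}
```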
