[Webkit-unassigned] [Bug 238594] New: libjavascriptcoregtk segfault/abort
bugzilla-daemon at webkit.org
Wed Mar 30 23:36:10 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=238594
Bug ID: 238594
Summary: libjavascriptcoregtk segfault/abort
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: bmalloc
Assignee: webkit-unassigned at lists.webkit.org
Reporter: hujialun at outlook.sg
CC: ggaren at apple.com
wget fails inside libjavascriptcoregtk each time, presumably within libproxy. The problem can manifest itself in different ways (SIGSEGV, SIGABRT), so it might be something like a race condition. Strangely, only wget suffers from this problem, not other programs using libproxy.
wget 1.21.3, libjavascriptcoregtk-4_0-18 2.36.0-1.1, libproxy1-pacrunner-webkit 0.4.17-3.2
Three separate buggy runs in lldb and one in gdb are attached below.
hujialun at bogon:~> lldb -- wget ss
(lldb) target create "wget"
Current executable set to 'wget' (x86_64).
(lldb) settings set -- target.run-args "ss"
(lldb) r
Process 2543 launched: '/usr/bin/wget' (x86_64)
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
Process 2543 stopped and restarted: thread 1 received signal: SIGCHLD
The futex facility returned an unexpected error code.
Process 2543 stopped
* thread #2, name = 'BMScavenger', stop reason = signal SIGABRT
frame #0: 0x00007ffff789115c libc.so.6`__pthread_kill_implementation + 286
libc.so.6`__pthread_kill_implementation:
-> 0x7ffff789115c <+286>: movl %eax, %ebp
0x7ffff789115e <+288>: negl %ebp
0x7ffff7891160 <+290>: cmpl $0xfffff000, %eax ; imm = 0xFFFFF000
0x7ffff7891165 <+295>: movl $0x0, %eax
(lldb) thread backtrace
* thread #2, name = 'BMScavenger', stop reason = signal SIGABRT
* frame #0: 0x00007ffff789115c libc.so.6`__pthread_kill_implementation + 286
frame #1: 0x00007ffff7841306 libc.so.6`raise + 24
frame #2: 0x00007ffff782a813 libc.so.6`abort + 213
frame #3: 0x00007ffff78841b7 libc.so.6`__libc_message + 665
frame #4: 0x00007ffff788424a libc.so.6`__libc_fatal + 44
frame #5: 0x00007ffff788b89c libc.so.6`__futex_abstimed_wait_common + 110
frame #6: 0x00007ffff788eba2 libc.so.6`pthread_cond_clockwait at GLIBC_2.30 + 468
=====================================================================================
hujialun at bogon:~> lldb -- wget ss
(lldb) target create "wget"
Current executable set to 'wget' (x86_64).
(lldb) settings set -- target.run-args "ss"
(lldb) r
Process 3640 launched: '/usr/bin/wget' (x86_64)
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
Process 3640 stopped and restarted: thread 1 received signal: SIGCHLD
error: libjavascriptcoregtk-4.0.so.18 {0x018f5f0e}: DIE has DW_AT_ranges(DW_FORM_sec_offset 0x7d2c5b) attribute, but range extraction failed (invalid range list offset 0x7d2c5b), please file a bug and attach the file at the start of this error message (this message repeats many times with different addresses)
Process 3640 stopped
* thread #2, name = 'BMScavenger', stop reason = signal SIGSEGV: invalid address (fault address: 0x7ffff57afb10)
frame #0: 0x00007ffff57afb10 libjavascriptcoregtk-4.0.so.18`bmalloc::AllIsoHeaps::AllIsoHeaps(std::scoped_lock<bmalloc::Mutex> const&)
libjavascriptcoregtk-4.0.so.18`bmalloc::AllIsoHeaps::AllIsoHeaps:
-> 0x7ffff57afb10 <+0>: jmpq *0x148313a(%rip) ; _GLOBAL_OFFSET_TABLE_ + 17800
0x7ffff57afb16 <+6>: pushq $0x8ae ; imm = 0x8AE
0x7ffff57afb1b <+11>: jmp 0x140020 ; ___lldb_unnamed_symbol40079
libjavascriptcoregtk-4.0.so.18`___lldb_unnamed_symbol39401:
0x7ffff57afb20 <+0>: jmpq *0x1483132(%rip) ; _GLOBAL_OFFSET_TABLE_ + 17808
(lldb) thread backtrace
* thread #2, name = 'BMScavenger', stop reason = signal SIGSEGV: invalid address (fault address: 0x7ffff57ab7d0)
* frame #0: 0x00007ffff57ab7d0 libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now()
frame #1: 0x00007ffff668f5c3 libjavascriptcoregtk-4.0.so.18`bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*) [inlined] bmalloc::Scavenger::threadRunLoop() at condition_variable:203:27
frame #2: 0x00007ffff668f2d1 libjavascriptcoregtk-4.0.so.18`bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*) at Scavenger.cpp:297:29
frame #3: 0x00007ffff76b1734 libstdc++.so.6`execute_native_thread_routine at thread.cc:82:18
frame #4: 0x00007ffff788f2ba libc.so.6`start_thread + 732
frame #5: 0x00007ffff7919460 libc.so.6`__clone3 + 48
==================================================================================================
hujialun at bogon:~> lldb -- wget ss
(lldb) target create "wget"
Current executable set to 'wget' (x86_64).
(lldb) settings set -- target.run-args "ss"
(lldb) r
Process 4688 launched: '/usr/bin/wget' (x86_64)
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
Process 4688 stopped and restarted: thread 1 received signal: SIGCHLD
error: libjavascriptcoregtk-4.0.so.18 {0x018f5f0e}: DIE has DW_AT_ranges(DW_FORM_sec_offset 0x7d2c5b) attribute, but range extraction failed (invalid range list offset 0x7d2c5b), please file a bug and attach the file at the start of this error message (this message repeats many times with different addresses)
Process 4688 stopped
* thread #2, name = 'BMScavenger', stop reason = signal SIGSEGV: invalid address (fault address: 0x7ffff57ab7d0)
frame #0: 0x00007ffff57ab7d0 libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now()
libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now:
-> 0x7ffff57ab7d0 <+0>: jmpq *0x14852da(%rip) ; _GLOBAL_OFFSET_TABLE_ + 9192
0x7ffff57ab7d6 <+6>: pushq $0x47a ; imm = 0x47A
0x7ffff57ab7db <+11>: jmp 0x140020 ; ___lldb_unnamed_symbol40079
libjavascriptcoregtk-4.0.so.18`WTF::URL::stringWithoutFragmentIdentifier:
0x7ffff57ab7e0 <+0>: jmpq *0x14852d2(%rip) ; _GLOBAL_OFFSET_TABLE_ + 9200
(lldb) thread backtrace
* thread #2, name = 'BMScavenger', stop reason = signal SIGSEGV: invalid address (fault address: 0x7ffff57ab7d0)
* frame #0: 0x00007ffff57ab7d0 libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now()
frame #1: 0x00007ffff668f5c3 libjavascriptcoregtk-4.0.so.18`bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*) [inlined] bmalloc::Scavenger::threadRunLoop() at condition_variable:203:27
frame #2: 0x00007ffff668f2d1 libjavascriptcoregtk-4.0.so.18`bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*) at Scavenger.cpp:297:29
frame #3: 0x00007ffff76b1734 libstdc++.so.6`execute_native_thread_routine at thread.cc:82:18
frame #4: 0x00007ffff788f2ba libc.so.6`start_thread + 732
frame #5: 0x00007ffff7919460 libc.so.6`__clone3 + 48
===================================================================================================
hujialun at bogon:~> gdb --args `which wget` ss
(gdb) r
Starting program: /usr/bin/wget ss
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGINT, Interrupt.
__GI__dl_debug_state () at dl-debug.c:116
116 {
(gdb) c
Continuing.
[Detaching after vfork from child process 6612]
[New Thread 0x7ffff4c36640 (LWP 6640)]
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
Thread 2 "BMScavenger" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff4c36640 (LWP 6640)]
0x00007ffff788e16c in __condvar_dec_grefs (cond=cond at entry=0x7ffff6c49620, g=g at entry=1, private=private at entry=0) at pthread_cond_wait.c:152
152 if (atomic_fetch_add_release (cond->__data.__g_refs + g, -2) == 3)
(gdb) info stack
#0 0x00007ffff788e16c in __condvar_dec_grefs (cond=cond at entry=0x7ffff6c49620, g=g at entry=1, private=private at entry=0) at pthread_cond_wait.c:152
#1 0x00007ffff788ecbb in __pthread_cond_wait_common (abstime=<optimized out>, clockid=1, mutex=0x55555562bb20, cond=0x7ffff6c49620) at pthread_cond_wait.c:510
#2 ___pthread_cond_clockwait64 (abstime=<optimized out>, clockid=1, mutex=0x55555562bb20, cond=0x7ffff6c49620) at pthread_cond_wait.c:682
#3 ___pthread_cond_clockwait64 (cond=0x7ffff6c49620, mutex=0x55555562bb20, clockid=1, abstime=<optimized out>) at pthread_cond_wait.c:670
#4 0x00007ffff668f5be in ()
#5 0x0000000000000000 in ()
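The transcripts above are four single runs read by hand. Because the failure mode changes from run to run (SIGABRT in the futex path once, SIGSEGV in the BMScavenger thread three times), the useful next step is to repeat the run many times under a debugger and tally what each run died with. One detail worth keeping from the lldb output: in every SIGSEGV run the reported fault address is the same as the pc of frame #0 (0x7ffff57ab7d0 and 0x7ffff57afb10, both PLT jump stubs in libjavascriptcoregtk-4.0.so.18), which is an instruction-fetch fault rather than a bad data access; gdb does not print the fault address, so that check has to be done on lldb transcripts. The POSIX shell script below is an added example, not part of the bug report or of WebKit. It assumes gdb is installed, that the command under test is passed on its command line (e.g. `wget ss` as in the report), that gdb and lldb print stop lines in the format seen above, and that signal 10 is SIGUSR1 (true on Linux x86_64; the "Overriding existing handler for signal 10" line shows JSC claiming it), so it is passed through rather than stopping each batch run. The two `classify_*` parsers run offline on a saved transcript; only `run_under_gdb` needs the debugger.

```shell
#!/bin/sh
# Added crash-triage helper (not from the bug report). Assumes gdb is present and
# that the target command, e.g. "wget ss", is given as positional arguments.

# classify_gdb_log FILE -> "<signal> <thread-name>"
# Reports the first fatal signal in a gdb transcript and the name of the thread
# that received it; "exited -" on a normal exit; "unknown -" otherwise.
classify_gdb_log() {
    awk '
        /received signal SIG(SEGV|ABRT|BUS|ILL|FPE)/ {
            # e.g. Thread 2 "BMScavenger" received signal SIGSEGV, Segmentation fault.
            thread = "-"
            if (match($0, /"[^"]*"/)) thread = substr($0, RSTART + 1, RLENGTH - 2)
            sig = $0; sub(/.*received signal /, "", sig); sub(/,.*/, "", sig)
            print sig, thread; found = 1; exit
        }
        /exited normally|exited with code/ { print "exited -"; found = 1; exit }
        END { if (!found) print "unknown -" }
    ' "$1"
}

# classify_lldb_log FILE -> "<signal> <thread-name> <fault-at-pc|fault-elsewhere|->"
# lldb prints the faulting address on the stop line. Comparing it with the pc of
# frame #0 separates an instruction-fetch fault (the code page itself is bad)
# from a data-access fault. Signals without a fault address get "-".
classify_lldb_log() {
    awk '
        function strip0(h) { sub(/^0+/, "", h); return h }
        /stop reason = signal SIG/ && !seen {
            # e.g. * thread #2, name = (quoted name), stop reason = signal SIGSEGV: invalid address (fault address: 0x...)
            seen = 1; thread = "-"; fault = "-"
            if (match($0, /name = [^,]*/)) thread = substr($0, RSTART + 8, RLENGTH - 9)
            sig = $0; sub(/.*signal /, "", sig); sub(/[:,( ].*/, "", sig)
            if (match($0, /fault address: 0x[0-9a-fA-F]+/))
                fault = strip0(substr($0, RSTART + 17, RLENGTH - 17))
            next
        }
        seen && /frame #0: 0x/ {
            pc = $0; sub(/.*frame #0: 0x/, "", pc); sub(/ .*/, "", pc); pc = strip0(pc)
            verdict = (fault == "-") ? "-" : (pc == fault ? "fault-at-pc" : "fault-elsewhere")
            print sig, thread, verdict; found = 1; exit
        }
        END { if (!found) print "unknown - -" }
    ' "$1"
}

# run_under_gdb N LOGDIR CMD [ARGS...]
# Runs CMD N times under gdb in batch mode, one transcript per run, then tallies
# the outcomes. SIGUSR1 (signal 10, which JSC takes over for GC) is passed
# through so gdb does not stop on it during every run.
run_under_gdb() {
    n=$1; logdir=$2; shift 2
    mkdir -p "$logdir"
    i=1
    while [ "$i" -le "$n" ]; do
        gdb -batch -q \
            -ex 'handle SIGUSR1 nostop noprint pass' \
            -ex 'run' \
            -ex 'thread apply all bt' \
            --args "$@" > "$logdir/run-$i.log" 2>&1 || true
        i=$((i + 1))
    done
    for f in "$logdir"/run-*.log; do classify_gdb_log "$f"; done | sort | uniq -c
}

# Usage: sh crash-triage.sh 10 ./triage-logs wget ss
if [ "$#" -ge 3 ]; then
    run_under_gdb "$@"
fi
```

The tally is what turns "it crashes differently each time" into something a maintainer can act on: a count of SIGSEGV versus SIGABRT per thread over a few dozen runs, with the transcripts kept for the backtraces. Feeding the lldb transcripts from this report through `classify_lldb_log` yields `SIGSEGV BMScavenger fault-at-pc` for the three segfaults and `SIGABRT BMScavenger -` for the futex abort.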