[Webkit-unassigned] [Bug 238594] New: libjavascriptcoregtk segfault/abort

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 30 23:36:10 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=238594

            Bug ID: 238594
           Summary: libjavascriptcoregtk segfault/abort
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: bmalloc
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: hujialun at outlook.sg
                CC: ggaren at apple.com

wget fails inside libjavascriptcoregtk each time, presumably within libproxy. The problem can manifest itself in different ways (SIGSEGV, SIGABRT) so it might be something like a race condition. Strangely, only wget is suffering from this problem but not other programs using libproxy.

wget 1.21.3, libjavascriptcoregtk-4_0-18 2.36.0-1.1, libproxy1-pacrunner-webkit 0.4.17-3.2

Three separate buggy runs in lldb and one in gdb are attached below.

hujialun at bogon:~> lldb -- wget ss
(lldb) target create "wget"
Current executable set to 'wget' (x86_64).
(lldb) settings set -- target.run-args  "ss"
(lldb) r
Process 2543 launched: '/usr/bin/wget' (x86_64)
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
Process 2543 stopped and restarted: thread 1 received signal: SIGCHLD
The futex facility returned an unexpected error code.
Process 2543 stopped
* thread #2, name = 'BMScavenger', stop reason = signal SIGABRT
    frame #0: 0x00007ffff789115c libc.so.6`__pthread_kill_implementation + 286
libc.so.6`__pthread_kill_implementation:
->  0x7ffff789115c <+286>: movl   %eax, %ebp
    0x7ffff789115e <+288>: negl   %ebp
    0x7ffff7891160 <+290>: cmpl   $0xfffff000, %eax         ; imm = 0xFFFFF000 
    0x7ffff7891165 <+295>: movl   $0x0, %eax
(lldb) thread backtrace
* thread #2, name = 'BMScavenger', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff789115c libc.so.6`__pthread_kill_implementation + 286
    frame #1: 0x00007ffff7841306 libc.so.6`raise + 24
    frame #2: 0x00007ffff782a813 libc.so.6`abort + 213
    frame #3: 0x00007ffff78841b7 libc.so.6`__libc_message + 665
    frame #4: 0x00007ffff788424a libc.so.6`__libc_fatal + 44
    frame #5: 0x00007ffff788b89c libc.so.6`__futex_abstimed_wait_common + 110
    frame #6: 0x00007ffff788eba2 libc.so.6`pthread_cond_clockwait at GLIBC_2.30 + 468

=====================================================================================

hujialun at bogon:~> lldb -- wget ss
(lldb) target create "wget"
Current executable set to 'wget' (x86_64).
(lldb) settings set -- target.run-args  "ss"
(lldb) r
Process 3640 launched: '/usr/bin/wget' (x86_64)
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
Process 3640 stopped and restarted: thread 1 received signal: SIGCHLD
error: libjavascriptcoregtk-4.0.so.18 {0x018f5f0e}: DIE has DW_AT_ranges(DW_FORM_sec_offset 0x7d2c5b) attribute, but range extraction failed (invalid range list offset 0x7d2c5b), please file a bug and attach the file at the start of this error message (this message repeats many times with different addresses)
Process 3640 stopped
* thread #2, name = 'BMScavenger', stop reason = signal SIGSEGV: invalid address (fault address: 0x7ffff57afb10)
    frame #0: 0x00007ffff57afb10 libjavascriptcoregtk-4.0.so.18`bmalloc::AllIsoHeaps::AllIsoHeaps(std::scoped_lock<bmalloc::Mutex> const&)
libjavascriptcoregtk-4.0.so.18`bmalloc::AllIsoHeaps::AllIsoHeaps:
->  0x7ffff57afb10 <+0>:  jmpq   *0x148313a(%rip)          ; _GLOBAL_OFFSET_TABLE_ + 17800
    0x7ffff57afb16 <+6>:  pushq  $0x8ae                    ; imm = 0x8AE 
    0x7ffff57afb1b <+11>: jmp    0x140020                  ; ___lldb_unnamed_symbol40079

libjavascriptcoregtk-4.0.so.18`___lldb_unnamed_symbol39401:
    0x7ffff57afb20 <+0>:  jmpq   *0x1483132(%rip)          ; _GLOBAL_OFFSET_TABLE_ + 17808
(lldb) thread backtrace
* thread #2, name = 'BMScavenger', stop reason = signal SIGSEGV: invalid address (fault address: 0x7ffff57ab7d0)
  * frame #0: 0x00007ffff57ab7d0 libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now()
    frame #1: 0x00007ffff668f5c3 libjavascriptcoregtk-4.0.so.18`bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*) [inlined] bmalloc::Scavenger::threadRunLoop() at condition_variable:203:27
    frame #2: 0x00007ffff668f2d1 libjavascriptcoregtk-4.0.so.18`bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*) at Scavenger.cpp:297:29
    frame #3: 0x00007ffff76b1734 libstdc++.so.6`execute_native_thread_routine at thread.cc:82:18
    frame #4: 0x00007ffff788f2ba libc.so.6`start_thread + 732
    frame #5: 0x00007ffff7919460 libc.so.6`__clone3 + 48

==================================================================================================

hujialun at bogon:~> lldb -- wget ss
(lldb) target create "wget"
Current executable set to 'wget' (x86_64).
(lldb) settings set -- target.run-args  "ss"
(lldb) r
Process 4688 launched: '/usr/bin/wget' (x86_64)
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
Process 4688 stopped and restarted: thread 1 received signal: SIGCHLD
error: libjavascriptcoregtk-4.0.so.18 {0x018f5f0e}: DIE has DW_AT_ranges(DW_FORM_sec_offset 0x7d2c5b) attribute, but range extraction failed (invalid range list offset 0x7d2c5b), please file a bug and attach the file at the start of this error message  (this message repeats many times with different addresses)
Process 4688 stopped
* thread #2, name = 'BMScavenger', stop reason = signal SIGSEGV: invalid address (fault address: 0x7ffff57ab7d0)
    frame #0: 0x00007ffff57ab7d0 libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now()
libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now:
->  0x7ffff57ab7d0 <+0>:  jmpq   *0x14852da(%rip)          ; _GLOBAL_OFFSET_TABLE_ + 9192
    0x7ffff57ab7d6 <+6>:  pushq  $0x47a                    ; imm = 0x47A 
    0x7ffff57ab7db <+11>: jmp    0x140020                  ; ___lldb_unnamed_symbol40079

libjavascriptcoregtk-4.0.so.18`WTF::URL::stringWithoutFragmentIdentifier:
    0x7ffff57ab7e0 <+0>:  jmpq   *0x14852d2(%rip)          ; _GLOBAL_OFFSET_TABLE_ + 9200
(lldb) thread backtrace
* thread #2, name = 'BMScavenger', stop reason = signal SIGSEGV: invalid address (fault address: 0x7ffff57ab7d0)
  * frame #0: 0x00007ffff57ab7d0 libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now()
    frame #1: 0x00007ffff668f5c3 libjavascriptcoregtk-4.0.so.18`bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*) [inlined] bmalloc::Scavenger::threadRunLoop() at condition_variable:203:27
    frame #2: 0x00007ffff668f2d1 libjavascriptcoregtk-4.0.so.18`bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*) at Scavenger.cpp:297:29
    frame #3: 0x00007ffff76b1734 libstdc++.so.6`execute_native_thread_routine at thread.cc:82:18
    frame #4: 0x00007ffff788f2ba libc.so.6`start_thread + 732
    frame #5: 0x00007ffff7919460 libc.so.6`__clone3 + 48

===================================================================================================

hujialun at bogon:~> gdb --args `which wget` ss
(gdb) r
Starting program: /usr/bin/wget ss
debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGINT, Interrupt.
__GI__dl_debug_state () at dl-debug.c:116
116     {
(gdb) c
Continuing.
[Detaching after vfork from child process 6612]
[New Thread 0x7ffff4c36640 (LWP 6640)]
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal

Thread 2 "BMScavenger" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff4c36640 (LWP 6640)]
0x00007ffff788e16c in __condvar_dec_grefs (cond=cond at entry=0x7ffff6c49620, g=g at entry=1, private=private at entry=0) at pthread_cond_wait.c:152
152       if (atomic_fetch_add_release (cond->__data.__g_refs + g, -2) == 3)
(gdb) info stack
#0  0x00007ffff788e16c in __condvar_dec_grefs (cond=cond at entry=0x7ffff6c49620, g=g at entry=1, private=private at entry=0) at pthread_cond_wait.c:152
#1  0x00007ffff788ecbb in __pthread_cond_wait_common (abstime=<optimized out>, clockid=1, mutex=0x55555562bb20, cond=0x7ffff6c49620) at pthread_cond_wait.c:510
#2  ___pthread_cond_clockwait64 (abstime=<optimized out>, clockid=1, mutex=0x55555562bb20, cond=0x7ffff6c49620) at pthread_cond_wait.c:682
#3  ___pthread_cond_clockwait64 (cond=0x7ffff6c49620, mutex=0x55555562bb20, clockid=1, abstime=<optimized out>) at pthread_cond_wait.c:670
#4  0x00007ffff668f5be in  ()
#5  0x0000000000000000 in  ()

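As an added triage example (not part of this bug report, and not WebKit or wget code): a small Python script that parses lldb and gdb transcripts of the shape pasted in the report, extracts the crashing thread, signal, fault address and stack frames, and classifies the fault. The sample transcripts embedded in it are constructed, abbreviated copies of the runs above. One thing it surfaces mechanically from the second and third lldb runs: the reported fault address equals the program counter, and the instruction at that address is a PLT stub (an indirect jump through the GOT) inside libjavascriptcoregtk, so the fault is on instruction fetch from a code page that is not mapped, not on a data access. That distinction is the first thing a triager wants to know before deciding whether to look at heap state or at what happened to the library mapping while the BMScavenger thread was still running.

```python
"""Crash-transcript triage for lldb and gdb output (added example, not WebKit code).

Parses the crashing thread, signal, fault address and frames from a pasted
debugger session and classifies the fault. The sample transcripts below are
constructed, abbreviated copies of the runs in the bug report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LLDB_STOP = re.compile(r"thread #\d+, name = '([^']*)', stop reason = signal (SIG\w+)"
                       r"(?:.*fault address: (0x[0-9a-f]+))?")
LLDB_FRAME = re.compile(r"frame #(\d+): (0x[0-9a-f]+) ([^`]+)`(.*)")
# "->" marks the instruction at $pc; an indirect jmp through the GOT at <+0> is a PLT stub.
LLDB_PLT = re.compile(r"^->\s+0x[0-9a-f]+ <\+0>:\s+jmpq?\s+\*0x[0-9a-f]+\(%rip\).*_GLOBAL_OFFSET_TABLE_")
GDB_STOP = re.compile(r'Thread \d+ "([^"]*)" received signal (SIG\w+)')
GDB_FRAME = re.compile(r"^#(\d+)\s+(?:(0x[0-9a-f]+) in )?(.*?) \(")
LIBC_FATAL = re.compile(r"^The futex facility returned an unexpected error code\.$")

Frame = Tuple[int, Optional[int], str, str]  # (index, pc, module, function)


@dataclass
class CrashSummary:
    debugger: str
    thread_name: str = ""
    signal: str = ""
    fault_address: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)

    @property
    def pc(self) -> Optional[int]:
        return self.frames[0][1] if self.frames else None

    def classify(self) -> str:
        names = " ".join(f[3] for f in self.frames)
        if self.signal == "SIGABRT":
            if "__libc_fatal" in names or "__libc_message" in names:
                return "abort: glibc fatal runtime error (see notes for the message)"
            return "abort: explicit abort()"
        if self.signal == "SIGSEGV":
            if self.fault_address is None:
                return "segv: no fault address in transcript"
            if self.fault_address == self.pc:
                return "segv: instruction fetch, fault address is the PC (code page not mapped)"
            return "segv: data access fault at 0x%x" % self.fault_address
        return f"{self.signal}: unclassified"


def parse_transcript(text: str) -> CrashSummary:
    summary = CrashSummary(debugger="gdb" if "(gdb)" in text else "lldb")
    frames: Dict[int, Frame] = {}  # keyed by index: lldb prints frame #0 twice
    for line in text.splitlines():
        line = line.rstrip()
        m = LLDB_STOP.search(line) or GDB_STOP.search(line)
        if m:
            summary.thread_name, summary.signal = m.group(1), m.group(2)
            if m.re is LLDB_STOP and m.group(3):
                summary.fault_address = int(m.group(3), 16)
            continue
        m = LLDB_FRAME.search(line)
        if m:
            idx = int(m.group(1))
            frames.setdefault(idx, (idx, int(m.group(2), 16), m.group(3), m.group(4)))
            continue
        m = GDB_FRAME.match(line)
        if m:
            idx = int(m.group(1))
            pc = int(m.group(2), 16) if m.group(2) else None
            frames.setdefault(idx, (idx, pc, "", m.group(3).strip()))
            continue
        if LLDB_PLT.match(line):
            summary.notes.append("crash PC is a PLT stub (indirect jump through the GOT)")
        elif LIBC_FATAL.match(line):
            summary.notes.append("glibc message before the stop: " + line)
    summary.frames = [frames[i] for i in sorted(frames)]
    return summary


# Constructed samples, abbreviated from the report's transcripts.
LLDB_SEGV = """\
* thread #2, name = 'BMScavenger', stop reason = signal SIGSEGV: invalid address (fault address: 0x7ffff57ab7d0)
    frame #0: 0x00007ffff57ab7d0 libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now()
->  0x7ffff57ab7d0 <+0>:  jmpq   *0x14852da(%rip)          ; _GLOBAL_OFFSET_TABLE_ + 9192
(lldb) thread backtrace
  * frame #0: 0x00007ffff57ab7d0 libjavascriptcoregtk-4.0.so.18`std::chrono::_V2::steady_clock::now()
    frame #1: 0x00007ffff668f5c3 libjavascriptcoregtk-4.0.so.18`bmalloc::Scavenger::threadEntryPoint(bmalloc::Scavenger*)
    frame #2: 0x00007ffff76b1734 libstdc++.so.6`execute_native_thread_routine at thread.cc:82:18
"""
LLDB_ABRT = """\
The futex facility returned an unexpected error code.
* thread #2, name = 'BMScavenger', stop reason = signal SIGABRT
    frame #0: 0x00007ffff789115c libc.so.6`__pthread_kill_implementation + 286
    frame #2: 0x00007ffff782a813 libc.so.6`abort + 213
    frame #4: 0x00007ffff788424a libc.so.6`__libc_fatal + 44
"""
GDB_SEGV = """\
Thread 2 "BMScavenger" received signal SIGSEGV, Segmentation fault.
(gdb) info stack
#0  0x00007ffff788e16c in __condvar_dec_grefs (cond=0x7ffff6c49620, g=1) at pthread_cond_wait.c:152
#1  0x00007ffff788ecbb in __pthread_cond_wait_common (abstime=<optimized out>) at pthread_cond_wait.c:510
#4  0x00007ffff668f5be in  ()
"""

if __name__ == "__main__":
    for name, text in (("lldb segv", LLDB_SEGV), ("lldb abrt", LLDB_ABRT), ("gdb segv", GDB_SEGV)):
        s = parse_transcript(text)
        print(f"[{name}] {s.debugger} thread={s.thread_name!r} {s.signal}: {s.classify()}")
        for note in s.notes:
            print("   note:", note)
```

Paste a full session into `parse_transcript` as-is; the parser ignores the prompt lines, disassembly and the repeated DWARF range warnings. Frames are keyed by index so the frame #0 that lldb prints both at the stop and again in `thread backtrace` is counted once, and a gdb frame without a symbol (such as `#4 ... in ()`) is kept with an empty function name rather than dropped, since a trailing unsymbolised frame is itself useful triage information.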