[Webkit-unassigned] [Bug 284786] New: WTF: Sometimes crash on Linux with -D_GLIBCXX_ASSERTIONS enabled
bugzilla-daemon at webkit.org
Mon Dec 16 15:57:02 PST 2024
https://bugs.webkit.org/show_bug.cgi?id=284786
Bug ID: 284786
Summary: WTF: Sometimes crash on Linux with -D_GLIBCXX_ASSERTIONS enabled
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P4
Component: Web Template Framework
Assignee: webkit-unassigned at lists.webkit.org
Reporter: audvare at gmail.com
Compiler: GCC 14.2.1
I am working on a fork of PhantomJS https://github.com/Tatsh/phantomjs and linking with this fork of WebKit https://github.com/movableink/webkit which is only a few months old in terms of upstream and only patches back in support for Qt 6. The code path I am debugging does not seem related to the changes in said fork or PhantomJS.
When WebKit is built with -D_GLIBCXX_ASSERTIONS and PhantomJS starts some code that requires the JITWorker thread to be created, the following prints out:
$ phantomjs --ssl-protocol=any payload.js
/usr/lib/gcc/x86_64-pc-linux-gnu/14/include/g++-v14/span:287: constexpr std::span<_Type, _Extent>::element_type& std::span<_Type, _Extent>::operator[](size_type) const [with _Type = const unsigned char; long unsigned int _Extent = 18446744073709551615; reference = const unsigned char&; size_type = long unsigned int]: Assertion '__idx < size()' failed.
PhantomJS has crashed. Please read the bug reporting guide at
<http://github.com/Tatsh/phantomjs/issues> and file a bug report.
Aborted (core dumped)
The most relevant line is https://github.com/WebKit/WebKit/blob/main/Source/WTF/wtf/text/StringImpl.h#L722 where the start variable becomes equal to max size again. I do not know if this is a compiler issue or something else. When _GLIBCXX_ASSERTIONS is not defined, the library works fine. I am aware of this PR https://github.com/WebKit/WebKit/pull/21785 to enable assertions so I wanted to let you know about this issue.
The call is from WTF::Thread::normalizeThreadName("JITWorker") which in turn calls `template<typename CharacterType> inline size_t WTF::reverseFind(std::span<const CharacterType> characters, CharacterType matchCharacter, size_t start)` (eventually `reverseFind({...}, '.', std::numeric_limits<int32_t>::max())`) in the aforementioned file.
I have tried reproducing with a minimal set of code but have been unsuccessful.
GDB session:
$ gdb -args phantomjs --ssl-protocol=any x
Reading symbols from phantomjs...
Reading symbols from /usr/lib/debug//usr/bin/phantomjs.debug...
(ins)(gdb) r
Starting program: /usr/bin/phantomjs --ssl-protocol=any x
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
[New Thread 0x7fffa835d6c0 (LWP 12354)]
/usr/lib/gcc/x86_64-pc-linux-gnu/14/include/g++-v14/span:287: constexpr std::span<_Type, _Extent>::element_type& std::span<_Type, _Extent>::operator[](size_type) const [with _Type = const unsigned char; long unsigned int _Extent = 18446744073709551615; reference = const unsigned char&; size_type = long unsigned int]: Assertion '__idx < size()' failed.
Thread 2 "phantomjs" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffa835d6c0 (LWP 12354)]
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(ins)(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007fffee6cfe43 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:78
#2 0x00007fffee67a596 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007fffee6628fa in __GI_abort () at abort.c:79
#4 0x00007fffee8daaef in std::__glibcxx_assert_fail
(file=file@entry=0x7ffff4577d60 "/usr/lib/gcc/x86_64-pc-linux-gnu/14/include/g++-v14/span", line=line@entry=287, function=function@entry=0x7ffff45ac6c8 "constexpr std::span<_Type, _Extent>::element_type& std::span<_Type, _Extent>::operator[](size_type) const [with _Type = const unsigned char; long unsigned int _Extent = 18446744073709551615; reference"..., condition=condition@entry=0x7ffff44b8eaa "__idx < size()") at /usr/src/debug/sys-devel/gcc-14.2.1_p20241116/gcc-14-20241116/libstdc++-v3/src/c++11/assert_fail.cc:41
#5 0x00007ffff444c10e in std::span<unsigned char const, 18446744073709551615ul>::operator[] (this=<synthetic pointer>, __idx=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/14/include/g++-v14/span:284
#6 std::span<unsigned char const, 18446744073709551615ul>::operator[] (this=<optimized out>, __idx=<optimized out>) at /usr/lib/gcc/x86_64-pc-linux-gnu/14/include/g++-v14/span:284
#7 WTF::reverseFind<unsigned char> (characters=Python Exception <class 'gdb.error'>: No symbol "static_cast" in current context.
..., matchCharacter=<optimized out>, start=<optimized out>) at Source/WTF/wtf/text/StringImpl.h:719
#8 WTF::reverseFind (characters=Python Exception <class 'gdb.error'>: value has been optimized out
, matchCharacter=<optimized out>, start=<optimized out>) at Source/WTF/wtf/text/StringImpl.h:735
#9 WTF::StringView::reverseFind (this=<optimized out>, character=<optimized out>, start=<optimized out>) at Source/WTF/wtf/text/StringView.h:718
#10 WTF::StringView::reverseFind (this=<optimized out>, character=<optimized out>, start=<optimized out>) at Source/WTF/wtf/text/StringView.h:715
#11 WTF::Thread::normalizeThreadName (threadName=<optimized out>) at Source/WTF/wtf/Threading.cpp:192
#12 0x00007ffff44b21ad in WTF::Thread::initializeCurrentThreadInternal (threadName=<optimized out>) at Source/WTF/wtf/posix/ThreadingPOSIX.cpp:350
#13 0x00007ffff444c3d7 in WTF::Thread::entryPoint (newThreadContext=0x555555f0fce0) at /usr/lib/gcc/x86_64-pc-linux-gnu/14/include/g++-v14/span:305
#14 0x00007ffff44b1cdd in WTF::wtfThreadEntryPoint (context=<optimized out>) at Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241
#15 0x00007fffee6ce099 in start_thread (arg=<optimized out>) at pthread_create.c:447
#16 0x00007fffee73c9ac in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
(ins)(gdb) up 7
#7 WTF::reverseFind<unsigned char> (characters=..., matchCharacter=<optimized out>, start=<optimized out>) at Source/WTF/wtf/text/StringImpl.h:719
warning: 719 Source/WTF/wtf/text/StringImpl.h: No such file or directory
(ins)(gdb) disas
Dump of assembler code for function _ZN3WTF6Thread19normalizeThreadNameEPKc:
Address range 0x7ffff444bfd0 to 0x7ffff444c18b:
0x00007ffff444bfd0 <+0>: endbr64
0x00007ffff444bfd4 <+4>: push rbp
0x00007ffff444bfd5 <+5>: push rbx
0x00007ffff444bfd6 <+6>: mov rbx,rdi
0x00007ffff444bfd9 <+9>: sub rsp,0x68
0x00007ffff444bfdd <+13>: mov rax,QWORD PTR fs:0x28
0x00007ffff444bfe6 <+22>: mov QWORD PTR [rsp+0x58],rax
0x00007ffff444bfeb <+27>: xor eax,eax
0x00007ffff444bfed <+29>: mov BYTE PTR [rsp+0xc],0x1
0x00007ffff444bff2 <+34>: mov QWORD PTR [rsp+0x10],0x0
0x00007ffff444bffb <+43>: test rdi,rdi
0x00007ffff444bffe <+46>: je 0x7ffff444c005 <WTF::Thread::normalizeThreadName(char const*)+53>
0x00007ffff444c000 <+48>: call 0x7fffeff74480 <strlen@plt>
0x00007ffff444c005 <+53>: mov rdi,rsp
0x00007ffff444c008 <+56>: mov QWORD PTR [rsp],rbx
0x00007ffff444c00c <+60>: mov rbx,rsp
0x00007ffff444c00f <+63>: mov DWORD PTR [rsp+0x8],eax
0x00007ffff444c013 <+67>: call 0x7fffeff70950 <WTF::StringView::underlyingStringIsValidImpl() const@plt>
0x00007ffff444c018 <+72>: test al,al
0x00007ffff444c01a <+74>: je 0x7ffff0523773 <WTF::Thread::normalizeThreadName(char const*)-66226269>
0x00007ffff444c020 <+80>: mov eax,DWORD PTR [rsp+0x8]
0x00007ffff444c024 <+84>: test rax,rax
0x00007ffff444c027 <+87>: je 0x7ffff444c0d4 <WTF::Thread::normalizeThreadName(char const*)+260>
0x00007ffff444c02d <+93>: mov rcx,QWORD PTR [rsp]
0x00007ffff444c031 <+97>: lea rdx,[rax-0x1]
0x00007ffff444c035 <+101>: jmp 0x7ffff444c055 <WTF::Thread::normalizeThreadName(char const*)+133>
0x00007ffff444c037 <+103>: nop WORD PTR [rax+rax*1+0x0]
0x00007ffff444c040 <+112>: test rdx,rdx
0x00007ffff444c043 <+115>: je 0x7ffff444c0cb <WTF::Thread::normalizeThreadName(char const*)+251>
0x00007ffff444c049 <+121>: dec rdx
0x00007ffff444c04c <+124>: cmp rdx,rax
0x00007ffff444c04f <+127>: jae 0x7ffff444c0ef <WTF::Thread::normalizeThreadName(char const*)+287>
0x00007ffff444c055 <+133>: cmp BYTE PTR [rcx+rdx*1],0x2e
0x00007ffff444c059 <+137>: jne 0x7ffff444c040 <WTF::Thread::normalizeThreadName(char const*)+112>
0x00007ffff444c05b <+139>: lea rbp,[rsp+0x20]
0x00007ffff444c060 <+144>: inc edx
0x00007ffff444c062 <+146>: or ecx,0xffffffff
0x00007ffff444c065 <+149>: mov rsi,rbx
0x00007ffff444c068 <+152>: mov rdi,rbp
0x00007ffff444c06b <+155>: call 0x7ffff1118b40 <WTF::StringView::substring(unsigned int, unsigned int) const>
0x00007ffff444c070 <+160>: mov rdi,rbp
0x00007ffff444c073 <+163>: call 0x7fffeff70950 <WTF::StringView::underlyingStringIsValidImpl() const@plt>
0x00007ffff444c078 <+168>: test al,al
0x00007ffff444c07a <+170>: je 0x7ffff444c186 <WTF::Thread::normalizeThreadName(char const*)+438>
0x00007ffff444c080 <+176>: mov rax,QWORD PTR [rsp+0x20]
0x00007ffff444c085 <+181>: xor esi,esi
0x00007ffff444c087 <+183>: xor ecx,ecx
0x00007ffff444c089 <+185>: mov rdi,rbx
0x00007ffff444c08c <+188>: mov QWORD PTR [rsp+0x20],rcx
0x00007ffff444c091 <+193>: mov QWORD PTR [rsp],rax
0x00007ffff444c095 <+197>: mov eax,DWORD PTR [rsp+0x28]
0x00007ffff444c099 <+201>: mov DWORD PTR [rsp+0x28],esi
0x00007ffff444c09d <+205>: mov rsi,rbp
0x00007ffff444c0a0 <+208>: mov DWORD PTR [rsp+0x8],eax
0x00007ffff444c0a4 <+212>: movzx eax,BYTE PTR [rsp+0x2c]
0x00007ffff444c0a9 <+217>: mov BYTE PTR [rsp+0x2c],0x1
0x00007ffff444c0ae <+222>: mov BYTE PTR [rsp+0xc],al
0x00007ffff444c0b2 <+226>: call 0x7fffeff76ac0 <WTF::StringView::setUnderlyingStringImpl(WTF::StringView const&)@plt>
0x00007ffff444c0b7 <+231>: xor esi,esi
0x00007ffff444c0b9 <+233>: mov rdi,rbp
0x00007ffff444c0bc <+236>: call 0x7fffeff75590 <WTF::StringView::setUnderlyingStringImpl(WTF::StringImpl const*)@plt>
0x00007ffff444c0c1 <+241>: xor esi,esi
0x00007ffff444c0c3 <+243>: mov rdi,rbp
0x00007ffff444c0c6 <+246>: call 0x7fffeff75590 <WTF::StringView::setUnderlyingStringImpl(WTF::StringImpl const*)@plt>
0x00007ffff444c0cb <+251>: mov edx,DWORD PTR [rsp+0x8]
0x00007ffff444c0cf <+255>: cmp edx,0xf
0x00007ffff444c0d2 <+258>: ja 0x7ffff444c10e <WTF::Thread::normalizeThreadName(char const*)+318>
0x00007ffff444c0d4 <+260>: cmp BYTE PTR [rsp+0xc],0x0
0x00007ffff444c0d9 <+265>: je 0x7ffff05237c5 <WTF::Thread::normalizeThreadName(char const*)-66226187>
0x00007ffff444c0df <+271>: mov rdi,rbx
0x00007ffff444c0e2 <+274>: call 0x7fffeff70950 <WTF::StringView::underlyingStringIsValidImpl() const@plt>
0x00007ffff444c0e7 <+279>: test al,al
0x00007ffff444c0e9 <+281>: je 0x7ffff052379c <WTF::Thread::normalizeThreadName(char const*)-66226228>
0x00007ffff444c0ef <+287>: lea rcx,[rip+0x6cdb4] # 0x7ffff44b8eaa
0x00007ffff444c0f6 <+294>: lea rdx,[rip+0x1605cb] # 0x7ffff45ac6c8
0x00007ffff444c0fd <+301>: mov esi,0x11f
0x00007ffff444c102 <+306>: lea rdi,[rip+0x12bc57] # 0x7ffff4577d60
0x00007ffff444c109 <+313>: call 0x7fffeff696d0 <std::__glibcxx_assert_fail(char const*, int, char const*, char const*)@plt>
=> 0x00007ffff444c10e <+318>: lea rbp,[rsp+0x40]
0x00007ffff444c113 <+323>: sub edx,0xf
0x00007ffff444c116 <+326>: mov ecx,0xf
0x00007ffff444c11b <+331>: mov rsi,rbx
0x00007ffff444c11e <+334>: mov rdi,rbp
0x00007ffff444c121 <+337>: call 0x7ffff1118b40 <WTF::StringView::substring(unsigned int, unsigned int) const>
0x00007ffff444c126 <+342>: mov rdi,rbp
0x00007ffff444c129 <+345>: call 0x7fffeff70950 <WTF::StringView::underlyingStringIsValidImpl() const@plt>
0x00007ffff444c12e <+350>: test al,al
0x00007ffff444c130 <+352>: je 0x7ffff052376e <WTF::Thread::normalizeThreadName(char const*) [clone .cold]>
0x00007ffff444c136 <+358>: mov rax,QWORD PTR [rsp+0x40]
0x00007ffff444c13b <+363>: xor edx,edx
0x00007ffff444c13d <+365>: mov rsi,rbp
0x00007ffff444c140 <+368>: mov rdi,rbx
0x00007ffff444c143 <+371>: mov QWORD PTR [rsp],rax
0x00007ffff444c147 <+375>: mov eax,DWORD PTR [rsp+0x48]
0x00007ffff444c14b <+379>: mov DWORD PTR [rsp+0x48],edx
0x00007ffff444c14f <+383>: mov DWORD PTR [rsp+0x8],eax
0x00007ffff444c153 <+387>: movzx eax,BYTE PTR [rsp+0x4c]
0x00007ffff444c158 <+392>: mov BYTE PTR [rsp+0x4c],0x1
0x00007ffff444c15d <+397>: mov BYTE PTR [rsp+0xc],al
0x00007ffff444c161 <+401>: xor eax,eax
0x00007ffff444c163 <+403>: mov QWORD PTR [rsp+0x40],rax
0x00007ffff444c168 <+408>: call 0x7fffeff76ac0 <WTF::StringView::setUnderlyingStringImpl(WTF::StringView const&)@plt>
0x00007ffff444c16d <+413>: xor esi,esi
0x00007ffff444c16f <+415>: mov rdi,rbp
0x00007ffff444c172 <+418>: call 0x7fffeff75590 <WTF::StringView::setUnderlyingStringImpl(WTF::StringImpl const*)@plt>
0x00007ffff444c177 <+423>: xor esi,esi
0x00007ffff444c179 <+425>: mov rdi,rbp
0x00007ffff444c17c <+428>: call 0x7fffeff75590 <WTF::StringView::setUnderlyingStringImpl(WTF::StringImpl const*)@plt>
0x00007ffff444c181 <+433>: jmp 0x7ffff444c0d4 <WTF::Thread::normalizeThreadName(char const*)+260>
0x00007ffff444c186 <+438>: jmp 0x7ffff052376e <WTF::Thread::normalizeThreadName(char const*) [clone .cold]>
0x00007ffff052376e <-66226274>: call 0x7ffff052337e <WTF::StringView::operator=(WTF::StringView&&)>
0x00007ffff0523773 <-66226269>: lea rcx,[rip+0x3f94c0d] # 0x7ffff44b8387
0x00007ffff052377a <-66226262>: lea rdx,[rip+0x4022a9f] # 0x7ffff4546220
0x00007ffff0523781 <-66226255>: mov esi,0x1e0
0x00007ffff0523786 <-66226250>: lea rdi,[rip+0x5c46e9b] # 0x7ffff616a628
0x00007ffff052378d <-66226243>: call 0x7fffeff6b7a0 <WTFReportAssertionFailure@plt>
0x00007ffff0523792 <-66226238>: call 0x7fffeff84020 <WTFReportBacktrace@plt>
0x00007ffff0523797 <-66226233>: call 0x7fffeff7fd00 <abort@plt>
0x00007ffff052379c <-66226228>: lea rcx,[rip+0x3f94be4] # 0x7ffff44b8387
0x00007ffff05237a3 <-66226221>: lea rdx,[rip+0x4022a76] # 0x7ffff4546220
0x00007ffff05237aa <-66226214>: mov esi,0x1e0
0x00007ffff05237af <-66226209>: lea rdi,[rip+0x5c46e72] # 0x7ffff616a628
0x00007ffff05237b6 <-66226202>: call 0x7fffeff6b7a0 <WTFReportAssertionFailure@plt>
0x00007ffff05237bb <-66226197>: call 0x7fffeff84020 <WTFReportBacktrace@plt>
0x00007ffff05237c0 <-66226192>: call 0x7fffeff7fd00 <abort@plt>
0x00007ffff05237c5 <-66226187>: call 0x7ffff052345a <WTF::StringView::span8() const>
End of assembler dump.
For reference, PhantomJS starts execution of JavaScript here https://github.com/Tatsh/phantomjs/blob/qt6/src/utils.cpp#L124C18-L124C36
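Added example, not code from WebKit, PhantomJS or the reporter: a stand-alone C++17 sketch of the pattern the report is about, a backwards search over a span whose `start` defaults to the maximum value as a "search from the end" sentinel, and the clamp that keeps that sentinel inside the buffer. `CheckedSpan` is this example's own type; its `operator[]` performs the same `idx < size()` check that libstdc++'s `std::span::operator[]` performs under `-D_GLIBCXX_ASSERTIONS`, but throws instead of calling `abort()` so the failure path can be observed in-process. The thread-name normaliser is modelled on what the disassembly above shows (take the text after the last `.`, then keep at most 15 bytes, the Linux `pthread_setname_np` limit); the names `lastIndexOf`, `normalizeThreadName` and `outOfRangeIndexIsRejected` are assumptions of this example and not WTF's API.

```cpp
// Added example: a bounds-checked span stand-in, a WTF-style reverseFind with
// the start clamp, and a thread-name normaliser. Not WebKit code.
#include <cstddef>
#include <cstdio>
#include <limits>
#include <stdexcept>
#include <string>
#include <string_view>

static constexpr std::size_t notFound = static_cast<std::size_t>(-1);
// Linux thread names are 16 bytes including the terminating NUL.
static constexpr std::size_t kMaxThreadNameLength = 15;

// Hypothetical stand-in for std::span. The predicate in operator[] is the one
// libstdc++ asserts on with -D_GLIBCXX_ASSERTIONS ("__idx < size()"); a real
// std::span would abort here, this type throws so a test can observe it.
template<typename T>
class CheckedSpan {
public:
    CheckedSpan(const T* data, std::size_t size) : m_data(data), m_size(size) {}
    std::size_t size() const { return m_size; }
    bool empty() const { return m_size == 0; }
    const T& operator[](std::size_t idx) const
    {
        if (!(idx < m_size))
            throw std::out_of_range("span index out of range");
        return m_data[idx];
    }
private:
    const T* m_data;
    std::size_t m_size;
};

// Searches backwards from `start` (inclusive) for `match`. Passing the maximum
// size_t (the default) means "from the end"; the clamp is what keeps that
// sentinel inside the buffer. Without it, the very first characters[start]
// would be the out-of-bounds read that the hardened operator[] reports.
template<typename CharacterType>
std::size_t reverseFind(CheckedSpan<CharacterType> characters, CharacterType match,
                        std::size_t start = std::numeric_limits<std::size_t>::max())
{
    if (characters.empty())
        return notFound;
    if (start >= characters.size())
        start = characters.size() - 1;
    for (;;) {
        if (characters[start] == match)
            return start;
        if (start == 0)
            return notFound;
        --start;
    }
}

// Convenience wrapper over a string_view (example's own helper).
std::size_t lastIndexOf(std::string_view text, char match,
                        std::size_t start = std::numeric_limits<std::size_t>::max())
{
    CheckedSpan<char> characters(text.data(), text.size());
    return reverseFind(characters, match, start);
}

// Modelled on the disassembly in the report: strip everything up to the last
// '.', then keep only the trailing kMaxThreadNameLength bytes.
std::string normalizeThreadName(const char* threadName)
{
    if (!threadName)
        return {};
    std::string_view name(threadName);
    std::size_t dot = lastIndexOf(name, '.');
    if (dot != notFound)
        name.remove_prefix(dot + 1);
    if (name.size() > kMaxThreadNameLength)
        name.remove_prefix(name.size() - kMaxThreadNameLength);
    return std::string(name);
}

// Shows what the assertion catches: indexing with an unclamped "from the end"
// sentinel. Returns true when the out-of-range access is rejected.
bool outOfRangeIndexIsRejected()
{
    const unsigned char bytes[] = { 'J', 'I', 'T' }; // constructed sample input
    CheckedSpan<unsigned char> span(bytes, sizeof bytes);
    try {
        (void)span[std::numeric_limits<std::size_t>::max()];
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

int main()
{
    std::printf("%s\n", normalizeThreadName("JITWorker").c_str());
    std::printf("%s\n", normalizeThreadName("com.example.AVeryLongWorkerName").c_str());
    std::printf("out-of-range index rejected: %d\n", outOfRangeIndexIsRejected());
    return 0;
}
```

Compile with `g++ -std=c++17 -O2 example.cpp`. The clamp in `reverseFind` is the check to look for when reading the real `WTF::reverseFind`: every index it dereferences has to stay below `size()`, otherwise a hardened `std::span` turns the read into an abort and an unhardened one into a silent out-of-bounds read.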