<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - [SOUP] Invalid read in webkitSoupCookieJarSqliteLoad" href="https://bugs.webkit.org/show_bug.cgi?id=148622">148622</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[SOUP] Invalid read in webkitSoupCookieJarSqliteLoad
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>Other
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>WebKit2
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>mcatanzaro@igalia.com
</td>
</tr></table>
<p>
<div>
<pre>Part of an investigation into why Epiphany likes to crash during startup...
The network process crashes immediately when run with asan. The problem is in webkitSoupCookieJarSqliteLoad, calling WebCore::SQLiteStatement::getColumnText. The return value of sqlite3_column_text16 [1] is invalid. I don't know why.
While investigating this I discovered <a class="bz_bug_link bz_status_NEW" title="NEW - Undefined behavior in SQLiteStatement::getColumnText" href="show_bug.cgi?id=148620">bug #148620</a>, but that is unfortunately NOT the cause of this issue.
I also tried omitting the call to sqlite3_column_bytes16, and switched to the WTF::String constructor that expects a null-terminated UTF-16 string. That also did not help.
[1] <a href="https://sqlite.org/c3ref/column_blob.html">https://sqlite.org/c3ref/column_blob.html</a>
==22362==ERROR: AddressSanitizer: unknown-crash on address 0x7f5d63813983 at pc 0x00000048530a bp 0x7ffca75e8b30 sp 0x7ffca75e82e8
WRITE of size 1408 at 0x7f5d63813983 thread T0
#0 0x485309 in __asan_memcpy (/home/mcatanzaro/jhbuild/install/libexec/webkit2gtk-4.0/WebKitNetworkProcess+0x485309)
#1 0x7f5d77d0fe79 in WTF::Ref<WTF::StringImpl> WTF::StringImpl::createInternal<unsigned short>(unsigned short const*, unsigned int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/text/StringImpl.cpp:248:5
#2 0x7f5d77d0231d in WTF::StringImpl::create(unsigned short const*, unsigned int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/text/StringImpl.cpp:254:12
#3 0x7f5d77d1acdb in WTF::String::String(unsigned short const*) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/text/WTFString.cpp:56:14
#4 0x7f5d80107884 in WebCore::SQLiteStatement::getColumnText(int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebCore/platform/sql/SQLiteStatement.cpp:349:5
#5 0x7f5d7ed68311 in webkitSoupCookieJarSqliteLoad(_WebKitSoupCookieJarSqlite*) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/WebProcess/Cookies/soup/WebKitSoupCookieJarSqlite.cpp:110:93
#6 0x7f5d7ed68014 in webkitSoupCookieJarSqliteNew /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/WebProcess/Cookies/soup/WebKitSoupCookieJarSqlite.cpp:222:5
#7 0x7f5d7ed6787f in WebKit::WebCookieManager::setCookiePersistentStorage(WTF::String const&, unsigned int) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/WebProcess/Cookies/soup/WebCookieManagerSoup.cpp:79:25
#8 0x7f5d7ee2a58e in void IPC::callMemberFunctionImpl<WebKit::WebCookieManager, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int), std::tuple<WTF::String, unsigned int>, 0ul, 1ul>(WebKit::WebCookieManager*, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int), std::tuple<WTF::String, unsigned int>&&, std::index_sequence<0ul, 1ul>) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/HandleMessage.h:16:5
#9 0x7f5d7ee2a4e8 in void IPC::callMemberFunction<WebKit::WebCookieManager, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int), std::tuple<WTF::String, unsigned int>, std::make_index_sequence<2ul> >(std::tuple<WTF::String, unsigned int>&&, WebKit::WebCookieManager*, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int)) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/HandleMessage.h:22:5
#10 0x7f5d7ee2a3ad in void IPC::handleMessage<Messages::WebCookieManager::SetCookiePersistentStorage, WebKit::WebCookieManager, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int)>(IPC::MessageDecoder&, WebKit::WebCookieManager*, void (WebKit::WebCookieManager::*)(WTF::String const&, unsigned int)) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/HandleMessage.h:92:5
#11 0x7f5d7ee2975e in WebKit::WebCookieManager::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/DerivedSources/WebKit2/WebCookieManagerMessageReceiver.cpp:74:9
#12 0x7f5d7ee299ac in non-virtual thunk to WebKit::WebCookieManager::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/DerivedSources/WebKit2/WebCookieManagerMessageReceiver.cpp:81:1
#13 0x7f5d7e60ace6 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:97:9
#14 0x7f5d7ebcc110 in WebKit::NetworkProcess::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/NetworkProcess/NetworkProcess.cpp:127:9
#15 0x7f5d7e5f061c in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:898:5
#16 0x7f5d7e5e9e18 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:929:9
#17 0x7f5d7e5f077a in IPC::Connection::dispatchOneMessage() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:960:5
#18 0x7f5d7e5f0a70 in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Platform/IPC/Connection.cpp:892:9
#19 0x7f5d7e5f08b0 in std::_Function_handler<void (), IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >)::$_10>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:1871:4
#20 0x7f5d7e54007b in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:2271:14
#21 0x7f5d81385c7e in WTF::RunLoop::performWork() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/RunLoop.cpp:121:9
#22 0x7f5d8138c780 in WTF::RunLoop::wakeUp()::$_0::operator()() const /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/RunLoopGLib.cpp:96:9
#23 0x7f5d8138c5c0 in std::_Function_handler<void (), WTF::RunLoop::wakeUp()::$_0>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:1871:4
#24 0x7f5d7e54007b in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-redhat-linux/5.1.1/../../../../include/c++/5.1.1/functional:2271:14
#25 0x7f5d77d31f2e in WTF::GMainLoopSource::voidCallback() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/GMainLoopSource.cpp:365:5
#26 0x7f5d77d2ff1c in WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/GMainLoopSource.cpp:456:5
#27 0x7f5d736d9430 in g_idle_dispatch /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:5441
#28 0x7f5d736d6a78 in g_main_dispatch /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:3154
#29 0x7f5d736d78bc in g_main_context_dispatch /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:3769
#30 0x7f5d736d7aa0 in g_main_context_iterate /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:3840
#31 0x7f5d736d7ec6 in g_main_loop_run /home/mcatanzaro/jhbuild/checkout/glib/glib/gmain.c:4034
#32 0x7f5d8138b9e8 in WTF::RunLoop::run() /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WTF/wtf/glib/RunLoopGLib.cpp:67:9
#33 0x7f5d7ec445a3 in int WebKit::ChildProcessMain<WebKit::NetworkProcess, WebKit::NetworkProcessMain>(int, char**) /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61:5
#34 0x7f5d7ec44478 in NetworkProcessMainUnix /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/NetworkProcess/gtk/NetworkProcessMainGtk.cpp:62:12
#35 0x4b9f76 in main /home/mcatanzaro/WebKit/WebKitBuild/GNOME/../../Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:44:12
#36 0x7f5d6cfa66ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
#37 0x4b9e78 in _start (/home/mcatanzaro/jhbuild/install/libexec/webkit2gtk-4.0/WebKitNetworkProcess+0x4b9e78)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0fec2c6fa6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec2c6fa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec2c6fa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec2c6fa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec2c6fa720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fec2c6fa730:[03]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec2c6fa740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec2c6fa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec2c6fa760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec2c6fa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fec2c6fa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
ASan internal: fe
==22362==ABORTING</pre>
</div>
</p>
</body>
</html>