Bug 987739 - [abrt] libwebkit2gtk-2.0.3-2.fc19: WTF::OwnArrayPtr<JSC::WriteBarrier<JSC::Unknown> >::UnspecifiedBoolType: Process /usr/libexec/WebKitWebProcess was killed by signal 11 (SIGSEGV)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: webkitgtk3
Version: 19
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assigned To: Matthias Clasen
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:694cc9e5b86b40435693a68efce...
Reported: 2013-07-23 23:57 EDT by Michael Catanzaro
Modified: 2014-03-03 19:34 EST
CC List: 4 users

Doc Type: Bug Fix
Last Closed: 2014-03-03 19:34:34 EST


Attachments
File: backtrace (344.42 KB, text/plain), 2013-07-23 23:57 EDT, Michael Catanzaro
File: cgroup (140 bytes, text/plain), 2013-07-23 23:57 EDT, Michael Catanzaro
File: core_backtrace (6.06 KB, text/plain), 2013-07-23 23:57 EDT, Michael Catanzaro
File: dso_list (12.89 KB, text/plain), 2013-07-23 23:57 EDT, Michael Catanzaro
File: environ (1.43 KB, text/plain), 2013-07-23 23:57 EDT, Michael Catanzaro
File: limits (1.29 KB, text/plain), 2013-07-23 23:57 EDT, Michael Catanzaro
File: maps (73.98 KB, text/plain), 2013-07-23 23:58 EDT, Michael Catanzaro

Description Michael Catanzaro 2013-07-23 23:57:20 EDT
Description of problem:
A WebKit crash that's actually reproducible! Just visit www.google.com/trends

Looks like it's probably a problem with the JavaScriptCore.

Version-Release number of selected component:
libwebkit2gtk-2.0.3-2.fc19

Additional info:
reporter:       libreport-2.1.5
backtrace_rating: 4
cmdline:        /usr/libexec/WebKitWebProcess 14
crash_function: WTF::OwnArrayPtr<JSC::WriteBarrier<JSC::Unknown> >::UnspecifiedBoolType
executable:     /usr/libexec/WebKitWebProcess
kernel:         3.9.9-302.fc19.x86_64
runlevel:       N 5
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 operator WTF::OwnArrayPtr<JSC::WriteBarrier<JSC::Unknown> >::UnspecifiedBoolType at Source/WTF/wtf/OwnArrayPtr.h:67
 #1 isTornOff at Source/JavaScriptCore/runtime/Arguments.h:84
 #2 JSC::Arguments::tearOff at Source/JavaScriptCore/runtime/Arguments.cpp:333
 #3 JSC::Interpreter::unwindCallFrame at Source/JavaScriptCore/interpreter/Interpreter.cpp:501
 #4 JSC::Interpreter::throwException at Source/JavaScriptCore/interpreter/Interpreter.cpp:779
 #5 JSC::genericThrow at Source/JavaScriptCore/jit/JITExceptions.cpp:45
 #6 JSC::LLInt::returnToThrow at Source/JavaScriptCore/llint/LLIntExceptions.cpp:76
 #7 JSC::LLInt::llint_slow_path_throw at Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1622
 #8 llint_op_throw at /lib64/libjavascriptcoregtk-3.0.so.0
 #9 ??
Comment 1 Michael Catanzaro 2013-07-23 23:57:27 EDT
Created attachment 777557
File: backtrace
Comment 2 Michael Catanzaro 2013-07-23 23:57:30 EDT
Created attachment 777558
File: cgroup
Comment 3 Michael Catanzaro 2013-07-23 23:57:33 EDT
Created attachment 777559
File: core_backtrace
Comment 4 Michael Catanzaro 2013-07-23 23:57:38 EDT
Created attachment 777560
File: dso_list
Comment 5 Michael Catanzaro 2013-07-23 23:57:43 EDT
Created attachment 777561
File: environ
Comment 6 Michael Catanzaro 2013-07-23 23:57:55 EDT
Created attachment 777562
File: limits
Comment 7 Michael Catanzaro 2013-07-23 23:58:31 EDT
Created attachment 777563
File: maps
Comment 8 Ben Boeckel 2013-07-24 00:14:19 EDT
I can't reproduce this with WebKit1 in Rawhide. WebKit2 does indeed crash for me, but for unrelated reasons it seems. Still digging.
Comment 9 Ben Boeckel 2013-07-24 00:42:27 EDT
FWIW, it works in valgrind with WebKit2, so that makes me think it's memory corruption of some sort. gdb and vanilla running is giving me junk in uzbl, so I don't know what happens normally.

This is also webkitgtk3-2.1.3-1.fc20.x86_64.
Comment 10 Ben Boeckel 2013-07-24 01:15:58 EDT
Okay, so clicking any of the links makes WebKit1 crash with the backtrace below; clicking in Rawhide's WebKit2 is fine.

@Michael: Could you try out Rawhide; it seems that this page is chock full of test cases :) .

#0  WebCore::FrameLoader::dispatchDidCommitLoad (this=0x7fd8a0d3c3b0) at Source/WebCore/loader/FrameLoader.cpp:3305
#1  0x00007fd909b96770 in WebCore::FrameLoader::receivedFirstData (this=0x7fd8a0d3c3b0) at Source/WebCore/loader/FrameLoader.cpp:614
#2  0x00007fd909b82208 in WebCore::DocumentLoader::commitData (this=this@entry=0x7fd89f08b000, 
    bytes=bytes@entry=0x7fd8a6362600 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=length@entry=512)
    at Source/WebCore/loader/DocumentLoader.cpp:783
#3  0x00007fd90949bcf6 in WebKit::FrameLoaderClient::committedLoad (this=0x10bf000, loader=0x7fd89f08b000, 
    data=0x7fd8a6362600 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=512) at Source/WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:165
#4  0x00007fd909b827c7 in WebCore::DocumentLoader::commitLoad (this=0x7fd89f08b000, 
    data=0x7fd8a6362600 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=512) at Source/WebCore/loader/DocumentLoader.cpp:740
#5  0x00007fd909b66ce3 in WebCore::CachedRawResource::notifyClientsDataWasReceived (this=this@entry=0x7fd8a0d45c00, 
    data=data@entry=0x7fd8a6362600 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=512) at Source/WebCore/loader/cache/CachedRawResource.cpp:110
#6  0x00007fd909b66e99 in WebCore::CachedRawResource::addDataBuffer (this=0x7fd8a0d45c00, data=0x7fd89dd6ea98) at Source/WebCore/loader/cache/CachedRawResource.cpp:66
#7  0x00007fd909bd67e3 in WebCore::SubresourceLoader::didReceiveDataOrBuffer (this=0x7fd8a0d45800, 
    data=0xfac330 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., length=512, prpBuffer=..., encodedDataLength=<optimized out>, 
    dataPayloadType=<optimized out>) at Source/WebCore/loader/SubresourceLoader.cpp:250
#8  0x00007fd909bd693b in WebCore::SubresourceLoader::didReceiveData (this=<optimized out>, data=<optimized out>, length=<optimized out>, encodedDataLength=<optimized out>, dataPayloadType=<optimized out>) at Source/WebCore/loader/SubresourceLoader.cpp:226
#9  0x00007fd909bcbdcc in WebCore::ResourceLoader::didReceiveData (this=0x7fd8a0d45800, data=0xfac330 "<!doctype html><html itemscope=\"itemscope\" itemtype=\"http://schema.org/WebPage\"><head><meta itemprop=\"image\" content=\"/images/google_favicon_128.png\"><title>Carlos Danger - Google Search</title><scrip"..., 
    length=512, encodedDataLength=512) at Source/WebCore/loader/ResourceLoader.cpp:475
#10 0x00007fd90a2eb9f2 in WebCore::readCallback (asyncResult=<optimized out>, data=0x7fd8a0f22288) at Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1343
#11 0x00007fd906b3da16 in async_ready_callback_wrapper (source_object=0x11bda50, res=0x11a0e20, user_data=0x7fd8a0f22288) at ginputstream.c:519
#12 0x00007fd906b5fbf5 in g_task_return_now (task=0x11a0e20) at gtask.c:1108
#13 0x00007fd906b5fc19 in complete_in_idle_cb (task=0x11a0e20) at gtask.c:1117
#14 0x00007fd9063a5f26 in g_main_dispatch (context=0x8b1710) at gmain.c:3064
#15 g_main_context_dispatch (context=context@entry=0x8b1710) at gmain.c:3640
#16 0x00007fd9063a62a8 in g_main_context_iterate (context=0x8b1710, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3711
#17 0x00007fd9063a66ba in g_main_loop_run (loop=0xe46e30) at gmain.c:3905
#18 0x00007fd90834646d in gtk_main () at gtkmain.c:1157
#19 0x0000000000409ba7 in main (argc=2, argv=0x7fff65dc3bd8) at src/uzbl-core.c:297
Comment 11 Michael Catanzaro 2013-07-24 22:12:49 EDT
(In reply to Ben Boeckel from comment #10)
> @Michael: Could you try out Rawhide; it seems that this page is chock full
> of test cases :) .

I'd rather not; I don't have rawhide installed, and as I'm not at all familiar with the massive WebKit codebase, I doubt I would be much help.
Comment 12 Ben Boeckel 2013-07-24 23:41:48 EDT
What browser was this with? I might be able to poke it here.
Comment 13 Ben Boeckel 2013-07-24 23:55:16 EDT
Alternatively, just do a "yum --enablerepo=rawhide upgrade webkitgtk*"
Comment 14 Michael Catanzaro 2013-07-25 08:41:45 EDT
(In reply to Ben Boeckel from comment #12)
> What browser was this with? I might be able to poke it here.

epiphany-3.8.2-1.fc19

(In reply to Ben Boeckel from comment #13)
> Alternatively, just do a "yum --enablerepo=rawhide upgrade webkitgtk*"

I'll make a VM soon to try rawhide in.
Comment 15 Ben Boeckel 2014-03-03 14:33:35 EST
Seems to work fine with WebKit2 + WebKit1 (the WebKit1 crash from comment #10 was an uzbl bug) as of version webkitgtk3-2.2.5-1.fc20.x86_64. Is epiphany happy with that version?
Comment 16 Michael Catanzaro 2014-03-03 18:46:51 EST
Yup, this seems to be fixed.