#4785 closed defect (notsugar)
Browse-156 segfault on Fedora 18
| Reported by: | quozl | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | Unspecified |
| Component: | Sugar | Version: | Unspecified |
| Severity: | Major | Keywords: | |
| Cc: | | Distribution/OS: | OLPC |
| Bug Status: | New | | |
Description
```
Program received signal SIGSEGV, Segmentation fault.
0xb11eccdb in WTF::dtoa<true, false, false, true> () from /lib/libjavascriptcoregtk-3.0.so.0
(gdb) thread apply all bt full

Thread 2 (LWP 1084):
#0  0xb775b424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb75a8534 in pthread_cond_timedwait () from /lib/libpthread.so.0
No symbol table info available.
#2  0xb6ee3e81 in g_cond_wait_until (cond=cond@entry=0x9e7a960, mutex=mutex@entry=0x9e7a958, end_time=23113022007) at gthread-posix.c:857
        ts = {tv_sec = 23113, tv_nsec = 22007000}
        status = <optimized out>
#3  0xb6e74861 in g_async_queue_pop_intern_unlocked (queue=queue@entry=0x9e7a958, wait=wait@entry=1, end_time=23113022007) at gasyncqueue.c:424
        retval = <optimized out>
        __PRETTY_FUNCTION__ = "g_async_queue_pop_intern_unlocked"
#4  0xb6e750af in g_async_queue_timeout_pop (queue=0x9e7a958, timeout=15000000) at gasyncqueue.c:545
        end_time = <optimized out>
        retval = <optimized out>
#5  0xb6ec803f in g_thread_pool_wait_for_new_pool () at gthreadpool.c:169
        pool = <optimized out>
        local_max_idle_time = 15000
        local_wakeup_thread_serial = <optimized out>
        local_max_unused_threads = 2
        last_wakeup_thread_serial = 0
        have_relayed_thread_marker = <optimized out>
#6  g_thread_pool_thread_proxy (data=0x9e7a888) at gthreadpool.c:366
        free_pool = <optimized out>
        task = 0x3a98
        pool = <optimized out>
#7  0xb6ec7644 in g_thread_proxy (data=0xa25e9b0) at gthread.c:797
        thread = 0xa25e9b0
#8  0xb75a4aff in ?? () from /lib/libpthread.so.0
No symbol table info available.
#9  0xb74930be in clone () from /lib/libc.so.6
No symbol table info available.

Thread 1 (LWP 1055):
#0  0xb11eccdb in WTF::dtoa<true, false, false, true> () from /lib/libjavascriptcoregtk-3.0.so.0
No locals.
#1  0xb11e93a4 in WTF::dtoa () from /lib/libjavascriptcoregtk-3.0.so.0
No locals.
#2  0xb16c6feb in formatNumber () from /lib/libwebkitgtk-3.0.so.0
No locals.
#3  0x30303030 in ?? ()
No symbol table info available.
#4  0x30303030 in ?? ()
No symbol table info available.
#5  0x30303030 in ?? ()
No symbol table info available.
...
#3558 0x30303030 in ?? ()
No symbol table info available.
#3559 0x30303030 in ?? ()
No symbol table info available.
Cannot access memory at address 0xbfc0f000
(gdb)
```
Change History (3)
comment:1 Changed 9 years ago by quozl
comment:2 Changed 9 years ago by quozl
Method to reproduce is to search for something using the default page, then on the result page at google.com, search for something else. The failure apparently occurs during execution of JavaScript after the enter key is pressed.
Another example with Browse-157 on Fedora 20, using 14.1.0 test build, with SIGILL.
```
(gdb) bt
#0  0xaa31b515 in ?? ()
#1  0xb1f03729 in JSC::JIT::privateCompile(JSC::MacroAssemblerCodePtr*, JSC::JITCompilationEffort) () from /lib/libjavascriptcoregtk-3.0.so.0
#2  0xb200f21c in JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&) () from /lib/libjavascriptcoregtk-3.0.so.0
#3  0xb25d04fe in WTF::HashMap<NPClass*, JSC::Bindings::CClass*, WTF::PtrHash<NPClass*>, WTF::HashTraits<NPClass*>, WTF::HashTraits<JSC::Bindings::CClass*> >::set(NPClass* const&, JSC::Bindings::CClass* const&) () from /lib/libwebkitgtk-3.0.so.0
#4  0xbf808a44 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)
```
The instruction stream contains SSE2 instructions:
```
>│0xaa31b515  movsd   (%ebx,%ecx,8),%xmm0
 │0xaa31b51a  ucomisd %xmm0,%xmm0
 │0xaa31b51e  jp      0xaa31ccde
 │0xaa31b524  movd    %xmm0,%eax
 │0xaa31b528  psrlq   $0x20,%xmm0
 │0xaa31b52d  movd    %xmm0,%edx
 │0xaa31b531  mov     %eax,0xa9424114
 │0xaa31b536  mov     %edx,0xa9424118
 │0xaa31b53c  mov     %eax,0x10(%edi)
 │0xaa31b53f  mov     %edx,0x14(%edi)
 │0xaa31b542  mov     -0x40(%edi),%eax
 │0xaa31b545  mov     -0x3c(%edi),%edx
 │0xaa31b548  cmp     $0xfffffffb,%edx
```
comment:3 Changed 9 years ago by quozl
- Bug Status changed from Unconfirmed to New
- Distribution/OS changed from Fedora to OLPC
- Priority changed from Unspecified by Maintainer to Normal
- Resolution set to notsugar
- Status changed from new to closed
This isn't a problem with Browse. By excluding Browse, it can be shown that the underlying WebKit package does the same thing. So I'm closing this ticket in Sugar Labs, and opening OLPC 12863. If someone thinks it should be handled here, please re-open.
Showing how the WebKit GtkLauncher reproduces the problem:
```
% ulimit -c unlimited
% /usr/libexec/webkitgtk3/GtkLauncher http://google.com/
Illegal instruction (core dumped)
...
% gdb /usr/libexec/webkitgtk3/GtkLauncher core.1633
...
Core was generated by `/usr/libexec/webkitgtk3/GtkLauncher http://google.com/'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0xae1625f5 in ?? ()
(gdb) bt
#0  0xae1625f5 in ?? ()
#1  0xb53b509a in JSC::JIT::emit_op_next_pname(JSC::Instruction*) () from /lib/libjavascriptcoregtk-3.0.so.0
#2  0xb54b148d in WTF::PassRefPtr<JSC::EvalNode> JSC::Parser<JSC::Lexer<unsigned short> >::parse<JSC::EvalNode>(JSC::ParserError&) () from /lib/libjavascriptcoregtk-3.0.so.0
#3  0xb5a77c3e in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) () from /lib/libwebkitgtk-3.0.so.0
#4  0xb5a781b4 in WebCore::ScheduledAction::execute(WebCore::Document*) () from /lib/libwebkitgtk-3.0.so.0
#5  0xb5a78694 in WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*) () from /lib/libwebkitgtk-3.0.so.0
#6  0xb60a607b in WebCore::DOMTimer::fired() () from /lib/libwebkitgtk-3.0.so.0
#7  0xb59ae246 in WebCore::ThreadTimers::sharedTimerFiredInternal() () from /lib/libwebkitgtk-3.0.so.0
#8  0xb59ae2bd in WebCore::ThreadTimers::sharedTimerFired() () from /lib/libwebkitgtk-3.0.so.0
#9  0xb59c647c in WebCore::timeout_cb(void*) () from /lib/libwebkitgtk-3.0.so.0
#10 0xb41a0262 in g_timeout_dispatch () from /lib/libglib-2.0.so.0
#11 0xb419f556 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#12 0xb419f920 in g_main_context_iterate.isra () from /lib/libglib-2.0.so.0
#13 0xb419fdc3 in g_main_loop_run () from /lib/libglib-2.0.so.0
---Type <return> to continue, or q <return> to quit---
#14 0xb4bd578d in gtk_events_pending () from /lib/libgtk-3.so.0
#15 0x0804ad1b in main ()
(gdb)
```
The same instruction stream is present:
```
 ┌───────────────────────────────────────────────────────────────────────────┐
>│0xae1625f5  movsd   (%ebx,%ecx,8),%xmm0                                    │
 │0xae1625fa  ucomisd %xmm0,%xmm0                                            │
 │0xae1625fe  jp      0xae161639                                             │
 │0xae162604  movd    %xmm0,%eax                                             │
 │0xae162608  psrlq   $0x20,%xmm0                                            │
 │0xae16260d  movd    %xmm0,%edx                                             │
 │0xae162611  jmp     0xae15fb70                                             │
 └───────────────────────────────────────────────────────────────────────────┘
```
Easily and reliably reproducible. Two gdb core dump files captured.
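The two instruction streams in comment:2 and comment:3 both fault on `movsd ... %xmm0`, so the first thing a triager wants to settle is whether the CPU the core was captured on advertises the extension those instructions need. The script below is an added example, not part of this ticket, of Sugar or of WebKit: it parses a gdb TUI disassembly dump (the box-drawing layout as well as a dump flattened onto one line), decides per instruction whether it needs SSE2 or MMX from its operands (movsd, psrlq and movd are base-x86 or MMX instructions when no %xmm register is involved), and checks that against the `flags` line of /proc/cpuinfo. The instruction stream embedded is the one from comment:2; the two /proc/cpuinfo excerpts are constructed, not captured from any real machine.

```python
import re
from typing import List, Set, Tuple

# Mnemonics that need SSE2 when they operate on XMM (%xmm) registers. With
# MMX (%mm) registers psrlq/movd are plain MMX, and "movsd" without an XMM
# operand is the base-x86 string move, so the operands decide, not the name.
SSE2_ON_XMM = {"movsd", "ucomisd", "comisd", "psrlq", "psllq", "movd", "movq",
               "movapd", "addsd", "subsd", "mulsd", "divsd", "cvtsi2sd", "cvttsd2si"}
MMX_ON_MM = {"psrlq", "psllq", "movd", "movq", "paddd", "pand", "por", "pxor"}

# One gdb TUI disassembly entry: optional ">" marker, address, mnemonic, operands.
INSN = re.compile(r"^\s*>?\s*(0x[0-9a-f]+)\s+([a-z][a-z0-9]*)\s*(.*?)\s*$")


def parse_disasm(text: str) -> List[Tuple[str, str, str]]:
    """Extract (address, mnemonic, operands) triples from a gdb TUI dump.
    Splits on the box-drawing bars and newlines, so both the original TUI
    layout and a dump flattened onto a single line are accepted."""
    insns = []
    for piece in re.split(r"[│|\n]", text):
        m = INSN.match(piece)
        if m:
            insns.append((m.group(1), m.group(2), m.group(3)))
    return insns


def required_extension(mnemonic: str, operands: str) -> str:
    """Return the ISA extension an instruction needs: 'sse2', 'mmx' or 'base'."""
    uses_xmm = "%xmm" in operands
    uses_mm = re.search(r"%mm\d", operands) is not None
    if mnemonic in SSE2_ON_XMM and uses_xmm:
        return "sse2"
    if mnemonic in MMX_ON_MM and uses_mm:
        return "mmx"
    return "base"


def cpu_flags(cpuinfo_text: str) -> Set[str]:
    """Feature flag set from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def unsupported_instructions(disasm_text: str, cpuinfo_text: str) -> List[str]:
    """Instructions in the dump whose required extension is missing from the CPU flags.
    An empty result means SIGILL is not explained by a missing extension and
    the cause has to be looked for elsewhere (e.g. a jump into non-code)."""
    flags = cpu_flags(cpuinfo_text)
    hits = []
    for addr, mnemonic, operands in parse_disasm(disasm_text):
        ext = required_extension(mnemonic, operands)
        if ext != "base" and ext not in flags:
            hits.append(f"{addr} {mnemonic} {operands} (needs {ext})")
    return hits


# Instruction stream copied from comment:2 of the ticket (Browse-157, SIGILL).
TICKET_DISASM = """\
>│0xaa31b515 movsd (%ebx,%ecx,8),%xmm0
 │0xaa31b51a ucomisd %xmm0,%xmm0
 │0xaa31b51e jp 0xaa31ccde
 │0xaa31b524 movd %xmm0,%eax
 │0xaa31b528 psrlq $0x20,%xmm0
 │0xaa31b52d movd %xmm0,%edx
 │0xaa31b531 mov %eax,0xa9424114
 │0xaa31b536 mov %edx,0xa9424118
 │0xaa31b53c mov %eax,0x10(%edi)
 │0xaa31b53f mov %edx,0x14(%edi)
 │0xaa31b542 mov -0x40(%edi),%eax
 │0xaa31b545 mov -0x3c(%edi),%edx
 │0xaa31b548 cmp $0xfffffffb,%edx
"""

# Constructed /proc/cpuinfo excerpts (not captured from any real machine):
# a 32-bit CPU with MMX but no SSE/SSE2, and one that has SSE2.
CPUINFO_NO_SSE2 = "model name\t: constructed CPU without SSE2\nflags\t\t: fpu tsc msr cx8 cmov mmx\n"
CPUINFO_SSE2 = "model name\t: constructed CPU with SSE2\nflags\t\t: fpu tsc msr cx8 cmov mmx sse sse2\n"

if __name__ == "__main__":
    for name, info in (("no SSE2", CPUINFO_NO_SSE2), ("with SSE2", CPUINFO_SSE2)):
        hits = unsupported_instructions(TICKET_DISASM, info)
        print(f"{name}: {len(hits)} instruction(s) this CPU cannot execute")
        for h in hits:
            print("  ", h)
```

On a live machine, pass the contents of /proc/cpuinfo as `cpuinfo_text` and the `x/20i $pc` or TUI output as `disasm_text`; five of the thirteen instructions in the comment:2 stream need SSE2, so a CPU whose flags lack `sse2` cannot run that JIT output at all, while the same dump against a CPU with `sse2` yields no hits.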