Ticket #348 (closed defect: fixed)

Opened 9 months ago

Last modified 4 weeks ago

OWB crashes when loading slashdot.org

Reported by: sszymczy Assigned to: sszymczy
Priority: major Milestone: Pukarua
Component: Bug Fix Version: 1.0
Keywords: Cc:
Number of hours worked: % Complete: 00
Number of hours remaining:

Description

When opening http://slashdot.org with OWB there's a segmentation fault in JSC::Interpreter::privateExecute(). Tested on SDL port (threads disabled, JIT disabled), revision 1000.

Attachments

amd64_overflow_fix.diff (2.0 kB) - added by sszymczy on 06/14/09 20:47:19.
Patch fixing arithmetic overflows in JavaScript interpreter on AMD64

Change History

06/09/09 19:52:18 changed by mbensi

I reproduced the problem and I am adding a bt:

{{{
progress : 82

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb4832920 (LWP 9247)]
0xb6c040fa in WebCore::Node::isElementNode (this=0x0) at /home/developer/Projects/trunk/WebCore/dom/Node.h:167
167         bool isElementNode() const { return m_isElement; }
(gdb) bt
#0  0xb6c040fa in WebCore::Node::isElementNode (this=0x0) at /home/developer/Projects/trunk/WebCore/dom/Node.h:167
#1  0xb6c04143 in WebCore::Node::hasTagName (this=0x0, name=@0xb7ffe354) at /home/developer/Projects/trunk/WebCore/dom/Element.h:251
#2  0xb70ac3ff in WebCore::RenderFieldset::findLegend (this=0xa37078c) at /home/developer/Projects/trunk/WebCore/rendering/RenderFieldset.cpp:110
#3  0xb70ad511 in WebCore::RenderFieldset::calcPrefWidths (this=0xa37078c) at /home/developer/Projects/trunk/WebCore/rendering/RenderFieldset.cpp:51
#4  0xb7091e0f in WebCore::RenderBox::minPrefWidth (this=0xa37078c) at /home/developer/Projects/trunk/WebCore/rendering/RenderBox.cpp:434
#5  0xb7097087 in WebCore::RenderBox::calcWidth (this=0xa37078c) at /home/developer/Projects/trunk/WebCore/rendering/RenderBox.cpp:1279
#6  0xb707cdb1 in WebCore::RenderBlock::layoutBlock (this=0xa37078c, relayoutChildren=false) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:726
#7  0xb706a3e0 in WebCore::RenderBlock::layout (this=0xa37078c) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#8  0xb707bbe8 in WebCore::RenderBlock::layoutBlockChildren (this=0xa37052c, relayoutChildren=true, maxFloatBottom=@0xbfc19c88) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:1373
#9  0xb707d072 in WebCore::RenderBlock::layoutBlock (this=0xa37052c, relayoutChildren=true) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:781
#10 0xb706a3e0 in WebCore::RenderBlock::layout (this=0xa37052c) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#11 0xb707bbe8 in WebCore::RenderBlock::layoutBlockChildren (this=0xa370174, relayoutChildren=true, maxFloatBottom=@0xbfc19f18) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:1373
#12 0xb707d072 in WebCore::RenderBlock::layoutBlock (this=0xa370174, relayoutChildren=true) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:781
#13 0xb706a3e0 in WebCore::RenderBlock::layout (this=0xa370174) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#14 0xb707bbe8 in WebCore::RenderBlock::layoutBlockChildren (this=0xa20e7d4, relayoutChildren=true, maxFloatBottom=@0xbfc1a1a8) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:1373
#15 0xb707d072 in WebCore::RenderBlock::layoutBlock (this=0xa20e7d4, relayoutChildren=true) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:781
#16 0xb706a3e0 in WebCore::RenderBlock::layout (this=0xa20e7d4) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#17 0xb707bbe8 in WebCore::RenderBlock::layoutBlockChildren (this=0xa451bf4, relayoutChildren=true, maxFloatBottom=@0xbfc1a438) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:1373
#18 0xb707d072 in WebCore::RenderBlock::layoutBlock (this=0xa451bf4, relayoutChildren=true) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:781
#19 0xb706a3e0 in WebCore::RenderBlock::layout (this=0xa451bf4) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#20 0xb6c1c293 in WebCore::RenderObject::layoutIfNeeded (this=0xa451bf4) at /home/developer/Projects/trunk/WebCore/rendering/RenderObject.h:479
#21 0xb707450b in WebCore::RenderBlock::insertFloatingObject (this=0xa13153c, o=0xa451bf4) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:2341
#22 0xb7077071 in WebCore::RenderBlock::handleFloatingChild (this=0xa13153c, child=0xa451bf4, marginInfo=@0xbfc1a64c) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:959
#23 0xb707b432 in WebCore::RenderBlock::handleSpecialChild (this=0xa13153c, child=0xa451bf4, marginInfo=@0xbfc1a64c) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:942
#24 0xb707b8cd in WebCore::RenderBlock::layoutBlockChildren (this=0xa13153c, relayoutChildren=false, maxFloatBottom=@0xbfc1a768) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:1326
#25 0xb707d072 in WebCore::RenderBlock::layoutBlock (this=0xa13153c, relayoutChildren=false) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:781
#26 0xb706a3e0 in WebCore::RenderBlock::layout (this=0xa13153c) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#27 0xb707bbe8 in WebCore::RenderBlock::layoutBlockChildren (this=0xa1fae8c, relayoutChildren=false, maxFloatBottom=@0xbfc1a9f8) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:1373
#28 0xb707d072 in WebCore::RenderBlock::layoutBlock (this=0xa1fae8c, relayoutChildren=false) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:781
#29 0xb706a3e0 in WebCore::RenderBlock::layout (this=0xa1fae8c) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#30 0xb707bbe8 in WebCore::RenderBlock::layoutBlockChildren (this=0xa1f3db4, relayoutChildren=false, maxFloatBottom=@0xbfc1ac88) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:1373
#31 0xb707d072 in WebCore::RenderBlock::layoutBlock (this=0xa1f3db4, relayoutChildren=false) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:781
#32 0xb706a3e0 in WebCore::RenderBlock::layout (this=0xa1f3db4) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#33 0xb707bbe8 in WebCore::RenderBlock::layoutBlockChildren (this=0x9fa6794, relayoutChildren=false, maxFloatBottom=@0xbfc1af18) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:1373
#34 0xb707d072 in WebCore::RenderBlock::layoutBlock (this=0x9fa6794, relayoutChildren=false) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:781
#35 0xb706a3e0 in WebCore::RenderBlock::layout (this=0x9fa6794) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#36 0xb707bbe8 in WebCore::RenderBlock::layoutBlockChildren (this=0x9fa65bc, relayoutChildren=false, maxFloatBottom=@0xbfc1b1a8) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:1373
#37 0xb707d072 in WebCore::RenderBlock::layoutBlock (this=0x9fa65bc, relayoutChildren=false) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:781
#38 0xb706a3e0 in WebCore::RenderBlock::layout (this=0x9fa65bc) at /home/developer/Projects/trunk/WebCore/rendering/RenderBlock.cpp:698
#39 0xb71220ef in WebCore::RenderView::layout (this=0x9fa65bc) at /home/developer/Projects/trunk/WebCore/rendering/RenderView.cpp:122
#40 0xb7006de0 in WebCore::FrameView::layout (this=0x9fa01b0, allowSubtree=true) at /home/developer/Projects/trunk/WebCore/page/FrameView.cpp:580
#41 0xb6d7541b in WebCore::Document::updateLayout (this=0xa00df08) at /home/developer/Projects/trunk/WebCore/dom/Document.cpp:1261
#42 0xb6d755f3 in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0xa00df08) at /home/developer/Projects/trunk/WebCore/dom/Document.cpp:1292
#43 0xb6ca3649 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue (this=0xa316188, propertyID=1041, updateLayout=WebCore::UpdateLayout) at /home/developer/Projects/trunk/WebCore/css/CSSComputedStyleDeclaration.cpp:606
#44 0xb6caa9b8 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue (this=0xa316188, propertyID=1041) at /home/developer/Projects/trunk/WebCore/css/CSSComputedStyleDeclaration.cpp:568
#45 0xb6ca07d1 in WebCore::CSSComputedStyleDeclaration::getPropertyValue (this=0xa316188, propertyID=1041) at /home/developer/Projects/trunk/WebCore/css/CSSComputedStyleDeclaration.cpp:1398
#46 0xb6d04bdf in WebCore::CSSStyleDeclaration::getPropertyValue (this=0xa316188, propertyName=@0xbfc1bbf4) at /home/developer/Projects/trunk/WebCore/css/CSSStyleDeclaration.cpp:53
#47 0xb72d72d3 in WebCore::jsCSSStyleDeclarationPrototypeFunctionGetPropertyValue (exec=0xb33fb304, thisValue={m_ptr = 0xa3e7c00}, args=@0xbfc1bc1c) at /home/developer/Projects/trunk/build_merge_sdl/generated_sources/WebCore/JSCSSStyleDeclaration.cpp:245
#48 0xb6243217 in ?? ()
#49 0x0a3b6ba0 in ?? ()
#50 0x0a3e7c00 in ?? ()
#51 0xbfc1bc1c in ?? ()
#52 0xb33fb2e0 in ?? ()
#53 0x00000001 in ?? ()
#54 0x000001fd in ?? ()
#55 0xbfc1bc58 in ?? ()
#56 0xb2712894 in ?? ()
#57 0x00000004 in ?? ()
#58 0x0a3e7c00 in ?? ()
#59 0x0a40bf2c in ?? ()
#60 0x00000003 in ?? ()
#61 0x0a2f4550 in ?? ()
#62 0x0a4522c8 in ?? ()
#63 0xbfc1bc68 in ?? ()
#64 0xb7fddff4 in ?? () from /home/developer/Projects/trunk/build_merge_sdl/lib/libwebkit-owb.so.1.0
#65 0xbfc1bcb8 in ?? ()
#66 0xb7ffd730 in JSC::Profiler::s_sharedProfiler () from /home/developer/Projects/trunk/build_merge_sdl/lib/libwebkit-owb.so.1.0
#67 0xbfc1bc88 in ?? ()
#68 0xb6a2b06f in JSC::JITCode::execute (this=0xa016270, registerFile=0xb33fb284, callFrame=0xbfc1bd4c, globalData=0xb7ffd730, exception=0xa014540) at /home/developer/Projects/trunk/JavaScriptCore/jit/JITCode.h:83
Backtrace stopped: frame did not save the PC
}}}

06/11/09 09:55:53 changed by sszymczy

I found that the following lines (3114-3119) from Interpreter.cpp are responsible for this crash:

{{{
// First step is to copy the "expected" parameters from their normal location relative to the callframe
for (; i < inplaceArgs; i++)
    argStore[i] = callFrame->registers()[i - RegisterFile::CallFrameHeaderSize - expectedParams];

// Then we copy any additional arguments that may be further up the stack ('-1' to account for 'this')
for (; i < argCount; i++)
    argStore[i] = callFrame->registers()[i - RegisterFile::CallFrameHeaderSize - expectedParams - argCount - 1];
}}}

In this code, array indices are computed from uint32_t variables, so arithmetic overflow happens, hence the segmentation fault. Computing negative values from unsigned types is not a very good idea :). After adding casts to int32_t slashdot is working again.

06/11/09 10:01:54 changed by jcverdie

  • owner changed from mbensi to sszymczy.

Hi sszymczy,

Would you be willing to submit a patch against this crash?

Thanks

06/11/09 10:13:12 changed by sszymczy

Unfortunately not now, I'm leaving for a few days and will be offline.

06/14/09 19:56:26 changed by sszymczy

Ok, I'm back, will get a patch ready. One remark: it looks like the problem affects only AMD64 architecture.
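Why the uint32_t index arithmetic in the Interpreter.cpp fragment quoted in the 06/11/09 comment only crashes on AMD64, as the remark above says, comes down to how a 32-bit offset is widened before it is added to a 64-bit pointer. The following C program is an added model written for this page, not OWB's or WebKit's code: it reproduces the two copy loops against a toy register file (32 slots, call frame at slot 16, an assumed CallFrameHeaderSize of 6; none of these are JSC's real values) and compares the zero-extension a uint32_t index gets on an LP64 target with the sign-extension an int32_t index gets, which is exactly the difference the ticket's casts make. Every slot access is bounds-checked so the buggy path reports the out-of-range read instead of segfaulting.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy register file, constructed for this example: SLOTS 64-bit registers,
 * the current call frame at slot CALL_FRAME, and the caller's arguments at
 * negative offsets below it, as in JSC's RegisterFile. CallFrameHeaderSize
 * is an assumed value for illustration, not JSC's real constant. */
enum { SLOTS = 32, CALL_FRAME = 16, CallFrameHeaderSize = 6 };
typedef int64_t Register;

/* What base[idx] resolves to on an LP64 target (AMD64) for each operand type.
 * uint32_t: the wrapped 32-bit value is zero-extended to 64 bits, so the
 *           intended -8 becomes 4294967288 and the load lands ~32 GiB away.
 * int32_t:  the value is sign-extended, so -8 stays -8.
 * On an ILP32 target both yield the same 32-bit address, because the pointer
 * addition wraps modulo 2^32 as well; that is why 32-bit builds never crashed. */
static int64_t index_as_uint32(uint32_t idx) { return (int64_t)idx; }
static int64_t index_as_int32(uint32_t idx)
{
    /* uint32_t -> int32_t out of range is implementation-defined, but it is
     * two's complement on every mainstream compiler and is what the ticket's
     * int32_t cast relies on. */
    return (int64_t)(int32_t)idx;
}

/* The two copy loops from the Interpreter.cpp fragment, with every slot index
 * bounds-checked so a bad offset is reported instead of dereferenced. The
 * offset itself is computed in uint32_t, as in the original; `conv` chooses
 * the uint32_t (buggy) or int32_t (fixed) interpretation of that offset.
 * Returns the number of arguments copied, or -1 on a would-be out-of-bounds read. */
static int copy_args(const Register *regs, int64_t (*conv)(uint32_t),
                     uint32_t expectedParams, uint32_t argCount, Register *argStore)
{
    uint32_t inplaceArgs = argCount < expectedParams ? argCount : expectedParams;
    uint32_t i = 0;
    /* expected parameters, relative to the call frame */
    for (; i < inplaceArgs; i++) {
        int64_t slot = CALL_FRAME + conv(i - CallFrameHeaderSize - expectedParams);
        if (slot < 0 || slot >= SLOTS)
            return -1;
        argStore[i] = regs[slot];
    }
    /* additional arguments further up the stack ('-1' accounts for 'this') */
    for (; i < argCount; i++) {
        int64_t slot = CALL_FRAME + conv(i - CallFrameHeaderSize - expectedParams - argCount - 1);
        if (slot < 0 || slot >= SLOTS)
            return -1;
        argStore[i] = regs[slot];
    }
    return (int)i;
}

/* One call with expectedParams=2 and argCount=4 against a register file in
 * which each slot holds its own index, so the copied values reveal which
 * slots were read. */
static int run_call(int64_t (*conv)(uint32_t), Register *argStore)
{
    Register regs[SLOTS];
    for (int k = 0; k < SLOTS; k++)
        regs[k] = k;
    return copy_args(regs, conv, 2, 4, argStore);
}

/* Scalar wrappers around run_call, usable without declaring buffers. */
static int buggy_result(void)
{
    Register out[8];
    return run_call(index_as_uint32, out);   /* -1: first read is out of range */
}
static int64_t fixed_slot(int k)
{
    Register out[8];
    run_call(index_as_int32, out);           /* copies from slots 8, 9, 5, 6 */
    return out[k];
}

int main(void)
{
    Register out[8];
    printf("offset for i=0 computed in uint32_t: 0x%08x\n", 0u - CallFrameHeaderSize - 2u);
    printf("buggy (uint32_t index): copy_args returned %d\n", buggy_result());
    int n = run_call(index_as_int32, out);
    printf("fixed (int32_t index):  copied %d args from slots", n);
    for (int k = 0; k < n; k++)
        printf(" %lld", (long long)out[k]);
    printf("\n");
    return 0;
}
```

The check to carry away from this: whenever an unsigned 32-bit expression is meant to produce a negative subscript, compile and test it on a 64-bit target, or better, do the arithmetic in a signed type of pointer width (ptrdiff_t) so the intent is explicit and no widening rule is relied on.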

06/14/09 20:47:19 changed by sszymczy

  • attachment amd64_overflow_fix.diff added.

Patch fixing arithmetic overflows in JavaScript interpreter on AMD64

11/02/09 18:11:53 changed by sszymczy

  • status changed from new to closed.
  • resolution set to fixed.

This bug was fixed long ago during merge with webkit revision 45702 (OWB revision 1025), so the patch is not needed anymore.
