Bug 208473

Summary: Crash in WTF::StringHasher::computeHashAndMaskTop8Bits
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal    
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Backtrace none

Michael Catanzaro
Reported 2020-03-02 14:32:01 PST
Created attachment 392192 [details] Backtrace Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 419 144'. Program terminated with signal SIGSEGV, Segmentation fault. #0 WTF::StringHasher::computeHashImpl<char16_t, WTF::StringHasher::DefaultConverter> (length=<optimized out>, characters=0x7f913b726000 <error: Cannot access memory at address 0x7f913b726000>) at ../Source/WTF/wtf/text/StringHasher.h:297 297 result += firstCharacter; Short backtrace: #0 0x00007f9146201e50 in WTF::StringHasher::computeHashImpl<char16_t, WTF::StringHasher::DefaultConverter>(char16_t const*, unsigned int) (length=<optimized out>, characters=0x7f913b726000 <error: Cannot access memory at address 0x7f913b726000>) at ../Source/WTF/wtf/text/StringHasher.h:297 #1 0x00007f9146201e50 in WTF::StringHasher::computeHashAndMaskTop8Bits<char16_t, WTF::StringHasher::DefaultConverter>(char16_t const*, unsigned int) (length=8388608, data=0x7f913b6410e0 u"Ӽ") at ../Source/WTF/wtf/text/StringHasher.h:177 #2 0x00007f9146201e50 in WTF::StringHasher::computeHashAndMaskTop8Bits<char16_t>(char16_t const*, unsigned int) (length=8388608, data=0x7f913b6410e0 u"Ӽ") at ../Source/WTF/wtf/text/StringHasher.h:187 #3 0x00007f9146201e50 in WTF::StringImpl::hashSlowCase() const (this=0x7f776c8d7fa0) at ../Source/WTF/wtf/text/StringImpl.cpp:1897 #4 0x00007f91461f9bcd in WTF::StringImpl::hash() const (this=<optimized out>) at ../Source/WTF/wtf/FastMalloc.h:228 #5 0x00007f91461f9bcd in WTF::StringHash::hash(WTF::Packed<WTF::StringImpl*> const&) (key=...) at ../Source/WTF/wtf/text/StringHash.h:59 #6 0x00007f91461f9bcd in WTF::IdentityHashTranslator<WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::StringHash>::hash<WTF::Packed<WTF::StringImpl*> >(WTF::Packed<WTF::StringImpl*> const&) (key=...) at ../Source/WTF/wtf/HashTable.h:289 #7 0x00007f91461f9bcd in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::lookupForWriting<WTF::IdentityHashTranslator<WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::StringHash>, WTF::Packed<WTF::StringImpl*> >(WTF::Packed<WTF::StringImpl*> const&) (key=..., this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:724 #8 0x00007f91461f9bcd in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::lookupForWriting(WTF::Packed<WTF::StringImpl*> const&) (key=..., this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:514 #9 0x00007f91461f9bcd in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::reinsert(WTF::Packed<WTF::StringImpl*>&&) (entry=..., this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:1050 #10 0x00007f91461f9bcd in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::rehash(unsigned int, WTF::Packed<WTF::StringImpl*>*) (this=this@entry=0x7f7744933ee8, newTableSize=<optimized out>, entry=entry@entry=0x0) at ../Source/WTF/wtf/HashTable.h:1343 #11 0x00007f91461fa1ea in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::shrink() (this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:531 #12 0x00007f91461fa1ea in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::remove(WTF::Packed<WTF::StringImpl*>*) (this=this@entry=0x7f7744933ee8, pos=<optimized out>) at ../Source/WTF/wtf/HashTable.h:1125 #13 0x00007f91461f9744 in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::removeAndInvalidateWithoutEntryConsistencyCheck(WTF::Packed<WTF::StringImpl*>*) (pos=<optimized out>, this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:1096 #14 0x00007f91461f9744 in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::removeWithoutEntryConsistencyCheck(WTF::HashTableConstIterator<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >) (this=<optimized out>, it=...) at ../Source/WTF/wtf/HashTable.h:1154 #15 0x00007f91461f9744 in WTF::HashSet<WTF::Packed<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::remove(WTF::HashTableConstIteratorAdapter<WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packe--Type <RET> for more, q to quit, c to continue without paging--c d<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >, WTF::Packed<WTF::StringImpl*> >) (this=0x7f7744933ee8, it=...) at ../Source/WTF/wtf/HashSet.h:279 #16 0x00007f91461f9744 in WTF::AtomStringImpl::remove(WTF::AtomStringImpl*) (string=0x7f76edf49da0) at ../Source/WTF/wtf/text/AtomStringImpl.cpp:498 #17 0x00007f91461fed95 in WTF::StringImpl::~StringImpl() (this=0x7f76edf49da0, __in_chrg=<optimized out>) at ../Source/WTF/wtf/text/StringImpl.cpp:120 #18 0x00007f91461fedfd in WTF::StringImpl::destroy(WTF::StringImpl*) (stringImpl=0x7f76edf49da0) at ../Source/WTF/wtf/text/StringImpl.cpp:152 #19 0x00007f9145fcf3b0 in JSC::JSString::destroy(JSC::JSCell*) (cell=0x7f76ee45f070) at ../Source/JavaScriptCore/runtime/JSString.h:97 #20 0x00007f9145fcf3b0 in JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const (cell=0x7f76ee45f070, this=<optimized out>) at ../Source/JavaScriptCore/heap/IsoInlinedHeapCellType.h:44 #21 0x00007f9145fcf3b0 in JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&)::{lambda(void*)#1}::operator()(void*) const (this=<optimized out>, cell=0x7f76ee45f070) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:260 #22 0x00007f9145fcf3b0 in JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&)::{lambda(void*)#1}::operator()(void*) const (this=<synthetic pointer>, cell=0x7f76ee45f070) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:257 #23 0x00007f9145fcf3b0 in JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&) (this=0x7f7745aef420, freeList=freeList@entry=0x0, emptyMode=emptyMode@entry=JSC::MarkedBlock::Handle::IsEmpty, sweepMode=sweepMode@entry=JSC::MarkedBlock::Handle::SweepOnly, destructionMode=destructionMode@entry=JSC::MarkedBlock::Handle::BlockHasDestructors, scribbleMode=scribbleMode@entry=JSC::MarkedBlock::Handle::DontScribble, newlyAllocatedMode=JSC::MarkedBlock::Handle::DoesNotHaveNewlyAllocated, marksMode=JSC::MarkedBlock::Handle::MarksStale, destroyFunc=...) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:294 #24 0x00007f9145fd09fd in JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&)::{lambda()#1}::operator()() const (this=<synthetic pointer>) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:483 #25 0x00007f9145fd09fd in JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&) (this=<optimized out>, freeList=<optimized out>, destroyFunc=...) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:435 #26 0x00007f9145fd0aa8 in JSC::IsoInlinedHeapCellType<JSC::JSString>::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (this=<optimized out>, handle=..., freeList=<optimized out>) at ../Source/JavaScriptCore/heap/IsoInlinedHeapCellType.h:48 #27 0x00007f9145a3c726 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (this=this@entry=0x7f7745aef420, freeList=freeList@entry=0x0) at ../Source/JavaScriptCore/heap/MarkedBlock.cpp:419 #28 0x00007f9145a27f4b in JSC::IncrementalSweeper::sweepNextBlock(JSC::VM&) (this=this@entry=0x7f774490b038, vm=...) at ../Source/JavaScriptCore/heap/IncrementalSweeper.cpp:89 #29 0x00007f9145a27fc1 in JSC::IncrementalSweeper::doSweep(JSC::VM&, WTF::MonotonicTime) (this=0x7f774490b038, vm=..., sweepBeginTime=...) at ../Source/JavaScriptCore/heap/IncrementalSweeper.cpp:59 #30 0x00007f9145e9e55c in JSC::JSRunLoopTimer::timerDidFire() (this=0x7f774490b038) at ../Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:305 #31 0x00007f9145ea0ccc in JSC::JSRunLoopTimer::Manager::timerDidFire() (this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43 #32 0x00007f9146214b78 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() (__closure=0x0, userData=0x7f774491e100) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:177 #33 0x00007f9146214b78 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:183 #34 0x00007f9146950bde in g_main_dispatch (context=0x7f7770002690) at ../glib/gmain.c:3309 #35 0x00007f9146950bde in g_main_context_dispatch (context=context@entry=0x7f7770002690) at ../glib/gmain.c:3974 #36 0x00007f9146950f90 in g_main_context_iterate (context=context@entry=0x7f7770002690, block=block@entry=0, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4047 #37 0x00007f9146951033 in g_main_context_iteration (context=context@entry=0x7f7770002690, may_block=may_block@entry=0) at ../glib/gmain.c:4108 #38 0x00007f9149ed73fa in WebCore::WorkerRunLoop::runInMode(WebCore::WorkerGlobalScope*, WebCore::ModePredicate const&, WebCore::WorkerRunLoop::WaitMode) (this=this@entry=0x7f774472abf0, context=context@entry=0x7f908444e830, predicate=..., waitMode=waitMode@entry=WebCore::WorkerRunLoop::WaitForMessage) at ../Source/WebCore/workers/WorkerRunLoop.cpp:176 #39 0x00007f9149ed75d0 in WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*) (this=0x7f774472abf0, context=0x7f908444e830) at ../Source/WebCore/workers/WorkerRunLoop.cpp:142 #40 0x00007f9149ed9db8 in WebCore::WorkerThread::workerThread() (this=0x7f774472abd0) at ../Source/WebCore/workers/WorkerThread.cpp:205 #41 0x00007f91461c7148 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Function.h:81 #42 0x00007f91461c7148 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (newThreadContext=0x7f7744928558) at ../Source/WTF/wtf/Threading.cpp:148 #43 0x00007f914621644d in WTF::wtfThreadEntryPoint(void*) (context=<optimized out>) at ../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:200 #44 0x00007f91448bf5e2 in start_thread (arg=<optimized out>) at pthread_create.c:479 #45 0x00007f91478c6413 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Full backtrace attached
Attachments
Backtrace (38.10 KB, text/plain)
2020-03-02 14:32 PST, Michael Catanzaro 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Note You need to log in before you can comment on or make changes to this bug.