| Summary: | Crash in WTF::StringHasher::computeHashAndMaskTop8Bits | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Michael Catanzaro <mcatanzaro> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | | |
| Severity: | Normal | | |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Created attachment 392192 [details]
Backtrace

```
Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 419 144'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 WTF::StringHasher::computeHashImpl<char16_t, WTF::StringHasher::DefaultConverter> (length=<optimized out>, characters=0x7f913b726000 <error: Cannot access memory at address 0x7f913b726000>) at ../Source/WTF/wtf/text/StringHasher.h:297
297 result += firstCharacter;
```

Short backtrace:

```
#0 0x00007f9146201e50 in WTF::StringHasher::computeHashImpl<char16_t, WTF::StringHasher::DefaultConverter>(char16_t const*, unsigned int) (length=<optimized out>, characters=0x7f913b726000 <error: Cannot access memory at address 0x7f913b726000>) at ../Source/WTF/wtf/text/StringHasher.h:297
#1 0x00007f9146201e50 in WTF::StringHasher::computeHashAndMaskTop8Bits<char16_t, WTF::StringHasher::DefaultConverter>(char16_t const*, unsigned int) (length=8388608, data=0x7f913b6410e0 u"Ӽ") at ../Source/WTF/wtf/text/StringHasher.h:177
#2 0x00007f9146201e50 in WTF::StringHasher::computeHashAndMaskTop8Bits<char16_t>(char16_t const*, unsigned int) (length=8388608, data=0x7f913b6410e0 u"Ӽ") at ../Source/WTF/wtf/text/StringHasher.h:187
#3 0x00007f9146201e50 in WTF::StringImpl::hashSlowCase() const (this=0x7f776c8d7fa0) at ../Source/WTF/wtf/text/StringImpl.cpp:1897
#4 0x00007f91461f9bcd in WTF::StringImpl::hash() const (this=<optimized out>) at ../Source/WTF/wtf/FastMalloc.h:228
#5 0x00007f91461f9bcd in WTF::StringHash::hash(WTF::Packed<WTF::StringImpl*> const&) (key=...) at ../Source/WTF/wtf/text/StringHash.h:59
#6 0x00007f91461f9bcd in WTF::IdentityHashTranslator<WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::StringHash>::hash<WTF::Packed<WTF::StringImpl*> >(WTF::Packed<WTF::StringImpl*> const&) (key=...) at ../Source/WTF/wtf/HashTable.h:289
#7 0x00007f91461f9bcd in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::lookupForWriting<WTF::IdentityHashTranslator<WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::StringHash>, WTF::Packed<WTF::StringImpl*> >(WTF::Packed<WTF::StringImpl*> const&) (key=..., this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:724
#8 0x00007f91461f9bcd in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::lookupForWriting(WTF::Packed<WTF::StringImpl*> const&) (key=..., this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:514
#9 0x00007f91461f9bcd in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::reinsert(WTF::Packed<WTF::StringImpl*>&&) (entry=..., this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:1050
#10 0x00007f91461f9bcd in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::rehash(unsigned int, WTF::Packed<WTF::StringImpl*>*) (this=this@entry=0x7f7744933ee8, newTableSize=<optimized out>, entry=entry@entry=0x0) at ../Source/WTF/wtf/HashTable.h:1343
#11 0x00007f91461fa1ea in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::shrink() (this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:531
#12 0x00007f91461fa1ea in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::remove(WTF::Packed<WTF::StringImpl*>*) (this=this@entry=0x7f7744933ee8, pos=<optimized out>) at ../Source/WTF/wtf/HashTable.h:1125
#13 0x00007f91461f9744 in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::removeAndInvalidateWithoutEntryConsistencyCheck(WTF::Packed<WTF::StringImpl*>*) (pos=<optimized out>, this=0x7f7744933ee8) at ../Source/WTF/wtf/HashTable.h:1096
#14 0x00007f91461f9744 in WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::removeWithoutEntryConsistencyCheck(WTF::HashTableConstIterator<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >) (this=<optimized out>, it=...) at ../Source/WTF/wtf/HashTable.h:1154
#15 0x00007f91461f9744 in WTF::HashSet<WTF::Packed<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::remove(WTF::HashTableConstIteratorAdapter<WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::StringHash, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >, WTF::Packed<WTF::StringImpl*> >) (this=0x7f7744933ee8, it=...) at ../Source/WTF/wtf/HashSet.h:279
#16 0x00007f91461f9744 in WTF::AtomStringImpl::remove(WTF::AtomStringImpl*) (string=0x7f76edf49da0) at ../Source/WTF/wtf/text/AtomStringImpl.cpp:498
#17 0x00007f91461fed95 in WTF::StringImpl::~StringImpl() (this=0x7f76edf49da0, __in_chrg=<optimized out>) at ../Source/WTF/wtf/text/StringImpl.cpp:120
#18 0x00007f91461fedfd in WTF::StringImpl::destroy(WTF::StringImpl*) (stringImpl=0x7f76edf49da0) at ../Source/WTF/wtf/text/StringImpl.cpp:152
#19 0x00007f9145fcf3b0 in JSC::JSString::destroy(JSC::JSCell*) (cell=0x7f76ee45f070) at ../Source/JavaScriptCore/runtime/JSString.h:97
#20 0x00007f9145fcf3b0 in JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const (cell=0x7f76ee45f070, this=<optimized out>) at ../Source/JavaScriptCore/heap/IsoInlinedHeapCellType.h:44
#21 0x00007f9145fcf3b0 in JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&)::{lambda(void*)#1}::operator()(void*) const (this=<optimized out>, cell=0x7f76ee45f070) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:260
#22 0x00007f9145fcf3b0 in JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&)::{lambda(void*)#1}::operator()(void*) const (this=<synthetic pointer>, cell=0x7f76ee45f070) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:257
#23 0x00007f9145fcf3b0 in JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&) (this=0x7f7745aef420, freeList=freeList@entry=0x0, emptyMode=emptyMode@entry=JSC::MarkedBlock::Handle::IsEmpty, sweepMode=sweepMode@entry=JSC::MarkedBlock::Handle::SweepOnly, destructionMode=destructionMode@entry=JSC::MarkedBlock::Handle::BlockHasDestructors, scribbleMode=scribbleMode@entry=JSC::MarkedBlock::Handle::DontScribble, newlyAllocatedMode=JSC::MarkedBlock::Handle::DoesNotHaveNewlyAllocated, marksMode=JSC::MarkedBlock::Handle::MarksStale, destroyFunc=...) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:294
#24 0x00007f9145fd09fd in JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&)::{lambda()#1}::operator()() const (this=<synthetic pointer>) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:483
#25 0x00007f9145fd09fd in JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc>(JSC::FreeList*, JSC::IsoInlinedHeapCellType<JSC::JSString>::DestroyFunc const&) (this=<optimized out>, freeList=<optimized out>, destroyFunc=...) at ../Source/JavaScriptCore/heap/MarkedBlockInlines.h:435
#26 0x00007f9145fd0aa8 in JSC::IsoInlinedHeapCellType<JSC::JSString>::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (this=<optimized out>, handle=..., freeList=<optimized out>) at ../Source/JavaScriptCore/heap/IsoInlinedHeapCellType.h:48
#27 0x00007f9145a3c726 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (this=this@entry=0x7f7745aef420, freeList=freeList@entry=0x0) at ../Source/JavaScriptCore/heap/MarkedBlock.cpp:419
#28 0x00007f9145a27f4b in JSC::IncrementalSweeper::sweepNextBlock(JSC::VM&) (this=this@entry=0x7f774490b038, vm=...) at ../Source/JavaScriptCore/heap/IncrementalSweeper.cpp:89
#29 0x00007f9145a27fc1 in JSC::IncrementalSweeper::doSweep(JSC::VM&, WTF::MonotonicTime) (this=0x7f774490b038, vm=..., sweepBeginTime=...) at ../Source/JavaScriptCore/heap/IncrementalSweeper.cpp:59
#30 0x00007f9145e9e55c in JSC::JSRunLoopTimer::timerDidFire() (this=0x7f774490b038) at ../Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:305
#31 0x00007f9145ea0ccc in JSC::JSRunLoopTimer::Manager::timerDidFire() (this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43
#32 0x00007f9146214b78 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() (__closure=0x0, userData=0x7f774491e100) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#33 0x00007f9146214b78 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:183
#34 0x00007f9146950bde in g_main_dispatch (context=0x7f7770002690) at ../glib/gmain.c:3309
#35 0x00007f9146950bde in g_main_context_dispatch (context=context@entry=0x7f7770002690) at ../glib/gmain.c:3974
#36 0x00007f9146950f90 in g_main_context_iterate (context=context@entry=0x7f7770002690, block=block@entry=0, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4047
#37 0x00007f9146951033 in g_main_context_iteration (context=context@entry=0x7f7770002690, may_block=may_block@entry=0) at ../glib/gmain.c:4108
#38 0x00007f9149ed73fa in WebCore::WorkerRunLoop::runInMode(WebCore::WorkerGlobalScope*, WebCore::ModePredicate const&, WebCore::WorkerRunLoop::WaitMode) (this=this@entry=0x7f774472abf0, context=context@entry=0x7f908444e830, predicate=..., waitMode=waitMode@entry=WebCore::WorkerRunLoop::WaitForMessage) at ../Source/WebCore/workers/WorkerRunLoop.cpp:176
#39 0x00007f9149ed75d0 in WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*) (this=0x7f774472abf0, context=0x7f908444e830) at ../Source/WebCore/workers/WorkerRunLoop.cpp:142
#40 0x00007f9149ed9db8 in WebCore::WorkerThread::workerThread() (this=0x7f774472abd0) at ../Source/WebCore/workers/WorkerThread.cpp:205
#41 0x00007f91461c7148 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Function.h:81
#42 0x00007f91461c7148 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (newThreadContext=0x7f7744928558) at ../Source/WTF/wtf/Threading.cpp:148
#43 0x00007f914621644d in WTF::wtfThreadEntryPoint(void*) (context=<optimized out>) at ../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:200
#44 0x00007f91448bf5e2 in start_thread (arg=<optimized out>) at pthread_create.c:479
#45 0x00007f91478c6413 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
```

Full backtrace attached