Bug 210579 - Infinite loop while closing tab (infinite loop in HashTable::inlineLookup)
Summary: Infinite loop while closing tab (infinite loop in HashTable::inlineLookup)
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: Other
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2020-04-15 16:26 PDT by Benjamin Berg
Modified: 2020-04-15 16:29 PDT
CC List: 2 users

See Also:


Attachments
bt + stepping showing where it returns to the top of the while (1) loop (20.08 KB, text/plain), 2020-04-15 16:26 PDT, Benjamin Berg, no flags

Description Benjamin Berg 2020-04-15 16:26:05 PDT
Created attachment 396588
bt + stepping showing where it returns to the top of the while (1) loop

I triggered this lockup by trying to close a youtube tab that was playing a video.

The lookup loops infinitely; it seems this is because, in my case:

  i == 64
  k == 0x7bc24d15
  sizeMask = 0x48

and "i = (i + k) & sizeMask" cannot change i …

Really, it looks like memory corruption. I have a full coredump locally (3.1 GiB), in case someone may be able to fish out more information. Full backtrace and some stepping around attached.

This is with webkit2gtk3-2.28.0-7.fc31.x86_64
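To make the arithmetic in the report concrete, here is a small stand-alone model of the probe step, written for this page and not taken from WebKit's HashTable. It assumes the step is exactly `i = (i + k) & sizeMask` with an odd `k` (the report's `k` is odd), and shows that the reported `sizeMask` of 0x48 is not of the form 2^n - 1 and turns slot 64 into a fixed point, while a sane mask such as 0x7f (an assumed value) lets the same `k` visit every slot before repeating.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
// Model of the double-hashing probe step quoted in the report,
// i = (i + k) & sizeMask, with an odd k (the report's k is odd).
// Illustrative code written for this page, not WebKit's HashTable.
// A well-formed mask for a power-of-two table is 2^n - 1 (all low bits set):
// 0x7f passes, the report's 0x48 does not.
static bool isValidSizeMask(uint32_t sizeMask)
{
    return sizeMask != 0 && ((sizeMask + 1) & sizeMask) == 0;
}

static uint32_t nextProbe(uint32_t i, uint32_t k, uint32_t sizeMask)
{
    return (i + k) & sizeMask; // unsigned wrap-around is harmless here
}

// True when one probe step maps i onto itself: the lookup loop can never
// leave slot i, which is exactly the situation described in the report.
static bool probeIsStuck(uint32_t i, uint32_t k, uint32_t sizeMask)
{
    return nextProbe(i, k, sizeMask) == i;
}

// Steps until the probe sequence returns to start, or 0 if it does not close
// within maxSteps. With a valid mask and odd k this equals sizeMask + 1,
// i.e. every slot is visited before the sequence repeats.
static std::size_t probeCycleLength(uint32_t start, uint32_t k, uint32_t sizeMask, std::size_t maxSteps)
{
    uint32_t i = start;
    for (std::size_t steps = 1; steps <= maxSteps; ++steps) {
        i = nextProbe(i, k, sizeMask);
        if (i == start)
            return steps;
    }
    return 0;
}

int main()
{
    // Values from the report: i == 64, k == 0x7bc24d15, sizeMask == 0x48.
    const uint32_t i = 64, k = 0x7bc24d15u;
    const uint32_t masks[] = { 0x48u, 0x7fu }; // corrupted mask vs. an assumed sane one
    for (uint32_t mask : masks)
        std::printf("mask 0x%x: valid=%d stuck=%d cycle=%zu\n", mask, isValidSizeMask(mask),
                    probeIsStuck(i, k, mask), probeCycleLength(i, k, mask, 1024));
    return 0;
}
```

The mask check is the kind of assertion that would have caught this corruption at the start of the lookup instead of spinning forever.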