webkit javascript segmentation fault
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners | |
| qtwebkit-opensource-src (Ubuntu) | Fix Released | Undecided | Skipper Bug Screeners | |
| Focal | Fix Released | Undecided | Unassigned | |
| Hirsute | Fix Released | Undecided | Unassigned | |
| Impish | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Skipper Bug Screeners | |
Bug Description
SRU Justification:
[Impact]
* The WebKit JavaScript engine is causing a segmentation fault on big-endian (s390x) systems.
* This happens for example when converting an HTML file to a PDF file using wkhtmltopdf.
* The fix is relatively simple with changing loadisFromInstr
in macro getProperty(slow), which solves this unpleasant situation.
* The JIT code is 32-bit (even on 64-bit systems),
hence it is crucial to make sure the lower part of a 64-bit value is taken on big-endian systems.
[Test Plan]
* Testing is very straight forward by following these steps:
* install the following packages (incl. their dependencies):
$ sudo apt install libqt5webkit5 wkhtmltopdf
* create an html file like this:
$ vi index.html
$ cat index.html
<!doctype html>
<html lang="de">
<head>
</head>
<body>
<script src="min.
</body>
</html>
* create a JavaScript file like this:
$ vi min.js
$ cat min.js
var i = Math.max
* call wkhtmltopdf to process the local files:
$ wkhtmltopdf --enable-
* if it's broken one gets this output:
Loading page (1/2)
Segmentation fault (core dumped) ] 50%
and no pdf file was generated:
$ ls *.pdf
ls: cannot access '*.pdf': No such file or directory
* in case it's fixed one gets this output:
Loading page (1/2)
Printing pages (2/2)
Done
and a PDF file was generated and placed in the current directory (with a size of more than 0 bytes):
$ ls -l ./*.pdf
-rw-rw-r-- 1 ubuntu ubuntu 1339 Nov 24 11:48 ./test.pdf
[Where problems could occur]
* While this issue only affects big-endian systems (like s390x),
a bad fix may have an impact on little-endian systems, too,
for example in case the wrong function got used in the macro.
* But loadpFromInstru
* and on top of that, cross-architecture builds were done:
https:/
* and tested on s390x (if the fix works) and on non-s390x (regression testing).
* The changes are otherwise very limited, just:
macro getProperty(slow)
- loadisFromInstr
+ loadpFromInstru
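Review bot: both changed lines are cut off before their operand list, so the slot index read here cannot be checked against the pointer-sized write of the same slot in CodeBlock.cpp that the [Impact] section and comment #1 rely on; quote the two lines in full. The regression argument under [Where problems could occur] rests on the little-endian build behaving the same after the change, but nothing in the hunk shows that the loaded value's consumer expects a pointer-width register rather than a sign-extended 32-bit integer; one sentence stating how the destination register is used after the load would let a reviewer confirm that from the patch text alone.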
hence I think there is not much more to say.
[Other Info]
* The maintainer of the Debian packages (Dmitry Shachnev)
is going to add this to the Debian package, too.
* This issue affects Ubuntu jammy, impish, hirsute and focal; SRUs are ongoing.
* The issue does not occur with the very latest upstream version anymore,
and was fixed in a similar way as part of a commit
that fixes numerous other CLoop issues on top:
"Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change)."
commit 3fdde71c7d95d75
__________
== Comment: #0 - Andreas Krebbel <email address hidden> - 2021-11-15 09:29:44 ==
---Problem Description---
Segmentation fault from WebKit Javascript engine
Contact Information = <email address hidden>
---uname output---
Linux 193438490afd 5.8.15-
Machine Type = IBM Z
---Debugger---
A debugger is not configured
---Steps to Reproduce---
index.html:
<!doctype html>
<html lang="de">
<head>
</head>
<body>
<script src="min.
</body>
</html>
min.js:
var i = Math.max
wkhtmltopdf index.html test.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
Segmentation fault (core dumped) ] 17%
Userspace tool common name: wkhtmltopdf
The userspace tool has the following bit modes: 64
Userspace rpm: libqt5webkit5
Userspace tool obtained from project website: na
*Additional Instructions for <email address hidden>:
-Attach ltrace and strace of userspace application.
== Comment: #1 - Andreas Krebbel <email address hidden> - 2021-11-15 09:44:04 ==
In CodeBlock.cpp the code preparing the operands of op_get_from_scope writes the property offset as a pointer-sized (hence 64-bit) value:
2141: instructions[i + 6].u.pointer = reinterpret_
while the same slot is accessed later by the jitted code as 32 bit integer:
macro getProperty(slow)
loadisFromI
This fails on big-endian targets since the integer access takes the higher part of the 64-bit value.
Changing:
macro getProperty(slow)
loadisFromI
to
macro getProperty(slow)
loadpFromIn
in llint/LowLevelI
I could not reproduce the problem on Ubuntu 20.10. In upstream WebKit the problem got fixed as a side effect of a larger change, but in the end quite similar to the change I'm proposing. The value resides somewhere else now, but it is accessed as a 64-bit value in getProperty:
macro getProperty()
loadp OpGetFromScope:
If you have the jsc binary from the webkit package available the problem can be reproduced with just 'jsc -e "i=Math.min"'
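The mismatch described under [Impact] and in comment #1 (a pointer-sized write of the property offset in CodeBlock.cpp, a 32-bit loadis read of the same slot in the LLInt, and the big-endian read taking the high half) as an added example in C. This is not code from the bug report or from WebKit: it simulates the target byte order explicitly so the effect can be seen on any host, and the slot layout, the function names and the sample offset values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated target byte order (names are this example's own). */
enum byte_order { ORDER_LE, ORDER_BE };

/* One 8-byte bytecode operand slot, kept as raw bytes so the result does
 * not depend on the byte order of the host running this program. */
typedef struct { unsigned char b[8]; } slot_t;

/* CodeBlock.cpp side of the story: the property offset is written into the
 * slot as a pointer-sized (64-bit) value, in the target's byte order. */
static void store_pointer(slot_t *s, uint64_t value, enum byte_order bo) {
    for (int i = 0; i < 8; i++) {
        int byte = (bo == ORDER_LE) ? i : 7 - i;   /* which byte of value lands at s->b[i] */
        s->b[i] = (unsigned char)(value >> (8 * byte));
    }
}

/* The "loadis" read: a 32-bit signed integer taken at the slot's address,
 * sign-extended to 64 bits. On a little-endian target the first four bytes
 * are the low half of the 64-bit value; on a big-endian target they are the
 * high half, which is the bug. */
static int64_t loadis(const slot_t *s, enum byte_order bo) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int byte = (bo == ORDER_LE) ? i : 3 - i;
        v |= (uint32_t)s->b[i] << (8 * byte);
    }
    return (int64_t)(int32_t)v;
}

/* The "loadp" read: the full pointer-sized value, matching the write. */
static uint64_t loadp(const slot_t *s, enum byte_order bo) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) {
        int byte = (bo == ORDER_LE) ? i : 7 - i;
        v |= (uint64_t)s->b[i] << (8 * byte);
    }
    return v;
}

/* Write the offset as a pointer, read it back with either load, and return
 * what the interpreter would then use as the property offset. */
uint64_t property_offset_seen(uint64_t offset, enum byte_order bo, int use_loadp) {
    slot_t s;
    store_pointer(&s, offset, bo);
    return use_loadp ? loadp(&s, bo) : (uint64_t)loadis(&s, bo);
}

int main(void) {
    uint64_t off = 6;  /* a small property offset, as the bytecode would carry (constructed sample) */
    printf("offset %llu written as pointer:\n", (unsigned long long)off);
    printf("  LE loadis -> %llu\n", (unsigned long long)property_offset_seen(off, ORDER_LE, 0));
    printf("  BE loadis -> %llu   (high half: wrong)\n", (unsigned long long)property_offset_seen(off, ORDER_BE, 0));
    printf("  LE loadp  -> %llu\n", (unsigned long long)property_offset_seen(off, ORDER_LE, 1));
    printf("  BE loadp  -> %llu   (full width: right)\n", (unsigned long long)property_offset_seen(off, ORDER_BE, 1));
    return 0;
}
```

The little-endian build only works because the low half of the value happens to sit at the slot's address, so a 32-bit read is a silent no-op change there; on the big-endian build the same read returns whatever is in the high half, and an offset of 0 (or some other unrelated value) is what later dereferences into the crash.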
== Comment: #2 - Andreas Krebbel <email address hidden> - 2021-11-15 09:49:55 ==
Related branches
- Dmitry Shachnev: Pending requested
  Diff: 69 lines (+47/-0), 3 files modified:
  debian/changelog (+8/-0)
  debian/patches/series (+1/-0)
  debian/patches/webkit-javascript-s390x-segmentation-fault-fix.patch (+38/-0)
- Dmitry Shachnev: Pending requested
  Diff: 82 lines (+49/-1), 4 files modified:
  debian/changelog (+8/-0)
  debian/control (+2/-1)
  debian/patches/series (+1/-0)
  debian/patches/webkit-javascript-s390x-segmentation-fault-fix.patch (+38/-0)
- Dmitry Shachnev: Pending requested
  Diff: 82 lines (+49/-1), 4 files modified:
  debian/changelog (+8/-0)
  debian/control (+2/-1)
  debian/patches/series (+1/-0)
  debian/patches/webkit-javascript-s390x-segmentation-fault-fix.patch (+38/-0)
Changed in qtwebkit-opensource-src (Ubuntu Jammy): status: Confirmed → In Progress
Changed in ubuntu-z-systems: status: Confirmed → In Progress
tags: added: jammy
description: updated
tags: added: impish
Changed in qtwebkit-opensource-src (Ubuntu Impish): status: New → In Progress
Changed in qtwebkit-opensource-src (Ubuntu Focal): status: New → In Progress
tags: added: focal
Changed in ubuntu-z-systems: assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in ubuntu-z-systems: status: In Progress → Fix Committed
Changed in ubuntu-z-systems: status: Fix Committed → Fix Released