
webkit--epiphany-browser crashed with SIGSEGV in Decoder()

Reported by John S. Gruber on 2013-03-03
This bug affects 4 people
Affects                      Status  Importance  Assigned to  Milestone
Lernid                               Critical    Unassigned
Webkit                       New     Critical
epiphany-browser (Ubuntu)            Medium      Unassigned
  Raring                             Medium      Unassigned
lernid (Ubuntu)                      Undecided   Unassigned
  Raring                             Undecided   Unassigned
webkit (Ubuntu)                      High        Unassigned
  Raring                             High        Unassigned

Bug Description

Crash on browsing watching youtube video from http://ubuntuonair.com. Expected it to play the whole hangout video but played less than a minute. After restarting the browser it crashed again with another random video off youtube in less than 10 seconds. It appears to matter which video, or has another intermittent effect. The last failing video I've found is http://www.youtube.com/watch?v=Ir2TdfSwH8g.

Also fails on lernid, which I'm testing, and midori--both also webkit browsers.

Running today's live i386 CD from raring. (Today == 2013-3-3).

No flash installed and therefore I assume that it is using html 5. Running flash in lernid and midori avoids the problem as webkit seems to use it in preference to html5--but that's just my guess.

To reproduce:

Install raring
**Don't install flash**
Install epiphany with 'sudo apt-get install epiphany-browser'
Start epiphany from the terminal with: epiphany "http://www.youtube.com/watch?v=Ir2TdfSwH8g"
Start the video and wait for the video to stop (coincident with the halt in the video within a minute).

ProblemType: Crash
DistroRelease: Ubuntu 13.04
Package: epiphany-browser 3.6.1-2ubuntu1
ProcVersionSignature: Ubuntu 3.8.0-9.18-generic 3.8.1
Uname: Linux 3.8.0-9-generic i686
ApportVersion: 2.9-0ubuntu2
Architecture: i386
CasperVersion: 1.330
Date: Sun Mar 3 16:55:35 2013
ExecutablePath: /usr/bin/epiphany-browser
LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha i386 (20130303)
MarkForUpload: True
ProcCmdline: epiphany-browser
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SegvAnalysis:
 Segfault happened at: 0xb49fe2b9 <_ZN3JSC3DFG15AssemblyHelpers17decodedCodeMapForEPNS_9CodeBlockE+473>: mov 0x4(%edx),%edi
 PC (0xb49fe2b9) ok
 source "0x4(%edx)" (0x00000004) not located in a known VMA region (needed readable region)!
 destination "%edi" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: epiphany-browser
StacktraceTop:
 JSC::DFG::AssemblyHelpers::decodedCodeMapFor(JSC::CodeBlock*) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
 JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::Operands<JSC::ValueRecovery, JSC::OperandValueTraits<JSC::ValueRecovery> > const&, JSC::DFG::SpeculationRecovery*) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
 ?? () from /usr/lib/libjavascriptcoregtk-3.0.so.0
 ?? ()
 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () from /usr/lib/libjavascriptcoregtk-3.0.so.0
Title: epiphany-browser crashed with SIGSEGV in JSC::DFG::AssemblyHelpers::decodedCodeMapFor()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
XsessionErrors:
 (process:3675): GLib-GIO-WARNING **: g_settings_set_value: value for key 'visual-bell-type' in schema 'org.gnome.desktop.wm.preferences' is outside of valid range
 (process:3675): GLib-GIO-WARNING **: g_settings_set_value: value for key 'visual-bell-type' in schema 'org.gnome.desktop.wm.preferences' is outside of valid range
 (process:3675): GLib-GIO-WARNING **: g_settings_set_value: value for key 'visual-bell-type' in schema 'org.gnome.desktop.wm.preferences' is outside of valid range
 (gnome-settings-daemon:3483): libappindicator-CRITICAL **: app_indicator_set_label: assertion `IS_APP_INDICATOR (self)' failed
 (process:8224): GLib-CRITICAL **: g_slice_set_config: assertion `sys_page_size == 0' failed
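The SegvAnalysis block above already tells a triager what matters: the faulting instruction is `mov 0x4(%edx),%edi` and the unmapped source address is 0x00000004, i.e. a read through a NULL base register at field offset 4 (apport summarises this as "reading NULL VMA"). The following is an added example, not part of this report or of apport, that parses that block and derives the same classification automatically; it assumes the line formats shown in this report and uses the report's own lines as constructed sample input.

```python
import re

PAGE_SIZE = 4096  # a fault address below this lies in the unmapped zero page: NULL base plus field offset

# Constructed sample input: the SegvAnalysis block as apport printed it in this report.
SEGV_ANALYSIS = """\
 Segfault happened at: 0xb49fe2b9 <_ZN3JSC3DFG15AssemblyHelpers17decodedCodeMapForEPNS_9CodeBlockE+473>: mov 0x4(%edx),%edi
 PC (0xb49fe2b9) ok
 source "0x4(%edx)" (0x00000004) not located in a known VMA region (needed readable region)!
 destination "%edi" ok
"""

_AT_RE = re.compile(r"Segfault happened at: (0x[0-9a-fA-F]+) <([^>]+)>: (.*)$")
_VMA_RE = re.compile(
    r'(source|destination) "([^"]+)" \((0x[0-9a-fA-F]+)\) not located in a known VMA region'
)


def parse_segv_analysis(text):
    """Pull PC, symbol, instruction and the faulting operand/address out of an apport SegvAnalysis block."""
    info = {"pc": None, "symbol": None, "insn": None, "fault_operand": None, "fault_addr": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = _AT_RE.match(line)
        if m:
            info["pc"] = int(m.group(1), 16)
            info["symbol"] = m.group(2)
            info["insn"] = m.group(3)
            continue
        m = _VMA_RE.match(line)
        if m:
            # "source" means the read operand faulted, "destination" means the write operand did.
            info["fault_operand"] = m.group(1)
            info["fault_addr"] = int(m.group(3), 16)
    return info


def classify(info):
    """Return (kind, field_offset).

    kind is 'null-page-read', 'null-page-write', 'wild-pointer' or 'no-bad-operand'.
    For a zero-page fault the address itself is the offset of the field being accessed
    through a NULL pointer, which is what this report's 0x4(%edx) with %edx == 0 shows.
    """
    addr = info["fault_addr"]
    if addr is None:
        return ("no-bad-operand", None)
    access = "read" if info["fault_operand"] == "source" else "write"
    if addr < PAGE_SIZE:
        return (f"null-page-{access}", addr)
    return ("wild-pointer", None)


if __name__ == "__main__":
    parsed = parse_segv_analysis(SEGV_ANALYSIS)
    print(parsed["symbol"], "|", parsed["insn"])
    print(classify(parsed))
```

A NULL-page read like this one is a reliable crash (denial of service for the browser tab or process) rather than a memory-corruption primitive, which is the distinction the classifier is meant to surface early in triage.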

John S. Gruber (jsjgruber) wrote :
information type: Private → Public

StacktraceTop:
 Decoder (jitCodeMap=<optimized out>, this=<optimized out>) at ../Source/JavaScriptCore/jit/CompactJITCodeMap.h:275
 decode (result=..., this=<optimized out>) at ../Source/JavaScriptCore/jit/CompactJITCodeMap.h:180
 JSC::DFG::AssemblyHelpers::decodedCodeMapFor (this=0xbfe49fbc, codeBlock=0xa4879680) at ../Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp:52
 JSC::DFG::OSRExitCompiler::compileExit (this=0xbfe49f98, exit=..., operands=..., recovery=0x0) at ../Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp:690
 JSC::DFG::compileOSRExit (exec=0xa9dfc438) at ../Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp:92

Changed in epiphany-browser (Ubuntu):
importance: Undecided → Medium
summary: - epiphany-browser crashed with SIGSEGV in
- JSC::DFG::AssemblyHelpers::decodedCodeMapFor()
+ epiphany-browser crashed with SIGSEGV in Decoder()
tags: removed: need-i386-retrace
description: updated
description: updated
Changed in lernid:
importance: Undecided → Critical
status: New → Confirmed
description: updated
description: updated
Changed in epiphany-browser (Ubuntu):
assignee: nobody → John S. Gruber (jsjgruber)
Changed in epiphany-browser (Ubuntu):
status: New → Invalid
Changed in lernid:
status: Confirmed → Invalid
Changed in epiphany-browser (Ubuntu):
assignee: John S. Gruber (jsjgruber) → nobody
Changed in webkit (Ubuntu):
assignee: nobody → John S. Gruber (jsjgruber)

Debdiff with the patch from webkit upstream Filip Pizlo. See the webkit bug above. Before the patch was applied I could often trigger the segfault. After applying it to my system I was no longer able to trigger the fault.

There is an i386 build in my ppa. The build log is at https://launchpadlibrarian.net/133296050/buildlog_ubuntu-raring-i386.webkit_1.10.2-0ubuntu2_UPLOADING.txt.gz. The PPA is ppa:jsjgruber/ppa. The uploaded version is 1.10.2-0ubuntu2.

Neither lp:webkit nor lp:ubuntu/webkit appears to be up-to-date.

The attachment "Debdiff for 1.10.2-0ubuntu2 with webkit patch from Filip Pizlo" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in webkit (Ubuntu):
assignee: John S. Gruber (jsjgruber) → nobody
summary: - epiphany-browser crashed with SIGSEGV in Decoder()
+ webkit--epiphany-browser crashed with SIGSEGV in Decoder()
John S. Gruber (jsjgruber) wrote :

Correct patch attribution to Yong Li.

Changed in webkit:
importance: Unknown → Critical
status: Unknown → New
Changed in webkit (Ubuntu Raring):
status: New → Triaged
importance: Undecided → High
Changed in lernid (Ubuntu Raring):
status: New → Invalid
Brian Murray (brian-murray) wrote :

I'd prefer not to upload this patch at this point in time as it does seem to be an interim fix and not ideal. I went searching for crashes like this at errors.ubuntu.com about either epiphany-browser or lernid and did not find any, so I don't believe a large number of people are affected by this.

However, I've opened a task for Raring and will set a milestone so that we revisit the issue before 13.04 is released. Thanks for your work here. Oh, and for future reference it is helpful to put some metadata about the patch in it. For more information see:
http://dep.debian.net/deps/dep3/

Changed in webkit (Ubuntu Raring):
milestone: none → ubuntu-13.04
John S. Gruber (jsjgruber) wrote :

Thanks, Brian, for looking at this and offering to look at it again before Raring release.

I'm sure you are right that not many people are presently affected--firefox is widely used and chromium-browser uses its own Javascript engine. For those using straight webkit I think only the i386 architecture doesn't use the Low Level Interpreter and therefore only it is affected. If the LLINT is enabled the present code already creates the structure in the DFG::ShouldProfile case. (See line 811 of Source/JavaScriptCore/jit/JIT.cpp. for where the situation is categorized).

I'm maintaining Lernid, and from the current classes I'd say Lernid isn't used with youtube often (if at all). However I have readied a release for support of ubuntuonair which uses hangouts, and therefore youtube. The first time I tested it I got this crash. I can't release Lernid with this bug outstanding in the soon-to-be current Ubuntu release. I gather this release is also in quantal-proposed.

Please see https://bugs.launchpad.net/lernid/+bug/1130454 filed by an ubuntuonair organizer and Liz from the Ubuntu classroom team. The blueprint is at https://blueprints.launchpad.net/lernid/+spec/support-ubuntu-onair .

I believe this problem will be resolved when upstream releases r144137 for gtk. It makes the relevant test include the additional alternative, if I read it correctly. It's too complex for me to feel comfortable proposing for cherry picking.

I've added the patch headers you've requested and hope that they are alright.

Brian Murray (brian-murray) wrote :

I'm really sorry about my delay in getting back to this. I've recreated the crash in Saucy and it is in bug 1216158. The youtube video did not cause a crash, but just going to http://ubuntuonair.com and watching the charm school video did.

tags: added: saucy
Brian Murray (brian-murray) wrote :

I was unable to recreate this on an amd64 install of saucy as the whole video played without issue.

Changed in webkit (Ubuntu):
assignee: nobody → Brian Murray (brian-murray)
Changed in webkit (Ubuntu Raring):
milestone: ubuntu-13.04 → raring-updates
Brian Murray (brian-murray) wrote :

I've been repeatedly unable to build webkit with the patch attached to this bug report. I'm unfamiliar with webkit so I'm unassigning the bug from myself.

Changed in webkit (Ubuntu):
assignee: Brian Murray (brian-murray) → nobody