| 2021-11-18 21:09:23 |
bugproxy |
bug |
|
|
added bug |
| 2021-11-18 21:09:25 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-195436 severity-high targetmilestone-inin--- |
|
| 2021-11-18 21:09:27 |
bugproxy |
attachment added |
|
Proposed Fix https://bugs.launchpad.net/bugs/1951470/+attachment/5541882/+files/webkit-IBMZ-fix.patch |
|
| 2021-11-18 21:09:28 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
| 2021-11-18 21:09:32 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
| 2021-11-19 08:24:05 |
Andrew Cloke |
bug task added |
|
ubuntu-z-systems |
|
| 2021-11-19 08:50:30 |
Frank Heimes |
affects |
linux (Ubuntu) |
qtwebkit-opensource-src (Ubuntu) |
|
| 2021-11-19 08:52:25 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-195436 severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-195436 severity-high targetmilestone-inin--- universe |
|
| 2021-11-19 09:08:09 |
Frank Heimes |
qtwebkit-opensource-src (Ubuntu): status |
New |
Confirmed |
|
| 2021-11-19 09:08:14 |
Frank Heimes |
ubuntu-z-systems: status |
New |
Confirmed |
|
| 2021-11-19 09:08:22 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
| 2021-11-19 09:16:33 |
Heinrich Schuchardt |
bug |
|
|
added subscriber Heinrich Schuchardt |
| 2021-11-22 07:39:34 |
bugproxy |
bug watch added |
|
https://bugs.webkit.org/show_bug.cgi?id=193402 |
|
| 2021-11-23 20:28:03 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/qtwebkit-opensource-src/+git/qtwebkit-opensource-src/+merge/412305 |
|
| 2021-11-23 20:42:51 |
Frank Heimes |
attachment added |
|
qtwebkit debdiff (jammy) https://bugs.launchpad.net/ubuntu/+source/qtwebkit-opensource-src/+bug/1951470/+attachment/5542873/+files/debdiff-qtwebkit-lp1951470-jammy.patch |
|
| 2021-11-24 00:29:44 |
Ubuntu Foundations Team Bug Bot |
tags |
architecture-s39064 bugnameltc-195436 severity-high targetmilestone-inin--- universe |
architecture-s39064 bugnameltc-195436 patch severity-high targetmilestone-inin--- universe |
|
| 2021-11-24 00:29:52 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2021-11-24 11:19:51 |
Frank Heimes |
nominated for series |
|
Ubuntu Focal |
|
| 2021-11-24 11:19:51 |
Frank Heimes |
bug task added |
|
qtwebkit-opensource-src (Ubuntu Focal) |
|
| 2021-11-24 11:19:51 |
Frank Heimes |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-11-24 11:19:51 |
Frank Heimes |
bug task added |
|
qtwebkit-opensource-src (Ubuntu Hirsute) |
|
| 2021-11-24 11:19:51 |
Frank Heimes |
nominated for series |
|
Ubuntu Impish |
|
| 2021-11-24 11:19:51 |
Frank Heimes |
bug task added |
|
qtwebkit-opensource-src (Ubuntu Impish) |
|
| 2021-11-24 11:19:51 |
Frank Heimes |
nominated for series |
|
Ubuntu Jammy |
|
| 2021-11-24 11:19:51 |
Frank Heimes |
bug task added |
|
qtwebkit-opensource-src (Ubuntu Jammy) |
|
| 2021-11-24 11:20:02 |
Frank Heimes |
qtwebkit-opensource-src (Ubuntu Jammy): status |
Confirmed |
In Progress |
|
| 2021-11-24 11:20:06 |
Frank Heimes |
ubuntu-z-systems: status |
Confirmed |
In Progress |
|
| 2021-11-24 11:21:28 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-195436 patch severity-high targetmilestone-inin--- universe |
architecture-s39064 bugnameltc-195436 jammy patch severity-high targetmilestone-inin--- universe |
|
| 2021-11-24 12:42:25 |
Frank Heimes |
description |
== Comment: #0 - Andreas Krebbel <Andreas.Krebbel@de.ibm.com> - 2021-11-15 09:29:44 ==
---Problem Description---
Segmentation fault from WebKit Javascript engine
Contact Information = andreas.krebbel@de.ibm.com
---uname output---
Linux 193438490afd 5.8.15-301.fc33.s390x #1 SMP Thu Oct 15 15:55:57 UTC 2020 s390x s390x s390x GNU/Linux
Machine Type = IBM Z
---Debugger---
A debugger is not configured
---Steps to Reproduce---
index.html:
<!doctype html>
<html lang="de">
<head>
</head>
<body>
<script src="min.js"></script>
</body>
</html>
min.js:
var i = Math.max
wkhtmltopdf index.html test.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
Segmentation fault (core dumped) ] 17%
Userspace tool common name: wkhtmltopdf
The userspace tool has the following bit modes: 64
Userspace rpm: libqt5webkit5
Userspace tool obtained from project website: na
*Additional Instructions for andreas.krebbel@de.ibm.com:
-Attach ltrace and strace of userspace application.
== Comment: #1 - Andreas Krebbel <Andreas.Krebbel@de.ibm.com> - 2021-11-15 09:44:04 ==
In CodeBlock.cpp the code preparing the operands of op_get_from_scope writes the property offset as pointer size (hence 64 bit) value:
2141: instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);
while the same slot is accessed later by the jitted code as 32 bit integer:
macro getProperty(slow)
loadisFromInstruction(6, t1)
This fails on big endian targets since the integer access takes the higher part of the 64 bit value.
Changing:
macro getProperty(slow)
loadisFromInstruction(6, t1)
to
macro getProperty(slow)
loadpFromInstruction(6, t1)
in llint/LowLevelInterpreter64.asm fixes the problem for me.
I could not reproduce the problem on Ubuntu 20.10. In upstream webkit the problem got fixed as a side effect of a larger change but in the end quite similar to the change I'm proposing. The value resides somewhere else now but it is accessed as 64 bit value in getProperty:
macro getProperty()
loadp OpGetFromScope::Metadata::m_operand[t5], t1
If you have the jsc binary from the webkit package available the problem can be reproduced with just 'jsc -e "i=Math.min"'
== Comment: #2 - Andreas Krebbel <Andreas.Krebbel@de.ibm.com> - 2021-11-15 09:49:55 == |
SRU Justification:
[Impact]
* WebKit Javascript engine is causing a segmentation fault on big endian (s390x) systems.
* This happens for example when transferring an html to a pdf file using wkhtmltopdf.
* The fix is relatively simple with changing loadisFromInstruction to loadpFromInstruction
in macro getProperty(slow), which solves this unpleasant situation.
* The JIT ocde is 32bit (even on 64bit systems),
hence is crucial to make sure the lower part of a 64bit value is taken on big endian systems.
[Test Plan]
* Testing is very straight forward by following these steps:
* install the following packages (incl. their dependencies):
$ sudo apt install libqt5webkit5 wkhtmltopdf
* create an html file like this:
$ vi index.html
$ cat index.html
<!doctype html>
<html lang="de">
<head>
</head>
<body>
<script src="min.js"></script>
</body>
</html>
* create a JavaScript file like this:
$ vi min.js
$ cat min.js
var i = Math.max
* call wkhtmltopdf to process the local files:
$ wkhtmltopdf --enable-local-file-access index.html test.pdf
* if it's broken one gets this output:
Loading page (1/2)
Segmentation fault (core dumped) ] 50%
and no pdf file was generated:
$ ls *.pdf
ls: cannot access '*.pdf': No such file or directory
* in case it's fixed one gets this output:
Loading page (1/2)
Printing pages (2/2)
Done
and a pdf file was generated and in placed in the current directory (with more than 0 bytes size):
$ ls -l ./*.pdf
-rw-rw-r-- 1 ubuntu ubuntu 1339 Nov 24 11:48 ./test.pdf
[Where problems could occur]
* While this issue only affects big endian systems (like s390x),
a bad fix may have an impact on little endian systems, too
for example in case the wrong function got used in the macro.
* But loadpFromInstruction is known to work for LE and BE systems;
* and on top cross-architecture builds were done:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1951470
* and tested on s390x (if the fix works) and on non-s390x (regression testing).
* The changes are otherwise very limited, just:
macro getProperty(slow)
- loadisFromInstruction(6, t1)
+ loadpFromInstruction(6, t1)
hence I think there is not much more to say.
[Other Info]
* The maintainer of the Debian packages (Dmitry Shachnev)
is going to add this to the Debian package, too.
* This issue affects Ubuntu jammy, impish, hirsute and focal - SRUs are ongoing.
* The issue does not occur with the very latest upstream version anymore,
and was fixed in a similar way as part of a commit
that fixes numerous other CLoop issues on top:
"Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change)."
commit 3fdde71c7d95d758a61fcbc4c58168616794c102
__________
== Comment: #0 - Andreas Krebbel <Andreas.Krebbel@de.ibm.com> - 2021-11-15 09:29:44 ==
---Problem Description---
Segmentation fault from WebKit Javascript engine
Contact Information = andreas.krebbel@de.ibm.com
---uname output---
Linux 193438490afd 5.8.15-301.fc33.s390x #1 SMP Thu Oct 15 15:55:57 UTC 2020 s390x s390x s390x GNU/Linux
Machine Type = IBM Z
---Debugger---
A debugger is not configured
---Steps to Reproduce---
index.html:
<!doctype html>
<html lang="de">
<head>
</head>
<body>
<script src="min.js"></script>
</body>
</html>
min.js:
var i = Math.max
wkhtmltopdf index.html test.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
Segmentation fault (core dumped) ] 17%
Userspace tool common name: wkhtmltopdf
The userspace tool has the following bit modes: 64
Userspace rpm: libqt5webkit5
Userspace tool obtained from project website: na
*Additional Instructions for andreas.krebbel@de.ibm.com:
-Attach ltrace and strace of userspace application.
== Comment: #1 - Andreas Krebbel <Andreas.Krebbel@de.ibm.com> - 2021-11-15 09:44:04 ==
In CodeBlock.cpp the code preparing the operands of op_get_from_scope writes the property offset as pointer size (hence 64 bit) value:
2141: instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);
while the same slot is accessed later by the jitted code as 32 bit integer:
macro getProperty(slow)
loadisFromInstruction(6, t1)
This fails on big endian targets since the integer access takes the higher part of the 64 bit value.
Changing:
macro getProperty(slow)
loadisFromInstruction(6, t1)
to
macro getProperty(slow)
loadpFromInstruction(6, t1)
in llint/LowLevelInterpreter64.asm fixes the problem for me.
I could not reproduce the problem on Ubuntu 20.10. In upstream webkit the problem got fixed as a side effect of a larger change but in the end quite similar to the change I'm proposing. The value resides somewhere else now but it is accessed as 64 bit value in getProperty:
macro getProperty()
loadp OpGetFromScope::Metadata::m_operand[t5], t1
If you have the jsc binary from the webkit package available the problem can be reproduced with just 'jsc -e "i=Math.min"'
== Comment: #2 - Andreas Krebbel <Andreas.Krebbel@de.ibm.com> - 2021-11-15 09:49:55 == |
|
| 2021-11-24 19:29:38 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/qtwebkit-opensource-src/+git/qtwebkit-opensource-src/+merge/412357 |
|
| 2021-11-24 19:37:54 |
Frank Heimes |
attachment added |
|
qtwebkit debdiff (impish) https://bugs.launchpad.net/ubuntu/+source/qtwebkit-opensource-src/+bug/1951470/+attachment/5543117/+files/debdiff-qtwebkit-lp1951470-impish.patch |
|
| 2021-11-24 19:46:33 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-195436 jammy patch severity-high targetmilestone-inin--- universe |
architecture-s39064 bugnameltc-195436 impish jammy patch severity-high targetmilestone-inin--- universe |
|
| 2021-11-24 19:46:42 |
Frank Heimes |
qtwebkit-opensource-src (Ubuntu Impish): status |
New |
In Progress |
|
| 2021-11-25 11:14:25 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/qtwebkit-opensource-src/+git/qtwebkit-opensource-src/+merge/412383 |
|
| 2021-11-25 11:19:55 |
Frank Heimes |
attachment added |
|
qtwebkit debdiff (hirsute) https://bugs.launchpad.net/ubuntu/+source/qtwebkit-opensource-src/+bug/1951470/+attachment/5543299/+files/debdiff-qtwebkit-lp1951470-hirsute.patch |
|
| 2021-11-25 11:22:09 |
Frank Heimes |
qtwebkit-opensource-src (Ubuntu Hirsute): status |
New |
In Progress |
|
| 2021-11-25 12:01:00 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-195436 impish jammy patch severity-high targetmilestone-inin--- universe |
architecture-s39064 bugnameltc-195436 hirsute impish patch severity-high targetmilestone-inin--- universe |
|
| 2021-11-25 12:01:25 |
Frank Heimes |
qtwebkit-opensource-src (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
| 2021-11-25 19:38:45 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/qtwebkit-opensource-src/+git/qtwebkit-opensource-src/+merge/412408 |
|
| 2021-11-25 19:41:04 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/qtwebkit-opensource-src/+git/qtwebkit-opensource-src/+merge/412410 |
|
| 2021-11-25 19:46:07 |
Frank Heimes |
attachment added |
|
qtwebkit debdiff (focal) https://bugs.launchpad.net/ubuntu/+source/qtwebkit-opensource-src/+bug/1951470/+attachment/5543391/+files/debdiff-qtwebkit-lp1951470-focal.patch |
|
| 2021-11-25 19:52:20 |
Frank Heimes |
qtwebkit-opensource-src (Ubuntu Focal): status |
New |
In Progress |
|
| 2021-11-25 19:52:32 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-195436 hirsute impish patch severity-high targetmilestone-inin--- universe |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe |
|
| 2021-11-25 19:59:40 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
| 2021-11-25 23:36:39 |
Launchpad Janitor |
qtwebkit-opensource-src (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
| 2021-11-27 15:09:25 |
Brian Murray |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2021-11-30 18:31:25 |
Brian Murray |
qtwebkit-opensource-src (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
| 2021-11-30 18:31:28 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2021-11-30 18:31:33 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
| 2021-11-30 18:31:37 |
Brian Murray |
tags |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-needed verification-needed-impish |
|
| 2021-11-30 18:32:59 |
Brian Murray |
qtwebkit-opensource-src (Ubuntu Hirsute): status |
In Progress |
Fix Committed |
|
| 2021-11-30 18:33:06 |
Brian Murray |
tags |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-needed verification-needed-impish |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-needed verification-needed-hirsute verification-needed-impish |
|
| 2021-11-30 18:39:12 |
Brian Murray |
qtwebkit-opensource-src (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-11-30 18:39:23 |
Brian Murray |
tags |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-needed verification-needed-hirsute verification-needed-impish |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-needed verification-needed-focal verification-needed-hirsute verification-needed-impish |
|
| 2021-11-30 19:18:28 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
| 2021-11-30 20:36:15 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-needed verification-needed-focal verification-needed-hirsute verification-needed-impish |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-done-impish verification-needed verification-needed-focal verification-needed-hirsute |
|
| 2021-11-30 20:37:14 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-done-impish verification-needed verification-needed-focal verification-needed-hirsute |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-done-hirsute verification-done-impish verification-needed verification-needed-focal |
|
| 2021-11-30 20:38:02 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-done-hirsute verification-done-impish verification-needed verification-needed-focal |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-done verification-done-focal verification-done-hirsute verification-done-impish |
|
| 2021-12-01 16:09:08 |
bugproxy |
tags |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin--- universe verification-done verification-done-focal verification-done-hirsute verification-done-impish |
architecture-s39064 bugnameltc-195436 focal hirsute impish patch severity-high targetmilestone-inin2004 universe verification-done verification-done-focal verification-done-hirsute verification-done-impish |
|
| 2021-12-07 23:26:46 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2021-12-07 23:28:04 |
Launchpad Janitor |
qtwebkit-opensource-src (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-12-07 23:28:16 |
Launchpad Janitor |
qtwebkit-opensource-src (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
| 2021-12-07 23:28:29 |
Launchpad Janitor |
qtwebkit-opensource-src (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
| 2021-12-08 05:57:07 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|
