== Comment: #0 - Andreas Krebbel <email address hidden> - 2021-11-15 09:29:44 ==
---Problem Description---
Segmentation fault from WebKit Javascript engine
Contact Information = <email address hidden>
---uname output---
Linux 193438490afd 5.8.15-301.fc33.s390x #1 SMP Thu Oct 15 15:55:57 UTC 2020 s390x s390x s390x GNU/Linux
Machine Type = IBM Z
---Debugger---
A debugger is not configured
---Steps to Reproduce---
index.html:
<!doctype html>
<html lang="de">
<head>
</head>
<body>
<script src="min.js"></script>
</body>
</html>
min.js:
var i = Math.max
wkhtmltopdf index.html test.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
Segmentation fault (core dumped) ] 17%
Userspace tool common name: wkhtmltopdf
The userspace tool has the following bit modes: 64
Userspace rpm: libqt5webkit5
Userspace tool obtained from project website: na
*Additional Instructions for <email address hidden>:
-Attach ltrace and strace of userspace application.
== Comment: #1 - Andreas Krebbel <email address hidden> - 2021-11-15 09:44:04 ==
In CodeBlock.cpp the code preparing the operands of op_get_from_scope writes the property offset as pointer size (hence 64 bit) value:
2141: instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);
while the same slot is accessed later by the jitted code as 32 bit integer:
macro getProperty(slow)
    loadisFromInstruction(6, t1)
This fails on big endian targets since the integer access takes the higher part of the 64 bit value.
Changing:
macro getProperty(slow)
    loadisFromInstruction(6, t1)
to
macro getProperty(slow)
    loadpFromInstruction(6, t1)
in llint/LowLevelInterpreter64.asm fixes the problem for me.
I could not reproduce the problem on Ubuntu 20.10. In upstream webkit the problem got fixed as a side effect of a larger change but in the end quite similar to the change I'm proposing. The value resides somewhere else now but it is accessed as 64 bit value in getProperty:
macro getProperty()
    loadp OpGetFromScope::Metadata::m_operand[t5], t1
If you have the jsc binary from the webkit package available the problem can be reproduced with just 'jsc -e "i=Math.min"'
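Added example (not from the bug report or from WebKit's sources): a small C model of the store/load mismatch described in comment #1. store_pointer stands in for the pointer-sized write in CodeBlock.cpp, load_is for loadisFromInstruction (a 32-bit signed load at the slot's address) and load_p for loadpFromInstruction; the slot layout, function names and the sample offset are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/* One 8-byte bytecode operand slot, filled in CodeBlock.cpp through the
   pointer-sized union member (instructions[i + 6].u.pointer). Constructed model. */
typedef struct { uint8_t bytes[8]; } slot_t;

/* The 64-bit (pointer-sized) store, laid out in the given byte order. */
static slot_t store_pointer(uint64_t value, int big_endian) {
    slot_t s;
    for (int i = 0; i < 8; i++)
        s.bytes[i] = (uint8_t)(value >> (big_endian ? (7 - i) * 8 : i * 8));
    return s;
}

/* loadpFromInstruction: read the whole slot back as a 64-bit value. */
static uint64_t load_p(const slot_t *s, int big_endian) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t)s->bytes[i] << (big_endian ? (7 - i) * 8 : i * 8);
    return v;
}

/* loadisFromInstruction: a 32-bit signed load at the slot's address, i.e. only
   the first four bytes. On big-endian those hold the high half of the value. */
static int32_t load_is(const slot_t *s, int big_endian) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)s->bytes[i] << (big_endian ? (3 - i) * 8 : i * 8);
    return (int32_t)v;
}
/* Byte order of the machine this runs on (1 = big-endian, e.g. s390x). */
static int host_is_big_endian(void) {
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0;
}

int main(void) {
    uint64_t offset = 5; /* constructed sample property offset */
    for (int be = 0; be <= 1; be++) {
        slot_t s = store_pointer(offset, be);
        printf("%s: loadp -> %llu, loadis -> %d\n", be ? "big-endian" : "little-endian",
               (unsigned long long)load_p(&s, be), load_is(&s, be));
    }
    printf("host is %s-endian\n", host_is_big_endian() ? "big" : "little");
    return 0;
}
```

On a little-endian host the 32-bit load happens to return the stored offset, which is why the bug was not reproducible on x86_64 Ubuntu; in the big-endian layout it returns the zero high half, and only the pointer-sized load is correct in both layouts.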
== Comment: #2 - Andreas Krebbel <email address hidden> - 2021-11-15 09:49:55 ==