Ubuntu
qtwebkit-opensource-src package

Bug #1951470
Comment #0

Comment 0 for bug 1951470

Revision history for this message

bugproxy (bugproxy) wrote on 2021-11-18:

== Comment: #0 - Andreas Krebbel <email address hidden> - 2021-11-15 09:29:44 ==
---Problem Description---
Segmentation fault from WebKit Javascript engine

Contact Information = <email address hidden>

---uname output---
Linux 193438490afd 5.8.15-301.fc33.s390x #1 SMP Thu Oct 15 15:55:57 UTC 2020 s390x s390x s390x GNU/Linux

Machine Type = IBM Z

---Debugger---
A debugger is not configured

---Steps to Reproduce---
index.html:
<!doctype html>
<html lang="de">
<head>
</head>

min.js:
var i = Math.max

wkhtmltopdf index.html test.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
Segmentation fault (core dumped) ] 17%

Userspace tool common name: wkhtmltopdf

The userspace tool has the following bit modes: 64

Userspace rpm: libqt5webkit5

Userspace tool obtained from project website: na

*Additional Instructions for <email address hidden>:
-Attach ltrace and strace of userspace application.

== Comment: #1 - Andreas Krebbel <email address hidden> - 2021-11-15 09:44:04 ==
In CodeBlock.cpp the code preparing the operands of op_get_from_scope writes the property offset as pointer size (hence 64 bit) value:

2141: instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);

while the same slot is accessed later by the jitted code as 32 bit integer:

macro getProperty(slow)
loadisFromInstruction(6, t1)

This fails on big endian targets since the integer access takes the higher part of the 64 bit value.

Changing:

macro getProperty(slow)
loadisFromInstruction(6, t1)

macro getProperty(slow)
loadpFromInstruction(6, t1)

in llint/LowLevelInterpreter64.asm fixes the problem for me.

I could not reproduce the problem on Ubuntu 20.10. In upstream webkit the problem got fixed as a side effect of a larger change but in the end quite similar to the change I'm proposing. The value resides somewhere else now but it is accessed as 64 bit value in getProperty:

macro getProperty()
loadp OpGetFromScope::Metadata::m_operand[t5], t1

If you have the jsc binary from the webkit package available the problem can be reproduced with just 'jsc -e "i=Math.min"'

== Comment: #2 - Andreas Krebbel <email address hidden> - 2021-11-15 09:49:55 ==

== Comment: #0 - Andreas Krebbel <Andreas.Krebbel@de.ibm.com> - 2021-11-15 09:29:44 ==
---Problem Description---
Segmentation fault from WebKit Javascript engine
 
Contact Information = andreas.krebbel@de.ibm.com 
 
---uname output---
Linux 193438490afd 5.8.15-301.fc33.s390x #1 SMP Thu Oct 15 15:55:57 UTC 2020 s390x s390x s390x GNU/Linux
 
Machine Type = IBM Z 
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
 index.html:
<!doctype html>
<html lang="de">
  <head>
  </head>

min.js:
var i = Math.max

wkhtmltopdf index.html test.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
Segmentation fault (core dumped)                             ] 17%
 
Userspace tool common name: wkhtmltopdf 
 
The userspace tool has the following bit modes: 64

Userspace rpm: libqt5webkit5

Userspace tool obtained from project website:  na 
 
*Additional Instructions for andreas.krebbel@de.ibm.com:
-Attach ltrace and strace of userspace application.

== Comment: #1 - Andreas Krebbel <Andreas.Krebbel@de.ibm.com> - 2021-11-15 09:44:04 ==
In CodeBlock.cpp the code preparing the operands of op_get_from_scope writes the property offset as pointer size (hence 64 bit) value:

2141: instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);

while the same slot is accessed later by the jitted code as 32 bit integer:

macro getProperty(slow)
    loadisFromInstruction(6, t1)

This fails on big endian targets since the integer access takes the higher part of the 64 bit value.

Changing:

macro getProperty(slow)
    loadisFromInstruction(6, t1)

macro getProperty(slow)
    loadpFromInstruction(6, t1)

in llint/LowLevelInterpreter64.asm fixes the problem for me.

macro getProperty()
        loadp OpGetFromScope::Metadata::m_operand[t5], t1

If you have the jsc binary from the webkit package available the problem can be reproduced with just 'jsc -e "i=Math.min"'

== Comment: #2 - Andreas Krebbel <Andreas.Krebbel@de.ibm.com> - 2021-11-15 09:49:55 ==

Ubuntuqtwebkit-opensource-src package

Comment 0 for bug 1951470

Ubuntu
qtwebkit-opensource-src package