Ubuntu
webkitgtk package

surf crashed with SIGSEGV in JSC::JSCell::getPrimitiveNumber()

Bug #1556735 reported by Serge Hallyn
24
This bug affects 4 people
Affects Status Importance Assigned to Milestone
surf (Ubuntu)
Invalid
Medium
Unassigned
webkitgtk (Ubuntu)
Confirmed
Medium
Unassigned

Bug Description

I can reproduce this with both surf and vimprobable2, two very different web browsers both based on webkitgtk. Just go to imgur.com, load an image (make sure js is enabled), go to the bottom, and wait for everything to load. If it doesn't crash the first time, choose one or two more from the list on the side. I have never gotten past a third page without a crash. (This has been for months now at least).

ProblemType: Crash
DistroRelease: Ubuntu 16.04
Package: surf 0.7-1
ProcVersionSignature: Ubuntu 4.4.0-11.26-generic 4.4.4
Uname: Linux 4.4.0-11-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
Date: Sun Mar 13 18:25:02 2016
ExecutablePath: /usr/bin/surf
ExecutableTimestamp: 1452424530
InstallationDate: Installed on 2014-07-30 (593 days ago)
InstallationMedia: Ubuntu 14.10 "Utopic Unicorn" - Alpha amd64 (20140729)
ProcCmdline: surf
ProcCwd: /home/serge
ProcEnviron:
 LANGUAGE=en_US
 PATH=(custom, user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SegvAnalysis:
 Segfault happened at: 0x7fdf505d76f0 <_ZNK3JSC6JSCell18getPrimitiveNumberEPNS_9ExecStateERdRNS_7JSValueE>: mov (%rdi),%rax
 PC (0x7fdf505d76f0) ok
 source "(%rdi)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%rax" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: surf
StacktraceTop:
 JSC::JSCell::getPrimitiveNumber(JSC::ExecState*, double&, JSC::JSValue&) const () from /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-3.0.so.0
 ?? () from /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-3.0.so.0
 ?? ()
 ?? ()
 ?? ()
Title: surf crashed with SIGSEGV in JSC::JSCell::getPrimitiveNumber()
UpgradeStatus: Upgraded to xenial on 2016-02-14 (28 days ago)
UserGroups: adm cdrom dip kvm libvirtd lpadmin plugdev sambashare sudo

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

(I actually posted this hoping that lp would give me a fuller stack trace as I don't have all the debug symbol packages locally)

Revision history for this message
Apport retracing service (apport) wrote :

StacktraceTop:
 JSC::JSCell::getPrimitiveNumber (this=0x0, exec=0x7fdedde7eb30, number=@0x7ffff5fd3a20: 6.9463366493883692e-310, value=...) at ../Source/JavaScriptCore/runtime/JSCell.cpp:134
 JSC::JSValue::getPrimitiveNumber (this=this@entry=0x7ffff5fd39f0, exec=exec@entry=0x7fdedde7eb30, number=@0x7ffff5fd3a20: 6.9463366493883692e-310, value=...) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:599
 jsLess<true> (v2=..., v1=..., callFrame=0x7fdedde7eb30) at ../Source/JavaScriptCore/runtime/Operations.h:136
 JSC::operationCompareLess (exec=0x7fdedde7eb30, encodedOp1=<optimized out>, encodedOp2=<optimized out>) at ../Source/JavaScriptCore/jit/JITOperations.cpp:829
 ?? ()

Revision history for this message
Apport retracing service (apport) wrote : Stacktrace.txt
Revision history for this message
Apport retracing service (apport) wrote : StacktraceSource.txt
Revision history for this message
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in surf (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Serge Hallyn (serge-hallyn)
information type: Private → Public
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in surf (Ubuntu):
status: New → Confirmed
Changed in webkitgtk (Ubuntu):
status: New → Confirmed
Alberto Salvia Novella (es20490446e)
Changed in webkitgtk (Ubuntu):
importance: Undecided → Medium
Revision history for this message
giacof (giacof) wrote :
Download full text (4.1 KiB)

I'm having similar issue with Eclipse, which crashed after the following exception:

#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f88441d39c0, pid=7412, tid=140228481140480
#
# JRE version: OpenJDK Runtime Environment (8.0_91-b14) (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)
# Java VM: OpenJDK 64-Bit Server VM (25.91-b14 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libjavascriptcoregtk-3.0.so.0+0x4629c0] JSC::JSCell::getPrimitiveNumber(JSC::ExecState*, double&, JSC::JSValue&) const+0x0

[...]

Stack: [0x00007f897cbe4000,0x00007f897cce5000], sp=0x00007f897cce2138, free space=1016k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [libjavascriptcoregtk-3.0.so.0+0x4629c0] JSC::JSCell::getPrimitiveNumber(JSC::ExecState*, double&, JSC::JSValue&) const+0x0
C 0x00007f87fe5ea4e8

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
J 8160 org.eclipse.swt.internal.gtk.OS._g_main_context_iteration(JZ)Z (0 bytes) @ 0x00007f8966704084 [0x00007f8966704040+0x44]
J 11091 C2 org.eclipse.swt.widgets.Display.readAndDispatch()Z (71 bytes) @ 0x00007f896656a890 [0x00007f896656a5c0+0x2d0]
J 11110% C2 org.eclipse.jface.window.Window.runEventLoop(Lorg/eclipse/swt/widgets/Shell;)V (70 bytes) @ 0x00007f8966abf310 [0x00007f8966abf240+0xd0]
j org.eclipse.jface.window.Window.open()I+49
j org.python.pydev.editor.PydevShowBrowserMessage$1.run()V+32
j org.eclipse.swt.widgets.RunnableLock.run()V+11
j org.eclipse.swt.widgets.Synchronizer.runAsyncMessages(Z)Z+37
j org.eclipse.swt.widgets.Display.runAsyncMessages(Z)Z+5
j org.eclipse.swt.widgets.Display.readAndDispatch()Z+61
j org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$4.run()V+530
j org.eclipse.core.databinding.observable.Realm.runWithDefault(Lorg/eclipse/core/databinding/observable/Realm;Ljava/lang/Runnable;)V+12
j org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(Lorg/eclipse/e4/ui/model/application/MApplicationElement;Lorg/eclipse/e4/core/contexts/IEclipseContext;)Ljava/lang/Object;+57
j org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(Lorg/eclipse/e4/ui/model/application/MApplicationElement;)V+20
j org.eclipse.ui.internal.Workbench$5.run()V+436
j org.eclipse.core.databinding.observable.Realm.runWithDefault(Lorg/eclipse/core/databinding/observable/Realm;Ljava/lang/Runnable;)V+12
j org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Lorg/eclipse/swt/widgets/Display;Lorg/eclipse/ui/application/WorkbenchAdvisor;)I+18
j org.eclipse.ui.PlatformUI.createAndRunWorkbench(Lorg/eclipse/swt/widgets/Display;Lorg/eclipse/ui/application/WorkbenchAdvisor;)I+2
j org.eclipse.ui.internal.ide.application.IDEApplication.start(Lorg/eclipse/equinox/app/IApplicationContext;)Ljava/lang/Object;+105
j org.eclipse.equinox.internal.app.EclipseAppHandle.run(Ljava/lang/Object;)Ljava/lang/Object;+135
j org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(Ljava/lang/Object;)Ljava/lang/Object;+85
j org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(Ljava/lang/Object;)Ljava/lang/Object;+82
j org.eclipse.core.runtime.adaptor...

Read more...

Revision history for this message
James Cameron (quozl) wrote :

Also seen with sugar-browse-activity package.

(gdb) bt
#0 JSC::JSCell::getPrimitiveNumber (this=this@entry=0x0, exec=exec@entry=0x7f8e28d43ab0,
    number=@0x7ffdcedc13e0: 9.8813129168249309e-324, value=...) at ../Source/JavaScriptCore/runtime/JSCell.cpp:134
#1 0x00007f8e85accbdc in JSC::JSValue::getPrimitiveNumber (value=..., number=@0x7ffdcedc13e0: 9.8813129168249309e-324,
    exec=0x7f8e28d43ab0, this=<synthetic pointer>) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:599
#2 JSC::jsLess<true> (v2=..., v1=..., callFrame=0x7f8e28d43ab0) at ../Source/JavaScriptCore/runtime/Operations.h:136
#3 JSC::slow_path_less (exec=0x7f8e28d43ab0, pc=0x7f8e0024a290) at ../Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:295
#4 0x00007f8e337cf4b2 in ?? ()
#5 0x0000000000000000 in ?? ()

Same backtrace, matched by function names and line numbers, reported in other bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1315708
https://bugzilla.redhat.com/show_bug.cgi?id=1305994
https://bugs.webkit.org/show_bug.cgi?id=154905 (comment 4, wontfix)
https://bugs.webkit.org/show_bug.cgi?id=153938

Reiner Herrmann (deki)
Changed in surf (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.