Public bug reported:

== Comment: #0 - Andreas Krebbel <andreas.kreb...@de.ibm.com> - 2021-11-15 09:29:44 ==
---Problem Description---
Segmentation fault from WebKit Javascript engine
 
Contact Information = andreas.kreb...@de.ibm.com 
 
---uname output---
Linux 193438490afd 5.8.15-301.fc33.s390x #1 SMP Thu Oct 15 15:55:57 UTC 2020 s390x s390x s390x GNU/Linux
 
Machine Type = IBM Z 
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
 index.html:
<!doctype html>
<html lang="de">
  <head>
  </head>

  <body>
    <script src="min.js"></script>
  </body>
</html>

min.js:
var i = Math.max

wkhtmltopdf index.html test.pdf
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
Segmentation fault (core dumped)                             ] 17%
 
Userspace tool common name: wkhtmltopdf 
 
The userspace tool has the following bit modes: 64 

Userspace rpm: libqt5webkit5

Userspace tool obtained from project website:  na 
 
*Additional Instructions for andreas.kreb...@de.ibm.com:
-Attach ltrace and strace of userspace application.

== Comment: #1 - Andreas Krebbel <andreas.kreb...@de.ibm.com> - 2021-11-15 09:44:04 ==
In CodeBlock.cpp the code preparing the operands of op_get_from_scope writes 
the property offset as a pointer-sized (hence 64 bit) value:

2141: instructions[i + 6].u.pointer =
reinterpret_cast<void*>(op.operand);

while the same slot is accessed later by the jitted code as a 32 bit
integer:

macro getProperty(slow)
    loadisFromInstruction(6, t1)

This fails on big endian targets since the integer access takes the
higher part of the 64 bit value.

Changing:

macro getProperty(slow)
    loadisFromInstruction(6, t1)

to

macro getProperty(slow)
    loadpFromInstruction(6, t1)

in llint/LowLevelInterpreter64.asm fixes the problem for me.


I could not reproduce the problem on Ubuntu 20.10. In upstream webkit the 
problem got fixed as a side effect of a larger change, but in the end quite 
similarly to the change I'm proposing. The value resides somewhere else now, but 
it is accessed as a 64 bit value in getProperty:

macro getProperty()
        loadp OpGetFromScope::Metadata::m_operand[t5], t1


If you have the jsc binary from the webkit package available the problem
can be reproduced with just 'jsc -e "i=Math.min"'
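To make the mechanism in the comment above concrete, here is an added C example (not WebKit code; `union Slot`, `store_offset_as_pointer`, `load_is`, `load_p` and `simulate_load_is` are hypothetical stand-ins named after the macros in the report): it stores an offset the way CodeBlock.cpp does, reads it back both the buggy 32-bit way and the fixed pointer-sized way, and models the slot's byte layout on a big-endian and a little-endian 64-bit target so the difference is visible on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the instruction slot described in the report
 * (not WebKit's real Instruction type): written via `pointer`, read as int. */
union Slot {
    void *pointer;
    int32_t operand;
};

/* Write side from CodeBlock.cpp: the offset stored as a pointer-sized value. */
static union Slot store_offset_as_pointer(int32_t offset) {
    union Slot s;
    memset(&s, 0, sizeof s);
    s.pointer = (void *)(intptr_t)offset;
    return s;
}
/* Buggy read (`loadisFromInstruction`): 32-bit load of the slot's first bytes. */
static int32_t load_is(union Slot s) { return s.operand; }
/* Fixed read (`loadpFromInstruction`): pointer-sized load, then narrow. */
static int32_t load_p(union Slot s) { return (int32_t)(intptr_t)s.pointer; }

static int host_is_big_endian(void) {
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0;
}
/* Target-independent model of the 8-byte slot: what a 32-bit load of its
 * first four bytes returns on a 64-bit target of the given byte order. */
static int32_t simulate_load_is(int32_t offset, int big_endian) {
    uint64_t v = (uint64_t)(uint32_t)offset;
    unsigned char slot[8];
    uint32_t r = 0;
    for (int i = 0; i < 8; i++)
        slot[i] = (unsigned char)(v >> (big_endian ? (7 - i) * 8 : i * 8));
    for (int i = 0; i < 4; i++)   /* big-endian: high half first, so r stays 0 */
        r |= (uint32_t)slot[i] << (big_endian ? (3 - i) * 8 : i * 8);
    return (int32_t)r;
}

int main(void) {
    union Slot s = store_offset_as_pointer(42);
    printf("host %s-endian: loadis=%d loadp=%d\n",
           host_is_big_endian() ? "big" : "little", load_is(s), load_p(s));
    printf("modelled big-endian loadis=%d, little-endian loadis=%d\n",
           simulate_load_is(42, 1), simulate_load_is(42, 0));
    return 0;
}
```

On a big-endian 64-bit host the first printf shows loadis=0 while loadp=42, which is the wrong property offset the LLInt then dereferences.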

== Comment: #2 - Andreas Krebbel <andreas.kreb...@de.ibm.com> - 2021-11-15 09:49:55 ==

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Skipper Bug Screeners (skipper-screen-team)
         Status: New


** Tags: architecture-s39064 bugnameltc-195436 severity-high targetmilestone-inin---

** Tags added: architecture-s39064 bugnameltc-195436 severity-high targetmilestone-inin---

https://bugs.launchpad.net/bugs/1951470

Title:
  webkit javascript segmentation fault

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs