Bug 729294 – Opening 2048 result in a webkit crash

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 729294 - Opening 2048 result in a webkit crash


Summary:	Opening 2048 result in a webkit crash


Status:	RESOLVED NOTGNOME

Product:	epiphany
Classification:	Core
Component:	General
Version:	unspecified
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Epiphany Maintainers
QA Contact:	Epiphany Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2014-04-30 22:57 UTC by Elad Alfassa
Modified:	2014-07-03 14:19 UTC

See Also:	https://bugzilla.redhat.com/show_bug.cgi?id=1088480
GNOME target:	---
GNOME version:	---

Description Elad Alfassa 2014-04-30 22:57:57 UTC

http://gabrielecirulli.github.io/2048/ will cause a crash. I can't get the backtrace cause uploading a huge coredump or downloading gigs of debuginfos is impossible on my network

Comment 1 Michael Catanzaro 2014-05-01 04:45:20 UTC

This works for me with WebKit 2.4.1, Epiphany 3.12.0.  What version of WebKit are you using?

Comment 2 Yosef Or Boczko 2014-05-01 10:38:04 UTC

This works for me with WebKti2.2.6, Epiphany 3.10.3.

Comment 3 Elad Alfassa 2014-05-01 17:03:58 UTC

Webkit 2.4.1, Epiphany 3.12 on Fedora Rawhide, crashes every time I open 2048.

Comment 4 Elad Alfassa 2014-05-01 18:17:18 UTC

Tried to use ABRT to fetch a backtrace, it said it's the same as this bug https://bugzilla.redhat.com/show_bug.cgi?id=1088480

I'm not sure if that's an assumption you can trust, tho.

Comment 5 Elad Alfassa 2014-07-02 19:51:59 UTC

Webkit 2.4.3

Same crash in duckduckgo search, and many many other websites which are seemingly unrelated. Could be that there's some widely-used javascript library that causes a crash.

Here's a backtrace without installing the libwebkit2gtk debuginfo, because that causes gdb to crash :)

+ Trace 233758

#0 ??
#0 0x0000000000000000 in
#1 TSymbolTableLevel::~TSymbolTableLevel()
#2 TCompiler::compile(char const* const*, unsigned long, int)
#3 ShCompile
#4 WebCore::ANGLEWebKitBridge::compileShaderSource(char const*, WebCore::ANGLEShaderType, WTF::String&, WTF::String&, WTF::Vector<WebCore::ANGLEShaderSymbol, 0ul, WTF::CrashOnOverflow>&, int)
#5 WebCore::Extensions3DOpenGLCommon::getTranslatedShaderSourceANGLE(unsigned int)
#6 WebCore::GraphicsContext3D::compileShader(unsigned int)
#7 WebCore::TextureMapperShaderProgram::TextureMapperShaderProgram(WTF::PassRefPtr<WebCore::GraphicsContext3D>, WTF::String const&, WTF::String const&)
#8 WebCore::TextureMapperShaderProgram::create(WTF::PassRefPtr<WebCore::GraphicsContext3D>, unsigned int)
#9 WebCore::TextureMapperGL::drawTexture(unsigned int, int, WebCore::IntSize const&, WebCore::FloatRect const&, WebCore::TransformationMatrix const&, float, unsigned int)
#10 WebCore::TextureMapperGL::drawTexture(WebCore::BitmapTexture const&, WebCore::FloatRect const&, WebCore::TransformationMatrix const&, float, unsigned int)
#11 WebCore::TextureMapperTile::paint(WebCore::TextureMapper*, WebCore::TransformationMatrix const&, float, unsigned int)
#12 WebCore::TextureMapperTiledBackingStore::paintToTextureMapper(WebCore::TextureMapper*, WebCore::FloatRect const&, WebCore::TransformationMatrix const&, float)
#13 WebCore::TextureMapperLayer::paintSelf(WebCore::TextureMapperPaintOptions const&)
#14 WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&)
#15 WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&)
#16 WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&)
#17 WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&) [clone .part.97]
#18 WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&)
#19 WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&)
#20 WebCore::TextureMapperLayer::paint()
#21 WebKit::LayerTreeHostGtk::compositeLayersToContext(WebKit::LayerTreeHostGtk::CompositePurpose)
#22 WebKit::LayerTreeHostGtk::flushAndRenderLayers()
#23 WebKit::LayerTreeHostGtk::layerFlushTimerFired()
#24 WebKit::LayerTreeHostGtk::layerFlushTimerFiredCallback(WebKit::LayerTreeHostGtk*)
#25 g_timeout_dispatch
at gmain.c line 4472
#26 g_main_context_dispatch
at gmain.c line 3064
#27 g_main_context_dispatch
at gmain.c line 3663
#28 g_main_context_iterate
at gmain.c line 3734
#29 g_main_loop_run
at gmain.c line 3928
#30 WebProcessMainGtk
#31 __libc_start_main
at libc-start.c line 289
#32 _start

Comment 6 Elad Alfassa 2014-07-02 20:05:35 UTC

More detailed trace (after debuginfo installation). It stops prematurely when gdb crashes, but it tells us the crash is in ANGLE (https://code.google.com/p/angleproject/), which is related to WebGL, but the crash happens in pages which afaik don't use WebGL.

+ Trace 233759

#0 0x0000000000000000 in
#1 TSymbolTableLevel::~TSymbolTableLevel()
at Source/ThirdParty/ANGLE/src/compiler/SymbolTable.cpp line 174
#2 TCompiler::compile(char const* const*, unsigned long, int)
at Source/ThirdParty/ANGLE/src/compiler/SymbolTable.h line 263
#3 TCompiler::compile(char const* const*, unsigned long, int)
at Source/ThirdParty/ANGLE/src/compiler/Compiler.cpp line 55
#4 TCompiler::compile(char const* const*, unsigned long, int)
at Source/ThirdParty/ANGLE/src/compiler/Compiler.cpp line 150
#5 ShCompile(ShHandle, char const* const*, size_t, int)
at Source/ThirdParty/ANGLE/src/compiler/ShaderLang.cpp line 149
#6 WebCore::ANGLEWebKitBridge::compileShaderSource(char const*, WebCore::ANGLEShaderType, WTF::String&, WTF::String&, WTF::Vector<WebCore::ANGLEShaderSymbol, 0ul, WTF::CrashOnOverflow>&, int)
at Source/WebCore/platform/graphics/ANGLEWebKitBridge.cpp line 205
#7 WebCore::Extensions3DOpenGLCommon::getTranslatedShaderSourceANGLE(unsigned int)
at Source/WebCore/platform/graphics/opengl/Extensions3DOpenGLCommon.cpp line 179
#8 WebCore::GraphicsContext3D::compileShader(unsigned int)
at Source/WebCore/platform/graphics/opengl/GraphicsContext3DOpenGLCommon.cpp line 519
#9 WebCore::TextureMapperShaderProgram::TextureMapperShaderProgram(WTF::PassRefPtr<WebCore::GraphicsContext3D>, WTF::String const&, WTF::String const&)
at Source/WebCore/platform/graphics/texmap/TextureMapperShaderProgram.cpp line 53
#10 WebCore::TextureMapperShaderProgram::create(WTF::PassRefPtr<WebCore::GraphicsContext3D>, unsigned int)
at Source/WebCore/platform/graphics/texmap/TextureMapperShaderProgram.cpp line 399
#11 WebCore::TextureMapperGL::drawTexture(unsigned int, int, WebCore::IntSize const&, WebCore::FloatRect const&, WebCore::TransformationMatrix const&, fWhat else isloat, unsigned int)
at Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp line 81
#12 WebCore::TextureMapperGL::drawTexture(unsigned int, int, WebCore::IntSize const&, WebCore::FloatRect const&, WebCore::TransformationMatrix const&, float, unsigned int)
at Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp line 567
#13 WebCore::TextureMapperGL::drawTexture(WebCore::BitmapTexture const&, WebCore::FloatRect const&, WebCore::TransformationMatrix const&, float, unsigned int)
at Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp line 530
#14 WebCore::TextureMapperTile::paint(WebCore::TextureMapper*, WebCore::TransformationMatrix const&, float, unsigned int)
at Source/WebCore/platform/graphics/texmap/TextureMapperTile.cpp line 75
#15 WebCore::TextureMapperTiledBackingStore::paintToTextureMapper(WebCore::TextureMapper*, WebCore::FloatRect const&, WebCore::TransformationMatrix const&, float)
at Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp line 55
#16 WebCore::TextureMapperLayer::paintSelf(WebCore::TextureMapperPaintOptions const&)
at Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp line 139
#17 WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&)
at Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp line 176
#18 WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&)
at Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp line 231
#19 WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&)
at Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp line 455
#20 WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions const&)
at Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp line 191
#21 WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions const&)
at Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp line 231
#22 WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions const&)
at Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp line 455
#23 WebCore::TextureMapperLayer::paint()
at Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp line 92
#24 WebKit::LayerTreeHostGtk::compositeLayersToContext(WebKit::LayerTreeHostGtk::CompositePurpose)
at Source/WebKit2/WebProcess/WebPage/gtk/LayerTreeHostGtk.cpp line 341
#25 WebKit::LayerTreeHostGtk::flushAndRenderLayers()
at Source/WebKit2/WebProcess/WebPage/gtk/LayerTreeHostGtk.cpp line 366
#26 WebKit::LayerTreeHostGtk::layerFlushTimerFired()
at Source/WebKit2/WebProcess/WebPage/gtk/LayerTreeHostGtk.cpp line 301

Comment 7 Alberto Garcia 2014-07-03 11:01:42 UTC

Hey, I've been making several tests with that web page and it doesn't seem to crash in my environment, certainly not with the WebKitGTK+ 2.4.3 packages from Debian.

After testing a bit it seems that I can trigger this bug if WebKitGTK+ is built with gcc 4.9, but it works fine if I build using gcc 4.8 (which is also the one used in Debian).

So this might be a gcc bug. I'll try to investigate a bit more, but it would be nice if anyone can double-check in their environment.

Comment 8 Elad Alfassa 2014-07-03 11:09:11 UTC

Might be useful to upload these pages as attachments here or put them online and have links to them, so others can test.

Comment 9 Alberto Garcia 2014-07-03 12:56:06 UTC

It might be the same as this bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=1025576

Comment 10 Elad Alfassa 2014-07-03 13:04:12 UTC

Looks very similar, and the patch in that bug points to upstream angle issue https://code.google.com/p/angleproject/issues/detail?id=651 which was very recently fixed

Comment 11 Alberto Garcia 2014-07-03 13:49:40 UTC

Yeah, I rebuilt WebKitGTK+ with this patch and it seems to solve the issue.

--- a/Source/ThirdParty/ANGLE/src/compiler/SymbolTable.cpp
+++ b/Source/ThirdParty/ANGLE/src/compiler/SymbolTable.cpp
@@ -171,7 +171,8 @@ TFunction::~TFunction()
 TSymbolTableLevel::~TSymbolTableLevel()
 {
     for (tLevel::iterator it = level.begin(); it != level.end(); ++it)
-        delete (*it).second;
+        if ((*it).first == (*it).second->getMangledName())
+            delete (*it).second;
 }
 
 //

Comment 12 Alberto Garcia 2014-07-03 14:15:41 UTC

Anyway, this is a WebKitGTK+ bug, so I've just reported it there:

https://bugs.webkit.org/show_bug.cgi?id=134593

We're planning to make a new stable release very soon that will fix this problem among others.

This epiphany bug can be closed I guess since the problem is not here.

Comment 13 Elad Alfassa 2014-07-03 14:19:02 UTC

Closing as RESOLVED NOTGNOME.

Thanks!