WebKit Bugzilla
Status: REOPENED
Bug 275099: [WPE] WPEWebProcess : allocateMoreOutOfLineStorage crash
https://bugs.webkit.org/show_bug.cgi?id=275099
Wouter Vanhauwaert
Reported
2024-06-04 01:39:58 PDT
In our application (sending and interpreting websocket data at regular intervals, running on imx53 if that matters), after a while we get a crash of WPEWebProcess. This results in a screen which shows: "The renderer process crashed. Reloading the page may fix intermittent failures."

Backtrace got me to:

(gdb) bt
#0 0xb4701ebc in JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned int, unsigned int) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#1 0xb478ba26 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#2 0xb4789b32 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#3 0xb4789b32 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#4 0xb478884c in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#5 0xb4789b32 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#6 0xb4789b32 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#7 0xb478f1d2 in JSC::LiteralParser<unsigned char>::parseRecursivelyEntry(JSC::VM&) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#8 0xb46f5b22 in JSC::jsonProtoFuncParse(JSC::JSGlobalObject*, JSC::CallFrame*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#9 0xad2ff128 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Does anyone have an idea? Or an idea of how to dig further?
Wouter Vanhauwaert
Comment 1
2024-06-13 04:33:15 PDT
Same function, different backtrace:

#0 0xb471eebc in JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned int, unsigned int) () from /opt/nfsroot/rootfs_imx53_scarthgap/usr/lib/libWPEWebKit-2.0.so.1.3.2
#1 0xb423dad4 in WTF::ASCIILiteral JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) () from /opt/nfsroot/rootfs_imx53_scarthgap/usr/lib/libWPEWebKit-2.0.so.1.3.2
#2 0xb4527966 in llint_slow_path_put_by_id () from /opt/nfsroot/rootfs_imx53_scarthgap/usr/lib/libWPEWebKit-2.0.so.1.3.2
#3 0xb6508ab8 in llint_op_put_by_id () from /opt/nfsroot/rootfs_imx53_scarthgap/usr/lib/libWPEWebKit-2.0.so.1.3.2
Adrian Perez
Comment 2
2025-09-18 05:10:09 PDT
It looks like this is the same as bug #295780, as pointed out by Wouter in the WPE chat room -- the other one has a bit more information, so I am going to close this one as a duplicate.

*** This bug has been marked as a duplicate of bug 295780 ***
Wouter Vanhauwaert
Comment 3
2026-01-19 00:28:18 PST
It appears not to be a duplicate of the earlier mentioned bug. The result looks the same (an issue in memory allocation), but the origin differs. I took a step back and avoided the recursive parsing by adding JSC_useRecursiveJSONParse=false to the environment, and the issue seems gone.
Wouter Vanhauwaert
Comment 4
2026-01-19 00:30:03 PST
Hitting the same on imx6q, rdk-vivante backend (no cog).

Core was generated by `/usr/libexec/wpe-webkit-1.1/WPEWebProcess 23 27 31'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x7419c8ec in JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned int, unsigned int) () from ./usr/lib/libWPEWebKit-1.1.so.0
[Current thread is 1 (LWP 700)]
(gdb) bt
#0 0x7419c8ec in JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned int, unsigned int) () from ./usr/lib/libWPEWebKit-1.1.so.0
#1 0x742741c6 in JSC::LiteralParser<unsigned char, (JSC::JSONReviverMode)0>::parseRecursively(JSC::VM&, unsigned char*) () from ./usr/lib/libWPEWebKit-1.1.so.0
#2 0x7427093c in JSC::LiteralParser<unsigned char, (JSC::JSONReviverMode)0>::parseRecursively(JSC::VM&, unsigned char*) () from ./usr/lib/libWPEWebKit-1.1.so.0
#3 0x7427093c in JSC::LiteralParser<unsigned char, (JSC::JSONReviverMode)0>::parseRecursively(JSC::VM&, unsigned char*) () from ./usr/lib/libWPEWebKit-1.1.so.0
#4 0x7426fc60 in JSC::LiteralParser<unsigned char, (JSC::JSONReviverMode)0>::parseRecursively(JSC::VM&, unsigned char*) () from ./usr/lib/libWPEWebKit-1.1.so.0
#5 0x7427093c in JSC::LiteralParser<unsigned char, (JSC::JSONReviverMode)0>::parseRecursively(JSC::VM&, unsigned char*) () from ./usr/lib/libWPEWebKit-1.1.so.0
#6 0x7427093c in JSC::LiteralParser<unsigned char, (JSC::JSONReviverMode)0>::parseRecursively(JSC::VM&, unsigned char*) () from ./usr/lib/libWPEWebKit-1.1.so.0
#7 0x7427a0a0 in JSC::LiteralParser<unsigned char, (JSC::JSONReviverMode)0>::parseRecursivelyEntry(JSC::VM&) () from ./usr/lib/libWPEWebKit-1.1.so.0
#8 0x74192484 in JSC::jsonProtoFuncParse(JSC::JSGlobalObject*, JSC::CallFrame*) () from ./usr/lib/libWPEWebKit-1.1.so.0
#9 0x6c2ff148 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)

Idem for rockchip rk3288 with wayland/cog. No backtrace for this one, but I suspect it is the same.
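Added example, not WebKit's code or the reporter's: a Python triage helper for the gdb backtraces pasted in the comments above. It parses `bt` output whether one frame per line or run together on a single line, reduces each frame to a bare symbol, and classifies a crash in JSObject::allocateMoreOutOfLineStorage by whether the stack reached it through LiteralParser::parseRecursively (the JSON.parse path in comments 0 and 4) or through putDirectInternal below llint_slow_path_put_by_id (comment 1). The sample backtraces are copied from comments 0 and 1; the Frame and Triage names, the origin labels and the depth count are my own.

```python
"""Triage helper for the WPEWebProcess backtraces in this report.

Added example, not WebKit or reporter code: parses gdb "bt" output (one frame
per line, or flattened onto one line as pasted in the comments), normalizes
each frame to a qualified symbol and classifies the crash by the call path
that reached JSC::JSObject::allocateMoreOutOfLineStorage.
"""
import re
from dataclasses import dataclass

# A frame starts at "#<n> 0x<pc> in"; splitting on that lookahead also copes
# with backtraces that were run together on a single line.
FRAME_SPLIT = re.compile(r"(?=#\d+\s+0x[0-9a-fA-F]+\s+in\s)")
FRAME_RE = re.compile(
    r"#(?P<idx>\d+)\s+(?P<pc>0x[0-9a-fA-F]+)\s+in\s+(?P<sig>.*?)\s+\(\)"
    r"(?:\s+from\s+(?P<lib>\S+))?"
)

# Symbols taken from the backtraces in comment 0 and comment 1.
CRASH_SYMBOL = "JSC::JSObject::allocateMoreOutOfLineStorage"
JSON_RECURSIVE = "JSC::LiteralParser::parseRecursively"
PUT_DIRECT = "JSC::JSObject::putDirectInternal"


@dataclass
class Frame:
    index: int
    pc: str
    symbol: str   # qualified name without return type, template args or params
    library: str  # "" when gdb printed no "from" part (e.g. the "?? ()" frame)


@dataclass
class Triage:
    crash_symbol: str      # symbol of frame #0
    origin: str            # "json-parse-recursive", "put-by-id" or "other"
    recursion_depth: int   # number of LiteralParser::parseRecursively frames
    stack_truncated: bool  # gdb stopped unwinding ("corrupt stack?")


def normalize_symbol(sig: str) -> str:
    """Reduce a demangled C++ signature to its qualified function name."""
    for _ in range(2):                       # strip up to two levels of <...>
        sig = re.sub(r"<[^<>]*>", "", sig)
    sig = sig.split("(", 1)[0].strip()       # cut the parameter list
    return sig.split()[-1]                   # drop a leading return type


def parse_backtrace(text: str) -> list:
    frames = []
    for chunk in FRAME_SPLIT.split(text):
        m = FRAME_RE.match(chunk.strip())
        if m:  # non-frame text such as "(gdb) bt" or "Backtrace stopped" is skipped
            frames.append(Frame(int(m["idx"]), m["pc"],
                                normalize_symbol(m["sig"]), m["lib"] or ""))
    return frames


def triage(text: str) -> Triage:
    symbols = [f.symbol for f in parse_backtrace(text)]
    depth = symbols.count(JSON_RECURSIVE)
    if depth:
        origin = "json-parse-recursive"   # JSON.parse -> LiteralParser path
    elif PUT_DIRECT in symbols:
        origin = "put-by-id"              # property store from the LLInt
    else:
        origin = "other"
    return Triage(symbols[0] if symbols else "", origin, depth,
                  "Backtrace stopped" in text)


# Sample input copied from comment 0 (one frame per line).
BT_JSON_PARSE = """(gdb) bt
#0 0xb4701ebc in JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned int, unsigned int) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#1 0xb478ba26 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#2 0xb4789b32 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#3 0xb4789b32 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#4 0xb478884c in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#5 0xb4789b32 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#6 0xb4789b32 in JSC::LiteralParser<unsigned char>::parseRecursively(JSC::VM&, unsigned char*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#7 0xb478f1d2 in JSC::LiteralParser<unsigned char>::parseRecursivelyEntry(JSC::VM&) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#8 0xb46f5b22 in JSC::jsonProtoFuncParse(JSC::JSGlobalObject*, JSC::CallFrame*) () from /home/wv/debugfs/usr/lib/libWPEWebKit-2.0.so.1
#9 0xad2ff128 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
"""

# Sample input copied from comment 1, kept flattened on one line as pasted.
BT_PUT_BY_ID = (
    "#0 0xb471eebc in JSC::JSObject::allocateMoreOutOfLineStorage(JSC::VM&, unsigned int, unsigned int) () from /opt/nfsroot/rootfs_imx53_scarthgap/usr/lib/libWPEWebKit-2.0.so.1.3.2 "
    "#1 0xb423dad4 in WTF::ASCIILiteral JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) () from /opt/nfsroot/rootfs_imx53_scarthgap/usr/lib/libWPEWebKit-2.0.so.1.3.2 "
    "#2 0xb4527966 in llint_slow_path_put_by_id () from /opt/nfsroot/rootfs_imx53_scarthgap/usr/lib/libWPEWebKit-2.0.so.1.3.2 "
    "#3 0xb6508ab8 in llint_op_put_by_id () from /opt/nfsroot/rootfs_imx53_scarthgap/usr/lib/libWPEWebKit-2.0.so.1.3.2"
)

if __name__ == "__main__":
    for name, bt in (("comment 0", BT_JSON_PARSE), ("comment 1", BT_PUT_BY_ID)):
        print(name, triage(bt))
```

A dump classified as put-by-id never enters the JSON parser, so it is worth tracking separately from the recursive-parse crashes that comment 3's JSC_useRecursiveJSONParse=false workaround addresses; the recursion depth records how deeply nested the JSON was when the out-of-line storage allocation failed, which is useful to compare across dumps from the different boards.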