
Bug#909366: libqt5webkit5: segfault in JSC::Structure::globalObject()



Package: libqt5webkit5
Version: 5.212.0~alpha2-15

Programs that use QtWebKit (at least wkhtmltopdf and arora) crash when rendering the attached HTML file. The backtrace below shows the fault is reached from page script running during HTML parsing (frames #5–#25, a `new Image()` constructor call), so the trigger is ordinary web content rather than anything specific to the host application:

  $ wkhtmltopdf --quiet crash.html tmp.pdf
  QApplication: invalid style override passed, ignoring it.
  libpng warning: iCCP: known incorrect sRGB profile
  libpng warning: iCCP: known incorrect sRGB profile
  Segmentation fault

Backtrace:

#0  0xf5f6bb65 in JSC::Structure::globalObject() const () at ../Source/JavaScriptCore/runtime/Structure.h:247
#1  0xf5f6bb65 in JSC::JSObject::globalObject() const () at ../Source/JavaScriptCore/runtime/JSObject.h:648
#2  0xf5f6bb65 in WebCore::JSDOMObject::globalObject() const () at ../Source/WebCore/bindings/js/JSDOMWrapper.h:40
#3  0xf5f6bb65 in WebCore::JSDOMObject::scriptExecutionContext() const () at ../Source/WebCore/bindings/js/JSDOMWrapper.h:41
#4  0xf5f6bb65 in WebCore::DOMConstructorWithDocument::document() const () at ../Source/WebCore/bindings/js/DOMConstructorWithDocument.h:35
#5  0xf5f6bb65 in WebCore::JSDOMNamedConstructor<WebCore::JSHTMLImageElement>::construct(JSC::ExecState*) () at ../Source/WebCore/bindings/js/JSImageConstructor.cpp:50
#6  0xf586a3ea in handleHostCall() () at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1131
#7  0xf5874e04 in JSC::LLInt::genericCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind) () at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1238
#8  0xf5874e04 in llint_slow_path_construct() () at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1250
#9  0xf56a892f in llint_entry () at /usr/lib/i386-linux-gnu/libQt5WebKit.so.5
#10 0xf56a3e9c in vmEntryToJavaScript () at /usr/lib/i386-linux-gnu/libQt5WebKit.so.5
#11 0xf564133c in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) () at ../Source/JavaScriptCore/jit/JITCode.cpp:80
#12 0xf560a1a1 in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) () at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:971
#13 0xf53a54dc in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () at ../Source/JavaScriptCore/runtime/Completion.cpp:106
#14 0xf53a574a in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () at ../Source/JavaScriptCore/runtime/Completion.cpp:121
#15 0xf6018477 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () at ../Source/WebCore/bindings/js/JSMainThreadExecState.h:80
#16 0xf6018477 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) () at ../Source/WebCore/bindings/js/ScriptController.cpp:164
#17 0xf60187a8 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) () at ../Source/WebCore/bindings/js/ScriptController.cpp:180
#18 0xf5e16c35 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) () at ../Source/WebCore/dom/ScriptElement.cpp:314
#19 0xf5e170de in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) () at ../Source/WebCore/dom/ScriptElement.cpp:245
#20 0xf60ae292 in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) () at ../Source/WebCore/html/parser/HTMLScriptRunner.cpp:302
#21 0xf60aec5a in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) () at ../Source/WebCore/html/parser/HTMLScriptRunner.cpp:175
#22 0xf60a23c9 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() () at ../Source/WebCore/html/parser/HTMLDocumentParser.cpp:195
#23 0xf60a24ac in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) () at ../Source/WebCore/html/parser/HTMLDocumentParser.cpp:213
#24 0xf60a443e in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) () at ../Source/WebCore/html/parser/HTMLDocumentParser.cpp:201
#25 0xf60a443e in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) () at ../Source/WebCore/html/parser/HTMLDocumentParser.cpp:252
#26 0xf60a57cb in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) () at ../Source/WebCore/html/parser/HTMLDocumentParser.cpp:382
#27 0xf5dac513 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) () at ../Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#28 0xf60fa1d7 in WebCore::DocumentWriter::end() () at ../Source/WebCore/loader/DocumentWriter.cpp:260
#29 0xf60f00cd in WebCore::DocumentLoader::finishedLoading(double) () at ../Source/WebCore/loader/DocumentLoader.cpp:435
#30 0xf60f029d in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) () at ../Source/WebCore/loader/DocumentLoader.cpp:382
#31 0xf6161311 in WebCore::CachedResource::checkNotify() () at ../Source/WebCore/loader/cache/CachedResource.cpp:296
#32 0xf615c621 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) () at ../Source/WebCore/loader/cache/CachedRawResource.cpp:103
#33 0xf61450c9 in WebCore::SubresourceLoader::didFinishLoading(double) () at ../Source/WebCore/loader/SubresourceLoader.cpp:428
#34 0xf6430fc3 in WebCore::QNetworkReplyHandler::finish() () at ../Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:524
#35 0xf6430915 in WebCore::QNetworkReplyHandlerCallQueue::flush() () at ../Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:258
#36 0xf6430b1b in WebCore::QNetworkReplyHandlerCallQueue::flush() () at ../Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:252
#37 0xf6430b1b in WebCore::QNetworkReplyHandlerCallQueue::push(void (WebCore::QNetworkReplyHandler::*)()) () at ../Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:218
#38 0xf6430b1b in WebCore::QNetworkReplyWrapper::didReceiveFinished() () at ../Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:417
#39 0xf3b5490f in QMetaObject::activate(QObject*, int, int, void**) (sender=<optimized out>, signalOffset=<optimized out>, local_signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3771
#40 0xf3b54eed in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (sender=0x5775f2d0, m=0xf3fe3da8 <QNetworkReply::staticMetaObject>, local_signal_index=1, argv=0x0) at kernel/qobject.cpp:3633
#41 0xf3f3a702 in QNetworkReply::finished() (this=0x5775f2d0) at .moc/moc_qnetworkreply.cpp:380
#42 0xf3f3ab79 in QNetworkReply::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (_o=0x5775f2d0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x57784530) at .moc/moc_qnetworkreply.cpp:222
#43 0xf3b51796 in QMetaCallEvent::placeMetaCall(QObject*) (this=0x57784550, object=0x5775f2d0) at kernel/qobject.cpp:506
#44 0xf3b551ab in QObject::event(QEvent*) (this=0x5775f2d0, e=0x57784550) at kernel/qobject.cpp:1251
#45 0xf4a310a6 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=0x576d32b0, receiver=0x5775f2d0, e=0x57784550) at kernel/qapplication.cpp:3727
#46 0xf4a38fd9 in QApplication::notify(QObject*, QEvent*) (this=0xffd1414c, receiver=0x5775f2d0, e=0x57784550) at kernel/qapplication.cpp:3486
#47 0xf3b28aaa in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x5775f2d0, event=0x57784550) at ../../include/QtCore/../../src/corelib/kernel/qobject.h:142
#48 0xf3b2bdb9 in QCoreApplication::sendEvent(QObject*, QEvent*) (event=0x57784550, receiver=<optimized out>) at kernel/qcoreapplication.h:234
#49 0xf3b2bdb9 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (receiver=<optimized out>, event_type=<optimized out>, data=0x576badb0) at kernel/qcoreapplication.cpp:1745
#50 0xf3b2c1c7 in QCoreApplication::sendPostedEvents(QObject*, int) (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1599
#51 0xf3b81b13 in postEventSourceDispatch(GSource*, GSourceFunc, gpointer) (s=0x576fc0c0) at kernel/qeventdispatcher_glib.cpp:276
#52 0xf1d92b2d in g_main_context_dispatch () at /usr/lib/i386-linux-gnu/libglib-2.0.so.0
#53 0xf1d92de9 in  () at /usr/lib/i386-linux-gnu/libglib-2.0.so.0
#54 0xf1d92e94 in g_main_context_iteration () at /usr/lib/i386-linux-gnu/libglib-2.0.so.0
#55 0xf3b810d8 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x576fa360, flags=...) at kernel/qeventdispatcher_glib.cpp:423
#56 0xee929373 in QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x576fa360, flags=...) at qeventdispatcher_glib.cpp:69
#57 0xf3b28bf0 in QCoreApplication::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (flags=...) at /usr/include/c++/8/bits/atomic_base.h:707
#58 0x5658bf7a in wkhtmltopdf::ConverterPrivate::convert() (this=0x576fbc00) at ../lib/converter.cc:94
#59 0x56572984 in main(int, char**) (argc=<optimized out>, argv=0xffd145a4) at wkhtmltopdf.cc:234


-- System Information:
Architecture: i386

Versions of packages libqt5webkit5 depends on:
ii  dpkg                                   1.19.0.5+b1
ii  libc6                                  2.27-6
ii  libgcc1                                1:8.2.0-7
ii  libglib2.0-0                           2.58.1-2
ii  libgstreamer-plugins-base1.0-0         1.14.3-2
ii  libgstreamer1.0-0                      1.14.3-1
ii  libhyphen0                             2.8.8-5
ii  libicu60                               60.2-6
ii  libjpeg62-turbo                        1:1.5.2-2+b1
ii  libpng16-16                            1.6.34-2
ii  libqt5core5a [qtbase-abi-5-11-0]       5.11.1+dfsg-8
ii  libqt5gui5                             5.11.1+dfsg-8
ii  libqt5network5                         5.11.1+dfsg-8
ii  libqt5positioning5                     5.11.1+dfsg-4
ii  libqt5printsupport5                    5.11.1+dfsg-8
ii  libqt5qml5 [qtdeclarative-abi-5-11-0]  5.11.1-5
ii  libqt5quick5                           5.11.1-5
ii  libqt5sensors5                         5.11.1-3
ii  libqt5webchannel5                      5.11.1-3
ii  libqt5widgets5                         5.11.1+dfsg-8
ii  libsqlite3-0                           3.25.1-1
ii  libstdc++6                             8.2.0-7
ii  libwebp6                               0.6.1-2
ii  libwoff1                               1.0.2-1
ii  libxml2                                2.9.4+dfsg1-7+b1
ii  libxslt1.1                             1.1.32-2
ii  zlib1g                                 1:1.2.11.dfsg-1

--
Jakub Wilk
