LadybirdBrowser / ladybird

Truly independent web browser
https://ladybird.org
BSD 2-Clause "Simplified" License

Lexical Playground crashes the WebContent #1492

Open mkljczk opened 4 weeks ago

mkljczk commented 4 weeks ago

When trying to test https://github.com/facebook/lexical on playground.lexical.dev, the page crashes and I get the following logs:

17457.689 WebContent(139075): ImageDecoderClient: Invalid bitmap for request 2 at index 0
VERIFICATION FAILED: i < m_size at /home/marcin/projects/ladybird/AK/Vector.h:148
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-ak.so.0(ak_verification_failed+0x81) [0x7fb6fb5496d1]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::DeclarativeEnvironment::shrink_to_fit()+0) [0x7fb6fb0c2c10]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x17e66e) [0x7fb6faf7e66e]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_bytecode(unsigned long)+0x2142) [0x7fb6faf9d602]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value)+0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body()+0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>)+0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const+0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_bytecode(unsigned long)+0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value)+0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body()+0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>)+0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const+0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_bytecode(unsigned long)+0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value)+0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body()+0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>)+0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const+0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_bytecode(unsigned long)+0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value)+0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body()+0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>)+0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const+0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_bytecode(unsigned long)+0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value)+0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body()+0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>)+0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const+0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_bytecode(unsigned long)+0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value)+0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body()+0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>)+0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const+0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_bytecode(unsigned long)+0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value)+0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body()+0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>)+0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0(Web::WebIDL::call_user_object_operation(Web::WebIDL::CallbackType&, AK::String const&, AK::Optional<JS::Value>, JS::MarkedVector<JS::Value, 0ul>)+0x102) [0x7fb6fc265972]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0(JS::Completion Web::WebIDL::call_user_object_operation<Web::DOM::Event*&>(Web::WebIDL::CallbackType&, AK::String const&, AK::Optional<JS::Value>, Web::DOM::Event*&)+0x144) [0x7fb6fbddb4a4]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0(Web::DOM::EventDispatcher::inner_invoke(Web::DOM::Event&, AK::Vector<JS::Handle<Web::DOM::DOMEventListener>, 0ul>&, Web::DOM::Event::Phase, bool)+0x1ce) [0x7fb6fbdda32e]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0(Web::DOM::EventDispatcher::invoke(Web::DOM::Event::PathEntry&, Web::DOM::Event&, Web::DOM::Event::Phase)+0x13d) [0x7fb6fbdda5ed]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0(Web::DOM::EventDispatcher::dispatch(JS::NonnullGCPtr<Web::DOM::EventTarget>, Web::DOM::Event&, bool)+0x9ff) [0x7fb6fbddb2cf]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0(Web::EventHandler::fire_keyboard_event(AK::FlyString const&, Web::HTML::Navigable&, Web::UIEvents::KeyCode, unsigned int, unsigned int)+0xdc) [0x7fb6fc14ad7c]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0(Web::EventHandler::handle_keydown(Web::UIEvents::KeyCode, unsigned int, unsigned int)+0x2be) [0x7fb6fc14ccfe]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent() [0x445493]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0(+0xbb1279) [0x7fb6fc1b1279]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-core.so.0(Core::Timer::timer_event(Core::TimerEvent&)+0xb2) [0x7fb6fdbde612]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-core.so.0(Core::EventReceiver::dispatch_event(Core::Event&, Core::EventReceiver*)+0x51) [0x7fb6fdbc5be1]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent() [0x42acf7]
/lib64/libQt6Core.so.6(+0x1fc8f2) [0x7fb6fddfc8f2]
/lib64/libQt6Core.so.6(QTimer::timeout(QTimer::QPrivateSignal)+0x3d) [0x7fb6fde0bcbd]
/lib64/libQt6Core.so.6(QObject::event(QEvent*)+0x1df) [0x7fb6fddedd5f]
/lib64/libQt6Core.so.6(QCoreApplication::notifyInternal2(QObject*, QEvent*)+0x159) [0x7fb6fdd96e69]
/lib64/libQt6Core.so.6(QTimerInfoList::activateTimers()+0x5c7) [0x7fb6fdf52b47]
/lib64/libQt6Core.so.6(+0x484fd9) [0x7fb6fe084fd9]
/lib64/libglib-2.0.so.0(+0x5ce8c) [0x7fb6f9b0ee8c]
/lib64/libglib-2.0.so.0(+0xbec98) [0x7fb6f9b70c98]
/lib64/libglib-2.0.so.0(g_main_context_iteration+0x33) [0x7fb6f9b10383]
/lib64/libQt6Core.so.6(QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)+0x73) [0x7fb6fe0851a3]
/lib64/libQt6Core.so.6(QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)+0x1b3) [0x7fb6fdda3bc3]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-core.so.0(Core::EventLoop::exec()+0x44) [0x7fb6fdbbe5e4]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent() [0x43ab3c]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent(main+0x81) [0x429d21]
/lib64/libc.so.6(+0x2a088) [0x7fb6f7239088]
/lib64/libc.so.6(__libc_start_main+0x8b) [0x7fb6f723914b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent() [0x429ec5]

ADKaster commented 4 weeks ago

Oo interesting, a JavaScript crash. Looks like we got a keydown, which the page had hooked, and then messed something up when executing the bytecode that invalidated the declarative environment for some user code.

If you could somehow minimize the page into something small-ish (<50 lines of HTML+JS) that repros directly from keydown, that would be amazing; otherwise I'm sure someone will get to it soon, as this looks pretty serious!

teaalltr commented 4 weeks ago

@ADKaster Looks like it's possibly the same as #1453 but for another overloaded definition. Both are in the at() operator of the Vector class.

ADKaster commented 4 weeks ago

The same type of crash, but without a debug build and real symbols for Interpreter::run_bytecode and JS::DeclarativeEnvironment, we can't possibly know for sure.

Everyone uses AK::Vector everywhere, and its member functions are aggressively inlined.

Attaching a debugger to such a build after --debug-web-content and getting an actual line number from the backtrace command would be very helpful.
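The thread stalls on the lack of real line numbers. As an added example (not Ladybird project code), the Python helper below parses frames in the glibc backtrace_symbols() format shown in the report and builds the addr2line command that resolves them against the same build's shared object; it assumes the module path printed in the log, and the `nm -D` lookup for symbol+offset frames is a standard technique that has not been checked against a real Ladybird build.

```python
"""Offline symbolizer helpers for a glibc backtrace_symbols() trace like the one above.
Added example, not Ladybird code. Frames look like
    <module>(<symbol>+0x<off>) [0x<abs>]   or   <module>(+0x<off>) [0x<abs>]
The module path used below is the one printed in the report."""
import re
import subprocess

FRAME_RE = re.compile(
    r"^(?P<module>.+?)\((?P<sym>.*?)\+?(?P<off>0x[0-9a-fA-F]+)\) \[(?P<abs>0x[0-9a-fA-F]+)\]$"
)


def parse_frame(line):
    """Return (module, symbol or None, offset) for a resolvable frame, else None.
    Frames such as 'WebContent() [0x445493]' carry only an absolute address, which
    cannot be mapped back without the process's load base, so they yield None."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    sym = m.group("sym").rstrip("+") or None
    return m.group("module"), sym, int(m.group("off"), 16)


def module_relative_address(module_path, sym, off):
    """(+0xOFF) frames: glibc already printed (address - load base), usable directly.
    (sym+0xOFF) frames: add the offset to the symbol's address from the dynamic
    symbol table (nm -D), the table dladdr() used to name the frame."""
    if sym is None:
        return off
    out = subprocess.run(["nm", "-D", "--defined-only", "-C", module_path],
                         capture_output=True, text=True, check=True).stdout
    for entry in out.splitlines():
        parts = entry.split(" ", 2)          # "<addr> <type> <demangled name>"
        if len(parts) == 3 and parts[2] == sym:
            return int(parts[0], 16) + off
    raise LookupError(f"{sym} not found in {module_path}")


def addr2line_command(module_path, sym, off):
    """addr2line invocation for one frame. -i also reports inlined callers, which
    matters here because AK::Vector's accessors are inlined into their callers.
    file:line needs a build with debug info; a release build yields function names only."""
    return ["addr2line", "-e", module_path, "-f", "-C", "-i",
            hex(module_relative_address(module_path, sym, off))]


if __name__ == "__main__":
    # The unresolved liblagom-js frame from the report; run the printed command on
    # the machine that produced the trace, against that same liblagom-js.so.0.
    frame = "/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x17e66e) [0x7fb6faf7e66e]"
    module, sym, off = parse_frame(frame)
    print(" ".join(addr2line_command(module, sym, off)))
```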