#983416 JavaScriptCore crashes if the CPU does not support SSE4

Package:
src:webkit2gtk
Source:
webkit2gtk
Submitter:
Сергей Дмитриенко
Date:
2023-08-21 17:45:09 UTC
Severity:
normal
Tags:
#983416#5
Date:
2021-02-23 20:49:57 UTC
From:
To:
Package: libjavascriptcoregtk-4.0-18
Version: 2.30.4-1~deb10u1
Priority: optional
Section: libs
Source: webkit2gtk
Maintainer: Debian WebKit Maintainers
<pkg-webkit-maintainers@lists.alioth.debian.org>
Installed-Size: 23,6 MB
Depends: libc6 (>= 2.17), libgcc1 (>= 1:3.4), libglib2.0-0 (>= 2.41.1),
libicu63 (>= 63.1-1~), libstdc++6 (>= 6), libsystemd0, zlib1g (>= 1:1.1.4)
Homepage: https://webkitgtk.org/
Tag: role::shared-lib
Download-Size: 5 594 kB
APT-Sources: http://deb.debian.org/debian buster/main amd64 Packages

1. Open www.avito.ru in Epiphany browser

2. Click "Login&registration"

3. Login form appears

4. But! After 1 sec...

Firefox worked without any errors
*/var/log/kern.log*

Feb 23 23:40:42 z61t kernel: [ 1386.228685] traps: WebKitWebProces[2035] trap invalid opcode ip:7fb5d4627254 sp:7fff15e6ee50 error:0 in libjavascriptcoregtk-4.0.so.18.17.13[7fb5d414e000+15e0000]

*uname -a*

Linux z61t 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

*cat /proc/cpuinfo*

processor    : 0
vendor_id    : GenuineIntel
cpu family    : 6
model        : 15
model name    : Intel(R) Core(TM)2 CPU         T5500  @ 1.66GHz
stepping    : 6
microcode    : 0xc7
cpu MHz        : 997.199
cache size    : 2048 KB
physical id    : 0
siblings    : 2
core id        : 0
cpu cores    : 2
apicid        : 0
initial apicid    : 0
fpu        : yes
fpu_exception    : yes
cpuid level    : 10
wp        : yes
flags        : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall
nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf
pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm lahf_lm pti dtherm
bugs        : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf
mds swapgs itlb_multihit
bogomips    : 3323.99
clflush size    : 64
cache_alignment    : 64
address sizes    : 36 bits physical, 48 bits virtual
power management:

processor    : 1
vendor_id    : GenuineIntel
cpu family    : 6
model        : 15
model name    : Intel(R) Core(TM)2 CPU         T5500  @ 1.66GHz
stepping    : 6
microcode    : 0xc7
cpu MHz        : 997.199
cache size    : 2048 KB
physical id    : 0
siblings    : 2
core id        : 1
cpu cores    : 2
apicid        : 1
initial apicid    : 1
fpu        : yes
fpu_exception    : yes
cpuid level    : 10
wp        : yes
flags        : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall
nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf
pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm lahf_lm pti dtherm
bugs        : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf
mds swapgs itlb_multihit
bogomips    : 3323.99
clflush size    : 64
cache_alignment    : 64
address sizes    : 36 bits physical, 48 bits virtual
power management:

#983416#10
Date:
2021-02-24 10:09:08 UTC
From:
To:
Control: tags -1 moreinfo

I cannot reproduce the problem with 2.30.5-1~deb10u1, can you also try
with that version?

Thanks!

Berto

#983416#17
Date:
2021-02-24 18:38:35 UTC
From:
To:
Can you try with the MiniBrowser?

$ /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/MiniBrowser https://www.avito.ru/

Does the problem still happen?

Berto

#983416#22
Date:
2021-02-24 19:23:24 UTC
From:
To:
I don't have an account there, but if I try to log in I get one of
these errors:

   Неправильный телефон или почта

   Неправильный пароль

Berto

#983416#27
Date:
2021-02-25 13:28:54 UTC
From:
To:
No. I have an account, but the button "Login" doesn't respond when clicked.

And the same error in kern.log:

Feb 25 17:07:44 z61t kernel: [21036.696350] do_trap: 7 callbacks suppressed
Feb 25 17:07:44 z61t kernel: [21036.696355] traps: WebKitWebProces[6720] trap invalid opcode ip:7fd6ac8ce254 sp:7fff0fde8000 error:0 in libjavascriptcoregtk-4.0.so.18.17.13[7fd6ac3f5000+15e0000]
Feb 25 17:16:15 z61t kernel: [21547.743728] traps: WebKitWebProces[7202] trap invalid opcode ip:7fb88f3d4254 sp:7ffc092fa200 error:0 in libjavascriptcoregtk-4.0.so.18.17.13[7fb88eefb000+15e0000]

24.02.2021 23:23, Alberto Garcia wrote:

#983416#32
Date:
2021-02-25 14:08:42 UTC
From:
To:
I see, does it work if run epiphany like this?

$ JavaScriptCoreUseJIT=0 epiphany

Also, can you confirm that both machines that you have (the Z61t and
the ThinkCentre) are both running buster (amd64) and the same version
of WebKitGTK?

Thanks!

Berto

#983416#37
Date:
2021-02-25 14:37:28 UTC
From:
To:
$ JavaScriptCoreUseJIT=0 epiphany

Yes! It works!

*z61t:*

uname -a

Linux z61t 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

dpkg -l libwebkit* | grep ii

ii  libwebkit2gtk-4.0-37:amd64 2.30.5-1~deb10u1 amd64        Web content engine library for GTK

*ThinkCentre:*

uname -a

Linux debian 4.19.0-14-686-pae #1 SMP Debian 4.19.171-2 (2021-01-30) i686 GNU/Linux

dpkg -l libwebkit* | grep ii

ii  libwebkit2gtk-4.0-37:i386 2.30.4-1~deb10u1 i386        Web content engine library for GTK

25.02.2021 18:08, Alberto Garcia wrote:

#983416#42
Date:
2021-02-25 15:19:56 UTC
From:
To:
Ok, that's good to know.

Hmmm, one of your computers runs a 64-bit system but the other one is
32-bit so we cannot really compare.

My guess is that the JavaScriptCore JIT compiler is producing opcodes
that don't run in an Intel Core 2. I actually have an old computer
with one of those processors, so I can give it a try later.

I'll come back with my findings.

Berto

#983416#47
Date:
2021-02-25 18:47:02 UTC
From:
To:
Ok, Berto

Thank you very much!

25.02.2021 19:19, Alberto Garcia wrote:

#983416#52
Date:
2021-03-05 10:24:22 UTC
From:
To:
Control: tags -1 - moreinfo + confirmed

So I tried with an older computer and I can also reproduce the
crash reliably, here's the CPU information and I'm also attaching a
backtrace.

vendor_id       : GenuineIntel
cpu family      : 6
model           : 15
model name      : Intel(R) Core(TM)2 Duo CPU     L7500  @ 1.60GHz
stepping        : 11
microcode       : 0xba
cpu MHz         : 933.888
cache size      : 4096 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
apicid          : 1
initial apicid  : 1
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm pti tpr_shadow vnmi flexpriority dtherm ida
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit
bogomips        : 3191.95
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:

Berto

#983416#61
Date:
2021-03-05 10:41:57 UTC
From:
To:
More findings from the core dump:

Program terminated with signal SIGILL, Illegal instruction.
#0  0x00007f00eb999254 in wasm_entry ()
    at ../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:547
547     ../Source/JavaScriptCore/llint/LowLevelInterpreter.cpp: No such file or directory.
[Current thread is 1 (Thread 0x7f00e4913ac0 (LWP 4154))]
(gdb) layout asm

 │0x7f00eb999254 <wasm_entry+56936>       roundss $0x2,%xmm0,%xmm1     │
 │0x7f00eb99925a <wasm_entry+56942>       movsbq 0x1(%r13,%r8,1),%r9   │
 │0x7f00eb999260 <wasm_entry+56948>       movss  %xmm1,0x0(%rbp,%r9,8) │
 │0x7f00eb999267 <wasm_entry+56955>       add    $0x3,%r8              │

So here it is, the 'roundss' opcode was added in SSE4, which this CPU
does not support.

Berto

#983416#66
Date:
2021-03-05 16:04:54 UTC
From:
To:
Not yet, ideally WebKit should detect whether those instructions are
not supported and either produce different ones or disable the JIT
automatically. I'll check with upstream.

Berto
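The diagnosis in messages #61 and #66 comes down to one missing check: the JIT emitted ROUNDSS (an SSE4.1 instruction) without first confirming the CPU supports it, so the Core 2 raised #UD and the kernel logged "trap invalid opcode". The following C program is an added illustration, not WebKit or JavaScriptCore code, of the two places such a check can be made: the CPUID instruction itself (leaf 1, ECX bit 19 for SSE4.1, via GCC/Clang's `<cpuid.h>`), and the "flags" line of /proc/cpuinfo, which is where the reporter's and Berto's listings above show "ssse3" but no "sse4_1". The flags line embedded in the program is constructed from the T5500 listing in this report; the function names and the "baseline-sse2" path label are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX feature bits: bit 19 = SSE4.1 (where ROUNDSS/ROUNDSD
 * live), bit 20 = SSE4.2. These are the bits the kernel turns into the
 * "sse4_1" / "sse4_2" tokens of the /proc/cpuinfo flags line. */
#define CPUID1_ECX_SSE4_1 (1u << 19)
#define CPUID1_ECX_SSE4_2 (1u << 20)

/* Ask the CPU directly. Returns false when CPUID leaf 1 is unavailable or
 * when this is not an x86 build, so callers fall back to the baseline path
 * instead of emitting an instruction that may fault. */
bool cpu_has_sse4_1(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return false;
    return (ecx & CPUID1_ECX_SSE4_1) != 0;
#else
    return false;
#endif
}

/* Whole-token search in a /proc/cpuinfo "flags" line. Token matching rather
 * than substring matching matters here: "sse" must not match "sse2", and
 * "sse4" must not match "sse4_1". A leading "flags<tabs>:" prefix is skipped
 * when present, so both the raw line and just the flag list are accepted. */
bool cpuinfo_has_flag(const char *flags_line, const char *flag) {
    const char *p = strchr(flags_line, ':');
    p = p ? p + 1 : flags_line;
    size_t n = strlen(flag);
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n')
            p++;
        if ((size_t)(p - start) == n && memcmp(start, flag, n) == 0)
            return true;
    }
    return false;
}

/* Constructed from the Core 2 T5500 flags line quoted in this report:
 * SSSE3 is present, nothing from SSE4 is. */
static const char CORE2_T5500_FLAGS[] =
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall "
    "nx lm constant_tsc arch_perfmon pebs bts rep_good nopl cpuid aperfmperf "
    "pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm lahf_lm pti dtherm";

/* The decision a JIT back end must make before emitting ROUNDSS: use it only
 * when the feature bit is set, otherwise take a baseline (SSE2) sequence or
 * leave the JIT disabled. Path names are labels chosen for this example. */
const char *rounding_codegen_path(bool has_sse4_1) {
    return has_sse4_1 ? "roundss" : "baseline-sse2";
}

int main(void) {
    printf("CPU running this program reports SSE4.1: %s\n",
           cpu_has_sse4_1() ? "yes" : "no");
    bool t5500 = cpuinfo_has_flag(CORE2_T5500_FLAGS, "sse4_1");
    printf("T5500 flags line reports sse4_1: %s -> codegen path: %s\n",
           t5500 ? "yes" : "no", rounding_codegen_path(t5500));
    return 0;
}
```

The CPUID probe is the authoritative source for a JIT, since it is what the instruction set actually honours; the /proc/cpuinfo parser is what an administrator can use to confirm the same fact on a machine that logs "trap invalid opcode" in kern.log before resorting to the `JavaScriptCoreUseJIT=0` workaround from message #37. Note that a hypervisor can mask feature bits, so a guest may legitimately report fewer flags than the physical host.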