Lexical Playground crashes the WebContent #1492

mkljczk · 2024-09-22T21:49:49Z

When trying to test https://github.com/facebook/lexical on playground.lexical.dev, the page crashes, I get the following logs:

17457.689 WebContent(139075): ImageDecoderClient: Invalid bitmap for request 2 at index 0
VERIFICATION FAILED: i < m_size at /home/marcin/projects/ladybird/AK/Vector.h:148
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-ak.so.0(ak_verification_failed+0x81) [0x7fb6fb5496d1]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::DeclarativeEnvironment::shrink_to_fit() 0) [0x7fb6fb0c2c10]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x17e66e) [0x7fb6faf7e66e]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0x2142) [0x7fb6faf9d602]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() 0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) 0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const 0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() 0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) 0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const 0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() 0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) 0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const 0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() 0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) 0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const 0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() 0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) 0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const 0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() 0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) 0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0(+0x1a3628) [0x7fb6fafa3628]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const 0x8b) [0x7fb6faf97c5b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0xd26) [0x7fb6faf9c1e6]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0x1fa) [0x7fb6faf9f9ea]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() 0xd6) [0x7fb6fb0c8476]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) 0x128) [0x7fb6fb0c9288]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0 Web::WebIDL::call_user_object_operation(Web::WebIDL::CallbackType&, AK::String const&, AK::Optional<JS::Value>, JS::MarkedVector<JS::Value, 0ul>) 0x102) [0x7fb6fc265972]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0 JS::Completion Web::WebIDL::call_user_object_operation<Web::DOM::Event*&>(Web::WebIDL::CallbackType&, AK::String const&, AK::Optional<JS::Value>, Web::DOM::Event*&) 0x144) [0x7fb6fbddb4a4]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0 Web::DOM::EventDispatcher::inner_invoke(Web::DOM::Event&, AK::Vector<JS::Handle<Web::DOM::DOMEventListener>, 0ul>&, Web::DOM::Event::Phase, bool) 0x1ce) [0x7fb6fbdda32e]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0 Web::DOM::EventDispatcher::invoke(Web::DOM::Event::PathEntry&, Web::DOM::Event&, Web::DOM::Event::Phase) 0x13d) [0x7fb6fbdda5ed]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0 Web::DOM::EventDispatcher::dispatch(JS::NonnullGCPtr<Web::DOM::EventTarget>, Web::DOM::Event&, bool) 0x9ff) [0x7fb6fbddb2cf]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0 Web::EventHandler::fire_keyboard_event(AK::FlyString const&, Web::HTML::Navigable&, Web::UIEvents::KeyCode, unsigned int, unsigned int) 0xdc) [0x7fb6fc14ad7c]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0 Web::EventHandler::handle_keydown(Web::UIEvents::KeyCode, unsigned int, unsigned int) 0x2be) [0x7fb6fc14ccfe]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent() [0x445493]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-web.so.0(+0xbb1279) [0x7fb6fc1b1279]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-core.so.0 Core::Timer::timer_event(Core::TimerEvent&) 0xb2) [0x7fb6fdbde612]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-core.so.0 Core::EventReceiver::dispatch_event(Core::Event&, Core::EventReceiver*) 0x51) [0x7fb6fdbc5be1]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent() [0x42acf7]
/lib64/libQt6Core.so.6(+0x1fc8f2) [0x7fb6fddfc8f2]
/lib64/libQt6Core.so.6 QTimer::timeout(QTimer::QPrivateSignal) 0x3d) [0x7fb6fde0bcbd]
/lib64/libQt6Core.so.6 QObject::event(QEvent*) 0x1df) [0x7fb6fddedd5f]
/lib64/libQt6Core.so.6 QCoreApplication::notifyInternal2(QObject*, QEvent*) 0x159) [0x7fb6fdd96e69]
/lib64/libQt6Core.so.6 QTimerInfoList::activateTimers() 0x5c7) [0x7fb6fdf52b47]
/lib64/libQt6Core.so.6(+0x484fd9) [0x7fb6fe084fd9]
/lib64/libglib-2.0.so.0(+0x5ce8c) [0x7fb6f9b0ee8c]
/lib64/libglib-2.0.so.0(+0xbec98) [0x7fb6f9b70c98]
/lib64/libglib-2.0.so.0(g_main_context_iteration+0x33) [0x7fb6f9b10383]
/lib64/libQt6Core.so.6 QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) 0x73) [0x7fb6fe0851a3]
/lib64/libQt6Core.so.6 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) 0x1b3) [0x7fb6fdda3bc3]
/home/marcin/projects/ladybird/Build/ladybird/libexec/../lib64/liblagom-core.so.0 Core::EventLoop::exec() 0x44) [0x7fb6fdbbe5e4]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent() [0x43ab3c]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent(main+0x81) [0x429d21]
/lib64/libc.so.6(+0x2a088) [0x7fb6f7239088]
/lib64/libc.so.6(__libc_start_main+0x8b) [0x7fb6f723914b]
/home/marcin/projects/ladybird/Build/ladybird/libexec/WebContent() [0x429ec5]

The text was updated successfully, but these errors were encountered:

ADKaster · 2024-09-23T01:05:48Z

Oo interesting, a javascript crash. Looks like we got a keydown, which the page had hooked, and then messed something up when executing the bytecode that invalidated the declarative environment for some user code.

If you could somehow minimize the page into something small-ish (<50 lines of HTML+JS) that repros directly from keydown that would be amazing, otherwise I'm sure someone will get to it soon, as this looks pretty serious!

teaalltr · 2024-09-23T16:51:03Z

@ADKaster Looks like it's possibly the same as #1453 but for another overloaded definition. Both are in the at() operator of the Vector class

ADKaster · 2024-09-23T17:00:40Z

The same type of crash, but without a debug build and real symbols for Interpreter::run_bytecode, and JS::DeclarativeEnvironment we can't possibly know for sure.

Everyone uses AK::Vector everywhere, and its member functions are aggressively inlined.

Attaching a debugger to such a build after --debug-web-content and getting an actual line number from the backtrace command would be very helpful.

ADKaster added js bug Something isn't working labels Sep 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Lexical Playground crashes the WebContent #1492

Lexical Playground crashes the WebContent #1492

mkljczk commented Sep 22, 2024

ADKaster commented Sep 23, 2024

teaalltr commented Sep 23, 2024 •

edited

Loading

ADKaster commented Sep 23, 2024

Lexical Playground crashes the WebContent #1492

Lexical Playground crashes the WebContent #1492

Comments

mkljczk commented Sep 22, 2024

ADKaster commented Sep 23, 2024

teaalltr commented Sep 23, 2024 • edited Loading

ADKaster commented Sep 23, 2024

teaalltr commented Sep 23, 2024 •

edited

Loading