This repository has been archived by the owner on May 30, 2023. It is now read-only.

PhantomJS 2.0 Segmentation Fault #13175

Closed
tgt opened this issue Apr 24, 2015 · 13 comments
Closed

Comments

@tgt

tgt commented Apr 24, 2015

The following code causes PhantomJS 2.0 to consistently crash. I've reproduced this using the official Windows binary on Windows 7 and a manually built version on Linux. I've been unable to build PJS with debug symbols on Linux by using deploy/build-and-package.sh as suggested. I've also been unable to generate a stack trace from the dump file on Windows as there's no information about how to do so on http://phantomjs.org/crash-reporting.html.

I found this issue whilst investigating the cause of #12750 as this is one of the resources that results in 'Operation canceled' when trying to load http://www.bbc.co.uk/ through an HTTP proxy.

The crash dump can be found at https://www.dropbox.com/s/nbis427g3cfvfeq/de0d2d45-00fe-4f9e-90b9-6c473cd2d603.dmp?dl=0

var page = require('webpage').create();

page.open('http://static.bbci.co.uk/news/1.66.2287/img/correspondents/circles/carriegracie.png', function (status) {
    phantom.exit();
});

@zackw
Collaborator

zackw commented Apr 24, 2015

Confirmed (Linux). Here's a stack trace from gdb:

Program received signal SIGSEGV, Segmentation fault.
0x000000000062106d in WebCore::CachedImage::addIncrementalDataBuffer(WebCore::ResourceBuffer*) ()
(gdb) bt
#0  0x000000000062106d in WebCore::CachedImage::addIncrementalDataBuffer(WebCore::ResourceBuffer*) ()
#1  0x00000000005afcb0 in WebCore::ImageDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, unsigned long) ()
#2  0x0000000000645389 in WebCore::DocumentWriter::end() ()
#3  0x0000000000496be7 in QWebFrame::setUrl(QUrl const&) ()
#4  0x000000000042cc31 in Phantom::doExit(int) ()
#5  0x000000000042ce5a in Phantom::exit(int) ()
#6  0x000000000048e4b7 in Phantom::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ()
#7  0x000000000048e79f in Phantom::qt_metacall(QMetaObject::Call, int, void**) ()
#8  0x00000000005378cb in JSC::Bindings::QtRuntimeMethod::call(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) ()
#9  0x0000000001541f7e in JSC::JSCallbackFunction::call(JSC::ExecState*) ()
#10 0x000000000172c312 in llint_slow_path_call ()
#11 0x0000000001734a51 in llint_op_call ()

Looks like probably an upstream WebKit image decoding bug. I'm attaching the offending image in case it gets taken down or modified.
[attached image: carriegracie]
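As an added triage helper that is not part of this thread or of PhantomJS: a small parser for the gdb backtrace above, which attributes the fault to the nearest PhantomJS-owned frame (the Phantom:: prefix is taken from the trace) and flags whether the fault was reached through Phantom::exit, the pattern every report here shares.

```python
import re

# Sample input: the gdb backtrace zackw posted above, copied verbatim.
SAMPLE_TRACE = """Program received signal SIGSEGV, Segmentation fault.
0x000000000062106d in WebCore::CachedImage::addIncrementalDataBuffer(WebCore::ResourceBuffer*) ()
(gdb) bt
#0  0x000000000062106d in WebCore::CachedImage::addIncrementalDataBuffer(WebCore::ResourceBuffer*) ()
#1  0x00000000005afcb0 in WebCore::ImageDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, unsigned long) ()
#2  0x0000000000645389 in WebCore::DocumentWriter::end() ()
#3  0x0000000000496be7 in QWebFrame::setUrl(QUrl const&) ()
#4  0x000000000042cc31 in Phantom::doExit(int) ()
#5  0x000000000042ce5a in Phantom::exit(int) ()
#6  0x000000000048e4b7 in Phantom::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ()
#7  0x000000000048e79f in Phantom::qt_metacall(QMetaObject::Call, int, void**) ()
#8  0x00000000005378cb in JSC::Bindings::QtRuntimeMethod::call(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) ()
#9  0x0000000001541f7e in JSC::JSCallbackFunction::call(JSC::ExecState*) ()
#10 0x000000000172c312 in llint_slow_path_call ()
#11 0x0000000001734a51 in llint_op_call ()
"""

# One gdb frame: "#N  0xADDR in name(args) ()"; address and "in" are optional (absent with symbols).
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+(?:(?P<addr>0x[0-9a-f]+) in )?(?P<func>[^(]+)\(")
SIGNAL_RE = re.compile(r"^Program received signal (?P<sig>\w+)")


def parse_backtrace(text):
    """Return (signal_name, frames); each frame is (index, address_or_None, function)."""
    signal, frames = None, []
    for line in text.splitlines():
        sig = SIGNAL_RE.match(line)
        if sig:
            signal = sig.group("sig")
            continue
        frame = FRAME_RE.match(line)
        if frame:
            frames.append((int(frame.group("idx")), frame.group("addr"), frame.group("func").strip()))
    return signal, frames


def triage(text, project_prefix="Phantom::"):
    """Summarise a crash: faulting function, nearest project-owned frame walking up from
    the fault, and whether the fault was reached via <project_prefix>exit (this thread's pattern)."""
    signal, frames = parse_backtrace(text)
    nearest = next((f for f in frames if f[2].startswith(project_prefix)), None)
    return {
        "signal": signal,
        "fault": frames[0][2] if frames else None,
        "nearest_project_frame": nearest[2] if nearest else None,
        "during_exit": any(f[2] == project_prefix + "exit" for f in frames),
    }
```

Run it over a fresh `gdb -batch -ex run -ex bt --args bin/phantomjs repro.js` capture to check whether a new report is the same exit-path crash before adding it to this issue.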

@zackw
Collaborator

zackw commented Apr 24, 2015

Exactly the same crash with the image loaded from a file:/// URL, so it's not something weird with the BBC's image server.

@HelioGuilherme66

HelioGuilherme66 commented Apr 24, 2015 via email

@scone

scone commented Apr 25, 2015

Edited: Possibly unrelated as my crash happens after rendering completes successfully. Looks like segfault occurs on phantom.exit(0) in the case below.

This crash also occurs with the attached PNG (Ubuntu 14.04). It looks like

$ bin/phantomjs rasterize.js test3.png 1440px phantomJS
DATA
{"redirects":["test3.png -> file:///home/s0cket/phantomjs-2.0.0/test3.png"],"resources":["file:///home/s0cket/phantomjs-2.0.0/test3.png"]}
ENDDATA

PhantomJS has crashed. Please read the crash reporting guide at
http://phantomjs.org/crash-reporting.html and file a bug report at
https://github.com/ariya/phantomjs/issues/new.
Please attach the crash dump file:
/tmp/2a5c0a0b-9576-0ff1-4400c54d-55b2518c.dmp
Segmentation fault (core dumped)
$ file bin/phantomjs
bin/phantomjs: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux),
dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=e054c2e485a8bd615009642107e9de86a5183f00, not stripped

[attached image: test3]

@jafferhaider

Seeing this behavior too: PhantomJS 2.0.0 crashes when phantom.exit(0); is called. Works fine on version 1.9.7.

@whiler

whiler commented May 8, 2015

PhantomJS 1.9.8 and 2.0.1-development crash when phantom.exit() is called.

var page = require("webpage").create();
page.open("https://www.google.com/images/srpr/logo11w.png", function(status) {
    return phantom.exit();
});

2.0.1-development crash dump file renamed

@dr-dimitru

+1 on v2.0.0; the page has no images at all, but has a canvas generated by trianglify.
Called command:

'/bin/sh -c phantomjs  --load-images=no --ssl-protocol=TLSv1 --ignore-ssl-errors=true --web-security=false /var/www/example/programs/server/assets/packages/jazeee_spiderable-longer-timeout/lib/phantom_script.js "https://example.com"'

See phantom_script.js for more info

@rafalradomski

Any news?

@csvan

csvan commented Jan 27, 2017

The same thing happens in 2.1.1 on Windows (Cygwin) when running the following script:

var page = require('webpage').create();
page.content = '<html><body></body></html>';

page.includeJs('http://d3js.org/d3.v3.min.js', function() {
  var html = page.evaluate(function() {
    var body = d3.select('body');
    var svg = body.append('svg');
    svg.append('rect');
    svg.append('circle');
    return body.html();
  });
  console.log(html);
  phantom.exit();
});

It does seem to actually work and produce valid results though, even though it ends up crashing. Output is:

$ ./phantomjs.exe d3example.js
<script src="http://d3js.org/d3.v3.min.js"></script><svg><rect></rect><circle></circle></svg>
Fatal Windows exception, code 0xc0000005.
PhantomJS has crashed. Please read the bug reporting guide at
<http://phantomjs.org/bug-reporting.html> and file a bug report.
Segmentation fault

@derlaft

derlaft commented Aug 13, 2017

Any news? Still segfaulting

@csvan

csvan commented Aug 14, 2017

@derlaft PhantomJS is abandoned, I recommend you switch to Chrome Headless.

@derlaft

derlaft commented Aug 14, 2017

@csvan, thank you. Already switched to Chrome Headless with cdp.

@ghost ghost removed 2.0 labels Jan 10, 2018
@stale stale bot added the stale label Dec 25, 2019
@stale

stale bot commented Dec 28, 2019

Due to our very limited maintenance capacity (see #14541 for more details), we need to prioritize our development focus on other tasks. Therefore, this issue will be automatically closed. In the future, if we see the need to attend to this issue again, then it will be reopened. Thank you for your contribution!

@stale stale bot closed this as completed Dec 28, 2019