183091 2018-02-23 12:44:09 -0800 REGRESSION(r221514): [GTK] UI process crash in WebKit::WaylandCompositor::Surface::flushPendingFrameCallbacks 2018-08-04 11:33:38 -0700 1 1 1 Unclassified WebKit WebKitGTK Other PC Linux RESOLVED FIXED https://bugzilla.redhat.com/show_bug.cgi?id=1493283 https://bugzilla.redhat.com/show_bug.cgi?id=1530638 https://bugzilla.redhat.com/show_bug.cgi?id=1535075 https://bugzilla.redhat.com/show_bug.cgi?id=1548530 https://bugs.webkit.org/show_bug.cgi?id=175942 https://bugzilla.redhat.com/show_bug.cgi?id=1559255 https://bugzilla.redhat.com/show_bug.cgi?id=1560228 https://bugzilla.redhat.com/show_bug.cgi?id=1563787 https://bugzilla.redhat.com/show_bug.cgi?id=1564572 P2 Normal --- 1 mcatanzaro webkit-unassigned bugs-noreply bugzilla calvaris cgarcia mcatanzaro oldest_to_newest 1401787 0 mcatanzaro 2018-02-23 12:44:09 -0800 We have 569 reports of this crash in Fedora: Thread 1 (Thread 0x7f05c353aac0 (LWP 8748)): #0 0x00007f05bdce0430 in WebKit::WaylandCompositor::Surface::flushPendingFrameCallbacks() (this=this@entry=0x7f05ab0f0d10) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/gtk/WaylandCompositor.cpp:258 resource = <optimized out> __for_range = <synthetic pointer>: {<WTF::VectorBuffer<wl_resource*, 0>> = {<WTF::VectorBufferBase<wl_resource*>> = {m_buffer = 0x616d612d73656761, m_capacity = <optimized out>, m_size = <optimized out>}, <No data fields>}, <No data fields>} __for_begin = 0x616d612d73656761 list = {<WTF::VectorBuffer<wl_resource*, 0>> = {<WTF::VectorBufferBase<wl_resource*>> = {m_buffer = 0x616d612d73656761, m_capacity = <optimized out>, m_size = <optimized out>}, <No data fields>}, <No data fields>} #1 0x00007f05bdce0496 in WebKit::WaylandCompositor::Surface::setWebPage(WebKit::WebPageProxy*) (this=0x7f05ab0f0d10, webPage=0x0) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/gtk/WaylandCompositor.cpp:181 #2 0x00007f05bdcd8663 in WebKit::AcceleratedBackingStoreWayland::~AcceleratedBackingStoreWayland() (this=0x7f054839c030, __in_chrg=<optimized out>) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreWayland.cpp:61 #3 0x00007f05bdcd8689 in WebKit::AcceleratedBackingStoreWayland::~AcceleratedBackingStoreWayland() (this=0x7f054839c030, __in_chrg=<optimized out>) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreWayland.cpp:62 #4 0x00007f05bdcc2f3a in std::default_delete<WebKit::AcceleratedBackingStore>::operator()(WebKit::AcceleratedBackingStore*) const (this=<optimized out>, __ptr=<optimized out>) at /usr/include/c++/7/bits/unique_ptr.h:78 __ptr = <optimized out> webView = 0x55e3c6bcbdd0 [EphyWebView] #5 0x00007f05bdcc2f3a in std::unique_ptr<WebKit::AcceleratedBackingStore, std::default_delete<WebKit::AcceleratedBackingStore> >::reset(WebKit::AcceleratedBackingStore*) (__p=<optimized out>, this=<optimized out>) at /usr/include/c++/7/bits/unique_ptr.h:376 webView = 0x55e3c6bcbdd0 [EphyWebView] #6 0x00007f05bdcc2f3a in std::unique_ptr<WebKit::AcceleratedBackingStore, std::default_delete<WebKit::AcceleratedBackingStore> >::operator=(decltype(nullptr)) (this=<optimized out>) at /usr/include/c++/7/bits/unique_ptr.h:312 webView = 0x55e3c6bcbdd0 [EphyWebView] #7 0x00007f05bdcc2f3a in webkitWebViewBaseDispose(GObject*) (gobject=0x55e3c6bcbdd0 [EphyWebView]) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:508 webView = 0x55e3c6bcbdd0 [EphyWebView] #8 0x00007f05c2c56e5c in g_object_run_dispose (object=0x55e3c6bcbdd0 [EphyWebView]) at gobject.c:1100 __func__ = "g_object_run_dispose" #9 0x00007f05c1eee690 in gtk_overlay_forall (overlay=<optimized out>, include_internals=<optimized out>, callback=0x7f05c2003750 <gtk_widget_destroy>, callback_data=0x0) at gtkoverlay.c:625 priv = 0x55e3c72845c0 child = <optimized out> children = <optimized out> main_widget = <optimized out> #10 0x00007f05c1deee0e in gtk_container_destroy (widget=0x55e3c72846f0 [GtkOverlay]) at gtkcontainer.c:1700 container = 0x55e3c72846f0 [GtkOverlay] priv = 0x55e3c72845e0 1401796 1 mcatanzaro 2018-02-23 13:15:16 -0800 I guess the WaylandCompositor::Surface is already destroyed before the call to flushPendingFrameCallbacks? It's not clear. The use of auto list = WTFMove(m_*CallbackList) throughout this file is confusing: I guess that swaps the member variable vector with the default-initialized empty vector, so it's probably OK, but maybe too clever. 1401985 2 334595 cgarcia 2018-02-26 00:36:26 -0800 Created attachment 334595 Patch 1402054 3 334595 mcatanzaro 2018-02-26 08:47:33 -0800 Comment on attachment 334595 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=334595&action=review Thanks > Source/WebKit/UIProcess/gtk/WaylandCompositor.cpp:354 > auto* surface = static_cast<WaylandCompositor::Surface*>(wl_resource_get_user_data(resource)); > + WaylandCompositor::singleton().willDestroySurface(surface); > delete surface; Aha, so this is what I missed when staring at this bug the other day. > Source/WebKit/UIProcess/gtk/WaylandCompositor.cpp:571 > + break; You could equivalently use return instead. 1402845 4 cgarcia 2018-03-01 01:24:36 -0800 Committed r229126: <https://trac.webkit.org/changeset/229126> 1446173 5 calvaris 2018-07-30 01:09:50 -0700 Michael, after giving my first son's blood I managed to get a backtrace with asan for the crash I am having lately that could be causing https://gitlab.gnome.org/GNOME/gtk/issues/1232 and it looks like it is this one? Carlos, do you know when this is going to be released in GNOME JHBuild conf? 1447924 6 mcatanzaro 2018-08-04 11:31:45 -0700 (In reply to Xabier Rodríguez Calvar from comment #5) > Michael, after giving my first son's blood I managed to get a backtrace with > asan for the crash Poor Simon :( > I am having lately that could be causing > https://gitlab.gnome.org/GNOME/gtk/issues/1232 and it looks like it is this > one? > > Carlos, do you know when this is going to be released in GNOME JHBuild conf? This was committed way back in March. Exactly what version of WebKitGTK+ are you using? Could you please post the trace from asan? 1447926 7 mcatanzaro 2018-08-04 11:33:38 -0700 (In reply to Michael Catanzaro from comment #6) > This was committed way back in March. And it was backported for 2.19.92. 334595 2018-02-26 00:36:26 -0800 2018-02-26 08:47:33 -0800 Patch wk2-wayland-crash.diff text/plain 2587 cgarcia ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nIGIvU291cmNlL1dlYktpdC9DaGFu Z2VMb2cKaW5kZXggZTA2ZTFhMzI2YTAuLjBiODYxYTVhN2U0IDEwMDY0NAotLS0gYS9Tb3VyY2Uv V2ViS2l0L0NoYW5nZUxvZworKysgYi9Tb3VyY2UvV2ViS2l0L0NoYW5nZUxvZwpAQCAtMSwzICsx LDE2IEBACisyMDE4LTAyLTI2ICBDYXJsb3MgR2FyY2lhIENhbXBvcyAgPGNnYXJjaWFAaWdhbGlh LmNvbT4KKworICAgICAgICBSRUdSRVNTSU9OKHIyMjE1MTQpOiBbR1RLXSBVSSBwcm9jZXNzIGNy YXNoIGluIFdlYktpdDo6V2F5bGFuZENvbXBvc2l0b3I6OlN1cmZhY2U6OmZsdXNoUGVuZGluZ0Zy YW1lQ2FsbGJhY2tzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNn aT9pZD0xODMwOTEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAg ICAgICBJbnZhbGlkYXRlIHRoZSBzdXJmYWNlIGluIHRoZSBwYWdlIG1hcCB3aGVuIHRoZSBiYWNr aW5nIHN0b3JlIGlzIGRlc3Ryb3llZC4KKworICAgICAgICAqIFVJUHJvY2Vzcy9ndGsvV2F5bGFu ZENvbXBvc2l0b3IuY3BwOgorICAgICAgICAoV2ViS2l0OjpXYXlsYW5kQ29tcG9zaXRvcjo6d2ls bERlc3Ryb3lTdXJmYWNlKToKKyAgICAgICAgKiBVSVByb2Nlc3MvZ3RrL1dheWxhbmRDb21wb3Np dG9yLmg6CisKIDIwMTgtMDItMjUgIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEBhcHBsZS5jb20+ CiAKICAgICAgICAgRm9udCBzbW9vdGhpbmcgZG9lc24ndCBnZXQgZGlzYWJsZWQgaWYgdGhlIHBy ZWZlcmVuY2UgaXMgc2V0IGJlZm9yZSBsYXVuY2hpbmcgV2ViQ29udGVudCBwcm9jZXNzCmRpZmYg LS1naXQgYS9Tb3VyY2UvV2ViS2l0L1VJUHJvY2Vzcy9ndGsvV2F5bGFuZENvbXBvc2l0b3IuY3Bw IGIvU291cmNlL1dlYktpdC9VSVByb2Nlc3MvZ3RrL1dheWxhbmRDb21wb3NpdG9yLmNwcAppbmRl eCBkNmUxNzJkZDIxZC4uNmFhZDUyN2IwYTggMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvVUlQ cm9jZXNzL2d0ay9XYXlsYW5kQ29tcG9zaXRvci5jcHAKKysrIGIvU291cmNlL1dlYktpdC9VSVBy b2Nlc3MvZ3RrL1dheWxhbmRDb21wb3NpdG9yLmNwcApAQCAtMzUwLDYgKzM1MCw3IEBAIHN0YXRp YyBjb25zdCBzdHJ1Y3Qgd2xfY29tcG9zaXRvcl9pbnRlcmZhY2UgY29tcG9zaXRvckludGVyZmFj ZSA9IHsKICAgICAgICAgICAgIHdsX3Jlc291cmNlX3NldF9pbXBsZW1lbnRhdGlvbihzdXJmYWNl UmVzb3VyY2UsICZzdXJmYWNlSW50ZXJmYWNlLCBuZXcgV2F5bGFuZENvbXBvc2l0b3I6OlN1cmZh Y2UoKSwKICAgICAgICAgICAgICAgICBbXShzdHJ1Y3Qgd2xfcmVzb3VyY2UqIHJlc291cmNlKSB7 CiAgICAgICAgICAgICAgICAgICAgIGF1dG8qIHN1cmZhY2UgPSBzdGF0aWNfY2FzdDxXYXlsYW5k Q29tcG9zaXRvcjo6U3VyZmFjZSo+KHdsX3Jlc291cmNlX2dldF91c2VyX2RhdGEocmVzb3VyY2Up KTsKKyAgICAgICAgICAgICAgICAgICAgV2F5bGFuZENvbXBvc2l0b3I6OnNpbmdsZXRvbigpLndp bGxEZXN0cm95U3VyZmFjZShzdXJmYWNlKTsKICAgICAgICAgICAgICAgICAgICAgZGVsZXRlIHN1 cmZhY2U7CiAgICAgICAgICAgICAgICAgfSk7CiAgICAgICAgIH0gZWxzZQpAQCAtNTYyLDYgKzU2 MywxNiBAQCB2b2lkIFdheWxhbmRDb21wb3NpdG9yOjp1bnJlZ2lzdGVyV2ViUGFnZShXZWJQYWdl UHJveHkmIHdlYlBhZ2UpCiAgICAgICAgIHN1cmZhY2UtPnNldFdlYlBhZ2UobnVsbHB0cik7CiB9 CiAKK3ZvaWQgV2F5bGFuZENvbXBvc2l0b3I6OndpbGxEZXN0cm95U3VyZmFjZShTdXJmYWNlKiBz dXJmYWNlKQoreworICAgIGZvciAoYXV0byBpdCA6IG1fcGFnZU1hcCkgeworICAgICAgICBpZiAo aXQudmFsdWUgPT0gc3VyZmFjZSkgeworICAgICAgICAgICAgaXQudmFsdWUgPSBudWxscHRyOwor ICAgICAgICAgICAgYnJlYWs7CisgICAgICAgIH0KKyAgICB9Cit9CisKIH0gLy8gbmFtZXNwYWNl IFdlYktpdAogCiAjZW5kaWYgLy8gUExBVEZPUk0oV0FZTEFORCkgJiYgVVNFKEVHTCkKZGlmZiAt LWdpdCBhL1NvdXJjZS9XZWJLaXQvVUlQcm9jZXNzL2d0ay9XYXlsYW5kQ29tcG9zaXRvci5oIGIv U291cmNlL1dlYktpdC9VSVByb2Nlc3MvZ3RrL1dheWxhbmRDb21wb3NpdG9yLmgKaW5kZXggZmVh NzAzNmEwNTAuLjBmYmExYTI2NjBhIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViS2l0L1VJUHJvY2Vz cy9ndGsvV2F5bGFuZENvbXBvc2l0b3IuaAorKysgYi9Tb3VyY2UvV2ViS2l0L1VJUHJvY2Vzcy9n dGsvV2F5bGFuZENvbXBvc2l0b3IuaApAQCAtMTEzLDYgKzExMyw3IEBAIHB1YmxpYzoKICAgICB2 b2lkIGJpbmRTdXJmYWNlVG9XZWJQYWdlKFN1cmZhY2UqLCB1aW50NjRfdCBwYWdlSUQpOwogICAg IHZvaWQgcmVnaXN0ZXJXZWJQYWdlKFdlYlBhZ2VQcm94eSYpOwogICAgIHZvaWQgdW5yZWdpc3Rl cldlYlBhZ2UoV2ViUGFnZVByb3h5Jik7CisgICAgdm9pZCB3aWxsRGVzdHJveVN1cmZhY2UoU3Vy ZmFjZSopOwogCiAgICAgYm9vbCBnZXRUZXh0dXJlKFdlYlBhZ2VQcm94eSYsIHVuc2lnbmVkJiwg V2ViQ29yZTo6SW50U2l6ZSYpOwogCg==