<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>225970</bug_id>
          
          <creation_ts>2021-05-19 09:17:40 -0700</creation_ts>
          <short_desc>[GTK] REGRESSION(r277425) Oops on navigation after back</short_desc>
          <delta_ts>2021-05-25 06:39:13 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>History</component>
          <version>WebKit Local Build</version>
          <rep_platform>Unspecified</rep_platform>
          <op_sys>Unspecified</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords></keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Jim Mason">jmason</reporter>
          <assigned_to name="Nobody">webkit-unassigned</assigned_to>
          <cc>bugs-noreply</cc>
    
    <cc>fred.wang</cc>
    
    <cc>mcatanzaro</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1761548</commentid>
    <comment_count>0</comment_count>
    <who name="Jim Mason">jmason</who>
    <bug_when>2021-05-19 09:17:40 -0700</bug_when>
    <thetext>***NOTE: Checking the ChangeLog just now, I see this is apparently a dup of 225795, which I am not authorized to access.

Due to the fact I cannot view 225795, search does not find it, so I want to enter a **publicly visible** bug to document it for anyone else who experiences this issue.

It is not at all clear to me why a regression would be marked restricted access in the bug database. I spent a couple of days tracking this down; hiding bugs like this is not helpful.

Based on the ChangeLog, I surmise the issue has been resolved, but due to lack of access to 225795, I don&apos;t know for sure.  I&apos;m building now to find out.

Here are my findings:

Since r277425, when I click on a link in a page after browser back, I get an Oops in epiphany.

Steps to reproduce:
    1) open https://zookeeper.stanford.edu/
    2) click on any link in the page
    3) back
    4) click on another link in the page. Oops.

WebKitWebProcess segfaults with this backtrace:

Thread 17 received signal SIGSEGV, Segmentation fault.
0x00007fff4a7a3710 in WebCore::FrameTree::parent() const ()
   from /usr/lib/64/libwebkit2gtk-4.0.so.37
(gdb) bt
#0  0x00007fff4a7a3710 in WebCore::FrameTree::parent() const ()
    at /usr/lib/64/libwebkit2gtk-4.0.so.37
#1  0x00007fff4a24d939 in WebCore::FrameSelection::selectFrameElementInParentIfFullySelected() () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#2  0x00007fff4a24e305 in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&amp;, WTF::OptionSet&lt;WebCore::FrameSelection::SetSelectionOption&gt;, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#3  0x00007fff4a24e6e8 in WebCore::FrameSelection::willBeRemovedFromFrame() ()
    at /usr/lib/64/libwebkit2gtk-4.0.so.37
#4  0x00007fff4a11729d in WebCore::Document::willBeRemovedFromFrame() ()
    at /usr/lib/64/libwebkit2gtk-4.0.so.37
#5  0x00007fff4a2f3c5c in WebCore::CachedFrame::destroy() ()
    at /usr/lib/64/libwebkit2gtk-4.0.so.37
#6  0x00007fff4a2f3d1e in WebCore::CachedPage::~CachedPage() ()
    at /usr/lib/64/libwebkit2gtk-4.0.so.37
#7  0x00007fff4a2f516f in WebCore::BackForwardCache::prune(WebCore::PruningReason) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#8  0x00007fff4a2f5adb in WebCore::BackForwardCache::addIfCacheable(WebCore::HistoryItem&amp;, WebCore::Page*) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#9  0x00007fff4a68c0a1 in WebCore::FrameLoader::commitProvisionalLoad() ()
    at /usr/lib/64/libwebkit2gtk-4.0.so.37
#10 0x00007fff4a657ea0 in WebCore::DocumentLoader::commitLoad(char const*, int) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#11 0x00007fff4a714fe1 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) [clone .part.0] () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#12 0x00007fff4a715424 in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&amp;) [clone .part.0] () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#13 0x00007fff4a6cf857 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr&lt;WebCore::SharedBuffer, WTF::RawPtrTraits&lt;WebCore::SharedBuffer&gt;, WTF::DefaultRefDerefTraits&lt;WebCore::SharedBuffer&gt; &gt;&amp;&amp;, long long, WebCore::DataPayloadType) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#14 0x00007fff4a6cf9bb in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#15 0x00007fff48d6928d in void IPC::handleMessage&lt;Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference&lt;unsigned char, 18446744073709551615ul&gt; const&amp;, long)&gt;(IPC::Decoder&amp;, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference&lt;unsigned char, 18446744073709551615ul&gt; const&amp;, long)) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#16 0x00007fff48d68fd4 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&amp;, IPC::Decoder&amp;) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#17 0x00007fff48f08275 in IPC::Connection::dispatchMessage(std::unique_ptr&lt;IPC::Decoder, std::default_delete&lt;IPC::Decoder&gt; &gt;) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#18 0x00007fff48f0996d in IPC::Connection::dispatchOneIncomingMessage() () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#19 0x00007fff460c1ab4 in WTF::RunLoop::performWork() () at /usr/lib/64/libjavascriptcoregtk-4.0.so.18
#20 0x00007fff4612f8f9 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () at /usr/lib/64/libjavascriptcoregtk-4.0.so.18
#21 0x00007fff46130469 in WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) () at /usr/lib/64/libjavascriptcoregtk-4.0.so.18
#22 0x00007fff4637e2b0 in g_main_context_dispatch () at /usr/lib/64/libglib-2.0.so.0
#23 0x00007fff4637e638 in g_main_context_iterate.constprop () at /usr/lib/64/libglib-2.0.so.0
#24 0x00007fff4637e923 in g_main_loop_run () at /usr/lib/64/libglib-2.0.so.0
#25 0x00007fff461305a0 in WTF::RunLoop::run() () at /usr/lib/64/libjavascriptcoregtk-4.0.so.18
#26 0x00007fff49340622 in WebKit::WebProcessMain(int, char**) () at /usr/lib/64/libwebkit2gtk-4.0.so.37
#27 0x0000000000400d9c in _start ()</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1761685</commentid>
    <comment_count>1</comment_count>
    <who name="Michael Catanzaro">mcatanzaro</who>
    <bug_when>2021-05-19 13:53:36 -0700</bug_when>
    <thetext>(If it&apos;s just a null pointer dereference, it&apos;s safe for it to be public. Bugs with dangling pointers should be private.)</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1761805</commentid>
    <comment_count>2</comment_count>
    <who name="Frédéric Wang Nélar">fred.wang</who>
    <bug_when>2021-05-19 18:14:20 -0700</bug_when>
    <thetext>This should be fixed by r277600 I guess?</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1763496</commentid>
    <comment_count>3</comment_count>
    <who name="Michael Catanzaro">mcatanzaro</who>
    <bug_when>2021-05-25 06:39:13 -0700</bug_when>
    <thetext>(In reply to Frédéric Wang (:fredw) from comment #2)
&gt; This should be fixed by r277600 I guess?

I was seeing this crash very frequently prior to r277600, but I don&apos;t see it anymore. It&apos;s probably fixed.</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>