241954 2022-06-23 20:55:20 -0700 [GTK] Segfault in firstChild when clicking on a pull request on GitHub while logged in 2022-08-07 03:44:36 -0700 1 1 1 Unclassified WebKit WebCore JavaScript WebKit Local Build PC Linux RESOLVED DUPLICATE 238429 https://bugs.webkit.org/show_bug.cgi?id=238429 Gtk P3 Normal --- 1 bouanto webkit-unassigned aperez fujii iamleot+webkit-bugzilla mcatanzaro svillar xry111 oldest_to_newest 1878109 0 bouanto 2022-06-23 20:55:20 -0700 Hi. Reproduction steps: * Login to GitHub in Epiphany * Navigate to https://github.com/GNOME/gtk/pulls?q=is:pr+is:closed * Click on a PR link. * The page crash with the message: "Something went wrong while displaying this page. Please reload or visit a different page to continue." It reproduces 100% of the time (assuming you are logged in; when logged out, the problem doesn't happen). Here's the stacktrace: Core was generated by `/usr/lib/webkit2gtk-4.0/WebKitWebProcess 16 32'. Program terminated with signal SIGSEGV, Segmentation fault. #0 WebCore::ContainerNode::firstChild() const () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/ContainerNode.h:43 #1 WebCore::RenderFileUploadControl::uploadButton() const () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/RenderFileUploadControl.cpp:246 #2 WebCore::RenderFileUploadControl::updateFromElement() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/RenderFileUploadControl.cpp:78 #3 0x00007f0137fbfe36 in WebCore::HTMLFormControlElement::didAttachRenderers() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/html/HTMLFormControlElement.cpp:215 #4 WebCore::HTMLInputElement::didAttachRenderers() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/html/HTMLInputElement.cpp:875 #5 0x00007f01386a48b6 in WebCore::RenderTreeUpdater::updateAfterDescendants(WebCore::Element&, WebCore::Style::ElementUpdates const*) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:272 #6 WebCore::RenderTreeUpdater::popParent() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:237 #7 0x00007f01386a4cb8 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:250 #8 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:158 #9 0x00007f0137e0206b in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:125 #10 WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:113 #11 WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:1983 #12 0x00007f0137e02b0b in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2087 #13 0x00007f0137e03545 in WebCore::Document::updateStyleIfNeeded() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2182 #14 0x00007f0137e03729 in WebCore::Document::updateLayout() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2203 #15 0x00007f0138b301b5 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) [clone .constprop.0] () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2229 #16 0x00007f0137e254b2 in WebCore::Element::offsetParent() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Element.cpp:1322 #17 WebCore::Element::offsetParentForBindings() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Element.cpp:1312 #18 0x00007f0137599361 in jsHTMLElement_offsetParentGetter () at /usr/src/debug/build/WebCore/DerivedSources/JSHTMLElement.cpp:4105 #19 get<WebCore::jsHTMLElement_offsetParentGetter, (WebCore::CastedThisErrorBehavior)3> () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/bindings/js/JSDOMAttribute.h:88 #20 jsHTMLElement_offsetParent() () at /usr/src/debug/build/WebCore/DerivedSources/JSHTMLElement.cpp:4110 #21 0x00007f0135531c58 in JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/runtime/PropertySlot.cpp:47 #22 0x00007f013528b64e in JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/runtime/PropertySlot.h:408 #23 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1021 #24 performLLIntGetByID() () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:814 #25 0x00007f013528c443 in llint_slow_path_get_by_id() () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:888 #26 0x00007f01349569a8 in llint_op_get_by_id () at /usr/lib/libjavascriptcoregtk-4.0.so.18 #27 0xfffe000000000002 in () #28 0x00007f00d7fff1d8 in () #29 0x00007fff2da790b0 in () #30 0x00007f01349697a9 in op_call_slow_return_location () at /usr/lib/libjavascriptcoregtk-4.0.so.18 #31 0x0000000000000000 in () Thanks to fix this issue. 1878110 1 bouanto 2022-06-23 21:01:17 -0700 Epiphany version: Web 42.2 Webkit2gtk version: webkit2gtk-4.1 2.36.3-1 1878162 2 iamleot+webkit-bugzilla 2022-06-24 06:48:22 -0700 I'm seeing that too with WebKitGTK 2.36.3 on NetBSD (not 100% reproducible but happens very often). Possible interesting data point: this started only recently (less than 24 hours ago, i.e. probably since today (2022-06-24)) so I think that some github.com change started triggering that. 1878861 3 fujii 2022-06-28 13:43:48 -0700 *** Bug 242066 has been marked as a duplicate of this bug. *** 1888150 4 svillar 2022-08-01 13:15:08 -0700 I hit this constantly as well, seems weird that only GTK is affected. 1888836 5 aperez 2022-08-04 05:36:12 -0700 I've done a bisection to find the commit which fixed this issue, because it is not a problem anymore in ToT. After some churning, the patch from bug #238429 seems to fix this in my limited testing. I am doing now a release build with the patch applied on top of the 2.36 branch to use it for a few hours to be completely certain before closing this bug :) 1888850 6 iamleot+webkit-bugzilla 2022-08-04 06:48:26 -0700 Wow, great catch! Thank you Adrian! 1888856 7 xry111 2022-08-04 07:35:05 -0700 Can we merge the patch for 2.36.6 then? 1889089 8 aperez 2022-08-05 02:51:44 -0700 (In reply to Xi Ruoyao from comment #7) > Can we merge the patch for 2.36.6 then? I have been testing a build with the patch applied (and additionally a related patch on top) and in half a day of continuous usage I have not hit any crashes in GitHub anymore. I have pushed both to the 2.36 release branch, so version 2.36.6 will have this resolved =) *** This bug has been marked as a duplicate of bug 238429 *** 1889092 9 iamleot+webkit-bugzilla 2022-08-05 03:12:37 -0700 (In reply to Adrian Perez from comment #8) > (In reply to Xi Ruoyao from comment #7) > > Can we merge the patch for 2.36.6 then? > > I have been testing a build with the patch applied (and additionally > a related patch on top) and in half a day of continuous usage I have > not hit any crashes in GitHub anymore. I have pushed both to the 2.36 > release branch, so version 2.36.6 will have this resolved =) > > *** This bug has been marked as a duplicate of bug 238429 *** That's great! Thank you very much again Adrian for bisecting and backporting it! 1889499 10 aperez 2022-08-07 03:44:36 -0700 (In reply to Leonardo Taccari from comment #9) > (In reply to Adrian Perez from comment #8) > > (In reply to Xi Ruoyao from comment #7) > > > Can we merge the patch for 2.36.6 then? > > > > I have been testing a build with the patch applied (and additionally > > a related patch on top) and in half a day of continuous usage I have > > not hit any crashes in GitHub anymore. I have pushed both to the 2.36 > > release branch, so version 2.36.6 will have this resolved =) > > > > *** This bug has been marked as a duplicate of bug 238429 *** > > That's great! > > Thank you very much again Adrian for bisecting and backporting it! You're welcome! The new release that includes the fix has been published: https://webkitgtk.org/2022/08/07/webkitgtk2.36.6-released.html