295679 2025-07-09 17:55:59 -0700 Crash in AuxiliaryProcessProxy::connection under WebPageProxy::sendWheelEvent 2025-11-06 15:28:04 -0800 1 1 1 Unclassified WebKit WebKitGTK WebKit Nightly Build PC Linux RESOLVED DUPLICATE 283546 https://bugs.webkit.org/show_bug.cgi?id=282384 P2 Normal --- 1 mcatanzaro mcatanzaro bugs-noreply charliew kdwkleung mcatanzaro webkit-bug-importer oldest_to_newest 2128896 0 mcatanzaro 2025-07-09 17:55:59 -0700 I've been using a laptop instead of a desktop for a few days, and have noticed Epiphany crashes a lot more than I'm used to. It happens when scrolling. (I have no mouse, so there is no mouse wheel; the event must be synthesized somehow.) (gdb) bt #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007f96a3a811e3 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89 #2 0x00007f96a3a27afe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007f96a3a0f6d0 in __GI_abort () at abort.c:73 #4 0x00007f969e62679f in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:931 #5 0x00007f969ec89eb2 in WebKit::AuxiliaryProcessProxy::connection (this=0x7f9682002400) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:137 #6 WebKit::AuxiliaryProcessProxy::protectedConnection (this=0x7f9682002400) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:141 #7 WebKit::WebPageProxy::sendWheelEvent (this=0x7f9682001800, frameID=..., event=..., processingSteps=..., rubberBandableEdges=..., willStartSwipe=std::optional [no contained value], wasHandledForScrolling=<optimized out>) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4148 #8 0x00007f969ec8949c in WebKit::WebPageProxy::continueWheelEventHandling (this=0x213a, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4136 #9 0x00007f969ec88ff2 in WebKit::WebPageProxy::handleWheelEvent (this=0x7f9682001800, wheelEvent=...) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4101 #10 WebKit::WebPageProxy::handleNativeWheelEvent (this=0x7f9682001800, nativeWheelEvent=...) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4067 #11 0x00007f969edbf3b0 in handleScroll (webViewBase=0x55e29b46d4a0, deltaX=0, deltaY=0, isEnd=false, eventController=0x55e29acde470) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:1598 #12 0x00007f96a491dc52 in _g_closure_invoke_va (closure=0x55e29a333db0, return_value=0x0, instance=0x55e29acde470, args=0x7fffb7529ec0, n_params=0, param_types=0x0) at ../gobject/gclosure.c:898 #13 signal_emit_valist_unlocked (instance=instance@entry=0x55e29acde470, signal_id=signal_id@entry=164, detail=detail@entry=0, var_args=var_args@entry=0x7fffb7529ec0) at ../gobject/gsignal.c:3438 #14 0x00007f96a491dd68 in g_signal_emit_valist (instance=0x55e29acde470, signal_id=164, detail=0, var_args=var_args@entry=0x7fffb7529ec0) at ../gobject/gsignal.c:3277 #15 0x00007f96a491de23 in g_signal_emit (instance=instance@entry=0x55e29acde470, signal_id=<optimized out>, detail=detail@entry=0) at ../gobject/gsignal.c:3597 #16 0x00007f96a3c8aa5b in gtk_event_controller_scroll_begin (controller=0x55e29acde470) at ../gtk/gtkeventcontrollerscroll.c:252 #17 gtk_event_controller_scroll_begin (controller=controller@entry=0x55e29acde470) at ../gtk/gtkeventcontrollerscroll.c:245 #18 0x00007f96a3c8ed4a in gtk_event_controller_scroll_handle_hold_event (controller=0x55e29acde470, event=0x55e29b5bd590) at ../gtk/gtkeventcontrollerscroll.c:315 #19 gtk_event_controller_scroll_handle_event (controller=0x55e29acde470, event=0x55e29b5bd590, x=<optimized out>, y=<optimized out>) at ../gtk/gtkeventcontrollerscroll.c:367 #20 0x00007f96a3df87cf in gtk_event_controller_handle_event (controller=0x55e29acde470, event=<optimized out>, target=<optimized out>, x=<optimized out>, y=<optimized out>) at ../gtk/gtkeventcontroller.c:381 #21 gtk_widget_run_controllers (widget=0x55e29b46d4a0, event=0x55e29b5bd590, target=0x55e29b46d4a0, x=1749.87109375, y=<optimized out>, phase=GTK_PHASE_BUBBLE) at ../gtk/gtkwidget.c:4713 #22 0x00007f96a3d06c12 in gtk_propagate_event_internal (widget=widget@entry=0x55e29b46d4a0, event=event@entry=0x55e29b5bd590, topmost=<optimized out>) at ../gtk/gtkmain.c:1982 #23 0x00007f96a3d06e11 in gtk_propagate_event (widget=widget@entry=0x55e29b46d4a0, event=event@entry=0x55e29b5bd590) at ../gtk/gtkmain.c:2032 #24 0x00007f96a3d077b3 in gtk_main_do_event (event=0x55e29b5bd590) at ../gtk/gtkmain.c:1722 #25 0x00007f96a3f9b828 in _gdk_marshal_BOOLEAN__POINTERv (closure=<optimized out>, return_value=0x7fffb752a4f0, instance=<optimized out>, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x55e29a1a1430) at gdk/gdkmarshalers.c:302 #26 0x00007f96a40311ba in gdk_surface_event_marshallerv (closure=0x55e29a4fd6c0, return_value=0x7fffb752a4f0, instance=0x55e29a446140, args=0x7fffb752a5d0, marshal_data=0x0, n_params=1, param_types=0x55e29a1a1430) at ../gdk/gdksurface.c:470 #27 0x00007f96a491dc52 in _g_closure_invoke_va (closure=0x55e29a4fd6c0, return_value=0x7fffb752a4f0, instance=0x55e29a446140, args=0x7fffb752a5d0, n_params=1, param_types=0x55e29a1a1430) at ../gobject/gclosure.c:898 #28 signal_emit_valist_unlocked (instance=instance@entry=0x55e29a446140, signal_id=signal_id@entry=380, detail=detail@entry=0, var_args=var_args@entry=0x7fffb752a5d0) at ../gobject/gsignal.c:3438 #29 0x00007f96a491dd68 in g_signal_emit_valist (instance=0x55e29a446140, signal_id=380, detail=0, var_args=var_args@entry=0x7fffb752a5d0) at ../gobject/gsignal.c:3277 #30 0x00007f96a491de23 in g_signal_emit (instance=instance@entry=0x55e29a446140, signal_id=<optimized out>, detail=detail@entry=0) at ../gobject/gsignal.c:3597 #31 0x00007f96a40332fa in gdk_surface_handle_event.isra.0 (event=event@entry=0x55e29b5bd590) at ../gdk/gdksurface.c:3100 #32 0x00007f96a3fa12bc in _gdk_event_emit (event=0x55e29b5bd590) at ../gdk/gdkevents.c:491 #33 gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at ../gdk/broadway/gdkeventsource.c:377 #34 0x00007f96a47e2880 in g_main_dispatch (context=0x55e299823610) at ../glib/gmain.c:3398 #35 g_main_context_dispatch_unlocked (context=0x55e299823610) at ../glib/gmain.c:4249 #36 0x00007f96a47eb7c8 in g_main_context_iterate_unlocked (context=context@entry=0x55e299823610, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4314 #37 0x00007f96a47eb973 in g_main_context_iteration (context=context@entry=0x55e299823610, may_block=may_block@entry=1) at ../glib/gmain.c:4379 #38 0x00007f96a4a0802d in g_application_run (application=0x55e29983e7a0, argc=<optimized out>, argv=<optimized out>) at ../gio/gapplication.c:2715 #39 0x000055e28fa2e322 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:445 We hit the release assert here in AuxiliaryProcessProxy.h: IPC::Connection& connection() const { RELEASE_ASSERT(m_connection); return *m_connection; } This is surely a sequel to bug #282384. The commit 289017@main doesn't look like enough; it added a guard lower in the function, but the crash occurs higher, at the same place as before: legacyMainFrameProcess->protectedConnection()->send(Messages::EventDispatcher::WheelEvent(webPageIDInMainFrameProcess(), event, rubberBandableEdges), 0, { }, Thread::QOS::UserInteractive); Now that I see there is a hasConnection() function, it's easy to just add a check for that and not crash. Probably there are similar problems elsewhere, though. Let's check at least WebPageProxy::handleKeyboardEvent, WebPageProxy::handleMouseEvent, and WebPageProxy::handleTouchEvent. It's weird that events can still happen after the connection is closed. Or maybe it's before the connection is opened, although that's weird too. 2146599 1 mcatanzaro 2025-09-28 07:44:09 -0700 *** Bug 299687 has been marked as a duplicate of this bug. *** 2153031 2 mcatanzaro 2025-10-21 11:02:09 -0700 I'm now seeing this crash also on my desktop computer. 2153076 3 mcatanzaro 2025-10-21 12:21:06 -0700 Here's what we failed to notice the first time we investigated this: > #8 0x00007f969ec8949c in WebKit::WebPageProxy::continueWheelEventHandling (this=0x213a, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) > at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4136 this=0x213a is a dangling pointer. The WebPageProxy is already toast *before* WebPageProxy::sendWheelEvent is ever called, so that can't be the right place to fix the bug. It's even more obvious using the stack trace from bug #299687: > #8 0x00007f9a1c344263 in WebKit::WebPageProxy::continueWheelEventHandling (this=0x2, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:4183 2153078 4 mcatanzaro 2025-10-21 12:34:32 -0700 Although the frame above and below both have normal this pointers. From this stack trace: #7 WebKit::WebPageProxy::sendWheelEvent (this=0x7f9682001800, frameID=..., event=..., processingSteps=..., rubberBandableEdges=..., willStartSwipe=std::optional [no contained value], wasHandledForScrolling=<optimized out>) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4148 #8 0x00007f969ec8949c in WebKit::WebPageProxy::continueWheelEventHandling (this=0x213a, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4136 #9 0x00007f969ec88ff2 in WebKit::WebPageProxy::handleWheelEvent (this=0x7f9682001800, wheelEvent=...) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4101 Both are 0x7f9682001800. Then from the stack trace in bug #299687: #7 WebKit::WebPageProxy::sendWheelEvent (this=0x7f9a0a031400, frameID=..., event=..., processingSteps=..., rubberBandableEdges=..., willStartSwipe=std::optional [no contained value], wasHandledForScrolling=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:4195 process = {static isRef = <optimized out>, m_ptr = 0x7f9a0a1e0c00} #8 0x00007f9a1c344263 in WebKit::WebPageProxy::continueWheelEventHandling (this=0x2, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:4183 rubberBandingBehavior = {m_sides = {_M_elems = {WebCore::RubberBandingBehavior::Always, WebCore::RubberBandingBehavior::Always, WebCore::RubberBandingBehavior::Always, WebCore::RubberBandingBehavior::Always}}} rubberBandableEdges = {m_sides = {_M_elems = {<optimized out>, <optimized out>, <optimized out>, <optimized out>}}} #9 0x00007f9a1c343ed4 in WebKit::WebPageProxy::handleWheelEvent (this=0x7f9a0a031400, wheelEvent=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:4148 Both are 0x7f9a0a031400. Huh. 2153105 5 mcatanzaro 2025-10-21 13:43:45 -0700 So, I'm just going to ignore the suspicious this pointer is frame 8. Lacking a connection is actually an expected state. An AuxiliaryProcessProxy *initially* has a connection, but it may be null after process termination (AuxiliaryProcessProxy::State::Terminated). At first I guessed that we should just add a WebPageProxy::hasConnection check here and then move on, but there is actually a different function WebPageProxy::hasRunningProcess that ought to be used instead, which is already used by WebPageProxy::handleKeyboardEvent, WebPageProxy::handleMouseEvent, WebPageProxy::handleTouchEvent, and actually even WebPageProxy::sendWheelEvent itself. But the lambda in WebPageProxy::sendWheelEvent is only checking for WebPageProxy::isClosed, which is probably not enough. 2153106 6 mcatanzaro 2025-10-21 13:45:34 -0700 (In reply to Michael Catanzaro from comment #5) > At first I guessed that we > should just add a WebPageProxy::hasConnection check here and then move on, > but there is actually a different function WebPageProxy::hasRunningProcess > that ought to be used instead, which is already used by > WebPageProxy::handleKeyboardEvent, WebPageProxy::handleMouseEvent, > WebPageProxy::handleTouchEvent, and actually even > WebPageProxy::sendWheelEvent itself. Er wait, I added that check to WebPageProxy::sendWheelEvent myself. Oops. There is a preexisting check in WebPageProxy::handleWheelEvent, though. 2153123 7 mcatanzaro 2025-10-21 14:27:53 -0700 Pull request: https://github.com/WebKit/WebKit/pull/52764 2153699 8 ews-feeder 2025-10-23 07:40:13 -0700 Committed 302030@main (7c79d4d8b355): <https://commits.webkit.org/302030@main> Reviewed commits have been landed. Closing PR #52764 and removing active labels. 2157095 9 mcatanzaro 2025-11-06 15:24:59 -0800 Reopening. Unfortunately I just hit the crash again with WebKitGTK 2.51.1. Stack trace isn't even any different, just the line numbers have changed: #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007fd2f189d5e3 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89 #2 0x00007fd2f18433be in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007fd2f182a8ed in __GI_abort () at abort.c:77 #4 0x00007fd2ec30c08f in WTFCrashWithInfo () at ./_builddir/WTF/Headers/wtf/Assertions.h:980 #5 0x00007fd2ec97a936 in WebKit::AuxiliaryProcessProxy::connection (this=0x7fd2da020c00) at ./Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:139 #6 WebKit::AuxiliaryProcessProxy::protectedConnection (this=0x7fd2da020c00) at ./Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:143 #7 WebKit::WebPageProxy::sendWheelEvent (this=0x7fd2da029600, frameID=..., event=..., processingSteps=..., rubberBandableEdges=..., willStartSwipe=std::optional [no contained value], wasHandledForScrolling=<optimized out>) at ./Source/WebKit/UIProcess/WebPageProxy.cpp:4245 #8 0x00007fd2ec97a063 in WebKit::WebPageProxy::continueWheelEventHandling (this=0x2, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at ./Source/WebKit/UIProcess/WebPageProxy.cpp:4230 #9 0x00007fd2ec979cdc in WebKit::WebPageProxy::handleWheelEvent (this=0x7fd2da029600, wheelEvent=...) at ./Source/WebKit/UIProcess/WebPageProxy.cpp:4195 #10 WebKit::WebPageProxy::handleNativeWheelEvent (this=0x7fd2da029600, nativeWheelEvent=<optimized out>) at ./Source/WebKit/UIProcess/WebPageProxy.cpp:4161 #11 0x00007fd2ecaa881d in handleScroll (webViewBase=0x559fed0fea30 [EphyWebView], deltaX=0, deltaY=-1, isEnd=false, eventController=0x559fece0f2c0 [GtkEventControllerScroll]) at ./_builddir/./Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:1609 #16 0x00007fd2f2a8d173 in <emit signal 'scroll' on instance 0x559fece0f2c0 [GtkEventControllerScroll]> (instance=instance@entry=0x559fece0f2c0, signal_id=<optimized out>, detail=detail@entry=0) at ../gobject/gsignal.c:3598 2157100 10 mcatanzaro 2025-11-06 15:28:04 -0800 *** This bug has been marked as a duplicate of bug 283546 ***