Bug 144903

Summary: [GTK] Crash at WebCore::FrameView::removeChild()
Product: WebKit
Reporter: Tomas Popela <tpopela>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: NEW
Resolution: ---
Severity: Normal
CC: bugs-noreply, cgarcia, mcatanzaro, zan
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
See Also: https://bugzilla.gnome.org/show_bug.cgi?id=740710
https://bugzilla.redhat.com/show_bug.cgi?id=1219986
https://bugzilla.redhat.com/show_bug.cgi?id=1533470
https://bugzilla.redhat.com/show_bug.cgi?id=1701709
Attachments (description / flags):
Backtrace / none
Newer backtrace / none

Description Tomas Popela 2015-05-11 23:38:05 PDT
Moving from downstream reports [0-2]. Below are truncated backtraces from WK1 (2.4.8) and WK2 (2.6.5). The WK1 crashes are from Evolution (simply opening it was enough to crash it; I was not able to reproduce it). The WK2 crash was probably from Epiphany (opening http://zyalt.livejournal.com/1259245.html and trying to scroll the page).

WK1 backtrace - (full at https://bugzilla.redhat.com/attachment.cgi?id=978448)

#0  WebCore::FrameView::removeChild (this=0x7f74a412cc00, widget=0x0) at Source/WebCore/page/FrameView.cpp:3984
No locals.
#1  0x0000003781658d8b in WebCore::ScrollView::setHasVerticalScrollbar (this=this@entry=0x7f74a412cc00, hasBar=hasBar@entry=false, contentSizeAffected=contentSizeAffected@entry=0x7fff1c13a920) at Source/WebCore/platform/ScrollView.cpp:125
        wasOverlayScrollbar = false
#2  0x000000378165994a in WebCore::ScrollView::updateScrollbars (this=this@entry=0x7f74a412cc00, desiredOffset=...) at Source/WebCore/platform/ScrollView.cpp:609
        changeAffectsContentSize = false
        sendContentResizedNotification = false
        docSize = {m_width = 1, m_height = 8}
        fullVisibleSize = <optimized out>
        needAnotherPass = true
        hasOverlayScrollbars = <optimized out>
        hasHorizontalScrollbar = false
        vScroll = <optimized out>
        newHasHorizontalScrollbar = false
        newHasVerticalScrollbar = false
        hScroll = <optimized out>
        adjustedScrollPosition = {m_x = 87204992, m_y = 0}
        oldScrollCornerRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}
        hasVerticalScrollbar = <optimized out>
        scrollbarAddedOrRemoved = false
#3  0x000000378165a90b in WebCore::ScrollView::setFrameRect (this=this@entry=0x7f74a412cc00, newRect=...) at Source/WebCore/platform/ScrollView.cpp:956
        oldRect = <optimized out>
#4  0x0000003780e7bcf8 in WebCore::FrameView::setFrameRect (this=this@entry=0x7f74a412cc00, newRect=...) at Source/WebCore/page/FrameView.cpp:432
        newRect = @0x7fff1c13aa10: {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 1090, m_height = 55}}
        this = 0x7f74a412cc00
#5  0x0000003780683f14 in resize (h=55, w=1090, this=0x7f74a412cc00) at Source/WebCore/platform/Widget.h:123
No locals.
#6  resizeWebViewFromAllocation (webView=webView@entry=0x532a480, allocation=allocation@entry=0x7fff1c13aa70, sizeChanged=sizeChanged@entry=true) at Source/WebKit/gtk/webkit/webkitwebview.cpp:881
        page = 0x45b3ca0
        oldSize = {m_width = 1, m_height = 1}
        frameView = 0x7f74a412cc00
#7  0x000000378068400f in webkitWebViewMap (widget=0x532a480) at Source/WebKit/gtk/webkit/webkitwebview.cpp:920
        webView = 0x532a480
        allocation = {x = 1, y = 1, width = 1090, height = 55}
#8  0x000000360ce0feb2 in _g_closure_invoke_va (closure=closure@entry=0x1bce620, return_value=return_value@entry=0x0, instance=instance@entry=0x532a480, args=args@entry=0x7fff1c13aca0, n_params=0, param_types=0x0) at gclosure.c:831
        marshal = <optimized out>
        marshal_data = <optimized out>
        in_marshal = 1
        real_closure = 0x1bce600
        __FUNCTION__ = "_g_closure_invoke_va"
#9  0x000000360ce29b60 in g_signal_emit_valist (instance=0x532a480, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fff1c13aca0) at gsignal.c:3218
        return_accu = 0x0
        accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
        accumulator = 0x0
        emission = {next = 0x7fff1c13af40, instance = 0x532a480, ihint = {signal_id = 6, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 29806320}
        signal_id = 6
        instance_type = 29806320
        emission_return = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
        rtype = 4
        static_scope = 0
        fastpath_handler = <optimized out>
        closure = 0x1bce620
        run_type = <optimized out>
        l = <optimized out>
        fastpath = <optimized out>
        instance_and_params = <optimized out>
        signal_return_type = <optimized out>
        param_values = <optimized out>
        node = <optimized out>
        i = <optimized out>
        n_params = <optimized out>
        __FUNCTION__ = "g_signal_emit_valist"
#10 0x000000360ce2a3af in g_signal_emit (instance=instance@entry=0x532a480, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3365
        var_args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fff1c13ad80, reg_save_area = 0x7fff1c13acc0}}
#11 0x000000377d92c029 in gtk_widget_map (widget=0x532a480) at gtkwidget.c:5045
        priv = 0x532a3a0
        __FUNCTION__ = "gtk_widget_map"
#12 0x000000377d8641fe in gtk_scrolled_window_forall (container=0x5691530, include_internals=1, callback=0x377d73d270 <gtk_container_map_child>, callback_data=0x0) at gtkscrolledwindow.c:1786
        priv = <optimized out>
        scrolled_window = <optimized out>
        __FUNCTION__ = "gtk_scrolled_window_forall"
#13 0x000000377d7408bf in gtk_container_map (widget=0x5691530) at gtkcontainer.c:3445
No locals.
#14 0x000000377d863e51 in gtk_scrolled_window_map (widget=0x5691530) at gtkscrolledwindow.c:3165
        scrolled_window = 0x5691530

WK2 backtrace - (full at https://bugzilla.redhat.com/attachment.cgi?id=982121)

#0  WebCore::FrameView::removeChild (this=0x7f0e403af400, widget=0x0) at /usr/src/debug/webkitgtk-2.6.4/Source/WebCore/page/FrameView.cpp:4271
No locals.
#1  0x00007f0e6bfc5730 in WebCore::ScrollView::setHasHorizontalScrollbar (this=this@entry=0x7f0e403af400, hasBar=hasBar@entry=false, contentSizeAffected=contentSizeAffected@entry=0x7ffff277b730) at /usr/src/debug/webkitgtk-2.6.4/Source/WebCore/platform/ScrollView.cpp:99
        wasOverlayScrollbar = false
#2  0x00007f0e6bfc75dd in WebCore::ScrollView::updateScrollbars (this=this@entry=0x7f0e403af400, desiredOffset=...) at /usr/src/debug/webkitgtk-2.6.4/Source/WebCore/platform/ScrollView.cpp:633
        changeAffectsContentSize = false
        sendContentResizedNotification = false
        docSize = {m_width = 0, m_height = 0}
        cMaxUpdateScrollbarsPass = <optimized out>
        fullVisibleSize = <optimized out>
        needAnotherPass = true
        hasOverlayScrollbars = <optimized out>
        hasHorizontalScrollbar = true
        vScroll = <optimized out>
        newHasHorizontalScrollbar = false
        newHasVerticalScrollbar = false
        hScroll = <optimized out>
        adjustedScrollPosition = {m_x = -227035312, m_y = 32767}
        oldScrollCornerRect = {m_location = {m_x = -13, m_y = -13}, m_size = {m_width = 13, m_height = 13}}
        hasVerticalScrollbar = <optimized out>
        scrollbarAddedOrRemoved = false
#3  0x00007f0e6bfc963c in WebCore::ScrollView::setContentsSize (this=this@entry=0x7f0e403af400, newSize=...) at /usr/src/debug/webkitgtk-2.6.4/Source/WebCore/platform/ScrollView.cpp:385
        newSize = <optimized out>
        this = 0x7f0e403af400
#4  0x00007f0e6bf50f10 in WebCore::FrameView::setContentsSize (this=this@entry=0x7f0e403af400, size=...) at /usr/src/debug/webkitgtk-2.6.4/Source/WebCore/page/FrameView.cpp:554
        page = 0x0
#5  0x00007f0e6bf51074 in WebCore::FrameView::adjustViewSize (this=this@entry=0x7f0e403af400) at /usr/src/debug/webkitgtk-2.6.4/Source/WebCore/page/FrameView.cpp:584
        renderView = <optimized out>
        rect = <optimized out>
        size = @0x7ffff277b800: {m_width = 0, m_height = 0}
#6  0x00007f0e6bf51540 in WebCore::FrameView::layout (this=0x7f0e403af400, allowSubtree=<optimized out>) at /usr/src/debug/webkitgtk-2.6.4/Source/WebCore/page/FrameView.cpp:1332
        cookie = {m_instrumentingAgents = {m_ptr = 0x0}, m_timelineAgentId = 0}
        subtree = <optimized out>
        root = 0x7f0de83c1800
        layoutPhaseRestorer = {m_scopedVariable = @0x7f0e403af588, m_originalValue = (anonymous namespace)::FrameView::OutsideLayout}
        inChildFrameLayoutWithFrameFlattening = false
        layer = 0x7f0dea8b6120
        neededFullRepaint = false
        protect = {m_ptr = 0x7f0e403af400}
        changeInProgrammaticScroll = {m_scopedVariable = @0x7f0e403af681, m_originalValue = <optimized out>}
#7  0x00007f0e6bfd492d in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x7f0e501266e0) at /usr/src/debug/webkitgtk-2.6.4/Source/WebCore/platform/ThreadTimers.cpp:132
        timer = 0x7f0e403af528
        interval = 0
        fireTime = 3870.6213769999999
        timeToQuit = 3870.6713770000001
        this = 0x7f0e501266e0
#8  0x00007f0e6a31ada1 in WTF::GMainLoopSource::voidCallback (this=0x7f0e6d5581c0 <WebCore::gSharedTimer>) at /usr/src/debug/webkitgtk-2.6.4/Source/WTF/wtf/gobject/GMainLoopSource.cpp:364
        context = {source = {m_ptr = 0x3a36f60}, cancellable = {m_ptr = 0x0}, socketCancellable = {m_ptr = 0x0}, voidCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f0e6bfd4940 <WebCore::ThreadTimers::sharedTimerFired()>, _M_const_object = 0x7f0e6bfd4940 <WebCore::ThreadTimers::sharedTimerFired()>, _M_function_pointer = 0x7f0e6bfd4940 <WebCore::ThreadTimers::sharedTimerFired()>, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f0e6bfd4940 <WebCore::ThreadTimers::sharedTimerFired()>, this adjustment 514508593}, _M_pod_data = "@I\375k\016\177\000\000\061\307\252\036\000\000\000"}, _M_manager = 0x7f0e6c34d090 <std::_Function_base::_Base_manager<void (*)()>::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation)>}, _M_invoker = 0x7f0e6c34d080 <std::_Function_handler<void (), void (*)()>::_M_invoke(std::_Any_data const&)>}, boolCallback = {<std::_Maybe_unary_or_binary_function<bool>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f0e6d6b0778, _M_const_object = 0x7f0e6d6b0778, _M_function_pointer = 0x7f0e6d6b0778, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f0e6d6b0778, this adjustment 140736328363767}, _M_pod_data = "x\akm\016\177\000\000\367\356\333\272\377\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7f0dba8641b0}, socketCallback = {<std::_Maybe_unary_or_binary_function<bool, GIOCondition>> = {<std::unary_function<GIOCondition, bool>> = {<No data fields>}, <No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f0dba8641b0, _M_const_object = 0x7f0dba8641b0, _M_function_pointer = 0x7f0dba8641b0, _M_member_pointer = (void 
(std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f0dba8641b0, this adjustment 139697742396344}, _M_pod_data = "\260A\206\272\r\177\000\000\270\273O\352\r\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7ffff277b880}, destroyCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x39847b0, _M_const_object = 0x39847b0, _M_function_pointer = 0x39847b0, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x39847b0, this adjustment 139699887646713}, _M_pod_data = "\260G\230\003\000\000\000\000\371\247-j\016\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7f0e6bfd4600 <WebCore::ThreadTimers::updateSharedTimer()+96>}}
#9  0x00007f0e6a315fca in WTF::GMainLoopSource::voidSourceCallback (source=<optimized out>) at /usr/src/debug/webkitgtk-2.6.4/Source/WTF/wtf/gobject/GMainLoopSource.cpp:454
No locals.
#10 0x00007f0e6a31602f in operator() (__closure=0x0, userData=<optimized out>, callback=<optimized out>, source=0x3a36f60) at /usr/src/debug/webkitgtk-2.6.4/Source/WTF/wtf/gobject/GMainLoopSource.cpp:247
        repeat = <optimized out>
#11 WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer) () at /usr/src/debug/webkitgtk-2.6.4/Source/WTF/wtf/gobject/GMainLoopSource.cpp:251
No locals.
#12 0x00007f0e6786eaeb in g_main_dispatch (context=0x1dcfb90) at gmain.c:3111
        dispatch = 0x7f0e6a316020 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7f0e6d5581c0 <WebCore::gSharedTimer>
        callback = 0x7f0e6a315fc0 <WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*)>
        cb_funcs = 0x7f0e67b5c8c0 <g_source_callback_funcs>
        cb_data = 0x3a33570
        need_destroy = <optimized out>
        source = 0x3a36f60
        current = 0x1db9ab0
        i = 0
#13 g_main_context_dispatch (context=context@entry=0x1dcfb90) at gmain.c:3710
No locals.
#14 0x00007f0e6786ee88 in g_main_context_iterate (context=0x1dcfb90, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3781
        max_priority = 120
        timeout = 0
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = 5
        fds = 0x2456390
#15 0x00007f0e6786f1b2 in g_main_loop_run (loop=0x1e61380) at gmain.c:3975
        __FUNCTION__ = "g_main_loop_run"
#16 0x00007f0e6b8abbe9 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=<optimized out>) at /usr/src/debug/webkitgtk-2.6.4/Source/WebKit2/Shared/unix/ChildProcessMain.h:61
        childMain = {<WebKit::ChildProcessMainBase> = {_vptr.ChildProcessMainBase = 0x7f0e6d3baf10 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {m_impl = {m_ptr = 0x0}}, clientIdentifier = {m_impl = {m_ptr = 0x0}}, connectionIdentifier = 45, extraInitializationData = {m_impl = {static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}}}, <No data fields>}
#17 0x00007f0e6a658fe0 in __libc_start_main (main=0x400780 <main(int, char**)>, argc=2, argv=0x7ffff277bc88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffff277bc78) at libc-start.c:289
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 7287830293301919461, 4196267, 140737261321344, 0, 0, -7287818819679584539, -7260005729635434779}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x4008b0 <__libc_csu_init>, 0x7ffff277bc88}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4196528}}}
        not_first_call = <optimized out>
#18 0x00000000004007d4 in _start ()

[0] - https://bugzilla.redhat.com/show_bug.cgi?id=1219986 (WK1)
[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1184307 (WK2)
[2] - https://bugzilla.redhat.com/show_bug.cgi?id=1180784 (WK1)
Comment 1 Carlos Garcia Campos 2015-05-11 23:48:17 PDT
WebCore::FrameView::removeChild (this=0x7f74a412cc00, widget=0x0)

This can't happen in trunk, since it now receives a reference, not a pointer. And the same in 2.8, so I guess this is a blocker only for wk1.
Comment 2 Zan Dobersek 2015-05-12 11:38:24 PDT
(In reply to comment #1)
> WebCore::FrameView::removeChild (this=0x7f74a412cc00, widget=0x0)
> 
> This can't happen in trunk, since it now receives a reference, not a
> pointer. And the same in 2.8, so I guess this is a blocker only for wk1.

It can happen, but one would have to try a bit harder to dereference a null pointer into the removeChild() call.
Comment 3 Michael Catanzaro 2018-03-28 10:02:20 PDT
Still happening as of 2.18.4. Full backtrace attached. Truncated backtrace:

Thread no. 1 (10 frames)
 #0 WTF::TypeCastTraits<WebCore::FrameView const, WebCore::Widget const, false>::isType at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WebCore/page/FrameView.h:945
 #1 WTF::TypeCastTraits<WebCore::FrameView const, WebCore::Widget const, false>::isOfType at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WebCore/page/FrameView.h:945
 #2 WTF::is<WebCore::FrameView, WebCore::Widget> at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WTF/wtf/TypeCasts.h:59
 #3 WebCore::FrameView::removeChild at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WebCore/page/FrameView.cpp:5100
 #4 WebCore::ScrollView::setHasScrollbarInternal at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WebCore/platform/ScrollView.cpp:97
 #5 WebCore::ScrollView::setHasHorizontalScrollbar at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WebCore/platform/ScrollView.cpp:72
 #6 WebCore::ScrollView::updateScrollbars at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WebCore/platform/ScrollView.cpp:644
 #7 WebCore::ScrollView::setFrameRect at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WebCore/platform/ScrollView.cpp:1011
 #8 WebCore::FrameView::setFrameRect at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WebCore/page/FrameView.cpp:533
 #9 WebCore::Widget::resize at /usr/src/debug/webkitgtk4-2.18.4-1.fc27.x86_64/Source/WebCore/platform/Widget.h:116
Comment 4 Michael Catanzaro 2018-03-28 10:02:36 PDT
Created attachment 336671 [details]
Backtrace
Comment 5 Michael Catanzaro 2018-03-28 10:05:26 PDT
We have 91 reports of this in Fedora, including 29 reports against 2.18.6. None against 2.20 yet, but that's to be expected because that is still in updates-testing.

(In reply to Zan Dobersek from comment #2)
> It can happen, but one would have to try a bit harder to dereference a null
> pointer into the removeChild() call.

My guess would be the pointer is non-null, but the FrameView has already been destroyed.
Comment 6 Carlos Garcia Campos 2018-04-02 02:36:53 PDT
(In reply to Michael Catanzaro from comment #5)
> We have 91 reports of this in Fedora, including 29 reports against 2.18.6.
> None against 2.20 yet, but that's to be expected because that is still in
> updates-testing.
> 
> (In reply to Zan Dobersek from comment #2)
> > It can happen, but one would have to try a bit harder to dereference a null
> > pointer into the removeChild() call.
> 
> My guess would be the pointer is non-null, but the FrameView has already
> been destroyed.

I don't think that's possible. The FrameView is the main frame one, got in WebPage::setSize() with m_page->mainFrame().view(); Then FrameView::resize() is called which calls FrameView::setFrameRect() that protects this at the beginning, before calling ScrollView::setFrameRect() which is the one calling updateScrollbars().
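The pointer-versus-reference point in comments 1 and 2 and the protect-this reasoning in comment 6 are easier to see in code. The block below is an added example written for this page, not WebKit code: RefCountedBase, RefPtr, Widget, Scrollbar and FrameView are cut-down stand-ins for WTF::RefCounted, WTF::RefPtr and the real ScrollView/FrameView, and the onResize hook is a hypothetical placeholder for the layout and scrollbar code that setFrameRect can re-enter. It shows that a removeChild(Widget&) signature only moves the null check to the caller, which must test the RefPtr before writing *scrollbar, and that taking a strong reference at the top of setFrameRect keeps the object alive even when the owner drops its last reference mid-call.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <utility>

static int g_liveWidgets = 0;   // constructed minus destroyed; the scenarios report it

// Cut-down intrusive ref counting, standing in for WTF::RefCounted / WTF::RefPtr.
struct RefCountedBase {
    int m_refCount = 0;
    void ref() { ++m_refCount; }
    bool derefAndCheckDead() { return --m_refCount == 0; }
    virtual ~RefCountedBase() = default;
};

template<typename T> class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr&) = delete; RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { *this = nullptr; }
    RefPtr& operator=(T* p) {   // ref the new object before releasing the old one
        if (p) p->ref();
        T* old = m_ptr;
        m_ptr = p;
        if (old && old->derefAndCheckDead()) delete old;
        return *this;
    }
    // Forming a reference from a null RefPtr is undefined behaviour: a reference
    // parameter moves the null check to the caller, it does not remove it (comment 2).
    T& operator*() const { return *m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr = nullptr;
};

struct Widget : RefCountedBase {
    Widget() { ++g_liveWidgets; }
    ~Widget() override { --g_liveWidgets; }
};
struct Scrollbar final : Widget {};

// Stand-in for the ScrollView/FrameView pair in the backtraces above.
struct FrameView final : Widget {
    int m_childCount = 0, m_width = 0, m_height = 0;
    RefPtr<Scrollbar> m_horizontalScrollbar;
    void addChild(Widget&) { ++m_childCount; }
    void removeChild(Widget& child) { assert(&child != this); --m_childCount; }

    // Shape of ScrollView::setHasScrollbarInternal: the RefPtr is tested before
    // *m_horizontalScrollbar forms the reference. Returns true if a bar was added/removed.
    bool setHasHorizontalScrollbar(bool hasBar) {
        if (hasBar && !m_horizontalScrollbar) {
            m_horizontalScrollbar = new Scrollbar;
            addChild(*m_horizontalScrollbar);
            return true;
        }
        if (!hasBar && m_horizontalScrollbar) {
            removeChild(*m_horizontalScrollbar);
            m_horizontalScrollbar = nullptr;   // last reference: the bar is freed here
            return true;
        }
        return false;
    }

    // The "protect this" at the top of FrameView::setFrameRect (comment 6): hold a
    // strong reference before running code that can re-enter and drop the owner's
    // reference. onResize is a hypothetical hook standing in for that code.
    int setFrameRect(int width, int height, const std::function<void(FrameView&)>& onResize) {
        RefPtr<FrameView> protectedThis(this);
        m_width = width; m_height = height;
        onResize(*this);
        return m_refCount;   // still valid: protectedThis keeps us alive until we return
    }
};

// Scenario 1: removing a scrollbar that does not exist is a no-op, not a null
// dereference. Returns {bars added or removed, widgets still alive}.
std::pair<int, int> runScrollbarToggle() {
    RefPtr<FrameView> view(new FrameView);
    int changed = 0;
    changed += view->setHasHorizontalScrollbar(false);   // nothing to remove
    changed += view->setHasHorizontalScrollbar(true);    // bar created
    changed += view->setHasHorizontalScrollbar(false);   // bar removed and freed
    changed += view->setHasHorizontalScrollbar(false);   // nothing to remove again
    return { changed, g_liveWidgets };                   // {2, 1}: only the view remains
}

// Scenario 2: the owner drops its only reference while setFrameRect is on the stack.
// Returns {refcount observed inside the call, widgets alive afterwards}.
std::pair<int, int> runProtectedResize() {
    RefPtr<FrameView> owner(new FrameView);
    FrameView& view = *owner;
    int refsInside = view.setFrameRect(1090, 55, [&owner](FrameView&) { owner = nullptr; });
    return { refsInside, g_liveWidgets };                // {1, 0}: freed only after the call returned
}

int main() {
    auto t = runScrollbarToggle(); auto r = runProtectedResize();
    std::printf("toggle {%d,%d} resize {%d,%d}\n", t.first, t.second, r.first, r.second);
}
```

Build with any C++11 compiler (for example g++ -std=c++14 example.cpp). Scenario 2 is the case comment 6 describes: without the protectedThis line, the `return m_refCount` would read freed memory once the hook released the owner's reference; that variant is deliberately not included because it is undefined behaviour and would not demonstrate anything reliably. Scenario 1 is the guard that makes the reference-taking removeChild safe at the call site; it is the caller's test of the RefPtr, not the signature, that prevents a null widget.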
Comment 7 Michael Catanzaro 2019-04-21 08:32:08 PDT
Created attachment 367912 [details]
Newer backtrace
Comment 8 Michael Catanzaro 2019-04-21 08:35:30 PDT
Still crashing here in 2.24.1. This time it's occurring during a call to WebCore::AccessibilityObject::updateBackingStore, but that might be just coincidence.

Sadly gdb is no longer showing the value for the widget parameter:

#3  WebCore::FrameView::removeChild (this=0x7f5f92e00438, widget=...) at ../Source/WebCore/page/FrameView.cpp:4959
No locals.