Bug 167307

Summary: [GTK] UI process crash in webkit_back_forward_list_get_current_item
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: bugs-noreply, mcatanzaro
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1415737

Description Michael Catanzaro 2017-01-23 08:24:35 PST
I have 51 reports of this UI process crash in webkit_back_forward_list_get_current_item. Looks like this occurs when performing a delayed page load (loading a saved tab for the first time after opening Epiphany):

Thread 1 (Thread 0x7f7119147fc0 (LWP 2493)):
#0  0x00007f71154d8a3c in WTFCrash() () at /usr/src/debug/webkitgtk-2.14.2/Source/WTF/wtf/Assertions.cpp:323
#1  0x00007f7115c8c199 in WTF::CrashOnOverflow::crash() () at /usr/src/debug/webkitgtk-2.14.2/Source/WTF/wtf/CheckedArithmetic.h:85
#2  0x00007f7115c8c199 in WTF::CrashOnOverflow::overflowed() () at /usr/src/debug/webkitgtk-2.14.2/Source/WTF/wtf/CheckedArithmetic.h:78
#3  0x00007f7115c8c199 in WTF::Vector<WTF::RefPtr<WebKit::WebBackForwardListItem>, 0ul, WTF::CrashOnOverflow, 16ul>::at(unsigned long) const (i=<optimized out>, this=<optimized out>) at /usr/src/debug/webkitgtk-2.14.2/Source/WTF/wtf/Vector.h:661
#4  0x00007f7115c8c199 in WTF::Vector<WTF::RefPtr<WebKit::WebBackForwardListItem>, 0ul, WTF::CrashOnOverflow, 16ul>::operator[](unsigned long) const (i=<optimized out>, this=<optimized out>) at /usr/src/debug/webkitgtk-2.14.2/Source/WTF/wtf/Vector.h:676
#5  0x00007f7115c8c199 in WebKit::WebBackForwardList::currentItem() const (this=<optimized out>) at /usr/src/debug/webkitgtk-2.14.2/Source/WebKit2/UIProcess/WebBackForwardList.cpp:212
#6  0x00007f7115e66fd4 in webkit_back_forward_list_get_current_item(WebKitBackForwardList*) (backForwardList=0x560cbd098720 [WebKitBackForwardList]) at /usr/src/debug/webkitgtk-2.14.2/Source/WebKit2/UIProcess/API/gtk/WebKitBackForwardList.cpp:166
#7  0x0000560cbbc45fa2 in load_delayed_request_if_mapped (user_data=user_data@entry=0x560cbc98f2d0) at ephy-embed.c:648
        embed = 0x560cbc98f2d0 [EphyEmbed]
        web_view = 0x560cbd0063d0 [EphyWebView]
        item = <optimized out>
#8  0x00007f71111f688d in g_timeout_dispatch (source=0x560cbcf6c120, callback=0x560cbbc45f00 <load_delayed_request_if_mapped>, user_data=0x560cbc98f2d0) at gmain.c:4674
        timeout_source = 0x560cbcf6c120
        again = <optimized out>

I considered that this might be an Epiphany bug, but I don't think it is. We are careful to ensure that callback is not called after the EphyEmbed is disposed. I think the WebBackForwardList has been somehow corrupted, possibly due to a problem with session state.