Bug 175602

Summary: [GTK] ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key) when dragging file into webview
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTK
Assignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, calvaris, cgarcia, commit-queue, ews-watchlist, Hironori.Fujii, mcatanzaro
Priority: P2
Version: Other
Hardware: PC
OS: Linux
Attachments (description: flags):
Backtrace: none
Patch: none
Archive of layout-test-results from ews206 for win-future: none

Michael Catanzaro
Reported 2017-08-15 15:08:37 PDT
Created attachment 318181 [details]
Backtrace

I tried dragging a file into Epiphany. It usually works but I guess it is racy as today (using WebKit trunk) I hit this assertion:

ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key)
../../Source/WTF/wtf/HashTable.h(587) : void WTF::HashTable<Key, Value, Extractor, HashFunctions, Traits, KeyTraits>::checkKey(const T&) [with HashTranslator = WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext> >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >; T = _GdkDragContext*; Key = _GdkDragContext*; Value = WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext> >; Extractor = WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext> > >; HashFunctions = WTF::PtrHash<_GdkDragContext*>; Traits = WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext> >::KeyValuePairTraits; KeyTraits = WTF::HashTraits<_GdkDragContext*>]

Detailed backtrace attached. Unfortunately I can't reproduce it.

Here's the function it's crashing in:

    template<typename Key, typename Value, typename Extractor, typename HashFunctions, typename Traits, typename KeyTraits>
    template<typename HashTranslator, typename T>
    void HashTable<Key, Value, Extractor, HashFunctions, Traits, KeyTraits>::checkKey(const T& key)
    {
        if (!HashFunctions::safeToCompareToEmptyOrDeleted)
            return;

        ASSERT(!HashTranslator::equal(KeyTraits::emptyValue(), key));
        // ...
    }

Clearly HashFunctions::safeToCompareToEmptyOrDeleted is returning true, so the function does not return early. Then the assertion fails. It's not clear to me why it is impermissible for a HashMap to contain an empty-valued key, but OK.

A naive speculative fix would add a null-check for the gdkContext in DragAndDropHandler.cpp, like this:

    void DragAndDropHandler::dragLeave(GdkDragContext* context)
    {
        DroppingContext* droppingContext = m_droppingContexts.get(context);
        if (!droppingContext || !droppingContext->gdkContext)
            return;
        // ...
    }

But I suspect that's not the right answer. It's not clear to me why the GdkDragContext would ever be null anyway.
Attachments
Backtrace (13.90 KB, text/plain)
2017-08-15 15:08 PDT, Michael Catanzaro
no flags
Patch (2.11 KB, patch)
2018-06-27 15:19 PDT, Michael Catanzaro
no flags
Archive of layout-test-results from ews206 for win-future (12.83 MB, application/zip)
2018-06-28 00:36 PDT, EWS Watchlist
no flags
Michael Catanzaro
Comment 1 2018-06-27 15:12:53 PDT
Hit this today. I think exploiting this would be very difficult since it would require an attacker to trick the user into dragging a file into the webview, so let's just treat it as a normal bug.

==27598==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030003cd660 at pc 0x7f1d9c1b3fd4 bp 0x7ffcdf424cd0 sp 0x7ffcdf424cc0
READ of size 8 at 0x6030003cd660 thread T0
    #0 0x7f1d9c1b3fd3 in bool WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >::equal<_GdkDragContext*, _GdkDragContext*>(_GdkDragContext* const&, _GdkDragContext* const&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:284
    #1 0x7f1d9c1b4468 in void WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::checkKey<WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >, _GdkDragContext*>(_GdkDragContext* const&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:587
    #2 0x7f1d9c1b32da in WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >* WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::inlineLookup<WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >, _GdkDragContext*>(_GdkDragContext* const&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:608
    #3 0x7f1d9c1b1a0e in WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >* WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::lookup<WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >, _GdkDragContext*>(_GdkDragContext* const&) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f5a0e)
    #4 0x7f1d9c1afedf in WTF::HashTableIterator<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> > WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::find<WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >, _GdkDragContext*>(_GdkDragContext* const&) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f3edf)
    #5 0x7f1d9c1aca76 in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::find(_GdkDragContext* const&) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f0a76)
    #6 0x7f1d9c1a9fd6 in WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::find(_GdkDragContext* const&) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44edfd6)
    #7 0x7f1d9c199496 in operator() /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:261
    #8 0x7f1d9c1a8b77 in call DerivedSources/ForwardingHeaders/wtf/Function.h:101
    #9 0x7f1d955cec87 in WTF::Function<void ()>::operator()() const /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/Function.h:56
    #10 0x7f1d955fde48 in WTF::RunLoop::performWork() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/RunLoop.cpp:123
    #11 0x7f1d956afd09 in operator() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
    #12 0x7f1d956afd2d in _FUN /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:70
    #13 0x7f1d956afcbb in operator() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
    #14 0x7f1d956afceb in _FUN /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:46
    #15 0x7f1dac73d3ad in g_main_dispatch ../../../../Projects/glib/glib/gmain.c:3182
    #16 0x7f1dac73e22f in g_main_context_dispatch ../../../../Projects/glib/glib/gmain.c:3835
    #17 0x7f1dac73e413 in g_main_context_iterate ../../../../Projects/glib/glib/gmain.c:3908
    #18 0x7f1dac73e4d7 in g_main_context_iteration ../../../../Projects/glib/glib/gmain.c:3969
    #19 0x7f1dacd69d86 in g_application_run ../../../../Projects/glib/gio/gapplication.c:2470
    #20 0x403e88 in main ../../../../../../../../../Projects/epiphany/src/ephy-main.c:437
    #21 0x7f1dabdda18a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #22 0x402719 in _start (/home/mcatanzaro/Projects/GNOME/install/bin/epiphany+0x402719)

0x6030003cd660 is located 0 bytes inside of 32-byte region [0x6030003cd660,0x6030003cd680)
freed by thread T0 here:
    #0 0x7f1dae2a0e50 in operator delete(void*, unsigned long) (/lib64/libasan.so.5+0xf1e50)
    #1 0x7f1d9c10620e in std::default_delete<WebKit::DragAndDropHandler::DroppingContext>::operator()(WebKit::DragAndDropHandler::DroppingContext*) const /usr/include/c++/8/bits/unique_ptr.h:81
    #2 0x7f1d9c1046f4 in std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >::~unique_ptr() /usr/include/c++/8/bits/unique_ptr.h:274
    #3 0x7f1d9c1b4c50 in WTF::KeyValuePairHashTraits<WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::customDeleteBucket(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >&) DerivedSources/ForwardingHeaders/wtf/HashTraits.h:302
    #4 0x7f1d9c1b45bf in std::enable_if<WTF::HashTraitHasCustomDelete<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::value, void>::type WTF::hashTraitsDeleteBucket<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >&) DerivedSources/ForwardingHeaders/wtf/HashTraits.h:227
    #5 0x7f1d9c1b349c in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::deleteBucket(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:461
    #6 0x7f1d9c1b1bbd in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::remove(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >*) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f5bbd)
    #7 0x7f1d9c1b0130 in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::removeAndInvalidateWithoutEntryConsistencyCheck(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >*) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f4130)
    #8 0x7f1d9c1ad0df in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::removeWithoutEntryConsistencyCheck(WTF::HashTableIterator<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f10df)
    #9 0x7f1d9c1aa4ec in WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::remove(WTF::HashTableIteratorAdapter<WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44ee4ec)
    #10 0x7f1d9c1999a2 in operator() /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:279
    #11 0x7f1d9c1a8b77 in call DerivedSources/ForwardingHeaders/wtf/Function.h:101
    #12 0x7f1d955cec87 in WTF::Function<void ()>::operator()() const /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/Function.h:56
    #13 0x7f1d955fdc64 in WTF::RunLoop::performWork() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/RunLoop.cpp:106
    #14 0x7f1d956afd09 in operator() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
    #15 0x7f1d956afd2d in _FUN /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:70
    #16 0x7f1d956afcbb in operator() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
    #17 0x7f1d956afceb in _FUN /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:46
    #18 0x7f1dac73d3ad in g_main_dispatch ../../../../Projects/glib/glib/gmain.c:3182
    #19 0x7f1dac73e22f in g_main_context_dispatch ../../../../Projects/glib/glib/gmain.c:3835
    #20 0x7f1dac73e413 in g_main_context_iterate ../../../../Projects/glib/glib/gmain.c:3908
    #21 0x7f1dac73e4d7 in g_main_context_iteration ../../../../Projects/glib/glib/gmain.c:3969
    #22 0x7f1dacd69d86 in g_application_run ../../../../Projects/glib/gio/gapplication.c:2470
    #23 0x403e88 in main ../../../../../../../../../Projects/epiphany/src/ephy-main.c:437
    #24 0x7f1dabdda18a in __libc_start_main (/lib64/libc.so.6+0x2318a)

previously allocated by thread T0 here:
    #0 0x7f1dae29f870 in operator new(unsigned long) (/lib64/libasan.so.5+0xf0870)
    #1 0x7f1d9c1a9ca6 in std::_MakeUniq<WebKit::DragAndDropHandler::DroppingContext>::__single_object std::make_unique<WebKit::DragAndDropHandler::DroppingContext, _GdkDragContext*&, WebCore::IntPoint const&>(_GdkDragContext*&, WebCore::IntPoint const&) /usr/include/c++/8/bits/unique_ptr.h:831
    #2 0x7f1d9c198b07 in WebKit::DragAndDropHandler::dragDataSelection(_GdkDragContext*, WebCore::IntPoint const&, unsigned int) /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:223
    #3 0x7f1d9c199002 in WebKit::DragAndDropHandler::dragMotion(_GdkDragContext*, WebCore::IntPoint const&, unsigned int) /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:241
    #4 0x7f1d9c0edbc6 in webkitWebViewBaseDragMotion /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:1222
    #5 0x7f1dad5b49c0 in _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT /home/mcatanzaro/.cache/jhbuild/build/gtk/gtk/gtkmarshalers.c:713
    #6 0x7f1daca2a555 in g_type_class_meta_marshal ../../../../Projects/glib/gobject/gclosure.c:1003
    #7 0x7f1daca29f01 in g_closure_invoke ../../../../Projects/glib/gobject/gclosure.c:810
    #8 0x7f1daca47be1 in signal_emit_unlocked_R ../../../../Projects/glib/gobject/gsignal.c:3673
    #9 0x7f1daca46e06 in g_signal_emit_valist ../../../../Projects/glib/gobject/gsignal.c:3401
    #10 0x7f1daca4745c in g_signal_emit_by_name ../../../../Projects/glib/gobject/gsignal.c:3487
    #11 0x7f1dad57e947 in gtk_drag_dest_motion /home/mcatanzaro/Projects/gtk/gtk/gtkdnd.c:1572
    #12 0x7f1dad57df00 in gtk_drag_find_widget /home/mcatanzaro/Projects/gtk/gtk/gtkdnd.c:1270
    #13 0x7f1dad57d98f in _gtk_drag_dest_handle_event /home/mcatanzaro/Projects/gtk/gtk/gtkdnd.c:1091
    #14 0x7f1dad36f88b in gtk_main_do_event /home/mcatanzaro/Projects/gtk/gtk/gtkmain.c:1933
    #15 0x7f1daa5d6874 in _gdk_event_emit /home/mcatanzaro/Projects/gtk/gdk/gdkevents.c:73
    #16 0x7f1daa652378 in gdk_event_source_dispatch /home/mcatanzaro/Projects/gtk/gdk/wayland/gdkeventsource.c:124
    #17 0x7f1dac73d3ad in g_main_dispatch ../../../../Projects/glib/glib/gmain.c:3182
    #18 0x7f1dac73e22f in g_main_context_dispatch ../../../../Projects/glib/glib/gmain.c:3835
    #19 0x7f1dac73e413 in g_main_context_iterate ../../../../Projects/glib/glib/gmain.c:3908
    #20 0x7f1dac73e4d7 in g_main_context_iteration ../../../../Projects/glib/glib/gmain.c:3969
    #21 0x7f1dacd69d86 in g_application_run ../../../../Projects/glib/gio/gapplication.c:2470
    #22 0x403e88 in main ../../../../../../../../../Projects/epiphany/src/ephy-main.c:437
    #23 0x7f1dabdda18a in __libc_start_main (/lib64/libc.so.6+0x2318a)

SUMMARY: AddressSanitizer: heap-use-after-free DerivedSources/ForwardingHeaders/wtf/HashTable.h:284 in bool WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >::equal<_GdkDragContext*, _GdkDragContext*>(_GdkDragContext* const&, _GdkDragContext* const&)
==27598==ABORTING
Michael Catanzaro
Comment 2 2018-06-27 15:19:11 PDT
Fujii Hironori
Comment 3 2018-06-27 23:22:40 PDT
Comment on attachment 343760 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=343760&action=review

> Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:260
> +    RunLoop::main().dispatch([this, context, droppingContext]() {

Nit: 'droppingContext' should not be captured because this can be freed. You should use 'it' instead of 'droppingContext'.
EWS Watchlist
Comment 4 2018-06-28 00:36:15 PDT
Comment on attachment 343760 [details]
Patch

Attachment 343760 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8367312

New failing tests:
http/tests/security/canvas-remote-read-remote-video-localhost.html
EWS Watchlist
Comment 5 2018-06-28 00:36:27 PDT
Created attachment 343801 [details]
Archive of layout-test-results from ews206 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews206  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Carlos Garcia Campos
Comment 6 2018-06-28 01:02:32 PDT
Comment on attachment 343760 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=343760&action=review

>> Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:260
>> +    RunLoop::main().dispatch([this, context, droppingContext]() {
>
> Nit: 'droppingContext' should not be captured because this can be freed. You should use 'it' instead of 'droppingContext'.

Good point!
Michael Catanzaro
Comment 7 2018-06-28 05:20:38 PDT
You're right, I will fix it.
Michael Catanzaro
Comment 8 2018-06-28 07:57:51 PDT
The original patch is OK, because droppingContext is guaranteed to be valid if the check at the top of the lambda passes, and it's not used otherwise. But I agree that it would be nicer to not capture a variable that could potentially be invalid, so I rewrote the patch to get the droppingContext directly from the iterator inside the lambda instead, like this:

    DroppingContext* droppingContext = it->value.get();
    ASSERT(droppingContext);

But now it is shadowing the droppingContext variable in the above scope, and I don't want to come up with another name for a pointer that's guaranteed to be identical. So then I wound up removing the null check at the top of the function, which is just an optimization to potentially avoid an extra RunLoop dispatch and not required for correctness. But I shouldn't be removing such checks to avoid something that isn't a problem, so I was going to stick with the original version of the patch...

However, I found another theoretical problem here, which is that the GdkDragContext* context pointer could be invalid as well, since we do not do anything to keep it alive inside the lambda. That's not happening in my testing, but I think it could happen, so I don't think my patch is safe, either. It's an opaque struct, not refcounted, so there is no way for us to control the lifetime. I conclude there's no way to safely use it inside the RunLoop dispatch. It's fortunately only needed to get the DroppingContext*, but without it, we don't know if that's valid either. So I'm not sure the best way to fix this.
Michael Catanzaro
Comment 9 2018-06-28 08:08:48 PDT
(In reply to Michael Catanzaro from comment #8)
> However, I found another theoretical problem here, which is that the
> GdkDragContext* context pointer could be invalid as well, since we do not do
> anything to keep it alive inside the lambda.

It should be OK so long as we never dereference it (we don't), and it's not happening in any case, so I'm going to commit the original patch.
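As an added illustration of the lifetime problem that comments 8 and 9 reason about (example code written for this page, not WebKit's code or the patch under review): a stripped-down model of the DroppingContext map plus a deferred-dispatch run loop, replaying drag-leave followed by the drop data so that the queued erase runs before the data task. FakeRunLoop, Outcome, replay and the liveness registry are constructions of this example; the real code's raw-pointer capture is shown beside the landed patch's look-the-key-up-again shape.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <set>
#include <utility>
#include <vector>

struct GdkDragContext { int id; };  // stand-in for the opaque GTK struct (constructed here)

// Live DroppingContext addresses: checked instead of reading freed memory (ASan's job in the real crash).
static std::set<const void*> g_liveContexts;

struct DroppingContext {
    explicit DroppingContext(GdkDragContext* context) : gdkContext(context) { g_liveContexts.insert(this); }
    ~DroppingContext() { g_liveContexts.erase(this); }
    GdkDragContext* gdkContext;
    bool dataDelivered { false };
};

// Minimal stand-in for RunLoop::main().dispatch(): tasks queue up and run later, in order.
class FakeRunLoop {
public:
    void dispatch(std::function<void()> task) { m_tasks.push_back(std::move(task)); }
    void performWork() { for (auto& task : std::exchange(m_tasks, {})) task(); }
private:
    std::vector<std::function<void()>> m_tasks;
};

struct Outcome {
    int handled { 0 };   // deferred task found a live DroppingContext and used it
    int dangling { 0 };  // deferred task would have read through a freed DroppingContext
    int skipped { 0 };   // deferred task saw the drag was gone and returned early
};

class DragAndDropHandler {
public:
    explicit DragAndDropHandler(FakeRunLoop& runLoop) : m_runLoop(runLoop) { }

    // A drag entering the view gets its DroppingContext (the report's allocation stack).
    void dragMotion(GdkDragContext* context) {
        if (!m_droppingContexts.count(context))
            m_droppingContexts[context] = std::make_unique<DroppingContext>(context);
    }

    // The deferred erase destroys the unique_ptr value (the report's "freed by" stack, line 279).
    void dragLeave(GdkDragContext* context) {
        m_runLoop.dispatch([this, context] { m_droppingContexts.erase(context); });
    }

    // Buggy shape: capture the raw pointer to the map's value and read through it later. If the
    // erase ran first, droppingContext->gdkContext reads freed memory (the READ at HashTable.h:284).
    void dragDataReceivedUnsafe(GdkDragContext* context) {
        auto it = m_droppingContexts.find(context);
        if (it == m_droppingContexts.end()) return;
        DroppingContext* droppingContext = it->second.get();
        m_runLoop.dispatch([this, droppingContext] {
            if (!g_liveContexts.count(droppingContext)) {
                ++m_outcome.dangling;  // stand-in for the heap-use-after-free
                return;
            }
            m_droppingContexts.find(droppingContext->gdkContext)->second->dataDelivered = true;
            ++m_outcome.handled;
        });
    }

    // Hardened shape (the landed patch's pattern): capture the key only and look it up again when
    // the task runs. `context` is only compared as a key, never dereferenced (comment 9's argument).
    void dragDataReceivedSafe(GdkDragContext* context) {
        if (!m_droppingContexts.count(context)) return;
        m_runLoop.dispatch([this, context] {
            auto it = m_droppingContexts.find(context);
            if (it == m_droppingContexts.end()) {
                ++m_outcome.skipped;  // the drag already left; nothing to deliver to
                return;
            }
            it->second->dataDelivered = true;
            ++m_outcome.handled;
        });
    }

    const Outcome& outcome() const { return m_outcome; }
private:
    FakeRunLoop& m_runLoop;
    std::map<GdkDragContext*, std::unique_ptr<DroppingContext>> m_droppingContexts;
    Outcome m_outcome;
};

// Replays one drag; with leaveBeforeDrop the erase is queued before the data task, as in the race.
Outcome replay(bool hardened, bool leaveBeforeDrop) {
    FakeRunLoop runLoop;
    DragAndDropHandler handler(runLoop);
    GdkDragContext gdkContext { 1 };  // constructed sample drag
    handler.dragMotion(&gdkContext);
    if (leaveBeforeDrop)
        handler.dragLeave(&gdkContext);
    hardened ? handler.dragDataReceivedSafe(&gdkContext) : handler.dragDataReceivedUnsafe(&gdkContext);
    runLoop.performWork();
    return handler.outcome();
}
```

With the racy ordering the unsafe variant reports one dangling use and the hardened variant one skipped delivery; without it both deliver normally.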
WebKit Commit Bot
Comment 10 2018-06-28 08:35:48 PDT
Comment on attachment 343760 [details]
Patch

Clearing flags on attachment: 343760

Committed r233305: <https://trac.webkit.org/changeset/233305>
WebKit Commit Bot
Comment 11 2018-06-28 08:35:50 PDT
All reviewed patches have been landed. Closing bug.
Fujii Hironori
Comment 12 2018-06-28 18:33:38 PDT
(In reply to Michael Catanzaro from comment #8)
> The original patch is OK, because droppingContext is guaranteed to be valid
> if the check at the top of the lambda passes, and it's not used otherwise.

Right. That's the reason I wrote 'Nit:'. It just increases the size of the lambda. :)