Bug 183091

Summary: REGRESSION(r221514): [GTK] UI process crash in WebKit::WaylandCompositor::Surface::flushPendingFrameCallbacks
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, bugzilla, calvaris, cgarcia, mcatanzaro
Priority: P2    
Version: Other   
Hardware: PC   
OS: Linux   
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1493283
https://bugzilla.redhat.com/show_bug.cgi?id=1530638
https://bugzilla.redhat.com/show_bug.cgi?id=1535075
https://bugzilla.redhat.com/show_bug.cgi?id=1548530
https://bugs.webkit.org/show_bug.cgi?id=175942
https://bugzilla.redhat.com/show_bug.cgi?id=1559255
https://bugzilla.redhat.com/show_bug.cgi?id=1560228
https://bugzilla.redhat.com/show_bug.cgi?id=1563787
https://bugzilla.redhat.com/show_bug.cgi?id=1564572
Attachments:
Description Flags
Patch mcatanzaro: review+

Michael Catanzaro
Reported 2018-02-23 12:44:09 PST
We have 569 reports of this crash in Fedora: Thread 1 (Thread 0x7f05c353aac0 (LWP 8748)): #0 0x00007f05bdce0430 in WebKit::WaylandCompositor::Surface::flushPendingFrameCallbacks() (this=this@entry=0x7f05ab0f0d10) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/gtk/WaylandCompositor.cpp:258 resource = <optimized out> __for_range = <synthetic pointer>: {<WTF::VectorBuffer<wl_resource*, 0>> = {<WTF::VectorBufferBase<wl_resource*>> = {m_buffer = 0x616d612d73656761, m_capacity = <optimized out>, m_size = <optimized out>}, <No data fields>}, <No data fields>} __for_begin = 0x616d612d73656761 list = {<WTF::VectorBuffer<wl_resource*, 0>> = {<WTF::VectorBufferBase<wl_resource*>> = {m_buffer = 0x616d612d73656761, m_capacity = <optimized out>, m_size = <optimized out>}, <No data fields>}, <No data fields>} #1 0x00007f05bdce0496 in WebKit::WaylandCompositor::Surface::setWebPage(WebKit::WebPageProxy*) (this=0x7f05ab0f0d10, webPage=0x0) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/gtk/WaylandCompositor.cpp:181 #2 0x00007f05bdcd8663 in WebKit::AcceleratedBackingStoreWayland::~AcceleratedBackingStoreWayland() (this=0x7f054839c030, __in_chrg=<optimized out>) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreWayland.cpp:61 #3 0x00007f05bdcd8689 in WebKit::AcceleratedBackingStoreWayland::~AcceleratedBackingStoreWayland() (this=0x7f054839c030, __in_chrg=<optimized out>) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/gtk/AcceleratedBackingStoreWayland.cpp:62 #4 0x00007f05bdcc2f3a in std::default_delete<WebKit::AcceleratedBackingStore>::operator()(WebKit::AcceleratedBackingStore*) const (this=<optimized out>, __ptr=<optimized out>) at /usr/include/c++/7/bits/unique_ptr.h:78 __ptr = <optimized out> webView = 0x55e3c6bcbdd0 [EphyWebView] #5 0x00007f05bdcc2f3a in std::unique_ptr<WebKit::AcceleratedBackingStore, std::default_delete<WebKit::AcceleratedBackingStore> >::reset(WebKit::AcceleratedBackingStore*) (__p=<optimized out>, this=<optimized out>) at /usr/include/c++/7/bits/unique_ptr.h:376 webView = 0x55e3c6bcbdd0 [EphyWebView] #6 0x00007f05bdcc2f3a in std::unique_ptr<WebKit::AcceleratedBackingStore, std::default_delete<WebKit::AcceleratedBackingStore> >::operator=(decltype(nullptr)) (this=<optimized out>) at /usr/include/c++/7/bits/unique_ptr.h:312 webView = 0x55e3c6bcbdd0 [EphyWebView] #7 0x00007f05bdcc2f3a in webkitWebViewBaseDispose(GObject*) (gobject=0x55e3c6bcbdd0 [EphyWebView]) at /usr/src/debug/webkitgtk4-2.18.5-1.fc27.x86_64/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:508 webView = 0x55e3c6bcbdd0 [EphyWebView] #8 0x00007f05c2c56e5c in g_object_run_dispose (object=0x55e3c6bcbdd0 [EphyWebView]) at gobject.c:1100 __func__ = "g_object_run_dispose" #9 0x00007f05c1eee690 in gtk_overlay_forall (overlay=<optimized out>, include_internals=<optimized out>, callback=0x7f05c2003750 <gtk_widget_destroy>, callback_data=0x0) at gtkoverlay.c:625 priv = 0x55e3c72845c0 child = <optimized out> children = <optimized out> main_widget = <optimized out> #10 0x00007f05c1deee0e in gtk_container_destroy (widget=0x55e3c72846f0 [GtkOverlay]) at gtkcontainer.c:1700 container = 0x55e3c72846f0 [GtkOverlay] priv = 0x55e3c72845e0
Attachments
Patch (2.53 KB, patch)
2018-02-26 00:36 PST, Carlos Garcia Campos 		mcatanzaro: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2018-02-23 13:15:16 PST
I guess the WaylandCompositor::Surface is already destroyed before the call to flushPendingFrameCallbacks? It's not clear. The use of auto list = WTFMove(m_*CallbackList) throughout this file is confusing: I guess that swaps the member variable vector with the default-initialized empty vector, so it's probably OK, but maybe too clever.
Carlos Garcia Campos
Comment 2 2018-02-26 00:36:26 PST
Created attachment 334595 [details] Patch
Michael Catanzaro
Comment 3 2018-02-26 08:47:33 PST
Comment on attachment 334595 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=334595&action=review Thanks > Source/WebKit/UIProcess/gtk/WaylandCompositor.cpp:354 > auto* surface = static_cast<WaylandCompositor::Surface*>(wl_resource_get_user_data(resource)); > + WaylandCompositor::singleton().willDestroySurface(surface); > delete surface; Aha, so this is what I missed when staring at this bug the other day. > Source/WebKit/UIProcess/gtk/WaylandCompositor.cpp:571 > + break; You could equivalently use return instead.
Carlos Garcia Campos
Comment 4 2018-03-01 01:24:36 PST
Committed r229126: <https://trac.webkit.org/changeset/229126>
Xabier Rodríguez Calvar
Comment 5 2018-07-30 01:09:50 PDT
Michael, after giving my first son's blood I managed to get a backtrace with asan for the crash I am having lately that could be causing https://gitlab.gnome.org/GNOME/gtk/issues/1232 and it looks like it is this one? Carlos, do you know when this is going to be released in GNOME JHBuild conf?
Michael Catanzaro
Comment 6 2018-08-04 11:31:45 PDT
(In reply to Xabier Rodríguez Calvar from comment #5) > Michael, after giving my first son's blood I managed to get a backtrace with > asan for the crash Poor Simon :( > I am having lately that could be causing > https://gitlab.gnome.org/GNOME/gtk/issues/1232 and it looks like it is this > one? > > Carlos, do you know when this is going to be released in GNOME JHBuild conf? This was committed way back in March. Exactly what version of WebKitGTK+ are you using? Could you please post the trace from asan?
Michael Catanzaro
Comment 7 2018-08-04 11:33:38 PDT
(In reply to Michael Catanzaro from comment #6) > This was committed way back in March. And it was backported for 2.19.92.
Note You need to log in before you can comment on or make changes to this bug.