Bug 226811

Summary: [GTK] Crash when dragging an account node above WebView
Product: WebKit Reporter: Milan Crha <mcrha>
Component: WebKitGTK Assignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED    
Severity: Normal CC: aperez, berto, bugs-noreply, cgarcia, ews-watchlist, gns, mcatanzaro, pabs3
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Milan Crha 2021-06-09 03:50:54 PDT
Moving this from a downstream bug report:
https://gitlab.gnome.org/GNOME/evolution/-/issues/1526

In Evolution, when a user drags a mail account node above the composer window, WebKitGTK crashes the application. The preview panel doesn't do that. When I try the "drag above" with the MiniBrowser, then it crashes regardless of whether it's in the editor mode or not.

This is with evolution 3.40.1-1 (from Debian experimental), webkit 2.32.1-1 and GNOME 3.38 on Debian bullseye. (I see that with Fedora 34 and the same evo/WebKitGTK versions as well).

The downstream bug report contains a whole backtrace, with all threads, but it's too long. See it attached at the end of the description there, if needed.

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 42, 834, 5, 94402006640432, 94402006649584, 139949534068928, 94401995203384, 4, 94402006649584, 4, 139949533776257, 140735894193728, 94402029678352, 94401996349664, 140735894194048}}
        pid = <optimized out>
        tid = <optimized out>
#1  0x00007f488f12b537 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x55dbae126840, sa_sigaction = 0x55dbae126840}, sa_mask = {__val = {139949533666252, 0, 0, 94401995203384, 3584923175664, 139948495672560, 94401995201360, 94402029678352, 9272222391884015360, 94401995203344, 94402006649584, 94401995203344, 94402006649584, 94402029678352, 139949533644401, 24395876352}}, sa_flags = -1700043008, sa_restorer = 0x55dbae128af0}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f48899487a8 in WTF::fromUTF8Impl<false>(unsigned char const*, unsigned long) () at ../Source/WTF/wtf/text/WTFString.cpp:845
#3  0x00007f4889947e2e in WTF::String::fromUTF8(unsigned char const*, unsigned long) () at ../Source/WTF/wtf/text/WTFString.cpp:872
#4  0x00007f488c398df2 in WebKit::DropTarget::dataReceived(WebCore::IntPoint&&, _GtkSelectionData*, unsigned int, unsigned int) () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:185
#5  0x00007f488c398fe4 in operator() () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:85
#6  _FUN() () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:85
#7  0x00007f488fd65344 in _gtk_marshal_VOID__OBJECT_INT_INT_BOXED_UINT_UINTv (closure=closure@entry=0x55dbadf4e300, return_value=return_value@entry=0x0, instance=instance@entry=0x55dbaf21f3b0, args=args@entry=0x7fffa0fb13f8, marshal_data=marshal_data@entry=0x0, n_params=n_params@entry=6, param_types=0x55dbacdeafb0) at gtkmarshalers.c:5998
        data1 = 0x55dbaf21f3b0
        data2 = <optimized out>
        callback = 0x7f488c398f90 <_FUN()>
        arg0 = 0x55dbace0f010
        arg1 = 0
        arg2 = -1894507295
        arg3 = 0x7fffa0fb1980
        arg4 = 2700805552
        arg5 = 2700805552
        args_copy = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffa0fb1540, reg_save_area = 0x7fffa0fb1440}}
#8  0x00007f488f6e0889 in _g_closure_invoke_va (closure=closure@entry=0x55dbadf4e300, return_value=return_value@entry=0x0, instance=instance@entry=0x55dbaf21f3b0, args=args@entry=0x7fffa0fb13f8, n_params=6, param_types=0x55dbacdeafb0) at ../../../gobject/gclosure.c:873
        marshal = 0x7f488fd651f0 <_gtk_marshal_VOID__OBJECT_INT_INT_BOXED_UINT_UINTv>
        marshal_data = 0x0
        in_marshal = 0
        real_closure = 0x55dbadf4e2e0
        __func__ = "_g_closure_invoke_va"
#9  0x00007f488f6f8fe8 in g_signal_emit_valist (instance=instance@entry=0x55dbaf21f3b0, signal_id=signal_id@entry=114, detail=detail@entry=0, var_args=var_args@entry=0x7fffa0fb13f8) at ../../../gobject/gsignal.c:3406
        return_accu = <optimized out>
        accu = {g_type = 0x0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
        accumulator = 0x0
        emission = {next = 0x7fffa0fb16f0, instance = 0x55dbaf21f3b0, ihint = {signal_id = 114, detail = 0, run_type = (G_SIGNAL_RUN_LAST | G_SIGNAL_ACCUMULATOR_FIRST_RUN)}, state = EMISSION_RUN, chain_type = 0x55dbae857d60 [EWebKitEditor/WebKitWebView/WebKitWebViewBase/GtkContainer/GtkWidget/GInitiallyUnowned]}
        signal_id = 114
        instance_type = <optimized out>
        emission_return = {g_type = 0x0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
        rtype = 0x4 [void]
        static_scope = 0
        fastpath_handler = <optimized out>
        closure = <optimized out>
        run_type = <optimized out>
        hlist = <optimized out>
        l = <optimized out>
        fastpath = 1
        instance_and_params = <optimized out>
        signal_return_type = <optimized out>
        param_values = <optimized out>
        node = <optimized out>
        i = <optimized out>
        n_params = <optimized out>
        __func__ = "g_signal_emit_valist"
#10 0x00007f488f6f93ff in g_signal_emit_by_name (instance=instance@entry=0x55dbaf21f3b0, detailed_signal=detailed_signal@entry=0x7f488fd6e6f8 "drag-data-received") at ../../../gobject/gsignal.c:3593
        var_args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffa0fb1530, reg_save_area = 0x7fffa0fb1440}}
        detail = 0
        signal_id = 114
        itype = 0x55dbae857d60 [EWebKitEditor/WebKitWebView/WebKitWebViewBase/GtkContainer/GtkWidget/GInitiallyUnowned]
        __func__ = "g_signal_emit_by_name"
#11 0x00007f488fd35d1d in gtk_drag_selection_received (widget=0x55dbadc93a30 [GtkWindow], selection_data=0x7fffa0fb1980, time=501869454, data=0x55dbaf21f3b0) at ../../../../gtk/gtkdnd.c:1189
        site = <optimized out>
        context = 0x55dbace0f010 [GdkWaylandDragContext]
        info = 0x7f2fa06bf410
        drop_widget = 0x55dbaf21f3b0 [EWebKitEditor]
        target = 0x51
#12 0x00007f488fd62b7c in _gtk_marshal_VOID__BOXED_UINTv (closure=closure@entry=0x55dbaf775e50, return_value=return_value@entry=0x0, instance=instance@entry=0x55dbadc93a30, args=args@entry=0x7fffa0fb17f8, marshal_data=marshal_data@entry=0x0, n_params=n_params@entry=2, param_types=0x55dbace09580) at gtkmarshalers.c:3607
        data1 = 0x55dbadc93a30
        data2 = <optimized out>
        callback = 0x7f488fd35be0 <gtk_drag_selection_received>
        arg0 = 0x7fffa0fb1980
        arg1 = 0
        args_copy = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffa0fb1930, reg_save_area = 0x7fffa0fb1840}}
#13 0x00007f488f6e0889 in _g_closure_invoke_va (closure=closure@entry=0x55dbaf775e50, return_value=return_value@entry=0x0, instance=instance@entry=0x55dbadc93a30, args=args@entry=0x7fffa0fb17f8, n_params=2, param_types=0x55dbace09580) at ../../../gobject/gclosure.c:873
        marshal = 0x7f488fd62ad0 <_gtk_marshal_VOID__BOXED_UINTv>
        marshal_data = 0x0
        in_marshal = 0
        real_closure = 0x55dbaf775e30
        __func__ = "_g_closure_invoke_va"
#14 0x00007f488f6f8fe8 in g_signal_emit_valist (instance=instance@entry=0x55dbadc93a30, signal_id=signal_id@entry=102, detail=detail@entry=0, var_args=var_args@entry=0x7fffa0fb17f8) at ../../../gobject/gsignal.c:3406
        return_accu = <optimized out>
        accu = {g_type = 0x0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
        accumulator = 0x0
        emission = {next = 0x7fffa0fb1c60, instance = 0x55dbadc93a30, ihint = {signal_id = 102, detail = 0, run_type = (G_SIGNAL_RUN_FIRST | G_SIGNAL_ACCUMULATOR_FIRST_RUN)}, state = EMISSION_RUN, chain_type = 0x55dbacdf0a70 [GtkWindow/GtkBin/GtkContainer/GtkWidget/GInitiallyUnowned]}
        signal_id = 102
        instance_type = <optimized out>
        emission_return = {g_type = 0x0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
        rtype = 0x4 [void]
        static_scope = 0
        fastpath_handler = <optimized out>
        closure = <optimized out>
        run_type = <optimized out>
        hlist = <optimized out>
        l = <optimized out>
        fastpath = 1
        instance_and_params = <optimized out>
        signal_return_type = <optimized out>
        param_values = <optimized out>
        node = <optimized out>
        i = <optimized out>
        n_params = <optimized out>
        __func__ = "g_signal_emit_valist"
#15 0x00007f488f6f93ff in g_signal_emit_by_name (instance=0x55dbadc93a30, detailed_signal=detailed_signal@entry=0x7f488fdcb20f "selection-received") at ../../../gobject/gsignal.c:3593
        var_args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffa0fb1930, reg_save_area = 0x7fffa0fb1840}}
        detail = 0
        signal_id = 102
        itype = 0x55dbacdf0a70 [GtkWindow/GtkBin/GtkContainer/GtkWidget/GInitiallyUnowned]
        __func__ = "g_signal_emit_by_name"
#16 0x00007f488fc47b64 in gtk_selection_retrieval_report (time=501869454, length=<optimized out>, buffer=<optimized out>, format=<optimized out>, type=<optimized out>, info=0x55dbad975840) at ../../../../gtk/gtkselection.c:3079
        data = {selection = 0x46, target = 0x51, type = 0x0, format = 0, data = 0x0, length = -1, display = 0x55dbacda0130 [GdkWaylandDisplay]}
        owner_widget = <optimized out>
        owner_widget_ptr = 0x55dbadc93790
        selection_data = {selection = 0x46, target = 0x51, type = 0x0, format = 0, data = 0x0, length = -1, display = 0x55dbacda0130 [GdkWaylandDisplay]}
        info = 0x55dbad975840
        tmp_list = <optimized out>
        owner_window = <optimized out>
        display = 0x55dbacda0130 [GdkWaylandDisplay]
        id = <optimized out>
        __func__ = "gtk_selection_convert"
#17 gtk_selection_convert (widget=0x55dbadc93a30 [GtkWindow], selection=0x46, target=0x51, time_=501869454) at ../../../../gtk/gtkselection.c:1172
        owner_widget = <optimized out>
        owner_widget_ptr = 0x55dbadc93790
        selection_data = {selection = 0x46, target = 0x51, type = 0x0, format = 0, data = 0x0, length = -1, display = 0x55dbacda0130 [GdkWaylandDisplay]}
        info = 0x55dbad975840
        tmp_list = <optimized out>
        owner_window = <optimized out>
        display = 0x55dbacda0130 [GdkWaylandDisplay]
        id = <optimized out>
        __func__ = "gtk_selection_convert"
#18 0x00007f488c399837 in WebKit::DropTarget::accept(_GdkDragContext*, WTF::Optional<WebCore::IntPoint>, unsigned int) () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:140
#19 0x00007f488c399a6a in operator() () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:59
#20 _FUN() () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:59
#21 0x00007f488fd5eaa7 in _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT (closure=closure@entry=0x55dbad923170, return_value=return_value@entry=0x7fffa0fb1c90, n_param_values=n_param_values@entry=5, param_values=param_values@entry=0x7fffa0fb1cf0, invocation_hint=invocation_hint@entry=0x7fffa0fb1c70, marshal_data=marshal_data@entry=0x0) at gtkmarshalers.c:826
        cc = 0x55dbad923170
        data1 = 0x55dbaf21f3b0
        data2 = <optimized out>
        callback = 0x7f488c399a30 <_FUN()>
        v_return = <optimized out>
        __func__ = "_gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT"
#22 0x00007f488f6e065f in g_closure_invoke (closure=0x55dbad923170, return_value=return_value@entry=0x7fffa0fb1c90, n_param_values=5, param_values=param_values@entry=0x7fffa0fb1cf0, invocation_hint=invocation_hint@entry=0x7fffa0fb1c70) at ../../../gobject/gclosure.c:810
        marshal = 0x7f488fd5ea30 <_gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT>
        marshal_data = 0x0
        in_marshal = 0
        real_closure = 0x55dbad923150
        __func__ = "g_closure_invoke"
#23 0x00007f488f6f2ba2 in signal_emit_unlocked_R (node=<optimized out>, detail=detail@entry=0, instance=instance@entry=0x55dbaf21f3b0, emission_return=emission_return@entry=0x7fffa0fb1e20, instance_and_params=instance_and_params@entry=0x7fffa0fb1cf0) at ../../../gobject/gsignal.c:3812
        tmp = <optimized out>
        handler = 0x55dbaf9b2e00
        accumulator = 0x55dbace0a470
        emission = {next = 0x0, instance = 0x55dbaf21f3b0, ihint = {signal_id = 111, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 0x4 [void]}
        class_closure = 0x55dbacd687e0
        hlist = <optimized out>
        handler_list = <optimized out>
        return_accu = 0x7fffa0fb1c90
        accu = {g_type = 0x14 [gboolean], data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
        signal_id = 111
        max_sequential_handler_number = 2726343
        return_value_altered = <optimized out>
#24 0x00007f488f6f87f9 in g_signal_emit_valist (instance=instance@entry=0x55dbaf21f3b0, signal_id=signal_id@entry=111, detail=detail@entry=0, var_args=var_args@entry=0x7fffa0fb1ed8) at ../../../gobject/gsignal.c:3507
        return_value = {g_type = 0x14 [gboolean], data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
        error = 0x0
        rtype = 0x14 [gboolean]
        static_scope = 0
        instance_and_params = 0x7fffa0fb1cf0
        signal_return_type = <optimized out>
        param_values = 0x7fffa0fb1d08
        node = <optimized out>
        i = <optimized out>
        n_params = <optimized out>
        __func__ = "g_signal_emit_valist"
#25 0x00007f488f6f93ff in <emit signal 0x7f488fd9e4ad "drag-motion" on instance 0x55dbaf21f3b0 [EWebKitEditor]> (instance=instance@entry=0x55dbaf21f3b0, detailed_signal=detailed_signal@entry=0x7f488fd9e4ad "drag-motion") at ../../../gobject/gsignal.c:3593
        var_args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffa0fb2010, reg_save_area = 0x7fffa0fb1f20}}
        detail = 0
        signal_id = 111
        itype = 0x55dbae857d60 [EWebKitEditor/WebKitWebView/WebKitWebViewBase/GtkContainer/GtkWidget/GInitiallyUnowned]
        __func__ = "g_signal_emit_by_name"
#26 0x00007f488fd36bea in gtk_drag_dest_motion (widget=widget@entry=0x55dbaf21f3b0 [EWebKitEditor], context=context@entry=0x55dbace0f010 [GdkWaylandDragContext], x=206, y=3, time=time@entry=501869454) at ../../../../gtk/gtkdnd.c:1572
        site = 0x55dbafc1a2a0
        action = <optimized out>
        retval = -1881198131
        __func__ = "gtk_drag_dest_motion"
#27 0x00007f488fd37159 in gtk_drag_find_widget (callback=0x7f488fd36a90 <gtk_drag_dest_motion>, time=501869454, y=<optimized out>, x=<optimized out>, info=0x7f2fa06bf410, context=0x55dbace0f010 [GdkWaylandDragContext], widget=0x55dbaf21f3b0 [EWebKitEditor]) at ../../../../gtk/gtkdnd.c:1270
        parent = 0x0
        hierarchy = 0x55dbae94c660 = {0x55dbaf828780, 0x55dbaf7fe470, 0x55dbad83baa0, 0x55dbaf7fe9f0, 0x55dbaf243f10, 0x55dbaf21f3b0}
        found = 0
        window = <optimized out>
        tx = 0
        ty = 0
        found = <optimized out>
        info = 0x7f2fa06bf410
        context = 0x55dbace0f010 [GdkWaylandDragContext]
        __func__ = "_gtk_drag_dest_handle_event"
#28 _gtk_drag_dest_handle_event (toplevel=toplevel@entry=0x55dbaf828780 [EMsgComposer], event=event@entry=0x55dbb19cc5c0) at ../../../../gtk/gtkdnd.c:1091
        window = <optimized out>
        tx = 0
        ty = 0
        found = <optimized out>
        info = 0x7f2fa06bf410
        context = 0x55dbace0f010 [GdkWaylandDragContext]
        __func__ = "_gtk_drag_dest_handle_event"
#29 0x00007f488fbbc91b in gtk_main_do_event (event=0x55dbb19cc5c0) at ../../../../gtk/gtkmain.c:1938
        grab_widget = <optimized out>
        window_group = 0x55dbb0708aa0 [GtkWindowGroup]
        rewritten_event = <optimized out>
        device = 0x55dbace0f0c0 [GdkWaylandDevice]
        tmp_list = <optimized out>
        event_widget = 0x55dbaf828780 [EMsgComposer]
        topmost_widget = <optimized out>
        __func__ = "gtk_main_do_event"
        __func__ = "gtk_main_do_event"
#30 gtk_main_do_event (event=<optimized out>) at ../../../../gtk/gtkmain.c:1690
        __func__ = "gtk_main_do_event"
#31 0x00007f488f039785 in _gdk_event_emit (event=event@entry=0x55dbb19cc5c0) at ../../../../gdk/gdkevents.c:73
#32 0x00007f488f0993a2 in gdk_event_source_dispatch (base=<optimized out>, callback=<optimized out>, data=<optimized out>) at ../../../../../gdk/wayland/gdkeventsource.c:124
        source = <optimized out>
        display = <optimized out>
        event = 0x55dbb19cc5c0
#33 0x00007f488f5ec85b in g_main_dispatch (context=0x55dbacdb1860) at ../../../glib/gmain.c:3337
        dispatch = 0x7f488f099380 <gdk_event_source_dispatch>
        prev_source = 0x0
        begin_time_nsec = 0
        was_in_call = 0
        user_data = 0x0
        callback = 0x0
        cb_funcs = <optimized out>
        cb_data = <optimized out>
        need_destroy = <optimized out>
        source = 0x55dbacdc4020
        current = 0x55dbacd7f640
        i = 0
        __func__ = "g_main_dispatch"
#34 g_main_context_dispatch (context=0x55dbacdb1860) at ../../../glib/gmain.c:4055
#35 0x00007f488f5ecb08 in g_main_context_iterate (context=0x55dbacdb1860, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4131
        max_priority = 2147483647
        timeout = 47
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = <optimized out>
        fds = 0x55dbb16911b0
#36 0x00007f488f5ecdfb in g_main_loop_run (loop=loop@entry=0x55dbad53cc80) at ../../../glib/gmain.c:4329
        __func__ = "g_main_loop_run"
#37 0x00007f488fbbba55 in gtk_main () at ../../../../gtk/gtkmain.c:1328
        loop = 0x55dbad53cc80
#38 0x000055dbab65fec2 in main (argc=<optimized out>, argv=<optimized out>) at ./src/shell/main.c:681
        shell = 0x55dbad1b71d0 [EShell]
        settings = <optimized out>
        success = 1
        error = 0x0
Comment 1 Michael Catanzaro 2021-06-09 05:03:40 PDT
(In reply to Milan Crha from comment #0)
> Moving this from a downstream bug report:
> https://gitlab.gnome.org/GNOME/evolution/-/issues/1526
> 
> In Evolution, when a user drags a mail account node above the composer
> window, WebKitGTK crashes the application. The preview panel doesn't do
> that.

Er... where is this mail account node above the composer window? I see a combo box to select the mail account to use to send the mail, but I don't see anything draggable.

> When I try the "drag above" with the MiniBrowser, then it crashes
> regardless whether it's being in the editor mode or not.

How exactly were you able to reproduce with MiniBrowser?
Comment 2 Milan Crha 2021-06-09 05:36:14 PDT
Run:

  $ evolution -c mail

there is a side bar on the left with accounts and folders. Drag the account name, like the "On This Computer", and move the mouse above the MiniBrowser content area.
Comment 3 Michael Catanzaro 2021-06-09 12:07:42 PDT
I'm unable to reproduce. I wonder if it is X11-specific. Are you using X11?
Comment 4 Paul Wise 2021-06-09 16:45:49 PDT
I am using Wayland, haven't tried the MiniBrowser though.
Comment 5 Paul Wise 2021-06-09 16:47:53 PDT
I just tried it with the `MiniBrowser --editor-mode` and `MiniBrowser` and I don't get the crash.
Comment 6 Paul Wise 2021-06-09 16:48:51 PDT
I still do get the crash with the evolution composer window though.
Comment 7 Milan Crha 2021-06-10 01:38:33 PDT
(In reply to Michael Catanzaro from comment #3)
> I'm unable to reproduce. I wonder if it is X11-specific. Are you using X11?

Right, I'm on X11 when trying with the MiniBrowser.

I can partly confirm Paul's comments. When on Wayland, MiniBrowser doesn't crash, but for me only when it's in the --editor-mode, where I made it crash. Its console says:

   $ /usr/libexec/webkit2gtk-4.0/MiniBrowser --editor-mode

   (MiniBrowser:2130): Gdk-WARNING **: 04:36:24.066: gdkselection-wayland.c:280: error reading selection buffer: Operation was cancelled
   Aborted (core dumped)
Comment 8 Michael Catanzaro 2021-06-10 10:24:34 PDT
(In reply to Paul Wise from comment #6)
> I still do get the crash with the evolution composer window though.

OK, I see the crash when dragging "On This Computer" into the composer window.
Comment 9 Michael Catanzaro 2021-06-10 10:30:36 PDT
*** Bug 220059 has been marked as a duplicate of this bug. ***
Comment 10 Michael Catanzaro 2021-06-10 12:58:55 PDT
Created attachment 431114 [details]
Patch
Comment 11 Michael Catanzaro 2021-06-10 12:59:52 PDT
The problem is that data with zero size is indicated by -1 in the GTK 3 implementation, but the code wasn't prepared for a negative size. (The GTK 4 implementation uses unsigned integers to indicate size, and so doesn't have this problem.)
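The defect described in comment 11, reduced to its signed-to-unsigned core, as an added illustration that is not WebKit's or GTK's code: a stand-in `FakeSelectionData` struct models GTK 3's signed `length` field (where -1 means "no data"), `unsafe_size_seen_by_decoder` shows what a size_t-taking decoder receives when the value is passed through unchanged, and `drop_data_received` is the hardened receiver that rejects negative lengths before they reach unsigned arithmetic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the relevant part of GtkSelectionData.
 * GTK 3 signals an empty or failed transfer with length == -1 (a
 * signed gint), not 0.  Illustration only, not WebKit's or GTK's code. */
typedef struct {
    const unsigned char *data;
    int length;                 /* gint in GTK 3; -1 means no data */
} FakeSelectionData;

/* The unsafe pattern: the signed length is handed directly to a
 * parameter of unsigned type.  -1 silently becomes SIZE_MAX.  A UTF-8
 * decoder that validates its size argument aborts (the WTF::fromUTF8Impl
 * frame in the backtrace above); one that does not would read far past
 * the buffer.  Returns the size such a decoder would be told to trust. */
size_t unsafe_size_seen_by_decoder(const FakeSelectionData *sd)
{
    size_t size = sd->length;   /* implicit int -> size_t conversion */
    return size;
}

/* The hardened pattern: treat any negative length (and a NULL buffer) as
 * "nothing was dropped" before the value is used as a size.  Copies at
 * most out_cap-1 bytes into out and returns 1 when data was usable. */
int drop_data_received(const FakeSelectionData *sd, char *out, size_t out_cap)
{
    if (out_cap == 0)
        return 0;
    if (sd->length < 0 || sd->data == NULL) {
        out[0] = '\0';
        return 0;               /* empty drop: nothing to decode */
    }
    size_t len = (size_t)sd->length;
    if (len >= out_cap)
        len = out_cap - 1;      /* bound by the caller's buffer */
    memcpy(out, sd->data, len);
    out[len] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed inputs: a cancelled transfer and a normal text drop. */
    FakeSelectionData cancelled = { NULL, -1 };
    FakeSelectionData text = { (const unsigned char *)"On This Computer", 16 };
    char buf[32];

    printf("unsafe decoder size for cancelled drop: %zu (SIZE_MAX is %zu)\n",
           unsafe_size_seen_by_decoder(&cancelled), (size_t)SIZE_MAX);
    printf("hardened, cancelled drop: usable=%d text=\"%s\"\n",
           drop_data_received(&cancelled, buf, sizeof buf), buf);
    printf("hardened, text drop:      usable=%d text=\"%s\"\n",
           drop_data_received(&text, buf, sizeof buf), buf);
    return 0;
}
```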
Comment 12 EWS Watchlist 2021-06-10 13:01:05 PDT
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See https://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Comment 13 EWS 2021-06-11 08:00:32 PDT
Committed r278761 (238721@main): <https://commits.webkit.org/238721@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 431114 [details].