Bug 264360

Summary:	[WPE] frameDisplayed may be called after View has been deleted
Product:	WebKit	Reporter:	Yury Semikhatsky <yurys>
Component:	WPE WebKit	Assignee:	Yury Semikhatsky <yurys>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	bugs-noreply, dpino, max
Priority:	P2
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Yury Semikhatsky

Reported 2023-11-07 13:09:36 PST

We observe the following crash in Playwright: Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007fbde1311857 in WKWPE::View::View(wpe_view_backend*, API::PageConfiguration const&)::$_5::__invoke(void*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1 [Current thread is 1 (Thread 0x7fbdd9282a00 (LWP 2240445))] (gdb) bt #0 0x00007fbde1311857 in WKWPE::View::View(wpe_view_backend*, API::PageConfiguration const&)::$_5::__invoke(void*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1 #1 0x00007fbde6ddae31 in wpe_view_backend_dispatch_frame_displayed () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libwpe-1.0.so.1 #2 0x00007fbde6debe8a in ViewBackend::~ViewBackend() () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libWPEBackend-fdo-1.0.so.1 #3 0x00007fbde6deb12e in $_1::__invoke(void*) () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libWPEBackend-fdo-1.0.so.1 #4 0x00007fbde6ddab81 in wpe_view_backend_destroy () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libwpe-1.0.so.1 #5 0x00007fbde6deb012 in wpe_view_backend_exportable_fdo_destroy () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libWPEBackend-fdo-1.0.so.1 #6 0x00005644402cfe97 in WPEToolingBackends::HeadlessViewBackend::~HeadlessViewBackend() () #7 0x00007fbde13179f7 in void WTF::derefGPtr<_WebKitWebViewBackend>(_WebKitWebViewBackend*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1 #8 0x00007fbde130502d in webkit_web_view_finalize(_GObject*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1 #9 0x00007fbdda804c79 in g_object_unref () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0 #10 0x00007fbdda823514 in g_value_unset () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0 #11 0x00007fbdda816c4a in g_signal_emit_valist () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0 #12 0x00007fbdda816dee in g_signal_emit () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0 ... It turns out that View::frameDisplayed is called after the View object has been destroyed.

Attachments
Add attachment proposed patch, testcase, etc.

Yury Semikhatsky

Comment 1 2023-11-07 13:17:51 PST

Pull request: https://github.com/WebKit/WebKit/pull/20123

EWS

Comment 2 2023-11-09 17:44:04 PST

Committed 270493@main (7d464f717df9): <https://commits.webkit.org/270493@main> Reviewed commits have been landed. Closing PR #20123 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.