Bug 289999

When loading https://www.firstalert4.com/2024/08/29/explosion-causes-manhole-covers-blow-off-north-st-louis/ the page crashed immediately with the following stack trace. Unfortunately, it is not reproducible, but fortunately the problem is clear enough: WebGeolocationClient is dereferencing its WeakPtr m_page without first checking whether it's still valid, an obvious error since using WeakPtr indicates you expect the object to be destroyed out from under you. (gdb) bt #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007fef3c89ae23 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:78 #2 0x00007fef3c84208e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007fef3c829882 in __GI_abort () at abort.c:79 #4 0x00007fef3d12fc5f in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:931 #5 0x00007fef3db4ad45 in WTF::WeakRef<WebKit::WebPage, WTF::DefaultWeakPtrImpl>::get (this=0x7fef1b1ad690) at WTF/Headers/wtf/WeakRef.h:103 #6 WebKit::WebGeolocationClient::geolocationDestroyed (this=0x7fef1b1ad680) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/WebProcess/WebCoreSupport/WebGeolocationClient.cpp:49 #7 0x00007fef3e72ee00 in WebCore::GeolocationController::~GeolocationController (this=0x7fef1b1dad80) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/Modules/geolocation/GeolocationController.cpp:56 #8 0x00007fef3e72f062 in WebCore::GeolocationController::~GeolocationController (this=0x2) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/Modules/geolocation/GeolocationController.cpp:48 #9 0x00007fef3f66f829 in std::default_delete<WebCore::Supplement<WebCore::Page> >::operator() (this=0x7fef1b1daee0, __ptr=0x2) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/14.2.0/../../../../include/c++/14.2.0/bits/unique_ptr.h:93 #10 std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > >::~unique_ptr (this=0x7fef1b1daee0) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/14.2.0/../../../../include/c++/14.2.0/bits/unique_ptr.h:398 #11 WTF::KeyValuePair<WTF::ASCIILiteral, std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > > >::~KeyValuePair (this=0x7fef1b1daed0) at WTF/Headers/wtf/KeyValuePair.h:33 #12 WTF::HashTable<WTF::ASCIILiteral, WTF::KeyValuePair<WTF::ASCIILiteral, std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ASCIILiteral, std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > > > >, WTF::DefaultHash<WTF::ASCIILiteral>, WTF::HashMap<WTF::ASCIILiteral, std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > >, WTF::DefaultHash<WTF::ASCIILiteral>, WTF::HashTraits<WTF::ASCIILiteral>, WTF::HashTraits<std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > > >, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::HashTraits<WTF::ASCIILiteral>, (WTF::ShouldValidateKey)0>::deallocateTable (table=0x7fef1b1dae70) at WTF/Headers/wtf/HashTable.h:1202 #13 WTF::HashTable<WTF::ASCIILiteral, WTF::KeyValuePair<WTF::ASCIILiteral, std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ASCIILiteral, std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > > > >, WTF::DefaultHash<WTF::ASCIILiteral>, WTF::HashMap<WTF::ASCIILiteral, std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > >, WTF::DefaultHash<WTF::ASCIILiteral>, WTF::HashTraits<WTF::ASCIILiteral>, WTF::HashTraits<std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > > >, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::HashTraits<WTF::ASCIILiteral>, (WTF::ShouldValidateKey)0>::~HashTable (this=0x7fef1a001810) at WTF/Headers/wtf/HashTable.h:429 #14 WTF::HashMap<WTF::ASCIILiteral, std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > >, WTF::DefaultHash<WTF::ASCIILiteral>, WTF::HashTraits<WTF::ASCIILiteral>, WTF::HashTraits<std::unique_ptr<WebCore::Supplement<WebCore::Page>, std::default_delete<WebCore::Supplement<WebCore::Page> > > >, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::~HashMap (this=0x7fef1a001810) at WTF/Headers/wtf/Forward.h:151 #15 WebCore::Supplementable<WebCore::Page>::~Supplementable (this=0x7fef1a001810) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/Supplementable.h:98 #16 WebCore::Page::~Page (this=0x7fef1a001800) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/Page.cpp:556 #17 0x00007fef3f518ec0 in WTF::RefCounted<WebCore::Page>::deref (this=0x7fef1a001808) at WTF/Headers/wtf/RefCounted.h:200 #18 WTF::RefCountedAndCanMakeWeakPtr<WebCore::Page>::deref (this=0x7fef1a001800) at WTF/Headers/wtf/RefCountedAndCanMakeWeakPtr.h:37 #19 WTF::DefaultRefDerefTraits<WebCore::Page>::derefIfNotNull (ptr=0x7fef1a001800) at WTF/Headers/wtf/Ref.h:62 #20 WTF::RefPtr<WebCore::Page, WTF::RawPtrTraits<WebCore::Page>, WTF::DefaultRefDerefTraits<WebCore::Page> >::~RefPtr (this=<optimized out>) at WTF/Headers/wtf/RefPtr.h:60 #21 WebCore::HistoryController::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType, WebCore::ShouldTreatAsContinuingLoad)::$_0::~$_0() (this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/HistoryController.cpp:318 #22 WTF::Detail::CallableWrapper<WebCore::HistoryController::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType, WebCore::ShouldTreatAsContinuingLoad)::$_0, void, bool>::~CallableWrapper (this=<optimized out>) at WTF/Headers/wtf/Function.h:47 #23 WTF::Detail::CallableWrapper<WebCore::HistoryController::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType, WebCore::ShouldTreatAsContinuingLoad)::$_0, void, bool>::~CallableWrapper (this=<optimized out>) at WTF/Headers/wtf/Function.h:47 #24 0x00007fef3d6c3e41 in WTF::Function<void(IPC::Decoder*)>::operator() (in=0x0, this=<optimized out>) at WTF/Headers/wtf/Function.h:82 #25 WTF::CompletionHandler<void(IPC::Decoder*)>::operator() (this=<optimized out>, in=0x0) at WTF/Headers/wtf/CompletionHandler.h:78 #26 IPC::Connection::sendMessageWithAsyncReply(WTF::UniqueRef<IPC::Encoder>&&, IPC::ConnectionAsyncReplyHandler, WTF::OptionSet<IPC::SendOption>, std::optional<WTF::Thread::QOS>)::$_0::operator()() (this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:711 #27 WTF::Detail::CallableWrapper<IPC::Connection::sendMessageWithAsyncReply(WTF::UniqueRef<IPC::Encoder>&&, IPC::ConnectionAsyncReplyHandler, WTF::OptionSet<IPC::SendOption>, std::optional<WTF::Thread::QOS>)::$_0, void>::call (this=<optimized out>) at WTF/Headers/wtf/Function.h:53 #28 0x00007fef3bf1b385 in WTF::Function<void()>::operator() (this=0x7ffc91d0b8d0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:82 #29 WTF::RunLoop::performWork (this=0x7fef1b0140e0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:147 #30 0x00007fef3bfc881d in WTF::RunLoop::RunLoop()::$_0::operator()(void*) const (userData=0x2, userData@entry=0x7fef1b0140e0, this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80 #31 WTF::RunLoop::RunLoop()::$_0::__invoke(void*) (userData=0x2) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:79 #32 0x00007fef3bfc7ab1 in WTF::RunLoop::$_0::operator() (source=0x5560a427b740, callback=0x7fef3bfc8810 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7fef1b0140e0, this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53 #33 WTF::RunLoop::$_0::__invoke (source=0x5560a427b740, callback=0x7fef3bfc8810 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7fef1b0140e0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:45 #34 0x00007fef3829ab1a in g_main_dispatch (context=context@entry=0x5560a423b9c0) at ../glib/gmain.c:3398 #35 0x00007fef3829ce37 in g_main_context_dispatch_unlocked (context=0x5560a423b9c0) at ../glib/gmain.c:4249 #36 g_main_context_iterate_unlocked (context=0x5560a423b9c0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4314 #37 0x00007fef3829d937 in g_main_loop_run (loop=0x5560a427b690) at ../glib/gmain.c:4516 #38 0x00007fef3bfc7f8d in WTF::RunLoop::run () at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:108 #39 0x00007fef3dbeae34 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run (this=0x7ffc91d0bb20, argc=<optimized out>, argv=<optimized out>) --Type <RET> for more, q to quit, c to continue without paging--c at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:77 #40 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk> (argc=4, argv=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Shared/AuxiliaryProcessMain.h:103 #41 0x00007fef3c82b188 in __libc_start_call_main (main=main@entry=0x55608cbba150 <main(int, char**)>, argc=argc@entry=4, argv=argv@entry=0x7ffc91d0bcb8) at ../sysdeps/nptl/libc_start_call_main.h:58 #42 0x00007fef3c82b24b in __libc_start_main_impl (main=0x55608cbba150 <main(int, char**)>, argc=4, argv=0x7ffc91d0bcb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc91d0bca8) at ../csu/libc-start.c:360 #43 0x000055608cbba085 in _start () at ../sysdeps/x86_64/start.S:115