Bug 113286 - segfault in UIProcess when webprocess crash while printing
Summary: segfault in UIProcess when webprocess crash while printing
Status: UNCONFIRMED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-26 02:36 PDT by Alban Browaeys
Modified: 2017-03-11 11:03 PST (History)

See Also:


Attachments

Description Alban Browaeys 2013-03-26 02:36:10 PDT
drawPagesForPrintingCompleted dereferences wkPrintError, so a segfault ensues when the print handlers are invalidated while
a print operation is pending (i.e. the web process segfaults while printing). This happens because
the UIProcess sends endPrinting to the WebPageProxy at the end of printFrame, which calls endPrint on the WebProcess;
this frees the WebKit GTK/Unix print operation while GTK is still enumerating the printers with the handler
enumeratePrintersFunction(GtkPrinter* printer, WebPrintOperationGtkUnix* printOperation),
i.e. the print operation is still referenced by the GTK printer list and "printer-added" fires. That
will deserve another bug report, though.

The segfault happens at:
Source/WebKit2/UIProcess/API/gtk/WebKitPrintOperation.cpp:265
static void drawPagesForPrintingCompleted(WKErrorRef wkPrintError, WKErrorRef, void* context)
const WebCore::ResourceError& resourceError = toImpl(wkPrintError)->platformError();

after :
Source/WebKit2/UIProcess/GenericCallback.h:138
m_callback(0, toAPI(error.get()), context());

NB: the issue is that invalidate passes the WebKit::WebError* as the second argument and "0" as the first, while
drawPagesForPrintingCompleted uses the first argument as the error and ignores the second.
This is not that easy to fix, since WebKit::WebPageProxy::printFinishedCallback also calls
drawPagesForPrintingCompleted via:
Source/WebKit2/UIProcess/GenericCallback.h:128
performCallbackWithReturnValue(InternalReturnValueType returnValue)
 m_callback(toAPI(returnValue), 0, context());
Note that here WebKit::WebError ends up as the first argument.

I worked around this locally by changing drawPagesForPrintingCompleted (the replacement only falls back to the second argument when the first is null, so a call with both arguments null would still dereference wkPrintError) from:
"
static void drawPagesForPrintingCompleted(WKErrorRef wkPrintError, WKErrorRef, void* context)
{
    GRefPtr<WebKitPrintOperation> printOperation = adoptGRef(WEBKIT_PRINT_OPERATION(context));
    WebPageProxy* page = webkitWebViewBaseGetPage(WEBKIT_WEB_VIEW_BASE(printOperation->priv->webView));
    page->endPrinting();

    const WebCore::ResourceError& resourceError =  toImpl(wkPrintError)->platformError();
"
to:
"
static void drawPagesForPrintingCompleted(WKErrorRef wkPrintError, WKErrorRef wkInvalidateError, void* context)
{
    GRefPtr<WebKitPrintOperation> printOperation = adoptGRef(WEBKIT_PRINT_OPERATION(context));
    WebPageProxy* page = webkitWebViewBaseGetPage(WEBKIT_WEB_VIEW_BASE(printOperation->priv->webView));
    page->endPrinting();

    const WebCore::ResourceError& resourceError = (!wkPrintError  && wkInvalidateError) ? toImpl(wkInvalidateError)->platformError() 
        : toImpl(wkPrintError)->platformError();
"



#0  drawPagesForPrintingCompleted (wkPrintError=0x0, context=0x196c780)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/webkitgtk-1.11.92/Source/WebKit2/UIProcess/API/gtk/WebKitPrintOperation.cpp:260

#2  WebKit::GenericCallback<OpaqueWKError const*, WebKit::WebError*>::invalidate (this=0x7fff85cc3028)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/webkitgtk-1.11.92/Source/WebKit2/UIProcess/GenericCallback.h:137
#3  0x00007ffff4e812f5 in WebKit::invalidateCallbackMap<WTF::RefPtr<WebKit::GenericCallback<OpaqueWKError const*, WebKit::WebError*> > > (map=...)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/webkitgtk-1.11.92/Source/WebKit2/UIProcess/GenericCallback.h:249
#4  0x00007ffff4e74f5e in WebKit::WebPageProxy::processDidCrash (this=0x7fffe0456000)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/webkitgtk-1.11.92/Source/WebKit2/UIProcess/WebPageProxy.cpp:3680
#5  0x00007ffff4eb1b3a in WebKit::WebProcessProxy::didClose (this=0x7fffe0459dc0)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/webkitgtk-1.11.92/Source/WebKit2/UIProcess/WebProcessProxy.cpp:400
#6  0x00007ffff5c864c3 in operator() (this=<synthetic pointer>)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/webkitgtk-1.11.92/Source/WTF/wtf/Functional.h:704
#7  WebCore::RunLoop::performWork (this=0x7fffe0403c30)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/webkitgtk-1.11.92/Source/WebCore/platform/RunLoop.cpp:91
#8  0x00007ffff60edfe9 in WebCore::RunLoop::queueWork (runLoop=<optimized out>)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/webkitgtk-1.11.92/Source/WebCore/platform/gtk/RunLoopGtk.cpp:104
#9  0x00007ffff0ae522f in g_idle_dispatch (source=0x7fff7c003920, callback=0x7ffff60edfe0 <WebCore::RunLoop::queueWork(WebCore::RunLoop*)>, 
    user_data=0x7fffe0403c30) at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/glib/glib/gmain.c:5205
#10 0x00007ffff0ae2ad4 in g_main_dispatch (context=0x72d490) at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/glib/glib/gmain.c:3054
#11 0x00007ffff0ae382b in g_main_context_dispatch (context=0x72d490) at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/glib/glib/gmain.c:3630
#12 0x00007ffff0ae3a1d in g_main_context_iterate (context=0x72d490, block=1, dispatch=1, self=0x77e2d0)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/glib/glib/gmain.c:3701
#13 0x00007ffff0ae3ae1 in g_main_context_iteration (context=0x72d490, may_block=1)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/glib/glib/gmain.c:3762
#14 0x00007ffff1318052 in g_application_run (application=0x8ea080 [EphyShell], argc=1, argv=0x7fffffffbd08)
    at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/glib/gio/gapplication.c:1623
#15 0x00000000004339a6 in main (argc=1, argv=0x7fffffffbd08) at /home/prahal/Projects/Devel/Gnome/jhbuild/gnome/epiphany/src/ephy-main.c:472