RESOLVED FIXED 142343
[GTK] [WebKit1] Crash under WebCore::ScrollView::contentsToWindow()
https://bugs.webkit.org/show_bug.cgi?id=142343
Milan Crha
Reported 2015-03-05 07:12:33 PST
Created attachment 247951 [details] reproducer (wk-crash.c)

Moving this from a downstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1198758

A user of Evolution experienced a crash with the backtrace below when selecting a certain message. I do not know how interesting this might be for you, because the crash is related to a GtkWidget plugin (a response to the "create-plugin-widget" signal of the WebKitWebView). When a widget is returned, WebKitGtk crashes. If not, or if the signal handler is not used, then it doesn't crash.

The attached is a minimal reproducer; just run it and it'll crash. The first line contains a comment with a command line to compile and run the reproducer. Valgrind claims an invalid read of size 1.

This is with webkitgtk3-2.4.8-1.fc21.

Core was generated by `evolution'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  WebCore::ScrollView::contentsToWindow (this=0x0, contentsPoint=...) at Source/WebCore/platform/ScrollView.cpp:824
824	    if (delegatesScrolling())

Thread 1 (Thread 0xb772f900 (LWP 25845)):
#0  WebCore::ScrollView::contentsToWindow (this=0x0, contentsPoint=...) at Source/WebCore/platform/ScrollView.cpp:824
        viewPoint = {m_x = 0, m_y = 0}
#1  0x4c7cb3aa in WebCore::GtkPluginWidget::frameRectsChanged (this=0xb1f00870) at Source/WebCore/platform/gtk/GtkPluginWidget.cpp:66
        rect = {m_location = {m_x = 10, m_y = 151}, m_size = {m_width = <optimized out>, m_height = <optimized out>}}
        allocation = {x = 10, y = 151, width = 0, height = 1153654784}
#2  0x4b6e5b7d in WebCore::Widget::setFrameRect (this=0xb1f00870, rect=...) at Source/WebCore/platform/gtk/WidgetGtk.cpp:110
        No locals.
#3  0x4c06c940 in WebCore::RenderWidget::setWidgetGeometry (this=this@entry=0xb1e7c960, frame=...) at Source/WebCore/rendering/RenderWidget.cpp:137
        clipRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 1235, m_height = 1563}}
        oldFrameRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}
        weakThis = {m_ref = {m_ptr = 0xb1eecd58}}
        newFrameRect = {m_location = {m_x = 10, m_y = 151}, m_size = {m_width = 1215, m_height = 0}}
#4  0x4c06d132 in WebCore::RenderWidget::updateWidgetGeometry (this=0xb1e7c960) at Source/WebCore/rendering/RenderWidget.cpp:163
        contentBox = {m_location = {m_x = {m_value = 0}, m_y = {m_value = 0}}, m_size = {m_width = {m_value = 77760}, m_height = {m_value = 0}}}
        absoluteContentBox = {m_location = {m_x = {m_value = 640}, m_y = {m_value = 9664}}, m_size = {m_width = {m_value = 77760}, m_height = {m_value = 0}}}
        this = 0xb1e7c960
#5  0x4c06db21 in WebCore::RenderWidget::setWidget (this=this@entry=0xb1e7c960, widget=...) at Source/WebCore/rendering/RenderWidget.cpp:186
        weakThis = {m_ref = {m_ptr = 0xb1eecd58}}
#6  0x4bd7944f in WebCore::SubframeLoader::loadPlugin (this=this@entry=0xb22c840, pluginElement=..., url=..., mimeType=..., paramNames=..., paramValues=..., useFallback=useFallback@entry=false) at Source/WebCore/loader/SubframeLoader.cpp:458
        renderer = 0xb1e7c960
        contentSize = {m_width = 1215, m_height = 0}
        widget = {m_ptr = 0xb1f00870}
#7  0x4bd796dc in WebCore::SubframeLoader::requestPlugin (this=0xb22c840, ownerElement=..., url=..., mimeType=..., paramNames=..., paramValues=..., useFallback=false) at Source/WebCore/loader/SubframeLoader.cpp:157
#8  0x4bd7a51a in WebCore::SubframeLoader::requestObject (this=this@entry=0xb22c840, ownerElement=..., url=..., frameName=..., mimeType=..., paramNames=..., paramValues=...) at Source/WebCore/loader/SubframeLoader.cpp:225
#9  0x4bb64490 in WebCore::HTMLPlugInImageElement::requestObject (this=this@entry=0xc1a17d0, url=..., mimeType=..., paramNames=..., paramValues=...) at Source/WebCore/html/HTMLPlugInImageElement.cpp:774
#10 0x4bb54448 in WebCore::HTMLObjectElement::updateWidget (this=0xc1a17d0, pluginCreationOption=WebCore::CreateOnlyNonNetscapePlugins) at Source/WebCore/html/HTMLObjectElement.cpp:332
#11 0x4bb62146 in WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary (this=0xc1a17d0) at Source/WebCore/html/HTMLPlugInImageElement.cpp:282
#12 0x4bb6217e in WebCore::HTMLPlugInImageElement::updateWidgetCallback (node=...) at Source/WebCore/html/HTMLPlugInImageElement.cpp:326
#13 0x4b909a99 in WebCore::ContainerNode::dispatchPostAttachCallbacks () at Source/WebCore/dom/ContainerNode.cpp:817
#14 0x4b909bdb in WebCore::ContainerNode::resumePostAttachCallbacks (document=...) at Source/WebCore/dom/ContainerNode.cpp:784
#15 0x4b922539 in ~PostAttachCallbackDisabler (this=<synthetic pointer>, __in_chrg=<optimized out>) at Source/WebCore/dom/Element.h:826
#16 WebCore::Document::recalcStyle (this=this@entry=0xb1f12a00, change=<optimized out>, change@entry=WebCore::Style::NoChange) at Source/WebCore/dom/Document.cpp:1766
#17 0x4b9235ad in WebCore::Document::updateStyleIfNeeded (this=this@entry=0xb1f12a00) at Source/WebCore/dom/Document.cpp:1802
#18 0x4b92630a in WebCore::Document::finishedParsing (this=0xb1f12a00) at Source/WebCore/dom/Document.cpp:4457
#19 0x4bb95080 in WebCore::HTMLConstructionSite::finishedParsing (this=this@entry=0xb1f0984c) at Source/WebCore/html/parser/HTMLConstructionSite.cpp:392
#20 0x4bbc6a43 in WebCore::HTMLTreeBuilder::finished (this=0xb1f09840) at Source/WebCore/html/parser/HTMLTreeBuilder.cpp:3025
#21 0x4bb9c3d4 in WebCore::HTMLDocumentParser::end (this=this@entry=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
#22 0x4bb9c420 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=this@entry=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
#23 0x4bb9fba3 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
#24 0x4bb9c4a5 in WebCore::HTMLDocumentParser::attemptToEnd (this=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
#25 0x4bb9c597 in WebCore::HTMLDocumentParser::finish (this=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:490
#26 0x4bd2cc35 in WebCore::DocumentWriter::end (this=this@entry=0xb4404054) at Source/WebCore/loader/DocumentWriter.cpp:248
#27 0x4bd21afb in WebCore::DocumentLoader::finishedLoading (this=0xb4404000, finishTime=0) at Source/WebCore/loader/DocumentLoader.cpp:440
#28 0x4bd21cca in WebCore::DocumentLoader::notifyFinished (this=0xb4404000, resource=0xb1f0fa00) at Source/WebCore/loader/DocumentLoader.cpp:374
#29 0x4bd098b1 in WebCore::CachedResource::checkNotify (this=0xb1f0fa00) at Source/WebCore/loader/cache/CachedResource.cpp:332
#30 0x4bd0878a in WebCore::CachedResource::finishLoading (this=this@entry=0xb1f0fa00) at Source/WebCore/loader/cache/CachedResource.cpp:348
#31 0x4bd05cd1 in WebCore::CachedRawResource::finishLoading (this=0xb1f0fa00, data=0xb1f0b100) at Source/WebCore/loader/cache/CachedRawResource.cpp:94
#32 0x4bd7b37a in WebCore::SubresourceLoader::didFinishLoading (this=0xb43e7580, finishTime=0) at Source/WebCore/loader/SubresourceLoader.cpp:309
#33 0x4bd7019a in WebCore::ResourceLoader::didFinishLoading (this=0xb43e7580, finishTime=0) at Source/WebCore/loader/ResourceLoader.cpp:517
#34 0x4c62c328 in WebCore::readCallback (asyncResult=0xd3d3e68, data=0xb1f0b590) at Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1339
#35 0x467e29ec in async_ready_callback_wrapper () from /lib/libgio-2.0.so.0
#36 0x4680d202 in g_task_return_now () from /lib/libgio-2.0.so.0
#37 0x4680d23c in complete_in_idle_cb () from /lib/libgio-2.0.so.0
#38 0x46623a11 in g_idle_dispatch () from /lib/libglib-2.0.so.0
#39 0x466271d3 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#40 0x46627598 in g_main_context_iterate.isra () from /lib/libglib-2.0.so.0
#41 0x46627923 in g_main_loop_run () from /lib/libglib-2.0.so.0
#42 0x49fe552d in ?? ()
#43 0x0b044110 in ?? ()
#44 0x4628be7e in __libc_start_main () from /lib/libc.so.6
#45 0x0804ae69 in _start ()
[local variable dumps for frames #7 and later omitted]
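The backtrace shows the plugin widget's frame rect being set (frames #2 and #3, via RenderWidget::setWidget) while its parent ScrollView is still null, so frameRectsChanged calls contentsToWindow on a null object. The following is an added C++ model of that ordering and of the null-parent guard; it is constructed for this page and is neither WebKit source nor the patch attached to this bug, and the names ScrollView, PluginWidget and replayCrashOrdering are assumptions.

```cpp
#include <optional>

// Constructed model of the objects in the backtrace, not WebKit source code.
// A ScrollView (the parent) maps contents coordinates to window coordinates;
// a plugin widget recomputes its GTK allocation whenever its frame rect changes.
struct IntPoint { int x = 0, y = 0; };
struct IntRect { int x = 0, y = 0, width = 0, height = 0; };

struct ScrollView {
    IntPoint scrollOffset;
    // Mirrors ScrollView::contentsToWindow (frame #0): needs a live 'this'.
    IntPoint contentsToWindow(IntPoint p) const {
        return {p.x - scrollOffset.x, p.y - scrollOffset.y};
    }
};

struct PluginWidget {
    ScrollView* parent = nullptr;        // null until attached to the hierarchy
    IntRect frameRect;
    std::optional<IntRect> allocation;   // GTK allocation last applied, if any

    // Mirrors GtkPluginWidget::frameRectsChanged (frame #1). Returns false when
    // there is no parent yet instead of dereferencing the null ScrollView.
    bool frameRectsChanged() {
        if (!parent)
            return false;                // the guard the crashing path lacked
        IntPoint origin = parent->contentsToWindow({frameRect.x, frameRect.y});
        allocation = IntRect{origin.x, origin.y, frameRect.width, frameRect.height};
        return true;
    }

    // Mirrors Widget::setFrameRect (frame #2): store the rect, then reposition.
    bool setFrameRect(IntRect r) { frameRect = r; return frameRectsChanged(); }

    // Attaching to a parent replays the positioning that was skipped earlier.
    bool setParent(ScrollView* view) { parent = view; return frameRectsChanged(); }
};

// Replays the ordering in the backtrace: the geometry (10,151 x 1215,0 from
// frame #3) is applied before the plugin widget has a parent view. Returns the
// allocation finally applied once the widget is attached, or nothing if the
// guard was bypassed.
inline std::optional<IntRect> replayCrashOrdering(ScrollView& view) {
    PluginWidget widget;
    bool placedEarly = widget.setFrameRect({10, 151, 1215, 0}); // parent still null
    if (placedEarly)
        return std::nullopt;             // must not happen: no parent to map through
    widget.setParent(&view);
    return widget.allocation;
}
```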
Attachments
reproducer (wk-crash.c) (32.35 KB, text/x-log)
2015-03-05 07:12 PST, Milan Crha
no flags
naive solution (624 bytes, patch)
2015-03-05 11:03 PST, Milan Crha
cgarcia: review+
cgarcia: commit-queue-
Milan Crha
Comment 1 2015-03-05 11:03:41 PST
Created attachment 247969 [details] naive solution

A naive solution, which fixes the crash. I didn't spot any side effects; the widget seems to be placed in the right place, thus I'd say it's also one possible solution for the crash (not only the naive solution).
WebKit Commit Bot
Comment 2 2015-03-05 11:06:38 PST
Attachment 247969 [details] did not pass style-queue: Total errors found: 0 in 0 files If any of these errors are false positives, please file a bug against check-webkit-style.
Carlos Garcia Campos
Comment 3 2015-04-07 06:26:04 PDT