Bug 142343 - [GTK] [WebKit1] Crash under WebCore::ScrollView::contentsToWindow()
Summary: [GTK] [WebKit1] Crash under WebCore::ScrollView::contentsToWindow()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 420+
Hardware: Unspecified Unspecified
Importance: P2 Critical
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-05 07:12 PST by Milan Crha
Modified: 2015-04-07 06:26 PDT
CC List: 4 users

See Also:


Attachments
reproducer (wk-crash.c) (32.35 KB, text/x-log)
2015-03-05 07:12 PST, Milan Crha
no flags
naive solution (624 bytes, patch)
2015-03-05 11:03 PST, Milan Crha
cgarcia: review+
cgarcia: commit-queue-

Description Milan Crha 2015-03-05 07:12:33 PST
Created attachment 247951 [details]
reproducer (wk-crash.c)

Moving this from a downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1198758

A user of Evolution experienced a crash with the backtrace below when selecting a certain message. I do not know how interesting this might be for you, because the crash is related to a GtkWidget plugin (a response to the "create-plugin-widget" signal of the WebKitWebView). When a widget is returned, WebKitGtk crashes. If not, or if the signal handler is not used, then it doesn't crash.

Attached is a minimal reproducer; just run it and it will crash. The first line contains a comment with a command line to compile and run the reproducer. Valgrind reports an invalid read of size 1.

This is with webkitgtk3-2.4.8-1.fc21.

Core was generated by `evolution'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  WebCore::ScrollView::contentsToWindow (this=0x0, contentsPoint=...) at Source/WebCore/platform/ScrollView.cpp:824
824	    if (delegatesScrolling())

Thread 1 (Thread 0xb772f900 (LWP 25845)):
#0  WebCore::ScrollView::contentsToWindow (this=0x0, contentsPoint=...) at Source/WebCore/platform/ScrollView.cpp:824
        viewPoint = {m_x = 0, m_y = 0}
#1  0x4c7cb3aa in WebCore::GtkPluginWidget::frameRectsChanged (this=0xb1f00870) at Source/WebCore/platform/gtk/GtkPluginWidget.cpp:66
        rect = {m_location = {m_x = 10, m_y = 151}, m_size = {m_width = <optimized out>, m_height = <optimized out>}}
        allocation = {x = 10, y = 151, width = 0, height = 1153654784}
#2  0x4b6e5b7d in WebCore::Widget::setFrameRect (this=0xb1f00870, rect=...) at Source/WebCore/platform/gtk/WidgetGtk.cpp:110
No locals.
#3  0x4c06c940 in WebCore::RenderWidget::setWidgetGeometry (this=this@entry=0xb1e7c960, frame=...) at Source/WebCore/rendering/RenderWidget.cpp:137
        clipRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 1235, m_height = 1563}}
        oldFrameRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}
        weakThis = {m_ref = {m_ptr = 0xb1eecd58}}
        newFrameRect = {m_location = {m_x = 10, m_y = 151}, m_size = {m_width = 1215, m_height = 0}}
#4  0x4c06d132 in WebCore::RenderWidget::updateWidgetGeometry (this=0xb1e7c960) at Source/WebCore/rendering/RenderWidget.cpp:163
        contentBox = {m_location = {m_x = {m_value = 0}, m_y = {m_value = 0}}, m_size = {m_width = {m_value = 77760}, m_height = {m_value = 0}}}
        absoluteContentBox = {m_location = {m_x = {m_value = 640}, m_y = {m_value = 9664}}, m_size = {m_width = {m_value = 77760}, m_height = {m_value = 0}}}
        this = 0xb1e7c960
#5  0x4c06db21 in WebCore::RenderWidget::setWidget (this=this@entry=0xb1e7c960, widget=...) at Source/WebCore/rendering/RenderWidget.cpp:186
        weakThis = {m_ref = {m_ptr = 0xb1eecd58}}
#6  0x4bd7944f in WebCore::SubframeLoader::loadPlugin (this=this@entry=0xb22c840, pluginElement=..., url=..., mimeType=..., paramNames=..., paramValues=..., useFallback=useFallback@entry=false) at Source/WebCore/loader/SubframeLoader.cpp:458
        renderer = 0xb1e7c960
        contentSize = {m_width = 1215, m_height = 0}
        widget = {m_ptr = 0xb1f00870}
#7  0x4bd796dc in WebCore::SubframeLoader::requestPlugin (this=0xb22c840, ownerElement=..., url=..., mimeType=..., paramNames=..., paramValues=..., useFallback=false) at Source/WebCore/loader/SubframeLoader.cpp:157
        useFallback = false
        paramValues = @0xbfddbfc0: {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e600, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
        mimeType = @0xbfddbfb0: {m_impl = {m_ptr = 0xb43ecbd0}}
        url = @0xbfddbe9c: {m_string = {m_impl = {m_ptr = 0xb1f0a7c0}}, m_isValid = true, m_protocolIsInHTTPFamily = false, m_schemeEnd = 4, m_userStart = 7, m_userEnd = 7, m_passwordEnd = 7, m_hostEnd = 12, m_portEnd = 12, m_pathAfterLastSlash = 18, m_pathEnd = 41, m_queryEnd = 41, m_fragmentEnd = 41}
        this = 0xb22c840
        paramNames = @0xbfddbfb4: {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e700, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
        ownerElement = @0xc1a17d0: {<WebCore::HTMLPlugInElement> = {<WebCore::HTMLFrameOwnerElement> = {<WebCore::HTMLElement> = {<WebCore::StyledElement> = {<WebCore::Element> = {<WebCore::ContainerNode> = {<WebCore::Node> = {<WebCore::EventTarget> = {_vptr.EventTarget = 0x4d281dc8 <vtable for WebCore::HTMLObjectElement+8>}, <WebCore::ScriptWrappable> = {m_wrapper = {m_impl = 0x0}}, <WebCore::TreeShared<WebCore::Node>> = {m_refCount = 4}, m_nodeFlags = 1057054, m_parentNode = 0xdae4080, m_treeScope = 0xb1f0e42c, m_previous = 0xbb3fc50, m_next = 0xdc54500, m_data = {m_renderer = 0xb1e7c960, m_rareData = 0xb1e7c960}}, m_firstChild = 0x0, m_lastChild = 0x0}, m_tagName = {m_impl = 0xb43daf60}, m_elementData = {m_ptr = 0xb2a073a8}}, <No data fields>}, <No data fields>}, m_contentFrame = 0x0, m_sandboxFlags = 0}, m_inBeforeLoadEventHandler = false, m_instance = {m_ptr = 0x0}, m_swapRendererTimer = {<WebCore::TimerBase> = {_vptr.TimerBase = 0x4d256220 <vtable for WebCore::Timer<WebCore::HTMLPlugInElement>+8>, m_nextFireTime = 0, m_unalignedNextFireTime = 0, m_repeatInterval = 0, m_heapIndex = -1, m_heapInsertionOrder = 1, m_cachedThreadGlobalTimerHeap = 0x0}, m_function = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 8, static _M_max_align = 4, _M_functor = {_M_unused = {_M_object = 0xd826478, _M_const_object = 0xd826478, _M_function_pointer = 0xd826478, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0xd826478}, _M_pod_data = "xd\202\r\000\000\000"}, _M_manager = 0x4bb5f3d0 <std::_Function_base::_Base_manager<std::_Bind<std::_Mem_fn<void (WebCore::HTMLPlugInElement::*)(WebCore::Timer<WebCore::HTMLPlugInElement>&)> (WebCore::HTMLPlugInElement*, std::reference_wrapper<WebCore::Timer<WebCore::HTMLPlugInElement> >)> >::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation)>}, _M_invoker = 0x4bb5f470 <std::_Function_handler<void (), 
std::_Bind<std::_Mem_fn<void (WebCore::HTMLPlugInElement::*)(WebCore::Timer<WebCore::HTMLPlugInElement>&)> (WebCore::HTMLPlugInElement*, std::reference_wrapper<WebCore::Timer<WebCore::HTMLPlugInElement> >)> >::_M_invoke(std::_Any_data const&)>}}, m_pluginReplacement = {m_ptr = 0x0}, m_NPObject = 0x0, m_isCapturingMouseEvents = false, m_displayState = WebCore::HTMLPlugInElement::Playing}, m_imageLoader = {m_ptr = 0x0}, m_serviceType = {m_impl = {m_ptr = 0xb43ecbd0}}, m_url = {m_impl = {m_ptr = 0xb443e990}}, m_loadedUrl = {m_string = {m_impl = {m_ptr = 0xb1f0a7c0}}, m_isValid = true, m_protocolIsInHTTPFamily = false, m_schemeEnd = 4, m_userStart = 7, m_userEnd = 7, m_passwordEnd = 7, m_hostEnd = 12, m_portEnd = 12, m_pathAfterLastSlash = 18, m_pathEnd = 41, m_queryEnd = 41, m_fragmentEnd = 41}, m_needsWidgetUpdate = false, m_shouldPreferPlugInsForImages = false, m_needsDocumentActivationCallbacks = true, m_pendingClickEventFromSnapshot = {m_ptr = 0x0}, m_simulatedMouseClickTimer = {<WebCore::TimerBase> = {_vptr.TimerBase = 0x4d256238 <vtable for WebCore::DeferrableOneShotTimer<WebCore::HTMLPlugInImageElement>+8>, m_nextFireTime = 0, m_unalignedNextFireTime = 0, m_repeatInterval = 0, m_heapIndex = -1, m_heapInsertionOrder = 194433464, m_cachedThreadGlobalTimerHeap = 0x0}, m_object = 0xc1a17d0, m_function = (void (WebCore::HTMLPlugInImageElement::*)(WebCore::HTMLPlugInImageElement * const, WebCore::DeferrableOneShotTimer<WebCore::HTMLPlugInImageElement> &)) 0x4bb609d0 <WebCore::HTMLPlugInImageElement::simulatedMouseClickTimerFired(WebCore::DeferrableOneShotTimer<WebCore::HTMLPlugInImageElement>&)>, m_delay = 0.75, m_shouldRestartWhenTimerFires = false}, m_removeSnapshotTimer = {<WebCore::TimerBase> = {_vptr.TimerBase = 0x4d256250 <vtable for WebCore::Timer<WebCore::HTMLPlugInImageElement>+8>, m_nextFireTime = 0, m_unalignedNextFireTime = 0, m_repeatInterval = 0, m_heapIndex = -1, m_heapInsertionOrder = 2147483648, m_cachedThreadGlobalTimerHeap = 0x0}, m_function = 
{<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 8, static _M_max_align = 4, _M_functor = {_M_unused = {_M_object = 0xb3383b8, _M_const_object = 0xb3383b8, _M_function_pointer = 0xb3383b8, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0xb3383b8}, _M_pod_data = "\270\203\063\v\000\000\000"}, _M_manager = 0x4bb64640 <std::_Function_base::_Base_manager<std::_Bind<std::_Mem_fn<void (WebCore::HTMLPlugInImageElement::*)(WebCore::Timer<WebCore::HTMLPlugInImageElement>&)> (WebCore::HTMLPlugInImageElement*, std::reference_wrapper<WebCore::Timer<WebCore::HTMLPlugInImageElement> >)> >::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation)>}, _M_invoker = 0x4bb646e0 <std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (WebCore::HTMLPlugInImageElement::*)(WebCore::Timer<WebCore::HTMLPlugInImageElement>&)> (WebCore::HTMLPlugInImageElement*, std::reference_wrapper<WebCore::Timer<WebCore::HTMLPlugInImageElement> >)> >::_M_invoke(std::_Any_data const&)>}}, m_snapshotImage = {m_ptr = 0x0}, m_createdDuringUserGesture = false, m_isRestartedPlugin = false, m_needsCheckForSizeChange = false, m_plugInWasCreated = true, m_deferredPromotionToPrimaryPlugIn = false, m_sizeWhenSnapshotted = {m_width = 0, m_height = 0}, m_snapshotDecision = WebCore::HTMLPlugInImageElement::NeverSnapshot}
#8  0x4bd7a51a in WebCore::SubframeLoader::requestObject (this=this@entry=0xb22c840, ownerElement=..., url=..., frameName=..., mimeType=..., paramNames=..., paramValues=...) at Source/WebCore/loader/SubframeLoader.cpp:225
        success = <optimized out>
        completedURL = {m_string = {m_impl = {m_ptr = 0xb1f0a7c0}}, m_isValid = true, m_protocolIsInHTTPFamily = false, m_schemeEnd = 4, m_userStart = 7, m_userEnd = 7, m_passwordEnd = 7, m_hostEnd = 12, m_portEnd = 12, m_pathAfterLastSlash = 18, m_pathEnd = 41, m_queryEnd = 41, m_fragmentEnd = 41}
        hasFallbackContent = false
        useFallback = false
#9  0x4bb64490 in WebCore::HTMLPlugInImageElement::requestObject (this=this@entry=0xc1a17d0, url=..., mimeType=..., paramNames=..., paramValues=...) at Source/WebCore/html/HTMLPlugInImageElement.cpp:774
        loader = @0xb22c840: {m_containsPlugins = false, m_frame = @0xb43e0e00}
        paramValues = @0xbfddbfc0: {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e600, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
        mimeType = @0xbfddbfb0: {m_impl = {m_ptr = 0xb43ecbd0}}
        url = @0xbfddbfac: {m_impl = {m_ptr = 0xb443e990}}
        this = 0xc1a17d0
        paramNames = @0xbfddbfb4: {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e700, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
#10 0x4bb54448 in WebCore::HTMLObjectElement::updateWidget (this=0xc1a17d0, pluginCreationOption=WebCore::CreateOnlyNonNetscapePlugins) at Source/WebCore/html/HTMLObjectElement.cpp:332
        url = {m_impl = {m_ptr = 0xb443e990}}
        serviceType = {m_impl = {m_ptr = 0xb43ecbd0}}
        paramValues = {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e600, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
        protect = {m_ptr = 0xc1a17d0}
        beforeLoadAllowedLoad = <optimized out>
        success = true
        paramNames = {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e700, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
#11 0x4bb62146 in WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary (this=0xc1a17d0) at Source/WebCore/html/HTMLPlugInImageElement.cpp:282
        this = 0xc1a17d0
#12 0x4bb6217e in WebCore::HTMLPlugInImageElement::updateWidgetCallback (node=...) at Source/WebCore/html/HTMLPlugInImageElement.cpp:326
No locals.
#13 0x4b909a99 in WebCore::ContainerNode::dispatchPostAttachCallbacks () at Source/WebCore/dom/ContainerNode.cpp:817
        info = <optimized out>
        callback = <optimized out>
        params = {first = {m_ptr = 0xc1a17d0}, second = <optimized out>}
        i = 5
#14 0x4b909bdb in WebCore::ContainerNode::resumePostAttachCallbacks (document=...) at Source/WebCore/dom/ContainerNode.cpp:784
        protect = {m_ptr = 0xb1f12a00}
#15 0x4b922539 in ~PostAttachCallbackDisabler (this=<synthetic pointer>, __in_chrg=<optimized out>) at Source/WebCore/dom/Element.h:826
No locals.
#16 WebCore::Document::recalcStyle (this=this@entry=0xb1f12a00, change=<optimized out>, change@entry=WebCore::Style::NoChange) at Source/WebCore/dom/Document.cpp:1766
        disabler = {m_document = @0xb1f12a00}
        suspendWidgetHierarchyUpdates = {static s_widgetHierarchyUpdateSuspendCount = 0}
        repaintRegionAccumulator = {m_rootView = 0xb2af4960, m_wasAccumulatingRepaintRegion = false}
        cookie = {m_instrumentingAgents = {m_ptr = 0x0}, m_timelineAgentId = 0}
#17 0x4b9235ad in WebCore::Document::updateStyleIfNeeded (this=this@entry=0xb1f12a00) at Source/WebCore/dom/Document.cpp:1802
        animationUpdateBlock = <optimized out>
#18 0x4b92630a in WebCore::Document::finishedParsing (this=0xb1f12a00) at Source/WebCore/dom/Document.cpp:4457
        f = {m_ptr = 0xb449e000}
#19 0x4bb95080 in WebCore::HTMLConstructionSite::finishedParsing (this=this@entry=0xb1f0984c) at Source/WebCore/html/parser/HTMLConstructionSite.cpp:392
No locals.
#20 0x4bbc6a43 in WebCore::HTMLTreeBuilder::finished (this=0xb1f09840) at Source/WebCore/html/parser/HTMLTreeBuilder.cpp:3025
No locals.
#21 0x4bb9c3d4 in WebCore::HTMLDocumentParser::end (this=this@entry=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
No locals.
#22 0x4bb9c420 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=this@entry=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
No locals.
#23 0x4bb9fba3 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
        protect = {m_ptr = 0xb444f800}
#24 0x4bb9c4a5 in WebCore::HTMLDocumentParser::attemptToEnd (this=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
        this = 0xb444f800
#25 0x4bb9c597 in WebCore::HTMLDocumentParser::finish (this=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:490
No locals.
#26 0x4bd2cc35 in WebCore::DocumentWriter::end (this=this@entry=0xb4404054) at Source/WebCore/loader/DocumentWriter.cpp:248
        protect = {m_ptr = 0xb449e000}
#27 0x4bd21afb in WebCore::DocumentLoader::finishedLoading (this=0xb4404000, finishTime=0) at Source/WebCore/loader/DocumentLoader.cpp:440
        protect = {m_ptr = 0xb4404000}
        responseEndTime = 898606.09792700002
#28 0x4bd21cca in WebCore::DocumentLoader::notifyFinished (this=0xb4404000, resource=0xb1f0fa00) at Source/WebCore/loader/DocumentLoader.cpp:374
No locals.
#29 0x4bd098b1 in WebCore::CachedResource::checkNotify (this=0xb1f0fa00) at Source/WebCore/loader/cache/CachedResource.cpp:332
        w = {m_clientSet = @0xb1f0fa04, m_clientVector = {<WTF::VectorBuffer<WebCore::CachedResourceClient*, 0u>> = {<WTF::VectorBufferBase<WebCore::CachedResourceClient*>> = {m_buffer = 0xb1eec8b8, m_capacity = 2, m_size = 1}, <No data fields>}, <No data fields>}, m_index = 1}
#30 0x4bd0878a in WebCore::CachedResource::finishLoading (this=this@entry=0xb1f0fa00) at Source/WebCore/loader/cache/CachedResource.cpp:348
No locals.
#31 0x4bd05cd1 in WebCore::CachedRawResource::finishLoading (this=0xb1f0fa00, data=0xb1f0b100) at Source/WebCore/loader/cache/CachedRawResource.cpp:94
        protect = {<WebCore::CachedResourceHandleBase> = {m_resource = 0xb1f0fa00}, <No data fields>}
        dataBufferingPolicy = WebCore::BufferData
#32 0x4bd7b37a in WebCore::SubresourceLoader::didFinishLoading (this=0xb43e7580, finishTime=0) at Source/WebCore/loader/SubresourceLoader.cpp:309
        protect = {m_ptr = 0xb43e7580}
        protectResource = {<WebCore::CachedResourceHandleBase> = {m_resource = 0xb1f0fa00}, <No data fields>}
#33 0x4bd7019a in WebCore::ResourceLoader::didFinishLoading (this=0xb43e7580, finishTime=0) at Source/WebCore/loader/ResourceLoader.cpp:517
No locals.
#34 0x4c62c328 in WebCore::readCallback (asyncResult=0xd3d3e68, data=0xb1f0b590) at Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1339
        handle = {m_ptr = 0xb1f0b590}
        bytesRead = 0
        d = 0xb1ec9c00
        error = {m_ptr = 0x0}
        currentPosition = <optimized out>
        encodedDataLength = <optimized out>
#35 0x467e29ec in async_ready_callback_wrapper () from /lib/libgio-2.0.so.0
No symbol table info available.
#36 0x4680d202 in g_task_return_now () from /lib/libgio-2.0.so.0
No symbol table info available.
#37 0x4680d23c in complete_in_idle_cb () from /lib/libgio-2.0.so.0
No symbol table info available.
#38 0x46623a11 in g_idle_dispatch () from /lib/libglib-2.0.so.0
No symbol table info available.
#39 0x466271d3 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
No symbol table info available.
#40 0x46627598 in g_main_context_iterate.isra () from /lib/libglib-2.0.so.0
No symbol table info available.
#41 0x46627923 in g_main_loop_run () from /lib/libglib-2.0.so.0
No symbol table info available.
#42 0x49fe552d in ?? ()
No symbol table info available.
#43 0x0b044110 in ?? ()
No symbol table info available.
#44 0x4628be7e in __libc_start_main () from /lib/libc.so.6
No symbol table info available.
#45 0x0804ae69 in _start ()
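What the backtrace shows, read from the bottom up, is that the plugin widget's frame rect is set (frame #2, Widget::setFrameRect) while the plugin is still being attached (frames #5 and #6, RenderWidget::setWidget from SubframeLoader::loadPlugin); frameRectsChanged (frame #1) then converts the widget location to window coordinates through the root ScrollView, and that root pointer is null, hence `this=0x0` in ScrollView::contentsToWindow (frame #0). The C++ below is an added illustration of that failure mode and of the defensive shape a fix takes; it is not WebKit code, not the attached "naive solution" patch, and not the change in the committed changeset. The types `Widget`, `ScrollView`, `IntPoint`, `IntRect` and the functions `positionPluginUnguarded` / `positionPluginGuarded` are a hypothetical toy model; the scroll offset (5, 7) is constructed, while the frame location {10, 151} is the value visible in frame #1.

```cpp
// Added example (not WebKit code): a toy model of the Widget -> ScrollView
// relationship seen in the backtrace. All type and function names are hypothetical.
#include <cstdio>

struct IntPoint { int x; int y; };
struct IntRect { IntPoint location; int width; int height; };

struct ScrollView;

struct Widget {
    ScrollView* parentView = nullptr;  // null while the widget is not attached to a view
    IntRect frame{};
    ScrollView* root() const;          // outermost ScrollView, or null when detached
};

struct ScrollView : Widget {
    IntPoint scrollOffset{};
    // Contents -> window conversion. It reads members through `this`, so calling it
    // via a null pointer is the "this=0x0" crash in frame #0 of the backtrace.
    IntPoint contentsToWindow(IntPoint p) const {
        return { p.x - scrollOffset.x, p.y - scrollOffset.y };
    }
};

ScrollView* Widget::root() const {
    ScrollView* top = nullptr;
    for (ScrollView* p = parentView; p; p = p->parentView)
        top = p;
    return top;
}

// Shape of the failing call chain (frames #2 -> #1 -> #0): the plugin widget's frame
// rect changes and its location is converted to window coordinates through the root
// view, which is simply assumed to exist.
IntPoint positionPluginUnguarded(const Widget& plugin) {
    return plugin.root()->contentsToWindow(plugin.frame.location);  // null deref if detached
}

// Hardened shape: a widget with no root view has nothing to be positioned against,
// so report that to the caller and dereference nothing.
bool positionPluginGuarded(const Widget& plugin, IntPoint* windowPoint) {
    ScrollView* root = plugin.root();
    if (!root)
        return false;
    *windowPoint = root->contentsToWindow(plugin.frame.location);
    return true;
}

// Constructed scenario: a root view scrolled by (5, 7) owning a plugin widget whose
// frame location {10, 151} matches frame #1 of the backtrace.
static void buildAttached(ScrollView& root, Widget& plugin) {
    root.scrollOffset = {5, 7};
    plugin.parentView = &root;
    plugin.frame = {{10, 151}, 1215, 0};
}

IntPoint attachedPluginWindowPoint() {
    ScrollView root;
    Widget plugin;
    buildAttached(root, plugin);
    IntPoint p{};
    positionPluginGuarded(plugin, &p);
    return p;  // {5, 144}
}

IntPoint attachedPluginWindowPointUnguarded() {
    ScrollView root;
    Widget plugin;
    buildAttached(root, plugin);
    return positionPluginUnguarded(plugin);  // also {5, 144}: safe only because a root exists
}

// Constructed scenario: the same plugin widget before any view owns it, which is the
// state the backtrace shows when setFrameRect runs from RenderWidget::setWidget.
bool detachedPluginIsSkipped() {
    Widget plugin;
    plugin.frame = {{10, 151}, 1215, 0};
    IntPoint p{};
    return !positionPluginGuarded(plugin, &p);  // true: no root, nothing dereferenced
}

int main() {
    IntPoint p = attachedPluginWindowPoint();
    std::printf("attached: window point = (%d, %d)\n", p.x, p.y);
    std::printf("detached: skipped = %s\n", detachedPluginIsSkipped() ? "yes" : "no");
    return 0;
}
```

The point of the guarded variant is that "not attached yet" is a legitimate intermediate state during plugin creation, not an error, so the caller gets a false return rather than a null dereference; a later frame-rect update, once the widget has a root, positions it normally.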
Comment 1 Milan Crha 2015-03-05 11:03:41 PST
Created attachment 247969 [details]
naive solution

A naive solution, which fixes the crash. I didn't spot any side effects; the widget seems to be placed in the right place, thus I'd say it's also one possible solution for the crash (not only the naive solution).
Comment 2 WebKit Commit Bot 2015-03-05 11:06:38 PST
Attachment 247969 [details] did not pass style-queue:


Total errors found: 0 in 0 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Carlos Garcia Campos 2015-04-07 06:26:04 PDT
Committed: <http://trac.webkit.org/changeset/182470>