RESOLVED FIXED 194698
[GTK] Crash while filling selection data during drag and drop
https://bugs.webkit.org/show_bug.cgi?id=194698
Tomas Popela
Reported 2019-02-15 01:55:31 PST
We get these two reports in Fedora - one from Epiphany and the other one from yelp. The this@entry=0x8 seems suspicious.

Core was generated by `epiphany --application-mode --profile=/home/kusma/.config/epiphany/app-epiphany'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fd765b0398c in WTF::String::tryGetUtf8 (this=this@entry=0x8, mode=mode@entry=WTF::LenientConversion) at /usr/src/debug/webkit2gtk3-2.22.5-1.fc29.x86_64/Source/WTF/wtf/text/WTFString.cpp:843
[Current thread is 1 (Thread 0x7fd7609f7cc0 (LWP 18017))]

Thread 1 (Thread 0x7fd7609f7cc0 (LWP 18017)):
#0  0x00007fd765b0398c in WTF::String::tryGetUtf8 (this=this@entry=0x8, mode=mode@entry=WTF::LenientConversion) at /usr/src/debug/webkit2gtk3-2.22.5-1.fc29.x86_64/Source/WTF/wtf/text/WTFString.cpp:843
No locals.
#1  0x00007fd765b03a64 in WTF::String::utf8 (this=this@entry=0x8, mode=mode@entry=WTF::LenientConversion) at /usr/src/debug/webkit2gtk3-2.22.5-1.fc29.x86_64/Source/WTF/wtf/text/WTFString.cpp:854
        expectedString = {<std::experimental::fundamentals_v3::__expected_detail::base<WTF::CString, WTF::UTF8ConversionError>> = {s = {dummy = 0 '\000', val = {m_buffer = {static isRefPtr = <optimized out>, m_ptr = 0x0}}, err = WTF::UTF8ConversionError::None}, has = false}, <No data fields>}
#2  0x00007fd765b03b03 in WTF::String::utf8 (this=this@entry=0x8) at /usr/src/debug/webkit2gtk3-2.22.5-1.fc29.x86_64/Source/WTF/wtf/text/WTFString.cpp:861
No locals.
#3  0x00007fd767cff996 in WebCore::PasteboardHelper::fillSelectionData (this=<optimized out>, selection=..., info=<optimized out>, selectionData=0x7ffe54cdec30) at /usr/src/debug/webkit2gtk3-2.22.5-1.fc29.x86_64/Source/WebCore/platform/gtk/SelectionData.h:38
No locals.
Attachments
Patch (2.74 KB, patch)
2019-02-15 04:19 PST, Carlos Garcia Campos
mcatanzaro: review+
Carlos Garcia Campos
Comment 1 2019-02-15 04:16:47 PST
I can't reproduce this, but it seems that m_draggingSelectionData is nullptr in fillDragData(). That can happen when startDrag cancels a previous dnd operation, because the new m_draggingSelectionData is set before the current dnd operation is cancelled, which sets it to nullptr.
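The ordering hazard described in comment 1, modelled as an added example (not WebKit's code or the attached patch): a hypothetical DragHandler whose startDrag() either installs the new selection data before cancelling the previous drag (the sequence that leaves nullptr for fillDragData()) or cancels first and then installs it. Class and member names only mirror the discussion above.

```cpp
// Added illustration (not WebKit code): minimal model of the startDrag ordering bug.
// The classes are hypothetical stand-ins for WebKit's DragAndDropHandler/SelectionData.
#include <memory>
#include <string>
#include <utility>

struct SelectionData {
    std::string text;  // payload handed to GTK from the drag-data-get handler
};

class DragHandler {
public:
    explicit DragHandler(bool cancelBeforeAssign) : m_cancelBeforeAssign(cancelBeforeAssign) {}

    // GTK may call startDrag again while a previous DnD operation is still active.
    void startDrag(std::unique_ptr<SelectionData> data) {
        if (m_cancelBeforeAssign) {
            // Hardened ordering: tear down the old operation, then install the new data.
            cancelCurrentDrag();
            m_draggingSelectionData = std::move(data);
        } else {
            // Buggy ordering: the new data is installed first, then the cancel path of
            // the *previous* drag resets the member, leaving nullptr for fillDragData().
            m_draggingSelectionData = std::move(data);
            cancelCurrentDrag();
        }
        m_dragActive = true;
    }

    // Models the drag-data-get handler; returns false instead of dereferencing nullptr.
    bool fillDragData(std::string& out) const {
        if (!m_draggingSelectionData)
            return false;  // the reported crash dereferences here (this == 0x8)
        out = m_draggingSelectionData->text;
        return true;
    }

private:
    void cancelCurrentDrag() {
        if (!m_dragActive)
            return;
        m_dragActive = false;
        m_draggingSelectionData = nullptr;  // cleanup that runs for the old drag
    }

    bool m_cancelBeforeAssign;
    bool m_dragActive = false;
    std::unique_ptr<SelectionData> m_draggingSelectionData;
};

// Two consecutive startDrag calls, as GTK can issue them; returns whether the
// second drag's data survives to fillDragData().
bool secondDragSurvives(bool cancelBeforeAssign) {
    DragHandler handler(cancelBeforeAssign);
    handler.startDrag(std::make_unique<SelectionData>(SelectionData{"first"}));
    handler.startDrag(std::make_unique<SelectionData>(SelectionData{"second"}));
    std::string text;
    return handler.fillDragData(text) && text == "second";
}
```

With the buggy ordering the second drag's data is gone by the time GTK asks for it, which is the nullptr that the backtrace above dereferences.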
Carlos Garcia Campos
Comment 2 2019-02-15 04:19:01 PST
Michael Catanzaro
Comment 3 2019-02-15 08:23:02 PST
Comment on attachment 362110 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=362110&action=review

> Source/WebKit/ChangeLog:9
> +        I can't reproduce this, but it seems that m_draggingSelectionData is nullptr in fillDragData(). That can happen
> +        when startDrag cancels a previous DND operation, because the new m_draggingSelectionData is set before the

Ughhh. We have another bug here -- somewhere -- that's probably fixed by this. It's a frequent UI process crasher, and has been for years. I was always stumped because I didn't realize it was legal for GTK to call startDrag twice in a row like this. Reminds me to finish work on the similar load events problem we have right now.
Carlos Garcia Campos
Comment 4 2019-02-18 01:12:55 PST
Michael Catanzaro
Comment 5 2019-02-18 15:15:43 PST
(In reply to Michael Catanzaro from comment #3)
> We have another bug here -- somewhere -- that's probably fixed by this. It's
> a frequent UI process crasher, and has been for years. I was always stumped
> because I didn't realize it was legal for GTK to call startDrag twice in a
> row like this.

Just stumbled onto it: https://bugs.webkit.org/show_bug.cgi?id=168516#c7. Not clear to me if you solved it here or not.