199205 – [GTK] UI process crash in DrawingAreaProxyCoordinatedGraphics::waitForAndDispatchDidUpdateBackingStoreState

RESOLVED DUPLICATE of bug 199680 199205

[GTK] UI process crash in DrawingAreaProxyCoordinatedGraphics::waitForAndDispatchDidUpdateBackingStoreState

https://bugs.webkit.org/show_bug.cgi?id=199205

Summary [GTK] UI process crash in DrawingAreaProxyCoordinatedGraphics::waitForAndDisp...

Michael Catanzaro

Reported 2019-06-25 14:39:02 PDT

Created attachment 372864 [details] Backtrace UI process crash with 2.25.2 Program terminated with signal SIGSEGV, Segmentation fault. #0 std::__uniq_ptr_impl<IPC::Decoder, std::default_delete<IPC::Decoder> >::_M_ptr (this=0x30) at /usr/include/c++/8.3.0/bits/unique_ptr.h:356 356 explicit operator bool() const noexcept Truncated backtrace: #0 0x00007f1c6aa72a2c in std::__uniq_ptr_impl<IPC::Decoder, std::default_delete<IPC::Decoder> >::_M_ptr() const (this=0x30) at /usr/include/c++/8.3.0/bits/unique_ptr.h:356 #1 0x00007f1c6aa72a2c in std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >::get() const (this=0x30) at /usr/include/c++/8.3.0/bits/unique_ptr.h:343 #2 0x00007f1c6aa72a2c in std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >::operator bool() const (this=0x30) at /usr/include/c++/8.3.0/bits/unique_ptr.h:357 #3 0x00007f1c6aa72a2c in IPC::Connection::waitForMessage(IPC::StringReference, IPC::StringReference, unsigned long, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) (this=this@entry=0x7f1c642cfd00, messageReceiverName=..., messageName=..., destinationID=511, timeout=..., timeout@entry=..., waitForOptions=...) at ../Source/WebKit/Platform/IPC/Connection.cpp:520 #4 0x00007f1c6ac3828e in IPC::Connection::waitForAndDispatchImmediately<Messages::DrawingAreaProxy::DidUpdateBackingStoreState>(unsigned long, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) (waitForOptions=..., timeout=..., destinationID=<optimized out>, this=0x7f1c642cfd00) at ../Source/WebKit/Platform/IPC/StringReference.h:53 #5 0x00007f1c6ac3828e in WebKit::DrawingAreaProxyCoordinatedGraphics::waitForAndDispatchDidUpdateBackingStoreState() (this=0x55ba269a7330) at ../Source/WebKit/UIProcess/CoordinatedGraphics/DrawingAreaProxyCoordinatedGraphics.cpp:344 #6 0x00007f1c6ac3828e in WebKit::DrawingAreaProxyCoordinatedGraphics::waitForAndDispatchDidUpdateBackingStoreState() (this=0x55ba269a7330) at ../Source/WebKit/UIProcess/CoordinatedGraphics/DrawingAreaProxyCoordinatedGraphics.cpp:321 #7 0x00007f1c6ac38820 in WebKit::DrawingAreaProxyCoordinatedGraphics::paint(_cairo*, WebCore::IntRect const&, WebCore::Region&) (this=this@entry=0x55ba269a7330, context=context@entry=0x55ba24c39800, rect=..., unpaintedRegion=...) at ../Source/WebKit/UIProcess/CoordinatedGraphics/DrawingAreaProxyCoordinatedGraphics.cpp:91 #8 0x00007f1c6ac2a285 in webkitWebViewBaseDraw(GtkWidget*, cairo_t*) (widget=0x55ba2f03e830 [EphyWebView], cr=0x55ba24c39800) at ../Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:596 #9 0x00007f1c6e15a214 in gtk_widget_draw_internal (clip_to_size=1, cr=0x55ba24c39800, widget=0x55ba2f03e830 [EphyWebView]) at gtkwidget.c:7077 #10 0x00007f1c6e15a214 in gtk_widget_draw_internal (widget=widget@entry=0x55ba2f03e830 [EphyWebView], cr=cr@entry=0x55ba24c39800, clip_to_size=clip_to_size@entry=1) at gtkwidget.c:7015 Full backtrace attached

Attachments
Backtrace (26.68 KB, text/plain) 2019-06-25 14:39 PDT, Michael Catanzaro	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Michael Catanzaro

Comment 1 2019-06-25 16:05:43 PDT

Well m_waitingForMessage is invalid, but not null (this=0x30). But the local variable waitingForMessage looks fine. I *think* we can conclude that the Connection itself is invalid. DrawingAreaProxyCoordinatedGraphics should probably null-check the connection pointer before using it. Naive solution would be: if (Connection* connection = process().connection()) connection->waitForAndDispatchImmediately<Messages::DrawingAreaProxy::DidUpdateBackingStoreState>(m_identifier.toUInt64(), Seconds::fromMilliseconds(500)); And if that's not right, then at least it should ASSERT(connection) before using it.

Michael Catanzaro

Comment 2 2019-06-25 16:11:48 PDT

(In reply to Michael Catanzaro from comment #1) > Well m_waitingForMessage is invalid, but not null (this=0x30). Actually that's wrong, I'm printing it in gdb and it is actually null. It's the decoder that's 0x30. So Connection is valid, but Connection::m_waitingForMessage is null. It shouldn't be possible.

Michael Catanzaro

Comment 3 2019-06-27 07:34:21 PDT

Hm, I hit this UI process crash a second time today. I suspect a recent regression, because I've never noticed this before and UI process crashes are extremely rare nowadays.

Zan Dobersek

Comment 4 2019-07-13 04:47:26 PDT

WPE is not affected.

Carlos Garcia Campos

Comment 5 2019-07-15 06:01:51 PDT

Do you have asserts enabled?

Michael Catanzaro

Comment 6 2019-07-15 07:39:39 PDT

Nope, this is a release build.

Carlos Garcia Campos

Comment 7 2019-07-16 01:06:46 PDT

Looks like a duplicate of #199680. *** This bug has been marked as a duplicate of bug 199680 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 199680

Priority P2

Severity Major

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component WebKitGTK

Assignee

Nobody

Reported

2019-06-25 14:39 PDT

Modified

2019-07-16 01:06 PDT History

CC List

4 users Show

URL

Keywords

Depends on

Blocks