Bug 213885 - REGRESSION(r262680): [GTK] Crash in WebKit::DropTarget::didPerformAction
Summary: REGRESSION(r262680): [GTK] Crash in WebKit::DropTarget::didPerformAction
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-02 08:22 PDT by Michael Catanzaro
Modified: 2020-07-07 06:57 PDT
CC List: 5 users

See Also:


Attachments
Patch (1.96 KB, patch)
2020-07-07 06:30 PDT, Carlos Garcia Campos
mcatanzaro: review+

Description Michael Catanzaro 2020-07-02 08:22:36 PDT
I habitually click and drag text. This has long sometimes caused WebKit to crash (bug #190787, which I've never been able to figure out), but now we have a new crash as well:

(gdb) bt full
#0  0x00007fb3fab2ba15 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = 
            {__val = {0, 140410885067625, 93841847900496, 93842098070624, 0, 16, 140732286382400, 140410986429520, 140732286382616, 140732286382592, 0, 93842095324864, 140732286382464, 140410928956517, 93841852346096, 1}}
        pid = <optimized out>
        tid = <optimized out>
#1  0x00007fb3fab14855 in __GI_abort () at abort.c:79
        save_stage = 1
        act = 
          {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {140404907110656, 140732286382816, 140732286382656, 1, 140410926886456, 0, 0, 0, 0, 4294967296, 93841848715248, 93841848715424, 93842096080304, 1, 140410986544751, 0}}, sa_flags = -1119520440, sa_restorer = 0x0}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007fb3f75b9305 in WTF::Optional<WebCore::DragOperation>::operator*() & (this=<synthetic pointer>)
    at DerivedSources/ForwardingHeaders/wtf/Optional.h:534
        page = <optimized out>
        operation = <optimized out>
#3  0x00007fb3f75b9305 in WebKit::DropTarget::didPerformAction() (this=0x7fb2bd457948)
    at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:220
        page = <optimized out>
        operation = <optimized out>
#4  0x00007fb3f76b70a8 in IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&), std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect>, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&), std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect>&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>)
    (args=..., function=
    (void (WebKit::WebPageProxy::*)(class WebKit::WebPageProxy * const, class WTF::Optional<WebCore::DragOperation>, enum WebCore::DragHandlingMethod, bool, unsigned int, const class WebCore::IntRect &, const class WebCore::IntRect &)) 0x7fb3f7972e90 <WebKit::WebPageProxy::didPerformDragControllerAction(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)>, object=0x7fb3e8051b00)
    at DerivedSources/ForwardingHeaders/wtf/Optional.h:386
        arguments = 
                    {<WTF::constexpr_Optional_base<std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect> >> = {init_ = true, storage_ = {dummy_ = 0 '\000', value_ = std::tuple containing = {[1] = {<WTF::constexpr_Optional_base<WebCore::DragOperation>> = {init_ = false, storage_ = {dummy_ = 1 '\001', value_ = WebCore::DragOperation::Copy}}, <No data fields>}, [2] = WebCore::DragHandlingMethod::EditPlainText, [3] = false, [4] = 0, [5] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}, [6] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}}}}, <No data fields>}
#5  0x00007fb3f76b70a8 in IPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&), std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect>, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul> >(std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect>&&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)) (function=
    (void (WebKit::WebPageProxy::*)(class WebKit::WebPageProxy * const, class WTF::Optional<WebCore::DragOperation>, enum WebCore::DragHandlingMethod, bool, unsigned int, const class WebCore::IntRect &, const class WebCore::IntRect &)) 0x7fb3f7972e90 <WebKit::WebPageProxy::didPerformDragControllerAction(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)>, object=0x7fb3e8051b00, args=...) at ../Source/WebKit/Platform/IPC/HandleMessage.h:47
        arguments = 
                    {<WTF::constexpr_Optional_base<std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect> >> = {init_ = true, storage_ = {dummy_ = 0 '\000', value_ = std::tuple containing = {[1] = {<WTF::constexpr_Optional_base<WebCore::DragOperation>> = {init_ = false, storage_ = {dummy_ = 1 '\001', value_ = WebCore::DragOperation::Copy}}, <No data fields>}, [2] = WebCore::DragHandlingMethod::EditPlainText, [3] = false, [4] = 0, [5] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}, [6] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}}}}, <No data fields>}
#6  0x00007fb3f76b70a8 in IPC::handleMessage<Messages::WebPageProxy::DidPerformDragControllerAction, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)>(IPC::Decoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)) (decoder=..., object=object@entry=0x7fb3e8051b00, function=(void (WebKit::WebPageProxy::*)(class WebKit::WebPageProxy * const, class WTF::Optional<WebCore::DragOperation>, enum WebCore::DragHandlingMethod, bool, unsigned int, const class WebCore::IntRect &, const class WebCore::IntRect &)) 0x7fb3f7972e90 <WebKit::WebPageProxy::didPerformDragControllerAction(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)>) at ../Source/WebKit/Platform/IPC/HandleMessage.h:114
        arguments = {<WTF::constexpr_Optional_base<std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect> >> = {init_ = true, storage_ = {dummy_ = 0 '\000', value_ = std::tuple containing = {[1] = {<WTF::constexpr_Optional_base<WebCore::DragOperation>> = {init_ = false, storage_ = {dummy_ = 1 '\001', value_ = WebCore::DragOperation::Copy}}, <No data fields>}, [2] = WebCore::DragHandlingMethod::EditPlainText, [3] = false, [4] = 0, [5] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}, [6] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}}}}, <No data fields>}
#7  0x00007fb3f7698a2c in WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x7fb3e8051b00, connection=..., decoder=...) at DerivedSources/WebKit/WebPageProxyMessageReceiver.cpp:1553
        protectedThis = {static isRef = <optimized out>, m_ptr = 0x7fb3e8051b00}
#8  0x00007fb3f78b13a9 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (this=this@entry=0x7fb3e825c370, connection=..., decoder=...) at ../Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:123
        messageReceiver = <optimized out>
#9  0x00007fb3f7939add in WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&) (this=this@entry=0x7fb3e825c340, connection=..., decoder=...) at ../Source/WebKit/UIProcess/AuxiliaryProcessProxy.cpp:209
#10 0x00007fb3f79836c7 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x7fb3e825c340, connection=..., decoder=...) at ../Source/WebKit/UIProcess/WebProcessProxy.cpp:772
#11 0x00007fb3f78ab98d in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7fb2bd473300, message=std::unique_ptr<class IPC::Decoder> = {...}) at /usr/include/c++/10.1.0/bits/unique_ptr.h:420
        isDispatchingMessageWhileWaitingForSyncReply = <optimized out>
        oldDidReceiveInvalidMessage = false
#12 0x00007fb3f78ac189 in IPC::Connection::dispatchIncomingMessages() (this=0x7fb2bd473300) at /usr/include/c++/10.1.0/bits/unique_ptr.h:171
        message = std::unique_ptr<class IPC::Decoder> = {get() = 0x0}
        messagesToProcess = 0
        __func__ = "dispatchIncomingMessages"
#13 0x00007fb3f6bb78e9 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Vector.h:341
        function = {m_callableWrapper = std::unique_ptr<class WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7fb29072d330}}
        functionsHandled = 0
        functionsToHandle = 1
        didSuspendFunctions = false
#14 0x00007fb3f6bb78e9 in WTF::RunLoop::performWork() (this=0x7fb3f01f9000) at ../Source/WTF/wtf/RunLoop.cpp:140
        function = {m_callableWrapper = std::unique_ptr<class WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7fb29072d330}}
        functionsHandled = 0
        functionsToHandle = 1
        didSuspendFunctions = false
#15 0x00007fb3f6c0558d in operator() (userData=<optimized out>, __closure=0x0) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#16 0x00007fb3f6c0558d in _FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#17 0x00007fb3fae87e6f in g_main_dispatch (context=0x555941fdac20) at ../glib/gmain.c:3322
        dispatch = 0x7fb3f6c055a0 <_FUN(GSource*, GSourceFunc, gpointer)>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7fb3f01f9000
        callback = 0x7fb3f6c05580 <_FUN(gpointer)>
        cb_funcs = <optimized out>
        cb_data = 0x5559420f5180
        need_destroy = <optimized out>
        source = 0x5559420a7f50
        current = 0x555941fe3950
        i = 0
        __func__ = "g_main_dispatch"
#18 0x00007fb3fae87e6f in g_main_context_dispatch (context=0x555941fdac20) at ../glib/gmain.c:3987
#19 0x00007fb3fae88218 in g_main_context_iterate (context=context@entry=0x555941fdac20, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4060
        max_priority = 2147483647
        timeout = 39
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = <optimized out>
        fds = 0x555950d6b3b0
#20 0x00007fb3fae882e3 in g_main_context_iteration (context=context@entry=0x555941fdac20, may_block=may_block@entry=1) at ../glib/gmain.c:4121
        retval = <optimized out>
#21 0x00007fb3fb0ab7cd in g_application_run (application=0x555942290230 [EphyShell], argc=-907004380, argv=<optimized out>) at ../gio/gapplication.c:2559
        arguments = 0x5559420e92a0
        status = 0
        context = 0x555941fdac20
        acquired_context = <optimized out>
        __func__ = "g_application_run"
#22 0x0000555940ea10b3 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:432
        option_context = <optimized out>
        option_group = <optimized out>
        error = 0x0
        user_time = 202242
        arbitrary_url = <optimized out>
        ctx = <optimized out>
        mode = <optimized out>
        status = <optimized out>
        flags = <optimized out>
        desktop_info = <optimized out>
Comment 1 Michael Catanzaro 2020-07-02 10:36:52 PDT
The problem is that m_operation is not engaged (i.e. is not set), which causes the Optional to RELEASE_ASSERT() when it is dereferenced.

I haven't looked at this long enough to know if it's correct, but:

    if ((!operation && !m_operation) || *operation == *m_operation)

The crash would surely not occur if this were an || check:

    if (!operation || !m_operation || *operation == *m_operation)

That said, it looks like m_operation is not needed at all in the GTK 3 case. It can probably just be removed?
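The comparison quoted in the comment above, as an added example that is not WebKit's code: std::optional stands in for WTF::Optional, DragOperation is a stand-in enum, and the three sameOperation* functions and checkedDeref are hypothetical names. The RELEASE_ASSERT that WTF::Optional::operator* performs on a disengaged value is modelled as a thrown exception so that the failure can be observed in-process instead of aborting. The example shows that the original check dereferences whenever exactly one of the two optionals is disengaged, that the || variant never dereferences, and that comparing the optionals themselves is a third option that also never dereferences. Since the message that reaches this check comes from the web process over IPC (frames #4 to #7 in the trace), an assertion here brings down the UI process rather than the web process.

```cpp
// Added example; not WebKit code. std::optional stands in for WTF::Optional,
// and the enum and function names below are hypothetical stand-ins.
#include <iostream>
#include <optional>
#include <stdexcept>

enum class DragOperation { None, Copy, Link, Move };

using OptOp = std::optional<DragOperation>;

// Models WTF::Optional::operator*, which RELEASE_ASSERTs when the value is
// disengaged. A throw replaces the abort so the test harness can observe it.
const DragOperation& checkedDeref(const OptOp& opt)
{
    if (!opt)
        throw std::logic_error("dereferenced disengaged Optional");
    return *opt;
}

// The check as quoted in Comment 1. The && term only short-circuits when BOTH
// sides are disengaged, so "exactly one disengaged" reaches the dereference.
bool sameOperationBuggy(OptOp operation, OptOp m_operation)
{
    if ((!operation && !m_operation) || checkedDeref(operation) == checkedDeref(m_operation))
        return true;
    return false;
}

// The || variant proposed in Comment 1: any disengaged side counts as "same",
// and the dereferences are only reached when both sides are engaged.
bool sameOperationProposed(OptOp operation, OptOp m_operation)
{
    if (!operation || !m_operation || checkedDeref(operation) == checkedDeref(m_operation))
        return true;
    return false;
}

// Comparing the optionals themselves: disengaged == disengaged is true,
// engaged == engaged compares the payloads, mixed is false. Never dereferences.
bool sameOperationSafe(OptOp operation, OptOp m_operation)
{
    return operation == m_operation;
}

using Check = bool (*)(OptOp, OptOp);

// Returns true if the given check "crashes" (throws, in this model) on (a, b).
bool crashes(Check check, OptOp a, OptOp b)
{
    try {
        check(a, b);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

int main()
{
    // Constructed inputs: the mixed case is the one the drag from nautilus hits.
    const OptOp unset = std::nullopt;
    const OptOp copy = DragOperation::Copy;
    std::cout << "buggy, mixed:    crashes=" << crashes(sameOperationBuggy, unset, copy) << "\n";
    std::cout << "proposed, mixed: crashes=" << crashes(sameOperationProposed, unset, copy)
              << " result=" << sameOperationProposed(unset, copy) << "\n";
    std::cout << "safe, mixed:     crashes=" << crashes(sameOperationSafe, unset, copy)
              << " result=" << sameOperationSafe(unset, copy) << "\n";
    return 0;
}
```

The proposed || form and the optional-equality form disagree on the mixed case (the former reports "same", the latter "different"); which one is wanted depends on what DropTarget does after the check, which this bug does not show.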
Comment 2 Michael Catanzaro 2020-07-03 08:15:40 PDT
OK, I found a reproducer. Drag any file from nautilus into the web view. Crash.
Comment 3 Carlos Garcia Campos 2020-07-07 06:30:19 PDT
Created attachment 403681
Patch
Comment 4 Carlos Garcia Campos 2020-07-07 06:57:47 PDT
Committed r264016: <https://trac.webkit.org/changeset/264016>