RESOLVED FIXED 225279
[GTK] segmentation fault in WebKit::IconDatabase::loadIconForPageURL 
https://bugs.webkit.org/show_bug.cgi?id=225279
Summary [GTK] segmentation fault in WebKit::IconDatabase::loadIconForPageURL
Jim Mason
Reported 2021-05-02 08:17:38 PDT
gtk3: 3.24.11 gdk-pixbuf: 2.40.0 cairo: 1.16.0 glib2: 2.66.8 I am encountering a segmentation fault in IconDatabase::loadIconForPageURL due to dereference of a null pointer returned by NativeImage::nativeImageForCurrentFrame. This happens for certain (broken? unsupported?) icons, but not all. One such icon is the favicon for this URL: https://thomas-guettler.de/htmx-swap-err-webkit/page.html For me, entering the above URL in epiphany 40.0 elicits the seg fault. I've attached a patch which clears the issue. The patch also applies a similar null pointer check in the method setIconForPageURL. The fix assumes `nativeImageForCurrentFrame` can return null. If that method is supposed to return non-null in all cases, then there is another problem.
Attachments
Patch (2.31 KB, patch)
2021-05-02 08:19 PDT, Jim Mason 		no flags
DetailsFormatted DiffDiff
Patch (2.28 KB, patch)
2021-05-02 08:23 PDT, Jim Mason 		no flags
DetailsFormatted DiffDiff
Patch (2.35 KB, patch)
2021-05-02 09:43 PDT, Jim Mason 		no flags
DetailsFormatted DiffDiff
Patch (2.54 KB, patch)
2021-05-04 03:36 PDT, Jim Mason 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Jim Mason
Comment 1 2021-05-02 08:19:01 PDT
Created attachment 427525 [details] Patch
EWS Watchlist
Comment 2 2021-05-02 08:20:05 PDT
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See https://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Jim Mason
Comment 3 2021-05-02 08:23:29 PDT
Created attachment 427526 [details] Patch
Jim Mason
Comment 4 2021-05-02 09:43:28 PDT
Created attachment 427529 [details] Patch
Carlos Garcia Campos
Comment 5 2021-05-04 00:20:44 PDT
Comment on attachment 427529 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=427529&action=review > Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:586 > + if (nativeImage != nullptr) Do not compare to nullptr. We normally prefer the early return first and avoid the else, so this would be: if (!nativeImage) { completionHandler(nullptr); return; } addResult.iterator->value.first = nativeImage->platformImage(); > Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:626 > + auto nativeImage = image->nativeImageForCurrentFrame(); > + if (nativeImage != nullptr) And here this could be if (auto nativeImage = image->nativeImageForCurrentFrame())
Carlos Garcia Campos
Comment 6 2021-05-04 02:26:07 PDT
*** Bug 225313 has been marked as a duplicate of this bug. ***
Jim Mason
Comment 7 2021-05-04 03:11:32 PDT
Thanks for the feedback. In setIconForPageURL, I am tempted to simplify this: auto image = BitmapImage::create(); if (image->setData(SharedBuffer::create(iconData, iconDataSize), true) < EncodedDataStatus::SizeAvailable) result = false; else if (auto nativeImage = image->nativeImageForCurrentFrame()) addResult.iterator->value.first = nativeImage->platformImage(); else result = false; to something like this: RefPtr<NativeImage> nativeImage; auto image = BitmapImage::create(); if (image->setData(SharedBuffer::create(iconData, iconDataSize), true) >= EncodedDataStatus::SizeAvailable && (nativeImage = image->nativeImageForCurrentFrame())) addResult.iterator->value.first = nativeImage->platformImage(); else result = false; However, this means using RefPtr<NativeImage> instead of auto; I have doubts whether this frowned upon. Advice?
Adrian Perez
Comment 8 2021-05-04 03:14:04 PDT
(In reply to Jim Mason from comment #7) > Thanks for the feedback. > > In setIconForPageURL, I am tempted to simplify this: > > auto image = BitmapImage::create(); > if (image->setData(SharedBuffer::create(iconData, iconDataSize), true) < > EncodedDataStatus::SizeAvailable) > result = false; > else if (auto nativeImage = image->nativeImageForCurrentFrame()) > addResult.iterator->value.first = nativeImage->platformImage(); > else > result = false; > > to something like this: > > RefPtr<NativeImage> nativeImage; > auto image = BitmapImage::create(); > if (image->setData(SharedBuffer::create(iconData, iconDataSize), true) > >= EncodedDataStatus::SizeAvailable && > (nativeImage = image->nativeImageForCurrentFrame())) > addResult.iterator->value.first = nativeImage->platformImage(); > else > result = false; > > However, this means using RefPtr<NativeImage> instead of auto; I have doubts > whether this frowned upon. Advice? There are similar bits of code all around WebKit, this is fine 👌️
Jim Mason
Comment 9 2021-05-04 03:36:10 PDT
Created attachment 427648 [details] Patch
EWS
Comment 10 2021-05-04 05:38:28 PDT
Committed r276954 (237287@main): <https://commits.webkit.org/237287@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 427648 [details].
Jim Mason
Comment 11 2021-05-04 09:32:31 PDT
Fix verified in r276954.
Adrian Perez
Comment 12 2021-05-05 06:17:42 PDT
*** Bug 225348 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.