Moving this from a downstream bug report: https://gitlab.gnome.org/GNOME/evolution/-/issues/1526

In Evolution, when a user drags a mail account node above the composer window, WebKitGTK crashes the application. The preview panel doesn't do that. When I try the "drag above" with the MiniBrowser, then it crashes regardless of whether it's in the editor mode or not.

This is with evolution 3.40.1-1 (from Debian experimental), webkit 2.32.1-1 and GNOME 3.38 on Debian bullseye. (I see that with Fedora 34 and the same evo/WebKitGTK versions as well).

The downstream bug report contains a whole backtrace, with all threads, but it's too long. See it attached at the end of the description there, if needed.

#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 set = {__val = {0, 42, 834, 5, 94402006640432, 94402006649584, 139949534068928, 94401995203384, 4, 94402006649584, 4, 139949533776257, 140735894193728, 94402029678352, 94401996349664, 140735894194048}} pid = <optimized out> tid = <optimized out>
#1 0x00007f488f12b537 in __GI_abort () at abort.c:79 save_stage = 1 act = {__sigaction_handler = {sa_handler = 0x55dbae126840, sa_sigaction = 0x55dbae126840}, sa_mask = {__val = {139949533666252, 0, 0, 94401995203384, 3584923175664, 139948495672560, 94401995201360, 94402029678352, 9272222391884015360, 94401995203344, 94402006649584, 94401995203344, 94402006649584, 94402029678352, 139949533644401, 24395876352}}, sa_flags = -1700043008, sa_restorer = 0x55dbae128af0} sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f48899487a8 in WTF::fromUTF8Impl<false>(unsigned char const*, unsigned long) () at ../Source/WTF/wtf/text/WTFString.cpp:845
#3 0x00007f4889947e2e in WTF::String::fromUTF8(unsigned char const*, unsigned long) () at ../Source/WTF/wtf/text/WTFString.cpp:872
#4 0x00007f488c398df2 in WebKit::DropTarget::dataReceived(WebCore::IntPoint&&, _GtkSelectionData*, unsigned int, unsigned int) () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:185
#5 0x00007f488c398fe4 in operator() () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:85
#6 _FUN() () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:85
#7 0x00007f488fd65344 in _gtk_marshal_VOID__OBJECT_INT_INT_BOXED_UINT_UINTv (closure=closure@entry=0x55dbadf4e300, return_value=return_value@entry=0x0, instance=instance@entry=0x55dbaf21f3b0, args=args@entry=0x7fffa0fb13f8, marshal_data=marshal_data@entry=0x0, n_params=n_params@entry=6, param_types=0x55dbacdeafb0) at gtkmarshalers.c:5998 data1 = 0x55dbaf21f3b0 data2 = <optimized out> callback = 0x7f488c398f90 <_FUN()> arg0 = 0x55dbace0f010 arg1 = 0 arg2 = -1894507295 arg3 = 0x7fffa0fb1980 arg4 = 2700805552 arg5 = 2700805552 args_copy = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffa0fb1540, reg_save_area = 0x7fffa0fb1440}}
#8 0x00007f488f6e0889 in _g_closure_invoke_va (closure=closure@entry=0x55dbadf4e300, return_value=return_value@entry=0x0, instance=instance@entry=0x55dbaf21f3b0, args=args@entry=0x7fffa0fb13f8, n_params=6, param_types=0x55dbacdeafb0) at ../../../gobject/gclosure.c:873 marshal = 0x7f488fd651f0 <_gtk_marshal_VOID__OBJECT_INT_INT_BOXED_UINT_UINTv> marshal_data = 0x0 in_marshal = 0 real_closure = 0x55dbadf4e2e0 __func__ = "_g_closure_invoke_va"
#9 0x00007f488f6f8fe8 in g_signal_emit_valist (instance=instance@entry=0x55dbaf21f3b0, signal_id=signal_id@entry=114, detail=detail@entry=0, var_args=var_args@entry=0x7fffa0fb13f8) at ../../../gobject/gsignal.c:3406 return_accu = <optimized out> accu = {g_type = 0x0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} accumulator = 0x0 emission = {next = 0x7fffa0fb16f0, instance = 0x55dbaf21f3b0, ihint = {signal_id = 114, detail = 0, run_type = (G_SIGNAL_RUN_LAST | G_SIGNAL_ACCUMULATOR_FIRST_RUN)}, state = EMISSION_RUN, chain_type = 0x55dbae857d60 [EWebKitEditor/WebKitWebView/WebKitWebViewBase/GtkContainer/GtkWidget/GInitiallyUnowned]} signal_id = 114 instance_type = <optimized out> emission_return = {g_type = 0x0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} rtype = 0x4 [void] static_scope = 0 fastpath_handler = <optimized out> closure = <optimized out> run_type = <optimized out> hlist = <optimized out> l = <optimized out> fastpath = 1 instance_and_params = <optimized out> signal_return_type = <optimized out> param_values = <optimized out> node = <optimized out> i = <optimized out> n_params = <optimized out> __func__ = "g_signal_emit_valist"
#10 0x00007f488f6f93ff in g_signal_emit_by_name (instance=instance@entry=0x55dbaf21f3b0, detailed_signal=detailed_signal@entry=0x7f488fd6e6f8 "drag-data-received") at ../../../gobject/gsignal.c:3593 var_args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffa0fb1530, reg_save_area = 0x7fffa0fb1440}} detail = 0 signal_id = 114 itype = 0x55dbae857d60 [EWebKitEditor/WebKitWebView/WebKitWebViewBase/GtkContainer/GtkWidget/GInitiallyUnowned] __func__ = "g_signal_emit_by_name"
#11 0x00007f488fd35d1d in gtk_drag_selection_received (widget=0x55dbadc93a30 [GtkWindow], selection_data=0x7fffa0fb1980, time=501869454, data=0x55dbaf21f3b0) at ../../../../gtk/gtkdnd.c:1189 site = <optimized out> context = 0x55dbace0f010 [GdkWaylandDragContext] info = 0x7f2fa06bf410 drop_widget = 0x55dbaf21f3b0 [EWebKitEditor] target = 0x51
#12 0x00007f488fd62b7c in _gtk_marshal_VOID__BOXED_UINTv (closure=closure@entry=0x55dbaf775e50, return_value=return_value@entry=0x0, instance=instance@entry=0x55dbadc93a30, args=args@entry=0x7fffa0fb17f8, marshal_data=marshal_data@entry=0x0, n_params=n_params@entry=2, param_types=0x55dbace09580) at gtkmarshalers.c:3607 data1 = 0x55dbadc93a30 data2 = <optimized out> callback = 0x7f488fd35be0 <gtk_drag_selection_received> arg0 = 0x7fffa0fb1980 arg1 = 0 args_copy = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffa0fb1930, reg_save_area = 0x7fffa0fb1840}}
#13 0x00007f488f6e0889 in _g_closure_invoke_va (closure=closure@entry=0x55dbaf775e50, return_value=return_value@entry=0x0, instance=instance@entry=0x55dbadc93a30, args=args@entry=0x7fffa0fb17f8, n_params=2, param_types=0x55dbace09580) at ../../../gobject/gclosure.c:873 marshal = 0x7f488fd62ad0 <_gtk_marshal_VOID__BOXED_UINTv> marshal_data = 0x0 in_marshal = 0 real_closure = 0x55dbaf775e30 __func__ = "_g_closure_invoke_va"
#14 0x00007f488f6f8fe8 in g_signal_emit_valist (instance=instance@entry=0x55dbadc93a30, signal_id=signal_id@entry=102, detail=detail@entry=0, var_args=var_args@entry=0x7fffa0fb17f8) at ../../../gobject/gsignal.c:3406 return_accu = <optimized out> accu = {g_type = 0x0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} accumulator = 0x0 emission = {next = 0x7fffa0fb1c60, instance = 0x55dbadc93a30, ihint = {signal_id = 102, detail = 0, run_type = (G_SIGNAL_RUN_FIRST | G_SIGNAL_ACCUMULATOR_FIRST_RUN)}, state = EMISSION_RUN, chain_type = 0x55dbacdf0a70 [GtkWindow/GtkBin/GtkContainer/GtkWidget/GInitiallyUnowned]} signal_id = 102 instance_type = <optimized out> emission_return = {g_type = 0x0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} rtype = 0x4 [void] static_scope = 0 fastpath_handler = <optimized out> closure = <optimized out> run_type = <optimized out> hlist = <optimized out> l = <optimized out> fastpath = 1 instance_and_params = <optimized out> signal_return_type = <optimized out> param_values = <optimized out> node = <optimized out> i = <optimized out> n_params = <optimized out> __func__ = "g_signal_emit_valist"
#15 0x00007f488f6f93ff in g_signal_emit_by_name (instance=0x55dbadc93a30, detailed_signal=detailed_signal@entry=0x7f488fdcb20f "selection-received") at ../../../gobject/gsignal.c:3593 var_args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffa0fb1930, reg_save_area = 0x7fffa0fb1840}} detail = 0 signal_id = 102 itype = 0x55dbacdf0a70 [GtkWindow/GtkBin/GtkContainer/GtkWidget/GInitiallyUnowned] __func__ = "g_signal_emit_by_name"
#16 0x00007f488fc47b64 in gtk_selection_retrieval_report (time=501869454, length=<optimized out>, buffer=<optimized out>, format=<optimized out>, type=<optimized out>, info=0x55dbad975840) at ../../../../gtk/gtkselection.c:3079 data = {selection = 0x46, target = 0x51, type = 0x0, format = 0, data = 0x0, length = -1, display = 0x55dbacda0130 [GdkWaylandDisplay]} owner_widget = <optimized out> owner_widget_ptr = 0x55dbadc93790 selection_data = {selection = 0x46, target = 0x51, type = 0x0, format = 0, data = 0x0, length = -1, display = 0x55dbacda0130 [GdkWaylandDisplay]} info = 0x55dbad975840 tmp_list = <optimized out> owner_window = <optimized out> display = 0x55dbacda0130 [GdkWaylandDisplay] id = <optimized out> __func__ = "gtk_selection_convert"
#17 gtk_selection_convert (widget=0x55dbadc93a30 [GtkWindow], selection=0x46, target=0x51, time_=501869454) at ../../../../gtk/gtkselection.c:1172 owner_widget = <optimized out> owner_widget_ptr = 0x55dbadc93790 selection_data = {selection = 0x46, target = 0x51, type = 0x0, format = 0, data = 0x0, length = -1, display = 0x55dbacda0130 [GdkWaylandDisplay]} info = 0x55dbad975840 tmp_list = <optimized out> owner_window = <optimized out> display = 0x55dbacda0130 [GdkWaylandDisplay] id = <optimized out> __func__ = "gtk_selection_convert"
#18 0x00007f488c399837 in WebKit::DropTarget::accept(_GdkDragContext*, WTF::Optional<WebCore::IntPoint>, unsigned int) () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:140
#19 0x00007f488c399a6a in operator() () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:59
#20 _FUN() () at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:59
#25 0x00007f488f6f93ff in <emit signal 0x7f488fd9e4ad "drag-motion" on instance 0x55dbaf21f3b0 [EWebKitEditor]> (instance=instance@entry=0x55dbaf21f3b0, detailed_signal=detailed_signal@entry=0x7f488fd9e4ad "drag-motion") at ../../../gobject/gsignal.c:3593 var_args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffa0fb2010, reg_save_area = 0x7fffa0fb1f20}} detail = 0 signal_id = 111 itype = 0x55dbae857d60 [EWebKitEditor/WebKitWebView/WebKitWebViewBase/GtkContainer/GtkWidget/GInitiallyUnowned] __func__ = "g_signal_emit_by_name"
#21 0x00007f488fd5eaa7 in _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT (closure=closure@entry=0x55dbad923170, return_value=return_value@entry=0x7fffa0fb1c90, n_param_values=n_param_values@entry=5, param_values=param_values@entry=0x7fffa0fb1cf0, invocation_hint=invocation_hint@entry=0x7fffa0fb1c70, marshal_data=marshal_data@entry=0x0) at gtkmarshalers.c:826 cc = 0x55dbad923170 data1 = 0x55dbaf21f3b0 data2 = <optimized out> callback = 0x7f488c399a30 <_FUN()> v_return = <optimized out> __func__ = "_gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT"
#22 0x00007f488f6e065f in g_closure_invoke (closure=0x55dbad923170, return_value=return_value@entry=0x7fffa0fb1c90, n_param_values=5, param_values=param_values@entry=0x7fffa0fb1cf0, invocation_hint=invocation_hint@entry=0x7fffa0fb1c70) at ../../../gobject/gclosure.c:810 marshal = 0x7f488fd5ea30 <_gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT> marshal_data = 0x0 in_marshal = 0 real_closure = 0x55dbad923150 __func__ = "g_closure_invoke"
#23 0x00007f488f6f2ba2 in signal_emit_unlocked_R (node=<optimized out>, detail=detail@entry=0, instance=instance@entry=0x55dbaf21f3b0, emission_return=emission_return@entry=0x7fffa0fb1e20, instance_and_params=instance_and_params@entry=0x7fffa0fb1cf0) at ../../../gobject/gsignal.c:3812 tmp = <optimized out> handler = 0x55dbaf9b2e00 accumulator = 0x55dbace0a470 emission = {next = 0x0, instance = 0x55dbaf21f3b0, ihint = {signal_id = 111, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 0x4 [void]} class_closure = 0x55dbacd687e0 hlist = <optimized out> handler_list = <optimized out> return_accu = 0x7fffa0fb1c90 accu = {g_type = 0x14 [gboolean], data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} signal_id = 111 max_sequential_handler_number = 2726343 return_value_altered = <optimized out>
#24 0x00007f488f6f87f9 in g_signal_emit_valist (instance=instance@entry=0x55dbaf21f3b0, signal_id=signal_id@entry=111, detail=detail@entry=0, var_args=var_args@entry=0x7fffa0fb1ed8) at ../../../gobject/gsignal.c:3507 return_value = {g_type = 0x14 [gboolean], data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} error = 0x0 rtype = 0x14 [gboolean] static_scope = 0 instance_and_params = 0x7fffa0fb1cf0 signal_return_type = <optimized out> param_values = 0x7fffa0fb1d08 node = <optimized out> i = <optimized out> n_params = <optimized out> __func__ = "g_signal_emit_valist"
#26 0x00007f488fd36bea in gtk_drag_dest_motion (widget=widget@entry=0x55dbaf21f3b0 [EWebKitEditor], context=context@entry=0x55dbace0f010 [GdkWaylandDragContext], x=206, y=3, time=time@entry=501869454) at ../../../../gtk/gtkdnd.c:1572 site = 0x55dbafc1a2a0 action = <optimized out> retval = -1881198131 __func__ = "gtk_drag_dest_motion"
#27 0x00007f488fd37159 in gtk_drag_find_widget (callback=0x7f488fd36a90 <gtk_drag_dest_motion>, time=501869454, y=<optimized out>, x=<optimized out>, info=0x7f2fa06bf410, context=0x55dbace0f010 [GdkWaylandDragContext], widget=0x55dbaf21f3b0 [EWebKitEditor]) at ../../../../gtk/gtkdnd.c:1270 parent = 0x0 hierarchy = 0x55dbae94c660 = {0x55dbaf828780, 0x55dbaf7fe470, 0x55dbad83baa0, 0x55dbaf7fe9f0, 0x55dbaf243f10, 0x55dbaf21f3b0} found = 0 window = <optimized out> tx = 0 ty = 0 found = <optimized out> info = 0x7f2fa06bf410 context = 0x55dbace0f010 [GdkWaylandDragContext] __func__ = "_gtk_drag_dest_handle_event"
#28 _gtk_drag_dest_handle_event (toplevel=toplevel@entry=0x55dbaf828780 [EMsgComposer], event=event@entry=0x55dbb19cc5c0) at ../../../../gtk/gtkdnd.c:1091 window = <optimized out> tx = 0 ty = 0 found = <optimized out> info = 0x7f2fa06bf410 context = 0x55dbace0f010 [GdkWaylandDragContext] __func__ = "_gtk_drag_dest_handle_event"
#29 0x00007f488fbbc91b in gtk_main_do_event (event=0x55dbb19cc5c0) at ../../../../gtk/gtkmain.c:1938 grab_widget = <optimized out> window_group = 0x55dbb0708aa0 [GtkWindowGroup] rewritten_event = <optimized out> device = 0x55dbace0f0c0 [GdkWaylandDevice] tmp_list = <optimized out> event_widget = 0x55dbaf828780 [EMsgComposer] topmost_widget = <optimized out> __func__ = "gtk_main_do_event" __func__ = "gtk_main_do_event"
#30 gtk_main_do_event (event=<optimized out>) at ../../../../gtk/gtkmain.c:1690 __func__ = "gtk_main_do_event"
#31 0x00007f488f039785 in _gdk_event_emit (event=event@entry=0x55dbb19cc5c0) at ../../../../gdk/gdkevents.c:73
#32 0x00007f488f0993a2 in gdk_event_source_dispatch (base=<optimized out>, callback=<optimized out>, data=<optimized out>) at ../../../../../gdk/wayland/gdkeventsource.c:124 source = <optimized out> display = <optimized out> event = 0x55dbb19cc5c0
#33 0x00007f488f5ec85b in g_main_dispatch (context=0x55dbacdb1860) at ../../../glib/gmain.c:3337 dispatch = 0x7f488f099380 <gdk_event_source_dispatch> prev_source = 0x0 begin_time_nsec = 0 was_in_call = 0 user_data = 0x0 callback = 0x0 cb_funcs = <optimized out> cb_data = <optimized out> need_destroy = <optimized out> source = 0x55dbacdc4020 current = 0x55dbacd7f640 i = 0 __func__ = "g_main_dispatch"
#34 g_main_context_dispatch (context=0x55dbacdb1860) at ../../../glib/gmain.c:4055
#35 0x00007f488f5ecb08 in g_main_context_iterate (context=0x55dbacdb1860, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4131 max_priority = 2147483647 timeout = 47 some_ready = 1 nfds = <optimized out> allocated_nfds = <optimized out> fds = 0x55dbb16911b0
#36 0x00007f488f5ecdfb in g_main_loop_run (loop=loop@entry=0x55dbad53cc80) at ../../../glib/gmain.c:4329 __func__ = "g_main_loop_run"
#37 0x00007f488fbbba55 in gtk_main () at ../../../../gtk/gtkmain.c:1328 loop = 0x55dbad53cc80
#38 0x000055dbab65fec2 in main (argc=<optimized out>, argv=<optimized out>) at ./src/shell/main.c:681 shell = 0x55dbad1b71d0 [EShell] settings = <optimized out> success = 1 error = 0x0
(In reply to Milan Crha from comment #0)
> Moving this from a downstream bug report:
> https://gitlab.gnome.org/GNOME/evolution/-/issues/1526
>
> In Evolution, when a user drags a mail account node above the composer
> window, WebKitGTK crashes the application. The preview panel doesn't do
> that.

Er... where is this mail account node above the composer window? I see a combo box to select the mail account to use to send the mail, but I don't see anything draggable.

> When I try the "drag above" with the MiniBrowser, then it crashes
> regardless whether it's being in the editor mode or not.

How exactly were you able to reproduce with MiniBrowser?
Run:

$ evolution -c mail

There is a side bar on the left with accounts and folders. Drag the account name, like the "On This Computer", and move the mouse above the MiniBrowser content area.
I'm unable to reproduce. I wonder if it is X11-specific. Are you using X11?
I am using Wayland, haven't tried the MiniBrowser though.
I just tried it with the `MiniBrowser --editor-mode` and `MiniBrowser` and I don't get the crash.
I still do get the crash with the evolution composer window though.
(In reply to Michael Catanzaro from comment #3)
> I'm unable to reproduce. I wonder if it is X11-specific. Are you using X11?

Right, I'm on X11 when trying with the MiniBrowser. I can partly confirm Paul's comments. When on Wayland, MiniBrowser doesn't crash, but for me only when it's in the --editor-mode, where I made it crash. Its console says:

$ /usr/libexec/webkit2gtk-4.0/MiniBrowser --editor-mode

(MiniBrowser:2130): Gdk-WARNING **: 04:36:24.066: gdkselection-wayland.c:280: error reading selection buffer: Operation was cancelled
Aborted (core dumped)
(In reply to Paul Wise from comment #6)
> I still do get the crash with the evolution composer window though.

OK, I see the crash when dragging "On This Computer" into the composer window.
*** Bug 220059 has been marked as a duplicate of this bug. ***
Created attachment 431114
Patch
Problem is data with zero size is indicated by -1 in the GTK 3 implementation, but the code wasn't prepared for negative size. (The GTK 4 implementation uses unsigned integers to indicate size, and so doesn't have this problem.)
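The backtrace shows why a -1 length is fatal here: frame #16 already carries `length = -1` in the GtkSelectionData, and frame #4 hands it to `WTF::String::fromUTF8(const unsigned char*, unsigned long)`, whose size parameter is unsigned, so the conversion aborts in frame #2. The block below is an added example, not WebKit's or GTK's code, that models that signed-to-unsigned hazard and the check the fix needs. `FakeSelectionData`, `forwardedLength`, `looksLikeUTF8` and `dropTextFromSelection` are hypothetical names standing in for GTK 3's `GtkSelectionData` length accessor and the drop handler; the byte strings are constructed sample payloads.

```cpp
#include <climits>
#include <cstddef>
#include <optional>
#include <string>

// Hypothetical stand-in for the relevant parts of GTK 3's GtkSelectionData:
// a buffer and a *signed* length, where -1 means "no data" (for instance after
// the Wayland "error reading selection buffer" warning seen in the thread).
struct FakeSelectionData {
    const unsigned char* data;
    int length;
};

// The pattern behind the crash: a signed length is forwarded unchecked into a
// parameter of unsigned type. This returns the value such a callee would see.
unsigned long forwardedLength(const FakeSelectionData& sel)
{
    unsigned long length = sel.length; // -1 becomes ULONG_MAX, not "empty"
    return length;
}

// Structural UTF-8 check (lead byte and continuation byte shapes only; it does
// not reject overlong forms or surrogates). Used so the hardened path fails
// closed on malformed input instead of trusting whatever the drag source sent.
static bool looksLikeUTF8(const unsigned char* p, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = p[i];
        size_t extra;
        if (c < 0x80) extra = 0;
        else if ((c & 0xE0) == 0xC0) extra = 1;
        else if ((c & 0xF0) == 0xE0) extra = 2;
        else if ((c & 0xF8) == 0xF0) extra = 3;
        else return false;                   // stray continuation byte or 0xF8..0xFF
        if (extra > n - i - 1) return false; // sequence truncated at end of buffer
        for (size_t k = 1; k <= extra; ++k)
            if ((p[i + k] & 0xC0) != 0x80) return false;
        i += extra + 1;
    }
    return true;
}

// Hardened drop handler: treat a negative length (or a null buffer) as
// "no data" before any conversion to an unsigned size happens, then validate
// the bytes before building a string from them.
std::optional<std::string> dropTextFromSelection(const FakeSelectionData& sel)
{
    if (sel.length < 0 || !sel.data)
        return std::nullopt;
    size_t length = static_cast<size_t>(sel.length);
    if (!looksLikeUTF8(sel.data, length))
        return std::nullopt;
    return std::string(reinterpret_cast<const char*>(sel.data), length);
}

int main()
{
    const unsigned char text[] = "h\xC3\xA9llo";  // constructed sample drop payload
    FakeSelectionData ok{ text, sizeof(text) - 1 };
    FakeSelectionData empty{ nullptr, -1 };         // the case described in the thread
    return (dropTextFromSelection(ok) && !dropTextFromSelection(empty)) ? 0 : 1;
}
```

The same check applies to any GTK 3 signal handler that reads `gtk_selection_data_get_length()` and forwards the result: the sign test has to happen on the signed value, since once it has been converted to `size_t` or `unsigned long` there is no way to tell -1 from a huge legitimate length.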
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See https://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Committed r278761 (238721@main): <https://commits.webkit.org/238721@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 431114.