Bug 235586 - UI process crash in WebCore::ScalableImageDecoderFrame::operator=
Summary: UI process crash in WebCore::ScalableImageDecoderFrame::operator=
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-25 07:40 PST by Michael Catanzaro
Modified: 2022-06-02 01:48 PDT
CC: 3 users

See Also:
Description Michael Catanzaro 2022-01-25 07:40:17 PST
Moving from https://gitlab.gnome.org/GNOME/epiphany/-/issues/1684. Reproducer: replace your Epiphany's session_state.xml with:

<?xml version="1.0"?>
<session>
	<window x="0" y="0" width="1024" height="768" is-maximized="1" is-fullscreen="0" active-tab="19">
		<embed url="https://lupyuen.github.io/pinetime-rust-mynewt/articles/wayland" title="Wayland and LVGL on PinePhone with Ubuntu Touch" loading="true" history="AgAAAAAAAAAI"/>
	</window>
</session>

Then Epiphany will crash on startup in ScalableImageDecoder. The backtrace is pretty short, so I'm going to paste it inline instead of attaching it:

#0  WebCore::ScalableImageDecoderFrame::operator=(WebCore::ScalableImageDecoderFrame const&) [clone .isra.0]
    (this=0x7f0884426280, other=...)
    at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ScalableImageDecoderFrame.cpp:46
#1  0x00007f089a2959e3 in WebCore::ICOImageDecoder::decodeAtIndex(unsigned long) (index=0, this=0x7f0884492000)
    at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:216
        dirEntry = 
          @0x7f08844dac00: {m_size = {m_width = 196, m_height = 196}, m_bitCount = 32, m_hotSpot = {m_x = 0, m_y = 0}, m_imageOffset = 70}
        imageType = WebCore::ICOImageDecoder::PNG
#2  WebCore::ICOImageDecoder::decode(unsigned long, bool, bool)
    (this=0x7f0884492000, index=0, onlySize=<optimized out>, allDataReceived=<optimized out>)
    at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:158
#3  0x00007f089a2963f1 in WebCore::ICOImageDecoder::decode(unsigned long, bool, bool)
    (allDataReceived=<optimized out>, onlySize=false, index=0, this=0x7f0884492000)
    at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ScalableImageDecoder.h:70
        buffer = 0x7f0884426280
#4  WebCore::ICOImageDecoder::frameBufferAtIndex(unsigned long) (this=0x7f0884492000, index=0)
    at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:101
        buffer = 0x7f0884426280
#5  0x00007f089a286f75 in WebCore::ScalableImageDecoder::createFrameImageAtIndex(unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&) (this=0x7f0884492000, index=0)
    at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ScalableImageDecoder.cpp:229
        buffer = <optimized out>
#6  0x00007f0899dd3a78 in WebCore::ImageSource::frameAtIndexCacheIfNeeded(unsigned long, WebCore::ImageFrame::Caching, std::optional<WebCore::SubsamplingLevel> const&)
    (this=0x7f08844316c0, index=0, caching=(unknown: 0x5e3331c8), subsamplingLevel=std::optional<WebCore::SubsamplingLevel> = {...}) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/ImageSource.cpp:462
        platformImage = {m_ptr = 0x7f0899dcbf86 <WebCore::ImageSource::growFrames()+294>}
        frame = 
          @0x7f0884469a00: {m_decodingStatus = WebCore::DecodingStatus::Invalid, m_size = {m_width = 0, m_height = 0}, m_nativeImage = {m_ptr = 0x0}, m_subsamplingLevel = WebCore::SubsamplingLevel::First, m_decodingOptions = {m_decodingModeOrSize = {<WTF::__variant_base<WTF::Variant<WebCore::DecodingMode, std::optional<WebCore::IntSize> >, true>> = {<No data fields>}, __storage = {__head = {__val = WebCore::DecodingMode::Auto, __dummy = {<No data fields>}}, __rest = {__val = std::optional<WebCore::IntSize> [no contained value], __dummy = {<No data fields>}}}, __index = 0 '\000'}}, m_orientation = {static EXIFFirst = WebCore::ImageOrientation::OriginTopLeft, static EXIFLast = WebCore::ImageOrientation::OriginLeftBottom, static First = WebCore::ImageOrientation::FromImage, static Last = WebCore::ImageOrientation::OriginLeftBottom, m_orientation = WebCore::ImageOrientation::OriginTopLeft}, m_densityCorrectedSize = std::optional<WebCore::IntSize> [no contained value], m_duration = {m_value = 0}, m_hasAlpha = true}
        subsamplingLevelValue = WebCore::SubsamplingLevel::First
#7  0x00007f089a526735 in WebCore::ImageSource::frameAtIndexCacheIfNeeded(unsigned long, WebCore::ImageFrame::Caching, std::optional<WebCore::SubsamplingLevel> const&)
    (subsamplingLevel=std::optional<WebCore::SubsamplingLevel> = {...}, caching=WebCore::ImageFrame::Caching::MetadataAndImage, index=0, this=<optimized out>)
    at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/ImageSource.cpp:440
#8  WebCore::ImageSource::frameImageAtIndexCacheIfNeeded(unsigned long, WebCore::SubsamplingLevel)
    (subsamplingLevel=WebCore::SubsamplingLevel::First, index=0, this=<optimized out>)
    at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/ImageSource.cpp:718
#9  WebCore::BitmapImage::frameImageAtIndexCacheIfNeeded(unsigned long, WebCore::SubsamplingLevel, WebCore::GraphicsContext const*) [clone .constprop.0] (this=<optimized out>, index=0, subsamplingLevel=subsamplingLevel@entry=WebCore::SubsamplingLevel::First, targetContext=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/BitmapImage.cpp:142
#10 0x00007f0898e5bcd4 in WebCore::BitmapImage::nativeImageForCurrentFrame(WebCore::GraphicsContext const*) (targetContext=0x0, this=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/BitmapImage.cpp:152
        image = {m_ptr = 0x7f088441c000}
        nativeImage = {m_ptr = 0x0}
        addResult = {iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >, long, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >*, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >&>> = {<No data fields>}, m_iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >, long, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> > const*, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> > const&>> = {<No data fields>}, m_position = 0x7f08844bc0f8, m_endPosition = <optimized out>}}, isNewEntry = <optimized out>}
        icon = {m_ptr = 0x0}
#11 operator() (__closure=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:585
        image = {m_ptr = 0x7f088441c000}
        nativeImage = {m_ptr = 0x0}
        addResult = {iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >, long, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >*, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >&>> = {<No data fields>}, m_iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >, long, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> > const*, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> > const&>> = {<No data fields>}, m_position = 0x7f08844bc0f8, m_endPosition = <optimized out>}}, isNewEntry = <optimized out>}
        icon = {m_ptr = 0x0}
#12 operator() (__closure=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:595
        icon = {m_ptr = 0x0}
#13 WTF::Detail::CallableWrapper<WebKit::IconDatabase::loadIconForPageURL(const WTF::String&, WebKit::IconDatabase::AllowDatabaseWrite, WTF::CompletionHandler<void(WTF::RefPtr<_cairo_surface>&&)>&&)::<lambda()> mutable::<lambda()>, void>::call(void) (this=0x7f088447a348) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/redhat-linux-build/WTF/Headers/wtf/Function.h:53
#14 0x00007f0898085bfd in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/Function.h:79
        didSuspendFunctions = false
#15 WTF::RunLoop::performWork() (this=0x7f08844f9000) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/RunLoop.cpp:133
        didSuspendFunctions = false
#16 0x00007f08980d4edd in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#17 0x00007f08980cf913 in operator() (__closure=0x0, userData=0x7f08844f9000, callback=0x7f08980d4ed0 <WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*)>, source=0x5562955ccea0) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
        name = 0x556295640de0 "[WebKit] RunLoop work"
        runLoopSource = @0x5562955ccea0: {source = {callback_data = 0x556295684bd0, callback_funcs = 0x7f089bbea3e0 <g_source_callback_funcs>, source_funcs = 0x7f089857e4e0 <WTF::RunLoop::s_runLoopSourceFunctions>, ref_count = 3, context = 0x556295477f80, priority = 100, flags = 35, source_id = 7, poll_fds = 0x0, prev = 0x0, next = 0x0, name = 0x556295640de0 "[WebKit] RunLoop work", priv = 0x55629551d400}, runLoop = 0x7f08844f9000}
        returnValue = <optimized out>
#18 _FUN(GSource*, GSourceFunc, gpointer) () at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#19 0x00007f089bb06130 in g_main_dispatch (context=0x556295477f80) at ../glib/gmain.c:3381
        dispatch = 0x7f08980cf8c0 <_FUN(GSource*, GSourceFunc, gpointer)>
        prev_source = 0x0
        begin_time_nsec = 24845183386370
        was_in_call = <optimized out>
        user_data = 0x7f08844f9000
        callback = 0x7f08980d4ed0 <WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*)>
        cb_funcs = 0x7f089bbea3e0 <g_source_callback_funcs>
        cb_data = 0x556295684bd0
        need_destroy = <optimized out>
        source = 0x5562955ccea0
        current = 0x55629547a7e0
        i = 0
#20 g_main_context_dispatch (context=0x556295477f80) at ../glib/gmain.c:4099
#21 0x00007f089bb5b208 in g_main_context_iterate.constprop.0 (context=context@entry=0x556295477f80, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4175
        max_priority = 2147483647
        timeout = 168
        some_ready = 1
        nfds = 5
        allocated_nfds = 5
        fds = <optimized out>
        begin_time_nsec = 24845180922660
#22 0x00007f089bb03933 in g_main_context_iteration (context=context@entry=0x556295477f80, may_block=may_block@entry=1) at ../glib/gmain.c:4240
        retval = <optimized out>
#23 0x00007f089bd273d5 in g_application_run (application=0x5562954706a0, argc=<optimized out>, argv=<optimized out>) at ../gio/gapplication.c:2569
        arguments = 0x55629552b9e0
        status = 0
        context = 0x556295477f80
        acquired_context = <optimized out>
        __func__ = "g_application_run"
#24 0x000055629456b08b in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:431
        option_context = <optimized out>
        option_group = <optimized out>
        error = 0x0
        user_time = 24841570
        arbitrary_url = <optimized out>
        ctx = <optimized out>
        mode = <optimized out>
        status = <optimized out>
        flags = <optimized out>
        desktop_info = <optimized out>
Comment 1 Adrian Perez 2022-06-02 01:45:55 PDT
I just ran into this today. One does not even need to use Epiphany,
opening https://lupyuen.github.io/articles/zig?1 with MiniBrowser
results in basically the same backtrace.
Comment 2 Adrian Perez 2022-06-02 01:48:11 PDT
(In reply to Adrian Perez from comment #1)
> I just ran into this today. One does not even need to use Epiphany,
> opening https://lupyuen.github.io/articles/zig?1 with MiniBrowser
> results in basically the same backtrace.

The reference passed as the function argument is invalid:

(gdb) p other.m_decodingStatus
Cannot access memory at address 0x0
(gdb) p &other
$4 = (const WebCore::ScalableImageDecoderFrame *) 0x0
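The gdb output above shows the defect class rather than its root cause: `&other` is null, so a null pointer was dereferenced to form the `const ScalableImageDecoderFrame&` argument, and the first member read inside `operator=` faults. The following is an added illustration of that pattern and the usual fix, written for this report; it is not WebKit code, and every name in it (`Frame`, `InnerDecoder`, `frameAt`, `copyFrameUnchecked`, `copyFrameChecked`, the "fewer than 8 bytes means decode failure" rule) is a constructed stand-in for the real decoder classes in the backtrace.

```cpp
// Added example, not WebKit code. Models a container decoder copying a frame
// out of an inner decoder that can fail and return nullptr for the frame.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <utility>
#include <vector>

// Hypothetical decoded frame (stand-in for the real frame type).
struct Frame {
    int width = 0;
    int height = 0;
    std::vector<uint32_t> pixels;   // width * height BGRA pixels
};

// Hypothetical inner decoder: returns a pointer to its frame, or nullptr when
// the embedded image cannot be decoded (truncated data, bad header, ...).
class InnerDecoder {
public:
    explicit InnerDecoder(std::vector<uint8_t> data) : m_data(std::move(data)) {}

    Frame* frameAt(size_t index) {
        // Constructed failure rule: only frame 0 exists and we need 8 bytes.
        if (index != 0 || m_data.size() < 8)
            return nullptr;
        m_frame.width = m_data[0];
        m_frame.height = m_data[1];
        m_frame.pixels.assign(size_t(m_frame.width) * size_t(m_frame.height), 0xFFFFFFFFu);
        return &m_frame;
    }

private:
    std::vector<uint8_t> m_data;
    Frame m_frame;
};

// Unchecked pattern: dereferencing the pointer without a null test forms a
// "null reference" that is then handed to Frame::operator=. That is undefined
// behaviour and in practice faults on the first member read inside operator=,
// which is the shape of the crash in the backtrace above.
void copyFrameUnchecked(Frame& dst, InnerDecoder& inner) {
    dst = *inner.frameAt(0);   // faults when frameAt() returned nullptr
}

// Checked pattern: test the pointer before forming the reference and report
// the failure so the caller can mark the outer frame as failed instead.
bool copyFrameChecked(Frame& dst, InnerDecoder& inner) {
    Frame* src = inner.frameAt(0);
    if (!src)
        return false;
    dst = *src;
    return true;
}

// Small wrappers that run the checked path on constructed input and return
// observable results: width of the copied frame, or -1 when decoding failed.
int checkedWidth(std::vector<uint8_t> data) {
    InnerDecoder inner(std::move(data));
    Frame out;
    return copyFrameChecked(out, inner) ? out.width : -1;
}

size_t checkedPixelCount(std::vector<uint8_t> data) {
    InnerDecoder inner(std::move(data));
    Frame out;
    return copyFrameChecked(out, inner) ? out.pixels.size() : 0;
}

int main() {
    // Constructed inputs: a decodable 4x2 image and a truncated 3-byte blob.
    std::cout << "complete:  width=" << checkedWidth({4, 2, 0, 0, 0, 0, 0, 0}) << '\n';
    std::cout << "truncated: width=" << checkedWidth({4, 2, 0}) << " (decode failed)\n";
    return 0;
}
```

The point of the checked variant is that the inner decoder's failure is turned into a return value the caller must handle, so a truncated or malformed embedded image degrades to a failed frame rather than a crash of the UI process.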