WebKit Bugzilla
Bug 235586 (NEW): UI process crash in WebCore::ScalableImageDecoderFrame::operator=
https://bugs.webkit.org/show_bug.cgi?id=235586
Michael Catanzaro, Reported 2022-01-25 07:40:17 PST
Moving from https://gitlab.gnome.org/GNOME/epiphany/-/issues/1684.

Reproducer: replace your Epiphany's session_state.xml with:

<?xml version="1.0"?>
<session>
  <window x="0" y="0" width="1024" height="768" is-maximized="1" is-fullscreen="0" active-tab="19">
    <embed url="https://lupyuen.github.io/pinetime-rust-mynewt/articles/wayland" title="Wayland and LVGL on PinePhone with Ubuntu Touch" loading="true" history="AgAAAAAAAAAI"/>
  </window>
</session>

Then Epiphany will crash on startup in ScalableImageDecoder. The backtrace is pretty short, so I'm going to paste it inline instead of attaching it:

#0  WebCore::ScalableImageDecoderFrame::operator=(WebCore::ScalableImageDecoderFrame const&) [clone .isra.0] (this=0x7f0884426280, other=...) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ScalableImageDecoderFrame.cpp:46
#1  0x00007f089a2959e3 in WebCore::ICOImageDecoder::decodeAtIndex(unsigned long) (index=0, this=0x7f0884492000) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:216
        dirEntry = @0x7f08844dac00: {m_size = {m_width = 196, m_height = 196}, m_bitCount = 32, m_hotSpot = {m_x = 0, m_y = 0}, m_imageOffset = 70}
        imageType = WebCore::ICOImageDecoder::PNG
#2  WebCore::ICOImageDecoder::decode(unsigned long, bool, bool) (this=0x7f0884492000, index=0, onlySize=<optimized out>, allDataReceived=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:158
#3  0x00007f089a2963f1 in WebCore::ICOImageDecoder::decode(unsigned long, bool, bool) (allDataReceived=<optimized out>, onlySize=false, index=0, this=0x7f0884492000) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ScalableImageDecoder.h:70
        buffer = 0x7f0884426280
#4  WebCore::ICOImageDecoder::frameBufferAtIndex(unsigned long) (this=0x7f0884492000, index=0) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp:101
        buffer = 0x7f0884426280
#5  0x00007f089a286f75 in WebCore::ScalableImageDecoder::createFrameImageAtIndex(unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&) (this=0x7f0884492000, index=0) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/image-decoders/ScalableImageDecoder.cpp:229
        buffer = <optimized out>
#6  0x00007f0899dd3a78 in WebCore::ImageSource::frameAtIndexCacheIfNeeded(unsigned long, WebCore::ImageFrame::Caching, std::optional<WebCore::SubsamplingLevel> const&) (this=0x7f08844316c0, index=0, caching=(unknown: 0x5e3331c8), subsamplingLevel=std::optional<WebCore::SubsamplingLevel> = {...}) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/ImageSource.cpp:462
        platformImage = {m_ptr = 0x7f0899dcbf86 <WebCore::ImageSource::growFrames()+294>}
        frame = @0x7f0884469a00: {m_decodingStatus = WebCore::DecodingStatus::Invalid, m_size = {m_width = 0, m_height = 0}, m_nativeImage = {m_ptr = 0x0}, m_subsamplingLevel = WebCore::SubsamplingLevel::First, m_decodingOptions = {m_decodingModeOrSize = {<WTF::__variant_base<WTF::Variant<WebCore::DecodingMode, std::optional<WebCore::IntSize> >, true>> = {<No data fields>}, __storage = {__head = {__val = WebCore::DecodingMode::Auto, __dummy = {<No data fields>}}, __rest = {__val = std::optional<WebCore::IntSize> [no contained value], __dummy = {<No data fields>}}}, __index = 0 '\000'}}, m_orientation = {static EXIFFirst = WebCore::ImageOrientation::OriginTopLeft, static EXIFLast = WebCore::ImageOrientation::OriginLeftBottom, static First = WebCore::ImageOrientation::FromImage, static Last = WebCore::ImageOrientation::OriginLeftBottom, m_orientation = WebCore::ImageOrientation::OriginTopLeft}, m_densityCorrectedSize = std::optional<WebCore::IntSize> [no contained value], m_duration = {m_value = 0}, m_hasAlpha = true}
        subsamplingLevelValue = WebCore::SubsamplingLevel::First
#7  0x00007f089a526735 in WebCore::ImageSource::frameAtIndexCacheIfNeeded(unsigned long, WebCore::ImageFrame::Caching, std::optional<WebCore::SubsamplingLevel> const&) (subsamplingLevel=std::optional<WebCore::SubsamplingLevel> = {...}, caching=WebCore::ImageFrame::Caching::MetadataAndImage, index=0, this=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/ImageSource.cpp:440
#8  WebCore::ImageSource::frameImageAtIndexCacheIfNeeded(unsigned long, WebCore::SubsamplingLevel) (subsamplingLevel=WebCore::SubsamplingLevel::First, index=0, this=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/ImageSource.cpp:718
#9  WebCore::BitmapImage::frameImageAtIndexCacheIfNeeded(unsigned long, WebCore::SubsamplingLevel, WebCore::GraphicsContext const*) [clone .constprop.0] (this=<optimized out>, index=0, subsamplingLevel=subsamplingLevel@entry=WebCore::SubsamplingLevel::First, targetContext=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/BitmapImage.cpp:142
#10 0x00007f0898e5bcd4 in WebCore::BitmapImage::nativeImageForCurrentFrame(WebCore::GraphicsContext const*) (targetContext=0x0, this=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebCore/platform/graphics/BitmapImage.cpp:152
        image = {m_ptr = 0x7f088441c000}
        nativeImage = {m_ptr = 0x0}
        addResult = {iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >, long, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >*, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >&>> = {<No data fields>}, m_iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >, long, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> > const*, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> > const&>> = {<No data fields>}, m_position = 0x7f08844bc0f8, m_endPosition = <optimized out>}}, isNewEntry = <optimized out>}
        icon = {m_ptr = 0x0}
#11 operator() (__closure=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:585
        image = {m_ptr = 0x7f088441c000}
        nativeImage = {m_ptr = 0x0}
        addResult = {iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >, long, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >*, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >&>> = {<No data fields>}, m_iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> >, long, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> > const*, WTF::KeyValuePair<WTF::String, std::pair<WTF::RefPtr<_cairo_surface, WTF::RawPtrTraits<_cairo_surface>, WTF::DefaultRefDerefTraits<_cairo_surface> >, WTF::MonotonicTime> > const&>> = {<No data fields>}, m_position = 0x7f08844bc0f8, m_endPosition = <optimized out>}}, isNewEntry = <optimized out>}
        icon = {m_ptr = 0x0}
#12 operator() (__closure=<optimized out>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:595
        icon = {m_ptr = 0x0}
#13 WTF::Detail::CallableWrapper<WebKit::IconDatabase::loadIconForPageURL(const WTF::String&, WebKit::IconDatabase::AllowDatabaseWrite, WTF::CompletionHandler<void(WTF::RefPtr<_cairo_surface>&&)>&&)::<lambda()> mutable::<lambda()>, void>::call(void) (this=0x7f088447a348) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/redhat-linux-build/WTF/Headers/wtf/Function.h:53
#14 0x00007f0898085bfd in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/Function.h:79
        didSuspendFunctions = false
#15 WTF::RunLoop::performWork() (this=0x7f08844f9000) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/RunLoop.cpp:133
        didSuspendFunctions = false
#16 0x00007f08980d4edd in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#17 0x00007f08980cf913 in operator() (__closure=0x0, userData=0x7f08844f9000, callback=0x7f08980d4ed0 <WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*)>, source=0x5562955ccea0) at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
        name = 0x556295640de0 "[WebKit] RunLoop work"
        runLoopSource = @0x5562955ccea0: {source = {callback_data = 0x556295684bd0, callback_funcs = 0x7f089bbea3e0 <g_source_callback_funcs>, source_funcs = 0x7f089857e4e0 <WTF::RunLoop::s_runLoopSourceFunctions>, ref_count = 3, context = 0x556295477f80, priority = 100, flags = 35, source_id = 7, poll_fds = 0x0, prev = 0x0, next = 0x0, name = 0x556295640de0 "[WebKit] RunLoop work", priv = 0x55629551d400}, runLoop = 0x7f08844f9000}
        returnValue = <optimized out>
#18 _FUN(GSource*, GSourceFunc, gpointer) () at /usr/src/debug/webkit2gtk3-2.34.1-2.fc35.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#19 0x00007f089bb06130 in g_main_dispatch (context=0x556295477f80) at ../glib/gmain.c:3381
        dispatch = 0x7f08980cf8c0 <_FUN(GSource*, GSourceFunc, gpointer)>
        prev_source = 0x0
        begin_time_nsec = 24845183386370
        was_in_call = <optimized out>
        user_data = 0x7f08844f9000
        callback = 0x7f08980d4ed0 <WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*)>
        cb_funcs = 0x7f089bbea3e0 <g_source_callback_funcs>
        cb_data = 0x556295684bd0
        need_destroy = <optimized out>
        source = 0x5562955ccea0
        current = 0x55629547a7e0
        i = 0
#20 g_main_context_dispatch (context=0x556295477f80) at ../glib/gmain.c:4099
#21 0x00007f089bb5b208 in g_main_context_iterate.constprop.0 (context=context@entry=0x556295477f80, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4175
        max_priority = 2147483647
        timeout = 168
        some_ready = 1
        nfds = 5
        allocated_nfds = 5
        fds = <optimized out>
        begin_time_nsec = 24845180922660
#22 0x00007f089bb03933 in g_main_context_iteration (context=context@entry=0x556295477f80, may_block=may_block@entry=1) at ../glib/gmain.c:4240
        retval = <optimized out>
#23 0x00007f089bd273d5 in g_application_run (application=0x5562954706a0, argc=<optimized out>, argv=<optimized out>) at ../gio/gapplication.c:2569
        arguments = 0x55629552b9e0
        status = 0
        context = 0x556295477f80
        acquired_context = <optimized out>
        __func__ = "g_application_run"
#24 0x000055629456b08b in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:431
        option_context = <optimized out>
        option_group = <optimized out>
        error = 0x0
        user_time = 24841570
        arbitrary_url = <optimized out>
        ctx = <optimized out>
        mode = <optimized out>
        status = <optimized out>
        flags = <optimized out>
        desktop_info = <optimized out>
Adrian Perez, Comment 1, 2022-06-02 01:45:55 PDT

I just ran into this today. One does not even need to use Epiphany, opening https://lupyuen.github.io/articles/zig?1 with MiniBrowser results in basically the same backtrace.
Adrian Perez, Comment 2, 2022-06-02 01:48:11 PDT

(In reply to Adrian Perez from comment #1)
> I just ran into this today. One does not even need to use Epiphany,
> opening https://lupyuen.github.io/articles/zig?1 with MiniBrowser
> results in basically the same backtrace.

The reference passed as the function argument is invalid:

(gdb) p other.m_decodingStatus
Cannot access memory at address 0x0
(gdb) p &other
$4 = (const WebCore::ScalableImageDecoderFrame *) 0x0
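Added illustration, not code from WebKit or from anyone on this bug: a reduced C++ model of the failure mode the backtrace and the gdb session above point at. A container decoder (ICO-like) asks an inner decoder (PNG-like) for its frame buffer and copy-assigns it into its own frame cache. The inner decoder's frameBufferAtIndex() returns a pointer that is null while it has nothing decodable, and dereferencing that pointer to bind the const& parameter of operator= hands the callee a null "other", which is what "p &other" printed. The callee cannot defend itself against a null reference, so the check belongs at the call site. All class and function names here (InnerDecoder, ContainerDecoder, decodeAtIndexUnchecked, decodeAtIndexChecked, the 8-byte header layout) are hypothetical stand-ins, and the sample inputs are constructed.

```cpp
// Added illustration (hypothetical stand-ins, not WebKit's classes): a container
// decoder copying a frame out of an inner decoder, unchecked vs. checked.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

struct Frame {
    bool complete = false;
    int width = 0;
    int height = 0;
};

// Inner decoder stand-in. It only reports a frame once an 8-byte header has
// been seen; before that, frameBufferAtIndex(0) returns nullptr.
class InnerDecoder {
public:
    explicit InnerDecoder(std::vector<uint8_t> data) : m_data(std::move(data)) {}

    std::size_t frameCount() const { return m_data.size() >= 8 ? 1 : 0; }

    Frame* frameBufferAtIndex(std::size_t index) {
        if (index >= frameCount())
            return nullptr;                     // nothing to hand out yet
        if (m_frames.empty())
            m_frames.resize(1);
        Frame& frame = m_frames[index];
        if (!frame.complete) {
            // Constructed header layout: bytes 4..7 hold little-endian width, height.
            frame.width = m_data[4] | (m_data[5] << 8);
            frame.height = m_data[6] | (m_data[7] << 8);
            frame.complete = true;
        }
        return &frame;
    }

private:
    std::vector<uint8_t> m_data;
    std::vector<Frame> m_frames;
};

// Container decoder stand-in holding one inner decoder per directory entry.
class ContainerDecoder {
public:
    void addEntry(std::vector<uint8_t> embeddedImage) {
        m_inner.push_back(std::make_unique<InnerDecoder>(std::move(embeddedImage)));
        m_frameCache.resize(m_inner.size());
    }

    // Unchecked pattern: a null return from the inner decoder is dereferenced to
    // bind operator='s reference parameter. Safe only when a frame is known to exist.
    bool decodeAtIndexUnchecked(std::size_t index) {
        m_frameCache[index] = *m_inner[index]->frameBufferAtIndex(0);
        return true;
    }

    // Hardened pattern: test the pointer first and record a failed decode
    // instead of crashing; callers already handle failed() decoders.
    bool decodeAtIndexChecked(std::size_t index) {
        Frame* frame = m_inner[index]->frameBufferAtIndex(0);
        if (!frame)
            return setFailed();
        m_frameCache[index] = *frame;
        return true;
    }

    bool failed() const { return m_failed; }
    const Frame& frameAt(std::size_t index) const { return m_frameCache[index]; }

private:
    bool setFailed() { m_failed = true; return false; }
    std::vector<std::unique_ptr<InnerDecoder>> m_inner;
    std::vector<Frame> m_frameCache;
    bool m_failed = false;
};

// Constructed inputs: a complete header describing 196x196 (the size in the ICO
// directory entry from the backtrace) and a truncated one.
inline std::vector<uint8_t> completeHeader() { return {0x89, 'P', 'N', 'G', 0xC4, 0x00, 0xC4, 0x00}; }
inline std::vector<uint8_t> truncatedHeader() { return {0x89, 'P', 'N'}; }

// True when the checked path decodes the complete input and rejects the
// truncated one. The unchecked path is exercised only on complete data.
bool runScenario() {
    ContainerDecoder good;
    good.addEntry(completeHeader());
    bool okChecked = good.decodeAtIndexChecked(0) && good.frameAt(0).width == 196;
    bool okUnchecked = good.decodeAtIndexUnchecked(0) && good.frameAt(0).height == 196;

    ContainerDecoder bad;
    bad.addEntry(truncatedHeader());
    bool rejected = !bad.decodeAtIndexChecked(0) && bad.failed();
    // bad.decodeAtIndexUnchecked(0) here would dereference nullptr, as in this bug.
    return okChecked && okUnchecked && rejected;
}

int main() { return runScenario() ? 0 : 1; }
```

The point of the split is where the check lives: operator= receives a reference and has no way to tell that it was bound through a null pointer, so the caller that holds the raw pointer is the only place the null case can be turned into an ordinary decode failure.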
Michael Catanzaro, Comment 3, 2024-12-22 07:15:06 PST

*** Bug 285077 has been marked as a duplicate of this bug. ***
Michael Catanzaro, Comment 4, 2024-12-22 07:15:54 PST

Bug #285077 reports this is also happening on DuckDuckGo search results, although I don't see it.
Michael Catanzaro, Comment 5, 2024-12-23 08:06:41 PST

(In reply to Michael Catanzaro from comment #4)
> Bug #285077 reports this is also happening on DuckDuckGo search results,
> although I don't see it.

Ah, it happens on the particular search results link: https://duckduckgo.com/?q=big+short+screenplay&t=epiphany