WebKit Bugzilla
RESOLVED DUPLICATE of bug 238429
Bug 241954
[GTK] Segfault in firstChild when clicking on a pull request on GitHub while logged in
https://bugs.webkit.org/show_bug.cgi?id=241954
antoyo
Reported
2022-06-23 20:55:20 PDT
Hi.

Reproduction steps:
* Login to GitHub in Epiphany
* Navigate to https://github.com/GNOME/gtk/pulls?q=is:pr+is:closed
* Click on a PR link.
* The page crashes with the message: "Something went wrong while displaying this page. Please reload or visit a different page to continue."

It reproduces 100% of the time (assuming you are logged in; when logged out, the problem doesn't happen).

Here's the stacktrace:

Core was generated by `/usr/lib/webkit2gtk-4.0/WebKitWebProcess 16 32'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 WebCore::ContainerNode::firstChild() const () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/ContainerNode.h:43
#1 WebCore::RenderFileUploadControl::uploadButton() const () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/RenderFileUploadControl.cpp:246
#2 WebCore::RenderFileUploadControl::updateFromElement() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/RenderFileUploadControl.cpp:78
#3 0x00007f0137fbfe36 in WebCore::HTMLFormControlElement::didAttachRenderers() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/html/HTMLFormControlElement.cpp:215
#4 WebCore::HTMLInputElement::didAttachRenderers() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/html/HTMLInputElement.cpp:875
#5 0x00007f01386a48b6 in WebCore::RenderTreeUpdater::updateAfterDescendants(WebCore::Element&, WebCore::Style::ElementUpdates const*) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:272
#6 WebCore::RenderTreeUpdater::popParent() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:237
#7 0x00007f01386a4cb8 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:250
#8 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:158
#9 0x00007f0137e0206b in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:125
#10 WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:113
#11 WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:1983
#12 0x00007f0137e02b0b in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2087
#13 0x00007f0137e03545 in WebCore::Document::updateStyleIfNeeded() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2182
#14 0x00007f0137e03729 in WebCore::Document::updateLayout() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2203
#15 0x00007f0138b301b5 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) [clone .constprop.0] () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2229
#16 0x00007f0137e254b2 in WebCore::Element::offsetParent() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Element.cpp:1322
#17 WebCore::Element::offsetParentForBindings() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Element.cpp:1312
#18 0x00007f0137599361 in jsHTMLElement_offsetParentGetter () at /usr/src/debug/build/WebCore/DerivedSources/JSHTMLElement.cpp:4105
#19 get<WebCore::jsHTMLElement_offsetParentGetter, (WebCore::CastedThisErrorBehavior)3> () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/bindings/js/JSDOMAttribute.h:88
#20 jsHTMLElement_offsetParent() () at /usr/src/debug/build/WebCore/DerivedSources/JSHTMLElement.cpp:4110
#21 0x00007f0135531c58 in JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/runtime/PropertySlot.cpp:47
#22 0x00007f013528b64e in JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/runtime/PropertySlot.h:408
#23 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1021
#24 performLLIntGetByID() () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:814
#25 0x00007f013528c443 in llint_slow_path_get_by_id() () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:888
#26 0x00007f01349569a8 in llint_op_get_by_id () at /usr/lib/libjavascriptcoregtk-4.0.so.18
#27 0xfffe000000000002 in ()
#28 0x00007f00d7fff1d8 in ()
#29 0x00007fff2da790b0 in ()
#30 0x00007f01349697a9 in op_call_slow_return_location () at /usr/lib/libjavascriptcoregtk-4.0.so.18
#31 0x0000000000000000 in ()

Thanks to fix this issue.
antoyo
Comment 1
2022-06-23 21:01:17 PDT
Epiphany version: Web 42.2
Webkit2gtk version: webkit2gtk-4.1 2.36.3-1
Leonardo Taccari
Comment 2
2022-06-24 06:48:22 PDT
I'm seeing that too with WebKitGTK 2.36.3 on NetBSD (not 100% reproducible but happens very often). Possible interesting data point: this started only recently (less than 24 hours ago, i.e. probably since today (2022-06-24)) so I think that some github.com change started triggering that.
Fujii Hironori
Comment 3
2022-06-28 13:43:48 PDT
*** Bug 242066 has been marked as a duplicate of this bug. ***
Sergio Villar Senin
Comment 4
2022-08-01 13:15:08 PDT
I hit this constantly as well, seems weird that only GTK is affected.
Adrian Perez
Comment 5
2022-08-04 05:36:12 PDT
I've done a bisection to find the commit which fixed this issue, because it is not a problem anymore in ToT. After some churning, the patch from bug #238429 seems to fix this in my limited testing. I am doing now a release build with the patch applied on top of the 2.36 branch to use it for a few hours to be completely certain before closing this bug :)
Leonardo Taccari
Comment 6
2022-08-04 06:48:26 PDT
Wow, great catch! Thank you Adrian!
Xi Ruoyao
Comment 7
2022-08-04 07:35:05 PDT
Can we merge the patch for 2.36.6 then?
Adrian Perez
Comment 8
2022-08-05 02:51:44 PDT
(In reply to Xi Ruoyao from comment #7)
> Can we merge the patch for 2.36.6 then?

I have been testing a build with the patch applied (and additionally a related patch on top) and in half a day of continuous usage I have not hit any crashes in GitHub anymore. I have pushed both to the 2.36 release branch, so version 2.36.6 will have this resolved =)

*** This bug has been marked as a duplicate of bug 238429 ***
Leonardo Taccari
Comment 9
2022-08-05 03:12:37 PDT
(In reply to Adrian Perez from comment #8)
> (In reply to Xi Ruoyao from comment #7)
> > Can we merge the patch for 2.36.6 then?
>
> I have been testing a build with the patch applied (and additionally
> a related patch on top) and in half a day of continuous usage I have
> not hit any crashes in GitHub anymore. I have pushed both to the 2.36
> release branch, so version 2.36.6 will have this resolved =)
>
> *** This bug has been marked as a duplicate of bug 238429 ***

That's great!

Thank you very much again Adrian for bisecting and backporting it!
Adrian Perez
Comment 10
2022-08-07 03:44:36 PDT
(In reply to Leonardo Taccari from comment #9)
> (In reply to Adrian Perez from comment #8)
> > (In reply to Xi Ruoyao from comment #7)
> > > Can we merge the patch for 2.36.6 then?
> >
> > I have been testing a build with the patch applied (and additionally
> > a related patch on top) and in half a day of continuous usage I have
> > not hit any crashes in GitHub anymore. I have pushed both to the 2.36
> > release branch, so version 2.36.6 will have this resolved =)
> >
> > *** This bug has been marked as a duplicate of bug 238429 ***
>
> That's great!
>
> Thank you very much again Adrian for bisecting and backporting it!

You're welcome! The new release that includes the fix has been published:
https://webkitgtk.org/2022/08/07/webkitgtk2.36.6-released.html