Bug 242066 - [GTK] Frequent crashes on github.com in WebCore::RenderFileUploadControl::uploadButton
Status: RESOLVED DUPLICATE of bug 241954
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-28 10:29 PDT by Michael Catanzaro
Modified: 2022-06-28 13:43 PDT

See Also:


Attachments

Description Michael Catanzaro 2022-06-28 10:29:26 PDT
Today I hit four crashes within two minutes when browsing github.com with 2.36.3. It's a null pointer dereference:

(gdb) bt
#0  WebCore::ContainerNode::firstChild() const (this=0x0)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/ContainerNode.h:43
#1  WebCore::RenderFileUploadControl::uploadButton() const (this=<optimized out>)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/RenderFileUploadControl.cpp:246
#2  0x00007f37cc758304 in WebCore::RenderFileUploadControl::updateFromElement() (this=0x7f37401dac80)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/RenderFileUploadControl.cpp:78
#3  0x00007f37cbf50206 in WebCore::HTMLInputElement::didAttachRenderers() (this=0x7f36b825b020)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/html/HTMLInputElement.cpp:875
#4  0x00007f37cc97b947 in WebCore::RenderTreeUpdater::popParent() (this=0x7ffc02234600)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:237
#5  0x00007f37cc97c778 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int)
    (depth=<optimized out>, this=<optimized out>)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:250
#6  WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (this=0x7ffc02234600, root=<optimized out>)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:158
#7  0x00007f37cc97cf1b in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) (Python Exception <class 'gdb.error'>: Request for member '_M_head_impl' is ambiguous in type 'std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> >'. Candidates are:
  'std::default_delete<WebCore::Style::Update const> std::_Head_base<1, std::default_delete<WebCore::Style::Update const>, true>::_M_head_impl' (std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<0, WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<1, std::default_delete<WebCore::Style::Update const> > -> std::_Head_base<1, std::default_delete<WebCore::Style::Update const>, true>)
  '<unnamed type> std::_Head_base<0, WebCore::Style::Update const*, false>::_M_head_impl' (std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<0, WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Head_base<0, WebCore::Style::Update const*, false>)
this=0x7ffc02234600, styleUpdate=...)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:125
#8  0x00007f37cbccde2c in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) (this=this@entry=Python Exception <class 'gdb.error'>: Request for member '_M_head_impl' is ambiguous in type 'std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> >'. Candidates are:
  'std::default_delete<WebCore::Style::Update const> std::_Head_base<1, std::default_delete<WebCore::Style::Update const>, true>::_M_head_impl' (std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<0, WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<1, std::default_delete<WebCore::Style::Update const> > -> std::_Head_base<1, std::default_delete<WebCore::Style::Update const>, true>)
  '<unnamed type> std::_Head_base<0, WebCore::Style::Update const*, false>::_M_head_impl' (std::tuple<WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Tuple_impl<0, WebCore::Style::Update const*, std::default_delete<WebCore::Style::Update const> > -> std::_Head_base<0, WebCore::Style::Update const*, false>)
0x7f37c1eadcb0, styleUpdate=...)
    at /usr/include/c++/11.2.0/bits/unique_ptr.h:172
#9  0x00007f37cbce78cd in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)
    (this=this@entry=0x7f37c1eadcb0, type=<optimized out>, type@entry=WebCore::Document::ResolveStyleType::Normal)
    at /usr/include/c++/11.2.0/bits/move.h:77
#10 0x00007f37cbce7f1f in WebCore::Document::updateStyleIfNeeded() (this=0x7f37c1eadcb0)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/Document.cpp:2182
#11 0x00007f37cbce921e in WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) (this=0x7f37c1eadcb0, element=..., dimensionsCheck=dimensionsCheck@entry=WebCore::HeightDimensionsCheck)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/Document.cpp:2287
#12 0x00007f37cbd0b853 in WebCore::Element::offsetHeight() (this=0x7f36785a6d00)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/Element.cpp:1302
#13 0x00007f37cb15c511 in WebCore::jsHTMLElement_offsetHeightGetter
    (thisObject=<optimized out>, lexicalGlobalObject=<optimized out>)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/_builddir/WebCore/DerivedSources/JSHTMLElement.cpp:4157
#14 WebCore::IDLAttribute<WebCore::JSHTMLElement>::get<WebCore::jsHTMLElement_offsetHeightGetter, (WebCore::CastedThisErrorBehavior)3> (attributeName=..., thisValue=<optimized out>, lexicalGlobalObject=<optimized out>)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/bindings/js/JSDOMAttribute.h:88
#15 WebCore::jsHTMLElement_offsetHeight(JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::PropertyName)
    (lexicalGlobalObject=<optimized out>, thisValue=<optimized out>, attributeName=...)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/_builddir/WebCore/DerivedSources/JSHTMLElement.cpp:4162
#16 0x00007f37c919f715 in JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const
    (this=this@entry=0x7ffc02234e10, vm=<optimized out>, propertyName=..., propertyName@entry=...)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/runtime/PropertySlot.cpp:47
#17 0x00007f37c8de06f3 in JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const
    (propertyName=..., globalObject=0x7f37c1525068, this=0x7ffc02234e10)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/runtime/PropertySlot.h:408
#18 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const
    (slot=..., propertyName=..., globalObject=<optimized out>, this=0x7ffc02234dc8)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1021
#19 JSC::LLInt::performLLIntGetByID(JSC::Instruction const*, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)
    (pc=0x7f361820db05, codeBlock=0x7f35c8eac400, globalObject=<optimized out>, baseValue=..., ident=..., metadata=...) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:814
#20 0x00007f37c8de11d9 in JSC::LLInt::llint_slow_path_get_by_id(JSC::CallFrame*, JSC::Instruction const*)
    (callFrame=0x7ffc02235090, pc=0x7f361820db05) at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:888
#21 0x00007f37c82deb4d in llint_op_get_by_id () at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:102
#22 0x0000000000000000 in  ()
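A small triage helper, added here as an example and not part of the bug report or of WebKit: it re-joins gdb's wrapped frame lines and reports the first frame entered with a null `this` together with its caller, which is the frame that owns the unchecked pointer and where a fix would be looked for. The backtrace embedded in the block is a constructed excerpt of the first four frames above.

```python
import re

# Constructed excerpt: the first four frames of the gdb backtrace pasted in the report.
BACKTRACE = """\
#0  WebCore::ContainerNode::firstChild() const (this=0x0)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/dom/ContainerNode.h:43
#1  WebCore::RenderFileUploadControl::uploadButton() const (this=<optimized out>)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/RenderFileUploadControl.cpp:246
#2  0x00007f37cc758304 in WebCore::RenderFileUploadControl::updateFromElement() (this=0x7f37401dac80)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/rendering/RenderFileUploadControl.cpp:78
#3  0x00007f37cbf50206 in WebCore::HTMLInputElement::didAttachRenderers() (this=0x7f36b825b020)
    at /usr/lib/debug/source/sdk/webkit2gtk-4.1.bst/Source/WebCore/html/HTMLInputElement.cpp:875
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.*?)(?: at (\S+):(\d+))?$")
ARG_RE = re.compile(r"(\w+(?:@entry)?)=(<[^>]*>|[^,]+)")


def parse_frames(text):
    """Re-join wrapped lines into "#N  [0xADDR in ]FUNC (ARGS)[ at FILE:LINE]" and split each frame."""
    raw = []
    for line in text.splitlines():
        if line.startswith("#"):
            raw.append(line.rstrip())
        elif raw and line[:1].isspace():   # indented continuation of the previous frame
            raw[-1] += " " + line.strip()
    frames = []
    for entry in raw:
        m = FRAME_RE.match(entry)
        if not m:
            continue
        body = m.group(2)
        split = body.rfind(" (")           # the last "(...)" group carries the argument values
        func = body[:split].strip() if split >= 0 else body.strip()
        args = body[split + 2:-1] if split >= 0 else ""
        frames.append({"num": int(m.group(1)), "func": func, "args": dict(ARG_RE.findall(args)),
                       "file": m.group(3), "line": int(m.group(4)) if m.group(4) else None})
    return frames


def find_null_this(frames):
    """Return the first frame entered with this=0x0 and its caller, the frame holding the bad pointer."""
    for i, frame in enumerate(frames):
        if frame["args"].get("this") == "0x0":
            return frame, (frames[i + 1] if i + 1 < len(frames) else None)
    return None, None


if __name__ == "__main__":
    crash, caller = find_null_this(parse_frames(BACKTRACE))
    print(f"null this in {crash['func']} at {crash['file']}:{crash['line']}")
    print(f"dereferenced by {caller['func']} at {caller['file']}:{caller['line']}")
```

Run against the full backtrace in the report (paste it into BACKTRACE), it still resolves frame #0 and #1 the same way; the gdb pretty-printer exception text in frames #7 and #8 is absorbed into those frames' argument strings and does not affect the result.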
Comment 1 Fujii Hironori 2022-06-28 13:43:48 PDT

*** This bug has been marked as a duplicate of bug 241954 ***