264360 – [WPE] frameDisplayed may be called after View has been deleted

RESOLVED FIXED 264360

[WPE] frameDisplayed may be called after View has been deleted

https://bugs.webkit.org/show_bug.cgi?id=264360

Summary [WPE] frameDisplayed may be called after View has been deleted

Yury Semikhatsky

Reported 2023-11-07 13:09:36 PST

We observe the following crash in Playwright: Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007fbde1311857 in WKWPE::View::View(wpe_view_backend*, API::PageConfiguration const&)::$_5::__invoke(void*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1 [Current thread is 1 (Thread 0x7fbdd9282a00 (LWP 2240445))] (gdb) bt #0 0x00007fbde1311857 in WKWPE::View::View(wpe_view_backend*, API::PageConfiguration const&)::$_5::__invoke(void*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1 #1 0x00007fbde6ddae31 in wpe_view_backend_dispatch_frame_displayed () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libwpe-1.0.so.1 #2 0x00007fbde6debe8a in ViewBackend::~ViewBackend() () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libWPEBackend-fdo-1.0.so.1 #3 0x00007fbde6deb12e in $_1::__invoke(void*) () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libWPEBackend-fdo-1.0.so.1 #4 0x00007fbde6ddab81 in wpe_view_backend_destroy () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libwpe-1.0.so.1 #5 0x00007fbde6deb012 in wpe_view_backend_exportable_fdo_destroy () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libWPEBackend-fdo-1.0.so.1 #6 0x00005644402cfe97 in WPEToolingBackends::HeadlessViewBackend::~HeadlessViewBackend() () #7 0x00007fbde13179f7 in void WTF::derefGPtr<_WebKitWebViewBackend>(_WebKitWebViewBackend*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1 #8 0x00007fbde130502d in webkit_web_view_finalize(_GObject*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1 #9 0x00007fbdda804c79 in g_object_unref () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0 #10 0x00007fbdda823514 in g_value_unset () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0 #11 0x00007fbdda816c4a in g_signal_emit_valist () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0 #12 0x00007fbdda816dee in g_signal_emit () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0 ... It turns out that View::frameDisplayed is called after the View object has been destroyed.

Attachments
Add attachment proposed patch, testcase, etc.

Yury Semikhatsky

Comment 1 2023-11-07 13:17:51 PST

Pull request: https://github.com/WebKit/WebKit/pull/20123

EWS

Comment 2 2023-11-09 17:44:04 PST

Committed 270493@main (7d464f717df9): <https://commits.webkit.org/270493@main> Reviewed commits have been landed. Closing PR #20123 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WPE WebKit

Assignee

Yury Semikhatsky

Reported

2023-11-07 13:09 PST

Modified

2023-11-09 17:44 PST History

CC List

3 users Show

URL

Keywords

Depends on

Blocks