269699 – [GTK] Crash in WebPageProxy::getLoadDecisionForIcon

Bug 269699 - [GTK] Crash in WebPageProxy::getLoadDecisionForIcon

Summary: [GTK] Crash in WebPageProxy::getLoadDecisionForIcon

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKitGTK (show other bugs)
Version:	WebKit Local Build
Hardware:	PC Linux

Importance:	P2 Normal
Assignee:	Carlos Garcia Campos

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-02-19 04:07 PST by Kdwk
Modified:	2024-03-01 00:30 PST (History)
CC List:	5 users (show)

See Also:

Attachments
gdb (bt full; c).txt (10.81 KB, text/plain) 2024-02-19 04:07 PST, Kdwk	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kdwk 2024-02-19 04:07:42 PST

Created attachment 469957 [details]
gdb (bt full; c).txt

1. Using Gnome Web 46.alpha-8-gfe080d446 (jhbuild), WebKitGTK 2.43.4 (270164@main) (jhbuild), GStreamer 1.22.9
2. Visit reddit.com, wait for a while
3. Crash

Comment 1 Michael Catanzaro 2024-02-19 08:28:07 PST

Notably bytes=0x0

Comment 2 Michael Catanzaro 2024-02-20 06:42:24 PST

(In reply to Kdwk from comment #0)
> WebKitGTK 2.43.4 (270164@main) (jhbuild)

Please double check this. One or the other is not right.

Comment 3 Michael Catanzaro 2024-02-20 06:44:19 PST

OK, I can reproduce. It crashes after just a few seconds when using 274884@main with GStreamer 1.22.8.

Comment 4 Kdwk 2024-02-20 06:45:19 PST

(In reply to Michael Catanzaro from comment #2)
> (In reply to Kdwk from comment #0)
> > WebKitGTK 2.43.4 (270164@main) (jhbuild)
> 
> Please double check this. One or the other is not right.

What’s not right? I copied this from About Web -> Troubleshooting-> Debugging Information

Comment 5 Michael Catanzaro 2024-02-20 08:37:00 PST

270164@main is three months old. WebKitGTK 2.43.4 is recent.

Comment 6 Kdwk 2024-02-27 06:42:46 PST

I believe this is still happening with WebKitGTK 2.43.4 (274974@main)

Comment 7 Philippe Normand 2024-02-28 09:44:42 PST

(In reply to Kdwk from comment #6)
> I believe this is still happening with WebKitGTK 2.43.4 (274974@main)

Oh yes, with current main, GTK MiniBrowser crashes when loading YT...

Comment 8 Philippe Normand 2024-02-28 10:00:48 PST

The iconData m_buffer is non-contiguous, so SharedBufferReference::data() returns null...

(gdb) p iconData                                                                                                                                                                                                   
$1 = (const IPC::SharedBufferReference &) @0x7fff4f063cb0: {m_size = 2783, m_buffer = {static isRefPtr = <optimized out>, m_ptr = 0x7f0a850e1280}, m_memory = {static isRefPtr = <optimized out>, m_ptr = 0x0}}    
(gdb) p iconData.m_buffer                                                                                                                                                                                          
$2 = {static isRefPtr = <optimized out>, m_ptr = 0x7f0a850e1280}                                                                                                                                                   
(gdb) p *$2.m_ptr                                                                                                                                                                                                  
$3 = {<WTF::ThreadSafeRefCounted<WebCore::FragmentedSharedBuffer, (WTF::DestructionThread)0>> = {<WTF::ThreadSafeRefCountedBase> = {m_refCount = std::atomic<unsigned int> = { 1 },                                
      m_deletionHasBegun = std::atomic<bool> = { false },                                                                                                                                                          
      m_isAllocatedMemory = std::atomic<WTF::ThreadSafeRefCountedBase::IsAllocatedMemory> = { WTF::ThreadSafeRefCountedBase::IsAllocatedMemory::Yes }}, <No data fields>},                                         
  m_segments = WTF::Vector of length 2, capacity 16 = {{beginPosition = 0, segment = {static isRef = <optimized out>, m_ptr = 0x7f0a85025cb0}}, {beginPosition = 512, segment = {static isRef = <optimized out>,   
        m_ptr = 0x7f0a85025ce0}}}, m_contiguous = false, m_size = 2783}

Comment 9 Philippe Normand 2024-02-28 10:04:21 PST

I suppose it's not an issue on Apple ports because the don't USE(UNIX_DOMAIN_SOCKETS) so a different code path is taken?

Comment 10 Philippe Normand 2024-02-28 10:18:19 PST

This naïve patch seems to work... http://sprunge.us/bpmStR

Comment 11 Adrian Perez 2024-02-28 12:09:07 PST

(In reply to Philippe Normand from comment #10)
> This naïve patch seems to work... http://sprunge.us/bpmStR

rs=me

Comment 12 Philippe Normand 2024-02-28 12:21:00 PST

Pull request: https://github.com/WebKit/WebKit/pull/25248

Comment 13 Carlos Garcia Campos 2024-02-29 02:54:33 PST

Pull request: https://github.com/WebKit/WebKit/pull/25289

Comment 14 EWS 2024-03-01 00:30:34 PST

Committed 275540@main (6a7b2d62c794): <https://commits.webkit.org/275540@main>

Reviewed commits have been landed. Closing PR #25289 and removing active labels.