Bug 295679 - Crash in AuxiliaryProcessProxy::connection under WebPageProxy::sendWheelEvent
https://bugs.webkit.org/show_bug.cgi?id=295679
Status: RESOLVED DUPLICATE of bug 283546
Michael Catanzaro
Reported 2025-07-09 17:55:59 PDT
I've been using a laptop instead of a desktop for a few days, and have noticed Epiphany crashes a lot more than I'm used to. It happens when scrolling. (I have no mouse, so there is no mouse wheel; the event must be synthesized somehow.)

(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007f96a3a811e3 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89
#2  0x00007f96a3a27afe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f96a3a0f6d0 in __GI_abort () at abort.c:73
#4  0x00007f969e62679f in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:931
#5  0x00007f969ec89eb2 in WebKit::AuxiliaryProcessProxy::connection (this=0x7f9682002400) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:137
#6  WebKit::AuxiliaryProcessProxy::protectedConnection (this=0x7f9682002400) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:141
#7  WebKit::WebPageProxy::sendWheelEvent (this=0x7f9682001800, frameID=..., event=..., processingSteps=..., rubberBandableEdges=..., willStartSwipe=std::optional [no contained value], wasHandledForScrolling=<optimized out>) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4148
#8  0x00007f969ec8949c in WebKit::WebPageProxy::continueWheelEventHandling (this=0x213a, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4136
#9  0x00007f969ec88ff2 in WebKit::WebPageProxy::handleWheelEvent (this=0x7f9682001800, wheelEvent=...) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4101
#10 WebKit::WebPageProxy::handleNativeWheelEvent (this=0x7f9682001800, nativeWheelEvent=...) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4067
#11 0x00007f969edbf3b0 in handleScroll (webViewBase=0x55e29b46d4a0, deltaX=0, deltaY=0, isEnd=false, eventController=0x55e29acde470) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:1598
#12 0x00007f96a491dc52 in _g_closure_invoke_va (closure=0x55e29a333db0, return_value=0x0, instance=0x55e29acde470, args=0x7fffb7529ec0, n_params=0, param_types=0x0) at ../gobject/gclosure.c:898
#13 signal_emit_valist_unlocked (instance=instance@entry=0x55e29acde470, signal_id=signal_id@entry=164, detail=detail@entry=0, var_args=var_args@entry=0x7fffb7529ec0) at ../gobject/gsignal.c:3438
#14 0x00007f96a491dd68 in g_signal_emit_valist (instance=0x55e29acde470, signal_id=164, detail=0, var_args=var_args@entry=0x7fffb7529ec0) at ../gobject/gsignal.c:3277
#15 0x00007f96a491de23 in g_signal_emit (instance=instance@entry=0x55e29acde470, signal_id=<optimized out>, detail=detail@entry=0) at ../gobject/gsignal.c:3597
#16 0x00007f96a3c8aa5b in gtk_event_controller_scroll_begin (controller=0x55e29acde470) at ../gtk/gtkeventcontrollerscroll.c:252
#17 gtk_event_controller_scroll_begin (controller=controller@entry=0x55e29acde470) at ../gtk/gtkeventcontrollerscroll.c:245
#18 0x00007f96a3c8ed4a in gtk_event_controller_scroll_handle_hold_event (controller=0x55e29acde470, event=0x55e29b5bd590) at ../gtk/gtkeventcontrollerscroll.c:315
#19 gtk_event_controller_scroll_handle_event (controller=0x55e29acde470, event=0x55e29b5bd590, x=<optimized out>, y=<optimized out>) at ../gtk/gtkeventcontrollerscroll.c:367
#20 0x00007f96a3df87cf in gtk_event_controller_handle_event (controller=0x55e29acde470, event=<optimized out>, target=<optimized out>, x=<optimized out>, y=<optimized out>) at ../gtk/gtkeventcontroller.c:381
#21 gtk_widget_run_controllers (widget=0x55e29b46d4a0, event=0x55e29b5bd590, target=0x55e29b46d4a0, x=1749.87109375, y=<optimized out>, phase=GTK_PHASE_BUBBLE) at ../gtk/gtkwidget.c:4713
#22 0x00007f96a3d06c12 in gtk_propagate_event_internal (widget=widget@entry=0x55e29b46d4a0, event=event@entry=0x55e29b5bd590, topmost=<optimized out>) at ../gtk/gtkmain.c:1982
#23 0x00007f96a3d06e11 in gtk_propagate_event (widget=widget@entry=0x55e29b46d4a0, event=event@entry=0x55e29b5bd590) at ../gtk/gtkmain.c:2032
#24 0x00007f96a3d077b3 in gtk_main_do_event (event=0x55e29b5bd590) at ../gtk/gtkmain.c:1722
#25 0x00007f96a3f9b828 in _gdk_marshal_BOOLEAN__POINTERv (closure=<optimized out>, return_value=0x7fffb752a4f0, instance=<optimized out>, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x55e29a1a1430) at gdk/gdkmarshalers.c:302
#26 0x00007f96a40311ba in gdk_surface_event_marshallerv (closure=0x55e29a4fd6c0, return_value=0x7fffb752a4f0, instance=0x55e29a446140, args=0x7fffb752a5d0, marshal_data=0x0, n_params=1, param_types=0x55e29a1a1430) at ../gdk/gdksurface.c:470
#27 0x00007f96a491dc52 in _g_closure_invoke_va (closure=0x55e29a4fd6c0, return_value=0x7fffb752a4f0, instance=0x55e29a446140, args=0x7fffb752a5d0, n_params=1, param_types=0x55e29a1a1430) at ../gobject/gclosure.c:898
#28 signal_emit_valist_unlocked (instance=instance@entry=0x55e29a446140, signal_id=signal_id@entry=380, detail=detail@entry=0, var_args=var_args@entry=0x7fffb752a5d0) at ../gobject/gsignal.c:3438
#29 0x00007f96a491dd68 in g_signal_emit_valist (instance=0x55e29a446140, signal_id=380, detail=0, var_args=var_args@entry=0x7fffb752a5d0) at ../gobject/gsignal.c:3277
#30 0x00007f96a491de23 in g_signal_emit (instance=instance@entry=0x55e29a446140, signal_id=<optimized out>, detail=detail@entry=0) at ../gobject/gsignal.c:3597
#31 0x00007f96a40332fa in gdk_surface_handle_event.isra.0 (event=event@entry=0x55e29b5bd590) at ../gdk/gdksurface.c:3100
#32 0x00007f96a3fa12bc in _gdk_event_emit (event=0x55e29b5bd590) at ../gdk/gdkevents.c:491
#33 gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at ../gdk/broadway/gdkeventsource.c:377
#34 0x00007f96a47e2880 in g_main_dispatch (context=0x55e299823610) at ../glib/gmain.c:3398
#35 g_main_context_dispatch_unlocked (context=0x55e299823610) at ../glib/gmain.c:4249
#36 0x00007f96a47eb7c8 in g_main_context_iterate_unlocked (context=context@entry=0x55e299823610, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4314
#37 0x00007f96a47eb973 in g_main_context_iteration (context=context@entry=0x55e299823610, may_block=may_block@entry=1) at ../glib/gmain.c:4379
#38 0x00007f96a4a0802d in g_application_run (application=0x55e29983e7a0, argc=<optimized out>, argv=<optimized out>) at ../gio/gapplication.c:2715
#39 0x000055e28fa2e322 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:445

We hit the release assert here in AuxiliaryProcessProxy.h:

    IPC::Connection& connection() const
    {
        RELEASE_ASSERT(m_connection);
        return *m_connection;
    }

This is surely a sequel to bug #282384. The commit 289017@main doesn't look like enough; it added a guard lower in the function, but the crash occurs higher, at the same place as before:

    legacyMainFrameProcess->protectedConnection()->send(Messages::EventDispatcher::WheelEvent(webPageIDInMainFrameProcess(), event, rubberBandableEdges), 0, { }, Thread::QOS::UserInteractive);

Now that I see there is a hasConnection() function, it's easy to just add a check for that and not crash. Probably there are similar problems elsewhere, though. Let's check at least WebPageProxy::handleKeyboardEvent, WebPageProxy::handleMouseEvent, and WebPageProxy::handleTouchEvent.

It's weird that events can still happen after the connection is closed. Or maybe it's before the connection is opened, although that's weird too.
Michael Catanzaro
Comment 1 2025-09-28 07:44:09 PDT
*** Bug 299687 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 2 2025-10-21 11:02:09 PDT
I'm now seeing this crash also on my desktop computer.
Michael Catanzaro
Comment 3 2025-10-21 12:21:06 PDT
Here's what we failed to notice the first time we investigated this:

> #8  0x00007f969ec8949c in WebKit::WebPageProxy::continueWheelEventHandling (this=0x213a, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value])
>     at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4136

this=0x213a is a dangling pointer. The WebPageProxy is already toast *before* WebPageProxy::sendWheelEvent is ever called, so that can't be the right place to fix the bug.

It's even more obvious using the stack trace from bug #299687:

> #8  0x00007f9a1c344263 in WebKit::WebPageProxy::continueWheelEventHandling (this=0x2, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:4183
Michael Catanzaro
Comment 4 2025-10-21 12:34:32 PDT
Although the frame above and below both have normal this pointers. From this stack trace:

#7  WebKit::WebPageProxy::sendWheelEvent (this=0x7f9682001800, frameID=..., event=..., processingSteps=..., rubberBandableEdges=..., willStartSwipe=std::optional [no contained value], wasHandledForScrolling=<optimized out>) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4148
#8  0x00007f969ec8949c in WebKit::WebPageProxy::continueWheelEventHandling (this=0x213a, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4136
#9  0x00007f969ec88ff2 in WebKit::WebPageProxy::handleWheelEvent (this=0x7f9682001800, wheelEvent=...) at /usr/src/debug/webkitgtk-2.48.3-1.fc42.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp:4101

Both are 0x7f9682001800. Then from the stack trace in bug #299687:

#7  WebKit::WebPageProxy::sendWheelEvent (this=0x7f9a0a031400, frameID=..., event=..., processingSteps=..., rubberBandableEdges=..., willStartSwipe=std::optional [no contained value], wasHandledForScrolling=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:4195
        process = {static isRef = <optimized out>, m_ptr = 0x7f9a0a1e0c00}
#8  0x00007f9a1c344263 in WebKit::WebPageProxy::continueWheelEventHandling (this=0x2, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:4183
        rubberBandingBehavior = {m_sides = {_M_elems = {WebCore::RubberBandingBehavior::Always, WebCore::RubberBandingBehavior::Always, WebCore::RubberBandingBehavior::Always, WebCore::RubberBandingBehavior::Always}}}
        rubberBandableEdges = {m_sides = {_M_elems = {<optimized out>, <optimized out>, <optimized out>, <optimized out>}}}
#9  0x00007f9a1c343ed4 in WebKit::WebPageProxy::handleWheelEvent (this=0x7f9a0a031400, wheelEvent=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:4148

Both are 0x7f9a0a031400. Huh.
Michael Catanzaro
Comment 5 2025-10-21 13:43:45 PDT
So, I'm just going to ignore the suspicious this pointer in frame 8. Lacking a connection is actually an expected state. An AuxiliaryProcessProxy *initially* has a connection, but it may be null after process termination (AuxiliaryProcessProxy::State::Terminated). At first I guessed that we should just add a WebPageProxy::hasConnection check here and then move on, but there is actually a different function WebPageProxy::hasRunningProcess that ought to be used instead, which is already used by WebPageProxy::handleKeyboardEvent, WebPageProxy::handleMouseEvent, WebPageProxy::handleTouchEvent, and actually even WebPageProxy::sendWheelEvent itself. But the lambda in WebPageProxy::sendWheelEvent is only checking for WebPageProxy::isClosed, which is probably not enough.
Michael Catanzaro
Comment 6 2025-10-21 13:45:34 PDT
(In reply to Michael Catanzaro from comment #5)
> At first I guessed that we
> should just add a WebPageProxy::hasConnection check here and then move on,
> but there is actually a different function WebPageProxy::hasRunningProcess
> that ought to be used instead, which is already used by
> WebPageProxy::handleKeyboardEvent, WebPageProxy::handleMouseEvent,
> WebPageProxy::handleTouchEvent, and actually even
> WebPageProxy::sendWheelEvent itself.

Er wait, I added that check to WebPageProxy::sendWheelEvent myself. Oops. There is a preexisting check in WebPageProxy::handleWheelEvent, though.
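Added here as an illustration, not code from the bug report or from WebKit: a small C++ model of the guard discussed in comments 5 and 6, in which a deferred wheel-event continuation that only checks isClosed() still reaches connection() after the web process has been terminated, while a hasRunningProcess() check drops the event instead. ProcessProxy, PageProxy, Outcome and the simulate*() functions are hypothetical stand-ins named after the WebKit classes they imitate; as comments 9 and 10 record, this guard alone did not end the real crash.

```cpp
// Added example, not WebKit code. ProcessProxy, PageProxy, Outcome and the
// simulate*() functions are hypothetical stand-ins for the WebKit classes.
#include <functional>
#include <memory>
#include <stdexcept>
struct Connection { int sent = 0; void send() { ++sent; } };

// Like AuxiliaryProcessProxy: born with a connection, loses it on termination.
struct ProcessProxy {
    enum class State { Running, Terminated };
    State state = State::Running;
    std::unique_ptr<Connection> m_connection = std::make_unique<Connection>();
    // RELEASE_ASSERT(m_connection) aborts in WebKit; modelled as a throw here so
    // the outcome can be observed instead of killing the process.
    Connection& connection() const {
        if (!m_connection) throw std::logic_error("RELEASE_ASSERT(m_connection)");
        return *m_connection;
    }
    void terminate() { state = State::Terminated; m_connection.reset(); }
};

// Like WebPageProxy: isClosed() describes the page, hasRunningProcess() the process.
struct PageProxy {
    ProcessProxy process;
    bool closed = false;
    bool isClosed() const { return closed; }
    bool hasRunningProcess() const { return process.state == ProcessProxy::State::Running; }
    void sendWheelEvent() { process.connection().send(); }
};

enum class Outcome { Sent, Dropped, Crashed };

// The deferred continuation (continueWheelEventHandling) with a caller-chosen guard.
Outcome continueWheelEvent(PageProxy& page, const std::function<bool(const PageProxy&)>& okToSend) {
    if (!okToSend(page)) return Outcome::Dropped;
    try { page.sendWheelEvent(); return Outcome::Sent; }
    catch (const std::logic_error&) { return Outcome::Crashed; }
}

// Scenario from the report: process terminated mid-flight, page never closed.
Outcome simulateClosedOnlyGuard() {
    PageProxy page; page.process.terminate();
    return continueWheelEvent(page, [](const PageProxy& p) { return !p.isClosed(); });
}
Outcome simulateRunningProcessGuard() {
    PageProxy page; page.process.terminate();
    return continueWheelEvent(page, [](const PageProxy& p) { return p.hasRunningProcess(); });
}
```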
Michael Catanzaro
Comment 7 2025-10-21 14:27:53 PDT
EWS
Comment 8 2025-10-23 07:40:13 PDT
Committed 302030@main (7c79d4d8b355): <https://commits.webkit.org/302030@main> Reviewed commits have been landed. Closing PR #52764 and removing active labels.
Michael Catanzaro
Comment 9 2025-11-06 15:24:59 PST
Reopening. Unfortunately I just hit the crash again with WebKitGTK 2.51.1. Stack trace isn't even any different, just the line numbers have changed:

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007fd2f189d5e3 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89
#2  0x00007fd2f18433be in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007fd2f182a8ed in __GI_abort () at abort.c:77
#4  0x00007fd2ec30c08f in WTFCrashWithInfo () at ./_builddir/WTF/Headers/wtf/Assertions.h:980
#5  0x00007fd2ec97a936 in WebKit::AuxiliaryProcessProxy::connection (this=0x7fd2da020c00) at ./Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:139
#6  WebKit::AuxiliaryProcessProxy::protectedConnection (this=0x7fd2da020c00) at ./Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:143
#7  WebKit::WebPageProxy::sendWheelEvent (this=0x7fd2da029600, frameID=..., event=..., processingSteps=..., rubberBandableEdges=..., willStartSwipe=std::optional [no contained value], wasHandledForScrolling=<optimized out>) at ./Source/WebKit/UIProcess/WebPageProxy.cpp:4245
#8  0x00007fd2ec97a063 in WebKit::WebPageProxy::continueWheelEventHandling (this=0x2, wheelEvent=..., result=..., willStartSwipe=std::optional [no contained value]) at ./Source/WebKit/UIProcess/WebPageProxy.cpp:4230
#9  0x00007fd2ec979cdc in WebKit::WebPageProxy::handleWheelEvent (this=0x7fd2da029600, wheelEvent=...) at ./Source/WebKit/UIProcess/WebPageProxy.cpp:4195
#10 WebKit::WebPageProxy::handleNativeWheelEvent (this=0x7fd2da029600, nativeWheelEvent=<optimized out>) at ./Source/WebKit/UIProcess/WebPageProxy.cpp:4161
#11 0x00007fd2ecaa881d in handleScroll (webViewBase=0x559fed0fea30 [EphyWebView], deltaX=0, deltaY=-1, isEnd=false, eventController=0x559fece0f2c0 [GtkEventControllerScroll]) at ./_builddir/./Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:1609
#16 0x00007fd2f2a8d173 in <emit signal 'scroll' on instance 0x559fece0f2c0 [GtkEventControllerScroll]> (instance=instance@entry=0x559fece0f2c0, signal_id=<optimized out>, detail=detail@entry=0) at ../gobject/gsignal.c:3598
Michael Catanzaro
Comment 10 2025-11-06 15:28:04 PST
*** This bug has been marked as a duplicate of bug 283546 ***