WebKit Bugzilla
RESOLVED FIXED
299208
[GTK] gdk_drop_status: assertion 'priv->state != GDK_DROP_STATE_FINISHED' failed
https://bugs.webkit.org/show_bug.cgi?id=299208
Michael Catanzaro
Reported
2025-09-19 13:55:00 PDT
Created attachment 476807: Full stack trace

I've encountered a fatal-criticals crash "gdk_drop_status: assertion 'priv->state != GDK_DROP_STATE_FINISHED' failed" during drag and drop using WebKitGTK 2.50.0. Haven't figured out how to reproduce it yet. For now, here's the stack trace:

#0 _g_log_abort (breakpoint=<optimized out>) at ../glib/gmessages.c:430
#1 g_logv (log_domain=0x7f5706c237a6 "Gdk", log_level=G_LOG_LEVEL_CRITICAL, format=<optimized out>, args=args@entry=0x7ffd6f1ac450) at ../glib/gmessages.c:1291
#2 0x00007f570730f7e3 in g_log (log_domain=<optimized out>, log_level=<optimized out>, format=<optimized out>) at ../glib/gmessages.c:1333
#3 0x00007f57019421dc in WebKit::WebPageProxy::didPerformDragControllerAction (this=<optimized out>, dragOperation=Python Exception <class 'gdb.error'>: value has been optimized out ..., dragHandlingMethod=<optimized out>, mouseIsOverFileInput=<optimized out>, numberOfItemsToBeAccepted=<optimized out>, insertionRect=..., editableElementRect=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:3835
#4 0x00007f5701985935 in WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0::operator()(std::optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&, std::optional<WebCore::RemoteUserInputEventData>) (this=0x7f56efdc0b88, dragOperation=std::optional [no contained value], dragHandlingMethod=<optimized out>, mouseIsOverFileInput=false, numberOfItemsToBeAccepted=1, insertionRect=..., editableElementRect=..., remoteUserInputEventData=Python Exception <class 'gdb.error'>: value has been optimized out ...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:3795
#5 std::__invoke_impl<void, WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0, std::optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect, std::optional<WebCore::RemoteUserInputEventData> >(std::__invoke_other, WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0&&, std::optional<WebCore::DragOperation>&&, WebCore::DragHandlingMethod&&, bool&&, unsigned int&&, WebCore::IntRect&&, WebCore::IntRect&&, std::optional<WebCore::RemoteUserInputEventData>&&) (__f=..., __args=..., __args=@0x7ffd6f1ac59d: WebCore::DragHandlingMethod::None, __args=@0x7ffd6f1ac59c: false, __args=@0x7ffd6f1ac598: 0, __args=..., __args=..., __args=...) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/bits/invoke.h:63
#6 std::__invoke<WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0, std::optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect, std::optional<WebCore::RemoteUserInputEventData> >(WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0&&, std::optional<WebCore::DragOperation>&&, WebCore::DragHandlingMethod&&, bool&&, unsigned int&&, WebCore::IntRect&&, WebCore::IntRect&&, std::optional<WebCore::RemoteUserInputEventData>&&) (__fn=..., __args=..., __args=@0x7ffd6f1ac59d: WebCore::DragHandlingMethod::None, __args=@0x7ffd6f1ac59c: false, __args=@0x7ffd6f1ac598: 0, __args=..., __args=..., __args=...) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/bits/invoke.h:98
#7 std::__apply_impl<WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0, std::tuple<std::optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect, std::optional<WebCore::RemoteUserInputEventData> >, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul>(WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0&&, std::tuple<std::optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect, std::optional<WebCore::RemoteUserInputEventData> >&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul>) (__f=..., __t=...) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/tuple:2920
#8 apply<(lambda at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:3790:30), std::tuple<std::optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect, std::optional<WebCore::RemoteUserInputEventData> > > (__f=..., __t=...) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/15.2.0/../../../../include/c++/15.2.0/tuple:2935
#9 IPC::Connection::callReply<Messages::WebPage::PerformDragControllerAction, WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0>(IPC::Connection*, IPC::Decoder&, WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0&&) (decoder=..., completionHandler=..., connection=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.h:1034
#10 IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::PerformDragControllerAction, WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0>(WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0&&, WTF::ThreadLikeAssertion)::{lambda(IPC::Connection*, IPC::Decoder*)#1}::operator()(IPC::Connection*, IPC::Decoder*) (decoder=0x7f54e50f05a0, this=<optimized out>, connection=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.h:945
#11 WTF::Detail::CallableWrapper<IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::PerformDragControllerAction, WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0>(WebKit::WebPageProxy::performDragControllerAction(WebKit::DragControllerAction, WebCore::DragData&, std::optional<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long> > const&)::$_0&&, WTF::ThreadLikeAssertion)::{lambda(IPC::Connection*, IPC::Decoder*)#1}, void, IPC::Connection*, IPC::Decoder*>::call(IPC::Connection*, IPC::Decoder*) (this=0x7f56efdc0b80, in=<optimized out>, in=0x7f54e50f05a0) at WTF/Headers/wtf/Function.h:53
#12 0x00007f57018d75bf in WTF::Function<void(IPC::Connection*, IPC::Decoder*)>::operator() (in=0x0, in=0x1, this=<optimized out>) at WTF/Headers/wtf/Function.h:82
#13 WTF::CompletionHandler<void(IPC::Connection*, IPC::Decoder*)>::operator() (this=<optimized out>, in=0x0, in=0x1) at WTF/Headers/wtf/CompletionHandler.h:79
#14 WebKit::AuxiliaryProcessProxy::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::optional<IPC::ConnectionAsyncReplyHandler>, WebKit::AuxiliaryProcessProxy::ShouldStartProcessThrottlerActivity)::$_1::operator()(IPC::Connection*, IPC::Decoder*) (this=<optimized out>, connection=0x0, decoder=0x1) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/AuxiliaryProcessProxy.cpp:263
#15 WTF::Detail::CallableWrapper<WebKit::AuxiliaryProcessProxy::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::optional<IPC::ConnectionAsyncReplyHandler>, WebKit::AuxiliaryProcessProxy::ShouldStartProcessThrottlerActivity)::$_1, void, IPC::Connection*, IPC::Decoder*>::call (this=<optimized out>, in=0x0, in=0x1) at WTF/Headers/wtf/Function.h:53
#16 0x00007f570188835b in WTF::Function<void(IPC::Connection*, IPC::Decoder*)>::operator() (in=0x7f56efddc4e0, in=0x7f54e50f05a0, this=<optimized out>) at WTF/Headers/wtf/Function.h:82
#17 WTF::CompletionHandler<void(IPC::Connection*, IPC::Decoder*)>::operator() (this=0x7ffd6f1ac608, in=0x7f56efddc4e0, in=0x7f54e50f05a0) at WTF/Headers/wtf/CompletionHandler.h:79
#18 IPC::Connection::dispatchMessage (this=0x7f56efddc4e0, decoder=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1365
#19 0x00007f5701888517 in IPC::Connection::dispatchMessage (this=0x7f56efddc4e0, message=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1433
#20 0x00007f570188899d in IPC::Connection::dispatchIncomingMessages (this=0x7f56efddc4e0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1557
#21 0x00007f57004823a5 in WTF::Function<void()>::operator() (this=0x7ffd6f1ac720) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:82
#22 WTF::RunLoop::performWork (this=0x7f56ef008180) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:148
#23 0x00007f570054187d in WTF::RunLoop::RunLoop()::$_0::operator()(void*) const (userData=0x1, userData@entry=0x7f56ef008180, this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#24 WTF::RunLoop::RunLoop()::$_0::__invoke(void*) (userData=0x1) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:79
#25 0x00007f57005409a1 in WTF::RunLoop::$_0::operator() (source=0x55f0de78f900, callback=0x7f5700541870 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7f56ef008180, this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#26 WTF::RunLoop::$_0::__invoke (source=0x55f0de78f900, callback=0x7f5700541870 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7f56ef008180) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#27 0x00007f57073027cb in g_main_dispatch (context=context@entry=0x55f0de74cd10) at ../glib/gmain.c:3565
#28 0x00007f5707305c07 in g_main_context_dispatch_unlocked (context=0x55f0de74cd10) at ../glib/gmain.c:4425
#29 g_main_context_iterate_unlocked (context=context@entry=0x55f0de74cd10, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4490
#30 0x00007f5707306453 in g_main_context_iteration (context=context@entry=0x55f0de74cd10, may_block=may_block@entry=1) at ../glib/gmain.c:4556
#31 0x00007f57074fe98d in g_application_run (application=0x55f0de78d570 [EphyShell], argc=<optimized out>, argv=<optimized out>) at ../gio/gapplication.c:2741
#32 0x000055f0d147c022 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:454

I'll attach a full stack trace.
Attachments
Full stack trace (15.60 KB, text/plain), 2025-09-19 13:55 PDT, Michael Catanzaro
Michael Catanzaro
Comment 1
2025-09-19 14:38:31 PDT
So the crash is actually in DropTarget::didPerformAction (in DropTargetGtk4.cpp) which confusingly does not appear in the stack trace, due to optimization I guess. The assertion dates back to https://gitlab.gnome.org/GNOME/gtk/-/commit/5a726bc6656d543f9a0d02e38b2ae76d60f52390 so it must be a WebKit regression.
Michael Catanzaro
Comment 2
2025-09-24 13:53:29 PDT
Found a reproducer! Drag the URL in the comment above into the comment box below on this bug (if you are logged in). It's probably bisectable. I will investigate. Also works with dragging URLs in Slack conversations into anywhere on Slack.
Michael Catanzaro
Comment 3
2025-10-03 10:44:18 PDT
Unfortunately it only crashes in Epiphany Tech Preview. When building the same WebKitGTK version (2.50.0) myself, no crash. So much for my plan to bisect it. :(
Michael Catanzaro
Comment 4
2025-10-06 12:35:37 PDT
Matthias says: "it happens if you try to read a value from the GdkDrop after declaring the drop finished"
Michael Catanzaro
Comment 5
2025-10-06 15:05:55 PDT
Added some debugging in DropTargetGtk4.cpp. What happens outside of Flatpak is:

* DropTarget::enter is called twice. Second time is probably a bug.
* DropTarget::didPerformAction gets called a few dozen times.
* DropTarget::drop gets called once, completing the drop. It's a bug to call gdk_drop_status() after this point.
* DropTarget::leave gets called once.
* DropTarget::didPerformAction gets called twice more.

and everything works fine. Notably, DropTarget::leave unsets m_drop and will cause DropTarget::didPerformAction to bail without ever calling gdk_drop_status(). So my guess is that under Flatpak, instead of drop -> leave -> didPerformAction, we have drop -> didPerformAction -> leave, which would crash. However, I'm not sure because testing anything under flatpak is a tremendous pain.
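
An added illustration, not part of the bug thread and not WebKit or GTK code: a toy C++ model of the two callback orderings described in comment 5, counting status calls that arrive after the drop has finished. ToyDrop, ToyDropTarget, replay() and the guard in drop() are assumptions made for this example and are not the change that landed for this bug.

```cpp
// Toy model of the callback ordering from comment 5. ToyDrop, ToyDropTarget
// and replay() are hypothetical names, not GTK or WebKit code.
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct ToyDrop {
    bool finished = false;
    int criticals = 0; // status() calls that arrive after the drop finished
    void status() { if (finished) ++criticals; } // stands in for gdk_drop_status()
    void finish() { finished = true; }
};

class ToyDropTarget {
public:
    ToyDropTarget(std::shared_ptr<ToyDrop> drop, bool guarded)
        : m_drop(std::move(drop)), m_guarded(guarded) { }
    void drop() {
        if (!m_drop) return;
        m_drop->finish();
        if (m_guarded) m_drop.reset(); // assumed guard: forget a finished drop
    }
    void leave() { m_drop.reset(); }
    void didPerformAction() {
        if (!m_drop) return; // the bail-out comment 5 describes after leave()
        m_drop->status();
    }
private:
    std::shared_ptr<ToyDrop> m_drop;
    bool m_guarded;
};

// Replays an event sequence and returns how many status() calls came too late.
int replay(const std::vector<std::string>& events, bool guarded) {
    auto drop = std::make_shared<ToyDrop>();
    ToyDropTarget target(drop, guarded);
    for (const auto& event : events) {
        if (event == "drop") target.drop();
        else if (event == "leave") target.leave();
        else if (event == "didPerformAction") target.didPerformAction();
    }
    return drop->criticals;
}

int main() {
    std::cout << replay({"drop", "leave", "didPerformAction"}, false) << " "
              << replay({"drop", "didPerformAction", "leave"}, false) << "\n";
}
```

In a fatal-criticals build each counted call would abort the process instead of incrementing a counter.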
Angelo Schirinzi
Comment 6
2025-11-12 12:18:25 PST
*** Bug 302405 has been marked as a duplicate of this bug. ***
Hyland B. (swagtoy)
Comment 7
2025-11-14 20:38:05 PST
Also reproducible if you drag a file/folder from nautilus.
Hyland B. (swagtoy)
Comment 8
2025-11-14 20:39:18 PST
Just throwing a guess, I wonder if it's related to bwrap or anything? You did mention flatpak specifically, after all.
Michael Catanzaro
Comment 9
2025-11-18 13:26:48 PST
Surprisingly, the reproducer in bug #271957 triggers this crash even outside Flatpak.

(In reply to Hyland B. (swagtoy) from comment #8)
> Just throwing a guess, I wonder if it's related to bwrap or anything? You
> did mention flatpak specifically, after all.

I was thinking it's likely going to be related to how WebKit uses the file transfer portal, but that was before I saw the non-Flatpak reproducer.
Michael Catanzaro
Comment 10
2025-11-19 13:04:33 PST
(In reply to Michael Catanzaro from comment #9)
> Surprisingly, the reproducer in bug #271957 triggers this crash even outside
> Flatpak.

OK, this is expected because what I'm doing is dragging a file or folder from nautilus. And you just told me about this a few comments up. That was *extremely* helpful information, which I completely ignored. :P
Hyland B. (swagtoy)
Comment 11
2025-11-19 13:13:03 PST
Pretty much dragging anything will crash it ;-/ I think the logic is just broken entirely.
Michael Catanzaro
Comment 12
2025-11-21 14:46:51 PST
Pull request: https://github.com/WebKit/WebKit/pull/54348
Michael Catanzaro
Comment 13
2025-11-24 08:17:09 PST
*** Bug 303004 has been marked as a duplicate of this bug. ***
EWS
Comment 14
2025-11-24 09:21:30 PST
Committed 303500@main (5a5eb476f8e3): <https://commits.webkit.org/303500@main>

Reviewed commits have been landed. Closing PR #54348 and removing active labels.