Bug 55078 - [GTK] Double free error when double-clicking on webpage
Status: RESOLVED WORKSFORME
https://bugs.webkit.org/show_bug.cgi?id=55078
Reported by Priit Laes (IRC: plaes), 2011-02-23 13:20:49 PST
Webkit-gtk-1.1.12
Epiphany-2.91.90
Gtk+-3.0.1
64-bit machine

When double-clicking on a web page background or text, epiphany crashes with a double free error:

[snip]
raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
abort () at abort.c:92
__libc_message (do_abort=2, fmt=0x7ffff1f09008 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
malloc_printerr (action=3, str=0x7ffff1f06231 "invalid fastbin entry (free)", ptr=<value optimized out>) at malloc.c:6283
__libc_free (mem=<value optimized out>) at malloc.c:3738
g_bsearch_array_free (type=<value optimized out>) at ../glib/gbsearcharray.h:298
instance_real_class_remove (type=<value optimized out>) at gtype.c:1803
g_type_create_instance (type=<value optimized out>) at gtype.c:1885
g_object_constructor (type=<value optimized out>, n_construct_properties=0, construct_params=0x0) at gobject.c:1615
g_object_newv (object_type=7976688, n_parameters=0, parameters=0x0) at gobject.c:1398
g_object_new (object_type=7976688, first_property_name=0x0) at gobject.c:1308
WebCore::getStyleContext (widgetType=8577808) at Source/WebCore/platform/gtk/RenderThemeGtk3.cpp:86
WebCore::RenderThemeGtk::platformActiveSelectionBackgroundColor (this=<value optimized out>) at Source/WebCore/platform/gtk/RenderThemeGtk3.cpp:861
WebCore::RenderTheme::activeSelectionBackgroundColor (this=0x7fffe5bc5d98) at Source/WebCore/rendering/RenderTheme.cpp:554
[/snip]
Attachments:
traceback.log (16.74 KB, text/plain), 2011-02-23 13:22 PST, Priit Laes (IRC: plaes)
Priit Laes (IRC: plaes)
Comment 1 2011-02-23 13:22:05 PST
Created attachment 83533: traceback.log

Webkit-gtk version is 1.3.12 (not 1.1.12).
Martin Robinson
Comment 2 2011-02-23 13:37:52 PST
This crash seems to be happening inside gtk_style_context_new(). Seems to indicate a GTK+ bug.
Martin Robinson
Comment 3 2011-02-23 13:38:23 PST
Carlos wrote this code originally, so perhaps he has some other idea.
Priit Laes (IRC: plaes)
Comment 4 2011-02-24 04:56:11 PST
Also happens with GtkLauncher:

[snip]
#0  raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  abort () at abort.c:92
#2  __libc_message (do_abort=2, fmt=0x7fffed274008 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  malloc_printerr (action=3, str=0x7fffed274588 "malloc(): memory corruption (fast)", ptr=<value optimized out>) at malloc.c:6283
#4  _int_malloc (av=0x7fffed4afea0, bytes=18) at malloc.c:4308
#5  __libc_malloc (bytes=18) at malloc.c:3660
#6  g_malloc (n_bytes=18) at gmem.c:164
#7  g_strdup (str=0x640f10 "question_fg_color") at gstrfuncs.c:102
#8  gtk_style_properties_map_color (props=<value optimized out>, name=0x640f10 "question_fg_color", color=<value optimized out>) at gtkstyleproperties.c:572
#9  css_provider_dump_symbolic_colors (provider=0x6392b0, path=0x2463350) at gtkcssprovider.c:1359
#10 gtk_css_provider_get_style (provider=0x6392b0, path=0x2463350) at gtkcssprovider.c:1375
#11 build_properties (context=0x24a90b0) at gtkstylecontext.c:1040
#12 (context=0x24a90b0) at gtkstylecontext.c:1147
#13 gtk_style_context_get_background_color (context=0x24a90b0, state=GTK_STATE_FLAG_SELECTED, color=0x7fffffffb410) at gtkstylecontext.c:3402
#14 WebCore::RenderThemeGtk::platformActiveSelectionBackgroundColor() const () from /home/plaes/code/WebKit/.libs/libwebkitgtk-3.0.so.0
#15 WebCore::RenderTheme::activeSelectionBackgroundColor() const () from /home/plaes/code/WebKit/.libs/libwebkitgtk-3.0.so.0
#16 WebCore::RenderObject::selectionBackgroundColor() const () from /home/plaes/code/WebKit/.libs/libwebkitgtk-3.0.so.0
#17 WebCore::InlineTextBox::paintSelection(WebCore::GraphicsContext*, WebCore::FloatPoint const&, WebCore::RenderStyle*, WebCore::Font const&) () from /home/plaes/code/WebKit/.libs/libwebkitgtk-3.0.so.0
[/snip]
Philippe Normand
Comment 5 2011-02-24 07:12:33 PST
I get this if I double-click on the google background:

#0  0x00007ffff15dc165 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff15def70 in abort () at abort.c:92
#2  0x00007ffff161227b in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff161bad6 in malloc_printerr (action=3, str=0x7ffff16cfad6 "corrupted double-linked list", ptr=<value optimized out>) at malloc.c:6267
#4  0x00007ffff161bf4d in malloc_consolidate (av=<value optimized out>) at malloc.c:5153
#5  0x00007ffff161e254 in _int_malloc (av=0x7ffff1906e40, bytes=26661) at malloc.c:4373
#6  0x00007ffff1620930 in __libc_malloc (bytes=1792) at malloc.c:3661
#7  0x00007ffff62ba49a in WTF::fastMalloc (n=1792) at ../../Source/JavaScriptCore/wtf/FastMalloc.cpp:250
#8  0x00007ffff5a74e0f in WTF::VectorBufferBase<WebCore::GraphicsContextState>::allocateBuffer (this=0x7fffffffca40, newCapacity=16) at ../../Source/JavaScriptCore/wtf/Vector.h:288
#9  0x00007ffff5a74882 in WTF::Vector<WebCore::GraphicsContextState, 0ul>::reserveCapacity (this=0x7fffffffca38, newCapacity=16) at ../../Source/JavaScriptCore/wtf/Vector.h:875
#10 0x00007ffff5a73f9b in WTF::Vector<WebCore::GraphicsContextState, 0ul>::expandCapacity (this=0x7fffffffca38, newMinCapacity=1) at ../../Source/JavaScriptCore/wtf/Vector.h:792
#11 0x00007ffff5a732ec in WTF::Vector<WebCore::GraphicsContextState, 0ul>::expandCapacity (this=0x7fffffffca38, newMinCapacity=1, ptr=0x7fffffffc9c8) at ../../Source/JavaScriptCore/wtf/Vector.h:799
#12 0x00007ffff5a712a3 in WTF::Vector<WebCore::GraphicsContextState, 0ul>::append<WebCore::GraphicsContextState> (this=0x7fffffffca38, val=...) at ../../Source/JavaScriptCore/wtf/Vector.h:971
#13 0x00007ffff5a6dddb in WebCore::GraphicsContext::save (this=0x7fffffffc9c0) at ../../Source/WebCore/platform/graphics/GraphicsContext.cpp:95
#14 0x00007ffff5ac297d in WebCore::ScrollView::paint (this=0x7476e0, context=0x7fffffffc9c0, rect=...) at ../../Source/WebCore/platform/ScrollView.cpp:922
#15 0x00007ffff534d540 in paintWebView (frame=0x729800, transparent=0, context=..., clipRect=..., rects=...) at ../../Source/WebKit/gtk/webkit/webkitwebview.cpp:683
#16 0x00007ffff534d860 in webkit_web_view_draw (widget=0x6fc0c0, cr=0x7ffff30739e0) at ../../Source/WebKit/gtk/webkit/webkitwebview.cpp:751
#17 0x00007ffff44727c8 in _gtk_marshal_BOOLEAN__BOXED (closure=0x66fde0, return_value=0x7fffffffcd00, n_param_values=<value optimized out>, param_values=0xdae520, invocation_hint=<value optimized out>, marshal_data=0x7ffff534d666) at gtkmarshalers.c:85
#18 0x00007ffff45a16a0 in gtk_widget_draw_marshaller (closure=0x66fde0, return_value=0x7fffffffcd00, n_param_values=2, param_values=0xdae520, invocation_hint=<value optimized out>, marshal_data=<value optimized out>) at gtkwidget.c:782
#19 0x00007ffff245802e in g_closure_invoke (closure=0x66fde0, return_value=0x7fffffffcd00, n_param_values=2, param_values=0xdae520, invocation_hint=0x7fffffffccc0) at gclosure.c:767
#20 0x00007ffff2470d12 in signal_emit_unlocked_R (node=0x66fe90, detail=<value optimized out>, instance=<value optimized out>, emission_return=<value optimized out>, instance_and_params=<value optimized out>) at gsignal.c:3290
#21 0x00007ffff247269c in g_signal_emit_valist (instance=0x6fc0c0, signal_id=<value optimized out>, detail=0, var_args=0x7fffffffceb0) at gsignal.c:2993
#22 0x00007ffff2473083 in g_signal_emit (instance=0x6825, signal_id=26661, detail=6) at gsignal.c:3040
#23 0x00007ffff45971fa in _gtk_widget_draw_internal (widget=0x6fc0c0, cr=0x7ffff30739e0, clip_to_size=1) at gtkwidget.c:5653
#24 0x00007ffff4599525 in gtk_widget_send_expose (widget=0x6fc0c0, event=<value optimized out>) at gtkwidget.c:5900
#25 0x00007ffff446d39a in gtk_main_do_event (event=0x7fffffffd060) at gtkmain.c:1788
#26 0x00007ffff40d3182 in _gdk_window_process_updates_recurse (window=0x632b40, expose_region=0x1175250) at gdkwindow.c:3872
#27 0x00007ffff40d311f in _gdk_window_process_updates_recurse (window=0x632360, expose_region=0x1171180) at gdkwindow.c:3845
#28 0x00007ffff40d3542 in gdk_window_process_updates_internal (window=0x632360) at gdkwindow.c:4028
#29 0x00007ffff40d3828 in gdk_window_process_all_updates () at gdkwindow.c:4159
#30 0x00007ffff40d3899 in gdk_window_update_idle (data=0x6825) at gdkwindow.c:3762
#31 0x00007ffff40be36f in gdk_threads_dispatch (data=0x1089440) at gdk.c:741
#32 0x00007ffff1b6a342 in g_main_dispatch (context=0x638270) at gmain.c:2440
#33 g_main_context_dispatch (context=0x638270) at gmain.c:3013
#34 0x00007ffff1b6ea08 in g_main_context_iterate (context=0x638270, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at gmain.c:3091
#35 0x00007ffff1b6ef15 in g_main_loop_run (loop=0xe62020) at gmain.c:3299
#36 0x00007ffff446d55d in gtk_main () at gtkmain.c:1349
Carlos Garcia Campos
Comment 6 2011-02-25 00:32:00 PST
This might be this GTK+ issue: https://bugzilla.gnome.org/show_bug.cgi?id=643207

Already fixed upstream: http://git.gnome.org/browse/gtk+/commit/?id=651410fa2a2c9c1e390ecbe384ea259f9bd319c8

Could you upgrade gtk+ and confirm the problem is fixed for you, please?
Philippe Normand
Comment 7 2011-02-25 00:44:28 PST
(In reply to comment #6)
> This might be this GTK+ issue:
> https://bugzilla.gnome.org/show_bug.cgi?id=643207
>
> already fixed upstream:
> http://git.gnome.org/browse/gtk+/commit/?id=651410fa2a2c9c1e390ecbe384ea259f9bd319c8
>
> could you upgrade gtk+ and confirm the problem is fixed for you, please?

Yes, that GTK+ patch fixed the issue for me.
Priit Laes (IRC: plaes)
Comment 8 2011-02-25 01:44:11 PST
(In reply to comment #6)
> This might be this GTK+ issue:
> https://bugzilla.gnome.org/show_bug.cgi?id=643207
>
> already fixed upstream:
> http://git.gnome.org/browse/gtk+/commit/?id=651410fa2a2c9c1e390ecbe384ea259f9bd319c8
>
> could you upgrade gtk+ and confirm the problem is fixed for you, please?

Thanks, works for me too now :)