Bug 69512 - [WK2] plugins/destroy-during-npp-new.html segfaults WebKitWebProcess
Summary: [WK2] plugins/destroy-during-npp-new.html segfaults WebKitWebProcess
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: Unspecified Linux
Importance: P2 Normal
Assignee: Sergio Villar Senin
Blocks: 69523
Reported: 2011-10-06 03:43 PDT by Alejandro G. Castro
Modified: 2015-05-07 18:10 PDT
CC: 6 users

Attachments
Patch (3.96 KB, patch)
2011-10-25 09:47 PDT, Sergio Villar Senin
andersca: review-
Description Alejandro G. Castro 2011-10-06 03:43:39 PDT
This is the backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007f888920a027 in WebCore::RenderPart::setWidget (this=0x1ed17f8, widget=...) at ../../../Source/WebCore/rendering/RenderPart.cpp:59
59	    viewCleared();
(gdb) bt
#0  0x00007f888920a027 in WebCore::RenderPart::setWidget (this=0x1ed17f8, widget=...) at ../../../Source/WebCore/rendering/RenderPart.cpp:59
#1  0x00007f8888f25db5 in WebCore::SubframeLoader::loadPlugin (this=0x1eb2b08, pluginElement=0x1f988f0, url=..., mimeType="application/x-webkit-test-netscape", paramNames=WTF::Vector of length 5, capacity 16 = {...}, 
    paramValues=WTF::Vector of length 5, capacity 16 = {...}, useFallback=false) at ../../../Source/WebCore/loader/SubframeLoader.cpp:370
#2  0x00007f8888f24c12 in WebCore::SubframeLoader::requestPlugin (this=0x1eb2b08, ownerElement=0x1f988f0, url=..., mimeType="application/x-webkit-test-netscape", paramNames=WTF::Vector of length 5, capacity 16 = {...}, 
    paramValues=WTF::Vector of length 5, capacity 16 = {...}, useFallback=false) at ../../../Source/WebCore/loader/SubframeLoader.cpp:122
#3  0x00007f8888f24de6 in WebCore::SubframeLoader::requestObject (this=0x1eb2b08, ownerElement=0x1f988f0, url="(null)", frameName="(null)", mimeType="application/x-webkit-test-netscape", paramNames=WTF::Vector of length 5, capacity 16 = {...}, 
    paramValues=WTF::Vector of length 5, capacity 16 = {...}) at ../../../Source/WebCore/loader/SubframeLoader.cpp:142
#4  0x00007f8888d3a94a in WebCore::HTMLEmbedElement::updateWidget (this=0x1f988f0, pluginCreationOption=WebCore::CreateOnlyNonNetscapePlugins) at ../../../Source/WebCore/html/HTMLEmbedElement.cpp:184
#5  0x00007f8888d7297b in WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary (this=0x1f988f0) at ../../../Source/WebCore/html/HTMLPlugInImageElement.cpp:170
#6  0x00007f8888d72a5d in WebCore::HTMLPlugInImageElement::updateWidgetCallback (n=0x1f988f0) at ../../../Source/WebCore/html/HTMLPlugInImageElement.cpp:193
#7  0x00007f8888b69fcb in WebCore::ContainerNode::dispatchPostAttachCallbacks () at ../../../Source/WebCore/dom/ContainerNode.cpp:746
#8  0x00007f8888b69e26 in WebCore::ContainerNode::resumePostAttachCallbacks (this=0x1f12bb0) at ../../../Source/WebCore/dom/ContainerNode.cpp:713
#9  0x00007f8888b7fdb6 in WebCore::Document::recalcStyle (this=0x1f12bb0, change=WebCore::Node::NoChange) at ../../../Source/WebCore/dom/Document.cpp:1605
#10 0x00007f8888b7ff5a in WebCore::Document::updateStyleIfNeeded (this=0x1f12bb0) at ../../../Source/WebCore/dom/Document.cpp:1627
#11 0x00007f8888f9d636 in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive (this=0x1f12260) at ../../../Source/WebCore/page/FrameView.cpp:2809
#12 0x00007f88888f0604 in WebKit::WebPage::layoutIfNeeded (this=0x1ea4fd0) at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:659
#13 0x00007f88888dddea in WebKit::DrawingAreaImpl::display (this=0x1eb5140, updateInfo=...) at ../../../Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp:619
#14 0x00007f88888dda5d in WebKit::DrawingAreaImpl::display (this=0x1eb5140) at ../../../Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp:566
#15 0x00007f88888dd8f4 in WebKit::DrawingAreaImpl::displayTimerFired (this=0x1eb5140) at ../../../Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp:545
#16 0x00007f88888df0b2 in Timer<WebKit::DrawingAreaImpl>::fired (this=0x1eb51d0) at ../../../Source/WebKit2/Platform/RunLoop.h:127
#17 0x00007f8888757339 in RunLoop::TimerBase::timerFiredCallback (timer=0x1eb51d0) at ../../../Source/WebKit2/Platform/gtk/RunLoopGtk.cpp:106
#18 0x00007f8883d4ac09 in g_timeout_dispatch (source=0x1ee59d0, callback=0x7f88887572ee <RunLoop::TimerBase::timerFiredCallback(RunLoop::TimerBase*)>, user_data=0x1eb51d0) at gmain.c:3904
#19 0x00007f8883d4760c in g_main_dispatch (context=0x1e600f0) at gmain.c:2439
#20 0x00007f8883d48b52 in g_main_context_dispatch (context=0x1e600f0) at gmain.c:3008
#21 0x00007f8883d49008 in g_main_context_iterate (context=0x1e600f0, block=1, dispatch=1, self=0x1e238b0) at gmain.c:3086
#22 0x00007f8883d49766 in g_main_loop_run (loop=0x1e603a0) at gmain.c:3294
#23 0x00007f888875710d in RunLoop::run () at ../../../Source/WebKit2/Platform/gtk/RunLoopGtk.cpp:56
#24 0x00007f888885e5b1 in WebKit::WebProcessMainGtk (argc=2, argv=0x7fffe1226e58) at ../../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:64
#25 0x0000000000400984 in main (argc=2, argv=0x7fffe1226e58) at ../../../Source/WebKit2/gtk/MainGtk.cpp:31
Comment 1 Sergio Villar Senin 2011-10-24 07:45:59 PDT
Working on this...
Comment 2 Sergio Villar Senin 2011-10-25 09:47:29 PDT
Created attachment 112347 [details]
Patch
Comment 3 Martin Robinson 2011-10-25 09:55:57 PDT
Removing the GTK tag since this bug is platform-independent.
Comment 4 Sergio Villar Senin 2011-10-25 10:01:08 PDT
So this is the story of the bug as far as I understood it. This test loads a plugin that removes itself from the document during plugin initialization. The thing is that the RenderWidget was destroying itself during that process, because the plugin was triggering a ::destroy call on the RenderWidget while it was still running the setWidget() code needed to load the plugin.

What I did in the patch above was to use RenderWidget's ref counting system to prevent the renderer from being destroyed while executing its own code. (Maybe the other option is to use WebCore::RenderWidget::suspendWidgetHierarchyUpdates, but I'm not sure we want to do that in this specific case.)

I don't have a clear explanation of why this was failing only in WebKit2, but maybe it's because they're just following different execution paths.

I was also tempted to remove this test from the Skipped file for other ports, but I'm still not sure how to proceed in this case. Should I first ask somebody else to try it before landing (assuming the patch is correct, of course)?

PS: adding to the CC some people who look familiar with this code.
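To make the mechanism described in the comment above concrete, here is an added example that is not WebKit code and not the attached patch. It models the failure shape from the backtrace (a callback run from inside setWidget() drops the last reference to the object whose method is still on the stack) and the protector-reference fix the comment describes. RenderWidgetSim, Owner, Protector, setWidgetUnguarded, setWidgetGuarded and runScenario are hypothetical stand-ins for RenderWidget, the owning render tree, RefPtr<RenderWidget>, RenderWidget::setWidget and the test's self-removing plugin; none of these names come from the page.

```cpp
// Added example, not WebKit code. Models the re-entrant destruction in
// bug 69512 comment 4 and the "hold a ref to yourself" fix.
#include <cassert>
#include <functional>

// What one setWidget() call observed (constructed for this example).
struct CallResult {
    bool freedWhileRunning;   // object deleted while setWidget() was still on the stack
    bool postCallbackStepRan; // the viewCleared() stand-in ran on a live object
};

struct Outcome : CallResult {
    bool freedByReturn;       // object gone by the time setWidget() returned
};

// Hypothetical stand-in for WebCore::RenderWidget with an intrusive refcount.
struct RenderWidgetSim {
    static int s_destructions;   // global count of deleted widgets; reading it never touches `this`
    int refCount = 0;
    bool viewClearedRan = false;

    void ref()   { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
    ~RenderWidgetSim() { ++s_destructions; }

    // The crashing shape. The plugin's init callback may remove the element from the
    // document and drop the last reference. The only reason this model does not
    // dereference freed memory is the explicit check of the static counter; real code
    // goes straight on to viewCleared(), which is frame #0 of the backtrace.
    CallResult setWidgetUnguarded(const std::function<void()>& pluginInit) {
        int before = s_destructions;
        pluginInit();
        if (s_destructions != before)
            return {true, false};   // `this` is dangling here: do not touch any member
        viewClearedRan = true;      // stand-in for viewCleared()
        return {false, true};
    }

    // The fix from comment 4: keep a reference for the duration of the call, so a
    // destroy triggered from inside the callback is deferred until the protector dies.
    CallResult setWidgetGuarded(const std::function<void()>& pluginInit);
};
int RenderWidgetSim::s_destructions = 0;

// RAII protector, the equivalent of RefPtr<RenderWidget> protector(this).
struct Protector {
    RenderWidgetSim* p;
    explicit Protector(RenderWidgetSim* w) : p(w) { p->ref(); }
    ~Protector() { p->deref(); }
};

CallResult RenderWidgetSim::setWidgetGuarded(const std::function<void()>& pluginInit) {
    Protector protector(this);
    int before = s_destructions;
    pluginInit();
    bool freedWhileRunning = (s_destructions != before);  // cannot happen: we hold a ref
    viewClearedRan = true;                                // safe to touch members
    return {freedWhileRunning, true};
    // protector goes out of scope here; if the owner let go, the widget dies now
}

// The owning side (render tree / plugin element stand-in): exactly one reference.
struct Owner {
    RenderWidgetSim* widget = nullptr;
    void attach(RenderWidgetSim* w) { widget = w; w->ref(); }
    void detach() { if (RenderWidgetSim* w = widget) { widget = nullptr; w->deref(); } }
};

// Drive one call. selfRemoving models plugins/destroy-during-npp-new.html: the plugin
// removes its own element from the document during initialization.
Outcome runScenario(bool guarded, bool selfRemoving) {
    Owner owner;
    RenderWidgetSim* w = new RenderWidgetSim;
    owner.attach(w);
    auto pluginInit = [&owner, selfRemoving] { if (selfRemoving) owner.detach(); };
    int before = RenderWidgetSim::s_destructions;
    CallResult r = guarded ? w->setWidgetGuarded(pluginInit) : w->setWidgetUnguarded(pluginInit);
    Outcome o;
    o.freedWhileRunning = r.freedWhileRunning;
    o.postCallbackStepRan = r.postCallbackStepRan;
    o.freedByReturn = (RenderWidgetSim::s_destructions != before);
    owner.detach();   // normal teardown when the plugin did not remove itself
    return o;
}

int main() {
    Outcome bug = runScenario(false, true);
    Outcome fixed = runScenario(true, true);
    assert(bug.freedWhileRunning && !bug.postCallbackStepRan);
    assert(!fixed.freedWhileRunning && fixed.postCallbackStepRan && fixed.freedByReturn);
    return 0;
}
```

The guarded variant does not prevent the removal; it only moves the deletion to the end of the call, after the members have been used for the last time, which is exactly what a local RefPtr<RenderWidget> protector(this) buys in WebCore. The unguarded variant checks a global counter before touching members only so the model stays free of undefined behaviour; the real crash is the path where that check is absent.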
Comment 5 Anders Carlsson 2011-11-21 08:22:09 PST
Comment on attachment 112347 [details]
Patch

I don't think this is the right fix - if this only happens in WebKit2 then we should try to fix it there.
Comment 6 Alexey Proskuryakov 2013-12-19 16:17:09 PST
Is this still the case on any platforms? I just ran the test on Mac locally, and it passed.
Comment 7 Martin Robinson 2015-05-07 18:10:51 PDT
Seems to be marked as flaky on Mac, works on GTK+, and skipped on Windows since 2009. I'm just going to close this bug.