RESOLVED FIXED 82896
Segmentation fault in JS drop-down menus in facebook.com
https://bugs.webkit.org/show_bug.cgi?id=82896
Mario Sanchez Prada
Reported 2012-04-02 07:09:34 PDT
This issue has been observed with upstream webkit + Epiphany browser and does not happen with the latest stable release of webkitgtk (1.8). Still, it's not clear to me whether this happens in other ports, since the backtrace seems to suggest that the problem is somewhere in the cross-platform code. It would be wonderful if someone could try it (CCing Chris because of that).

STEPS TO REPRODUCE IT:
1. Log in to facebook.com
2. Open any of the html menus in facebook (e.g. the one for 'privacy' in one of your posts, or the one that shows up when hovering over a 'Friends' button, to select a list)
3. Let the drop-down menu disappear (e.g. just hover out of the menu for the 'Friends' drop-down menu)

EXPECTED OUTCOME:
Nothing unexpected happens :P

ACTUAL OUTCOME:
WebKit crashes with SIGSEGV, spitting the following backtrace in gdb:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
Missing separate debuginfos, use: debuginfo-install gnome-shell-3.2.2.1-1.fc16.x86_64 google-talkplugin-2.8.5.0-1.x86_64 icedtea-web-1.2-1.fc16.x86_64 nss-myhostname-0.3-1.fc16.x86_64
(gdb) back
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff643c9b5 in WebCore::AccessibilityRenderObject::renderBoxModelObject() const () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#2  0x00007ffff643ca28 in WebCore::AccessibilityRenderObject::isAttachment() const () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#3  0x00007ffff64311dd in WebCore::AccessibilityObject::clearChildren() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#4  0x00007ffff6435e59 in WebCore::AccessibilityRenderObject::clearChildren() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#5  0x00007ffff643675d in WebCore::AccessibilityRenderObject::detach() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#6  0x00007ffff644919f in WebCore::AXObjectCache::remove(unsigned int) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#7  0x00007ffff64494e0 in WebCore::AXObjectCache::remove(WebCore::RenderObject*) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#8  0x00007ffff6b5a0b4 in WebCore::RenderObject::willBeDestroyed() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#9  0x00007ffff6ae1020 in WebCore::RenderBox::willBeDestroyed() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#10 0x00007ffff6aa79c5 in WebCore::RenderBlock::willBeDestroyed() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#11 0x00007ffff6b5928d in WebCore::RenderObject::destroy() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#12 0x00007ffff6621e68 in WebCore::Node::detach() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#13 0x00007ffff660cf3b in WebCore::Element::detach() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#14 0x00007ffff65ce984 in WebCore::ContainerNode::detach() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#15 0x00007ffff660cf3b in WebCore::Element::detach() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#16 0x00007ffff65ce984 in WebCore::ContainerNode::detach() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#17 0x00007ffff660cf3b in WebCore::Element::detach() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#18 0x00007ffff65ce984 in WebCore::ContainerNode::detach() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#19 0x00007ffff660cf3b in WebCore::Element::detach() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#20 0x00007ffff660d89d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#21 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#22 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#23 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#24 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#25 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#26 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#27 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#28 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#29 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#30 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#31 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#32 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#33 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#34 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#35 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#36 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#37 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#38 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#39 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#40 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#41 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#42 0x00007ffff660d474 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#43 0x00007ffff65efe03 in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#44 0x00007ffff65f02e3 in WebCore::Document::updateStyleIfNeeded() () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#45 0x00007ffff66a3a3f in WebCore::FrameSelection::notifyRendererOfSelectionChange(WebCore::EUserTriggered) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#46 0x00007ffff6958de8 in WebCore::EventHandler::handleMouseReleaseEvent(WebCore::MouseEventWithHitTestResults const&) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#47 0x00007ffff695c656 in WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#48 0x00007ffff6338a70 in webkit_web_view_button_release_event(_GtkWidget*, _GdkEventButton*) () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
#49 0x00007ffff2590c18 in _gtk_marshal_BOOLEAN__BOXEDv (closure=0x6f6980, return_value=0x7fffffffcf00, instance=0x10680c0, args=0x7fffffffd098, marshal_data=0x7ffff6338a00, n_params=1, param_types=0x6f69b0) at gtkmarshalers.c:130
#50 0x00007ffff049985c in g_type_class_meta_marshalv (closure=0x6f6980, return_value=0x7fffffffcf00, instance=0x10680c0, args=0x7fffffffd098, marshal_data=0x188, n_params=1, param_types=0x6f69b0) at gclosure.c:997
#51 0x00007ffff0499408 in _g_closure_invoke_va (closure=0x6f6980, return_value=0x7fffffffcf00, instance=0x10680c0, args=0x7fffffffd098, n_params=1, param_types=0x6f69b0) at gclosure.c:840
#52 0x00007ffff04b3d11 in g_signal_emit_valist (instance=0x10680c0, signal_id=29, detail=0, var_args=0x7fffffffd098) at gsignal.c:3207
#53 0x00007ffff04b4ebd in g_signal_emit (instance=0x10680c0, signal_id=29, detail=0) at gsignal.c:3352
#54 0x00007ffff273b690 in gtk_widget_event_internal (widget=0x10680c0, event=0x11b2410) at gtkwidget.c:6380
#55 0x00007ffff273ace0 in gtk_widget_event (widget=0x10680c0, event=0x11b2410) at gtkwidget.c:6037
#56 0x00007ffff2590569 in propagate_event_up (widget=0x10680c0, event=0x11b2410, topmost=0x0) at gtkmain.c:2390
#57 0x00007ffff25908cb in propagate_event (widget=0x10680c0, event=0x11b2410, captured=0, topmost=0x0) at gtkmain.c:2490
#58 0x00007ffff2590999 in gtk_propagate_event (widget=0x10680c0, event=0x11b2410) at gtkmain.c:2525
#59 0x00007ffff258f468 in gtk_main_do_event (event=0x11b2410) at gtkmain.c:1713
#60 0x00007ffff212b5f6 in _gdk_event_emit (event=0x11b2410) at gdkevents.c:69
#61 0x00007ffff2163d64 in gdk_event_source_dispatch (source=0x7283c0, callback=0, user_data=0x0) at gdkeventsource.c:358
#62 0x00007fffefd8e0ab in g_main_dispatch (context=0x72abe0) at gmain.c:2515
#63 0x00007fffefd8ed6c in g_main_context_dispatch (context=0x72abe0) at gmain.c:3052
#64 0x00007fffefd8ef4f in g_main_context_iterate (context=0x72abe0, block=1, dispatch=1, self=0x835300) at gmain.c:3123
#65 0x00007fffefd8f013 in g_main_context_iteration (context=0x72abe0, may_block=1) at gmain.c:3184
#66 0x00007ffff0c706d5 in g_application_run (application=0x858020, argc=1, argv=0x7fffffffd748) at gapplication.c:1496
#67 0x000000000042fe44 in main (argc=1, argv=0x7fffffffd748) at ephy-main.c:481
Attachments
Patch proposal (6.58 KB, patch)
2012-04-10 10:08 PDT, Mario Sanchez Prada
no flags
chris fleizach
Comment 1 2012-04-02 09:49:36 PDT
It's not happening for me with Safari, but all I have is a fake Facebook account for testing so maybe I'm missing something.

The backtrace would indicate that m_renderer is 0 while in

#1 0x00007ffff643c9b5 in WebCore::AccessibilityRenderObject::renderBoxModelObject() const () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0

but there are checks for m_renderer in that method.

    if (!m_renderer || !m_renderer->isBoxModelObject())
        return 0;

Maybe those checks fixed the problem. It would be interesting to attach to the process in gdb and, while that menu disappears, observe that this same backtrace still occurs and that it does not crash.
Claudio Saavedra
Comment 2 2012-04-02 23:07:45 PDT
The checkout of webkit that I have locally has those checks and is crashing with the same stacktrace, so I don't think these checks are fixing anything. Unfortunately, I don't have a dbg build, though.
Mario Sanchez Prada
Comment 3 2012-04-03 00:00:29 PDT
(In reply to comment #1)
> It's not happening for me with Safari, but all I have is a fake Facebook account for testing so maybe I'm missing something.

In theory, if you see a JavaScript drop-down menu showing up and then going away without problems, I'd say the problem is not happening there. Thanks for trying.

> The backtrace would indicate that m_renderer is 0 while in
>
> #1 0x00007ffff643c9b5 in WebCore::AccessibilityRenderObject::renderBoxModelObject() const () from /opt/gnome-3.0/lib64/libwebkitgtk-3.0.so.0
>
> but there are checks for m_renderer in that method.
>
>     if (!m_renderer || !m_renderer->isBoxModelObject())
>         return 0;
>
> Maybe those checks fixed the problem.

As Claudio said, those checks are already in place. Actually I did the following change in the code:

-    if (!m_renderer || !m_renderer->isBoxModelObject())
+    if (!m_renderer)
         return 0;
+
+    if (!m_renderer->isBoxModelObject())
+        return 0;
+

And it's still crashing in m_renderer->isBoxModelObject(), where m_renderer is not null. Perhaps it points to corrupt memory? It's very weird because if I call from gdb to methods of RenderObject over that m_renderer, they work with no problem...

I will keep investigating.
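Review bot: splitting the combined condition into two separate checks cannot change the outcome, because `||` already short-circuits on a null m_renderer and you report that m_renderer is non-null at the crash. A non-null pointer that faults inside m_renderer->isBoxModelObject() is a pointer to a renderer that has already been freed, which no null test can detect; the original backtrace (frames #5 through #11, AccessibilityRenderObject::detach() running under RenderObject::willBeDestroyed()) shows the teardown path that is supposed to clear m_renderer, so the question to answer is why the AX object for this renderer was not detached there. A debug build, ideally with a memory-error detector such as AddressSanitizer, would turn the silent stale dereference into a report naming the freed object and its deallocation stack.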
Mario Sanchez Prada
Comment 4 2012-04-03 00:11:23 PDT
(In reply to comment #3)
> (In reply to comment #1)
> > It's not happening for me with Safari, but all I have is a fake Facebook
> > account for testing so maybe I'm missing something.
>
> In theory, if you see a JavaScript drop-down menu showing up and then going
> away without problems, I'd say the problem is not happening there. Thanks for
> trying.

Hmm.. I just realized that opening a drop-down menu and letting it go away is not enough for reproducing the bug. Let's be more specific:

STEPS TO REPRODUCE IT:
1. Log in to facebook.com
2. Click on a friend's profile to open it
3. Move the mouse over the 'gear' button in the top-east corner of the profile (under the blue top bar, normally beside a 'Message' button).
4. When the drop-down menu shows up, move the mouse over some of the options there (e.g. 'Poke', 'Report/Block').
5. Mouse click out of the area of the drop-down menu to let it disappear.

If you now see the drop-down menu disappear and your browser does not crash, then your WebKit port is safe, otherwise you're as doomed as the GTK port is :)
chris fleizach
Comment 5 2012-04-03 09:31:21 PDT
I followed those steps listed and even broke on the crashing method. I saw m_renderer = 0 and everything worked ok

Breakpoint 2, WebCore::AccessibilityRenderObject::isAttachment (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:535
535       RenderBoxModelObject* renderer = renderBoxModelObject();
(gdb) x/ca m_renderer
0x0:    Cannot access memory at address 0x0
(gdb) s
WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:133
133       if (!m_renderer || !m_renderer->isBoxModelObject())
(gdb) n
134           return 0;
(gdb) bt
#0  WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:134
chris fleizach
Comment 6 2012-04-03 09:33:27 PDT
(In reply to comment #5)
> I followed those steps listed and even broke on the crashing method. I saw m_renderer = 0 and everything worked ok
>
> Breakpoint 2, WebCore::AccessibilityRenderObject::isAttachment (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:535
> 535       RenderBoxModelObject* renderer = renderBoxModelObject();
> (gdb) x/ca m_renderer
> 0x0:    Cannot access memory at address 0x0
> (gdb) s
> WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:133
> 133       if (!m_renderer || !m_renderer->isBoxModelObject())
> (gdb) n
> 134           return 0;
> (gdb) bt
> #0  WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:134

I think this one's up to you to figure out.
Mario Sanchez Prada
Comment 7 2012-04-04 06:53:41 PDT
(In reply to comment #6)
> (In reply to comment #5)
> > I followed those steps listed and even broke on the crashing method. I saw m_renderer = 0 and everything worked ok
> >
> > Breakpoint 2, WebCore::AccessibilityRenderObject::isAttachment (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:535
> > 535       RenderBoxModelObject* renderer = renderBoxModelObject();
> > (gdb) x/ca m_renderer
> > 0x0:    Cannot access memory at address 0x0
> > (gdb) s
> > WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:133
> > 133       if (!m_renderer || !m_renderer->isBoxModelObject())
> > (gdb) n
> > 134           return 0;
> > (gdb) bt
> > #0  WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:134
>
> I think this one's up to you to figure out.

Thanks Chris for helping me debug this thing. It turns out I did dare to git bisect and, after 11 full builds, I finally found the commit where this started failing reliably:

http://trac.webkit.org/changeset/110819

I see you're the author of that commit, so I leave this here in the hope you might perhaps have a clue of why this is happening.

Now I need to run.

Again, thanks!
chris fleizach
Comment 8 2012-04-04 08:56:25 PDT
(In reply to comment #7)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > I followed those steps listed and even broke on the crashing method. I saw m_renderer = 0 and everything worked ok
> > >
> > > Breakpoint 2, WebCore::AccessibilityRenderObject::isAttachment (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:535
> > > 535       RenderBoxModelObject* renderer = renderBoxModelObject();
> > > (gdb) x/ca m_renderer
> > > 0x0:    Cannot access memory at address 0x0
> > > (gdb) s
> > > WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:133
> > > 133       if (!m_renderer || !m_renderer->isBoxModelObject())
> > > (gdb) n
> > > 134           return 0;
> > > (gdb) bt
> > > #0  WebCore::AccessibilityRenderObject::renderBoxModelObject (this=0x7fcda238c1e0) at AccessibilityRenderObject.cpp:134
> >
> > I think this one's up to you to figure out.
>
> Thanks Chris for helping me debug this thing. It turns out I did dare to git bisect and, after 11 full builds, I finally found the commit where this started failing reliably:
>
> http://trac.webkit.org/changeset/110819
>
> I see you're the author of that commit, so I leave this here in the hope you might perhaps have a clue of why this is happening.
>
> Now I need to run.
>
> Again, thanks!

I think it indicates that a render object was destroyed but the AX object was not updated at the same time. That should not happen, since in RenderObject::willBeDestroyed(), AXObjectCache::remove is called.

A way I can see this happening is if AXObjectCache::remove was not called for this child, or if it was, it failed for some reason.
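The invariant described in comment 8 (every renderer teardown must reach AXObjectCache::remove, or the AX wrapper keeps a pointer to freed memory) is easiest to see in a small model. The following is an added example written for this page, not WebKit code: the class names mirror WebKit's, but the bodies, the liveness registry, the `notifyCacheOnDestroy` switch and the `RendererState` result are all constructed here. The cache records the address of each live renderer and compares addresses without ever dereferencing the stored pointer, which is how the stale case can be reported safely; in a real engine that role is played by a memory-error detector or a debug assertion, not by production code.

```cpp
// Toy model of the AX-cache / render-tree relationship (added example, not WebKit code).
// Wrappers hold non-owning pointers to renderers; the only thing keeping those
// pointers valid is that every renderer teardown notifies the cache, as
// RenderObject::willBeDestroyed() -> AXObjectCache::remove() does in WebKit.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <unordered_map>

struct RenderObject;

// Accessibility wrapper: a non-owning pointer to its renderer (m_renderer).
struct AXRenderObject {
    RenderObject* m_renderer = nullptr;
    void detach() { m_renderer = nullptr; }
};

// id -> wrapper map plus a registry of live renderer addresses (constructed for
// this example). Wrappers are shared because, as in WebKit, other holders can
// keep an AX object alive after the cache has dropped it.
struct AXObjectCache {
    std::unordered_map<uint64_t, std::shared_ptr<AXRenderObject>> m_objects;
    std::set<uintptr_t> m_liveRenderers; // addresses only; never dereferenced

    std::shared_ptr<AXRenderObject> getOrCreate(RenderObject* renderer);
    void remove(uint64_t id);
    bool isLive(const RenderObject* r) const {
        return m_liveRenderers.count(reinterpret_cast<uintptr_t>(r)) != 0;
    }
};

struct RenderObject {
    uint64_t id;
    AXObjectCache* cache;
    bool notifyCacheOnDestroy; // false models a teardown path that skips AXObjectCache::remove

    RenderObject(uint64_t i, AXObjectCache* c, bool notify)
        : id(i), cache(c), notifyCacheOnDestroy(notify) {
        cache->m_liveRenderers.insert(reinterpret_cast<uintptr_t>(this));
    }
    ~RenderObject() {
        cache->m_liveRenderers.erase(reinterpret_cast<uintptr_t>(this));
        if (notifyCacheOnDestroy)
            cache->remove(id); // the willBeDestroyed() -> AXObjectCache::remove() step
    }
};

std::shared_ptr<AXRenderObject> AXObjectCache::getOrCreate(RenderObject* renderer) {
    auto it = m_objects.find(renderer->id);
    if (it == m_objects.end()) {
        auto ax = std::make_shared<AXRenderObject>();
        ax->m_renderer = renderer;
        it = m_objects.emplace(renderer->id, ax).first;
    }
    return it->second;
}

void AXObjectCache::remove(uint64_t id) {
    auto it = m_objects.find(id);
    if (it == m_objects.end())
        return;
    it->second->detach(); // clear m_renderer before anyone can use it again
    m_objects.erase(it);
}

// What a null check can and cannot tell you: the real renderBoxModelObject()
// guards only against m_renderer == 0, so a pointer to a freed renderer passes
// the test and is then dereferenced. This model consults the liveness registry
// instead of touching the pointer.
enum class RendererState { Null, Live, Stale };

RendererState checkRenderer(const AXObjectCache& cache, const AXRenderObject& ax) {
    if (!ax.m_renderer)
        return RendererState::Null;
    return cache.isLive(ax.m_renderer) ? RendererState::Live : RendererState::Stale;
}

// Create a renderer and its AX wrapper, destroy the renderer, then inspect the
// wrapper that a third party (e.g. a platform accessibility wrapper) still holds.
RendererState destroyRendererAndInspectWrapper(bool notifyCacheOnDestroy) {
    AXObjectCache cache;
    std::shared_ptr<AXRenderObject> held;
    {
        RenderObject renderer(42, &cache, notifyCacheOnDestroy);
        held = cache.getOrCreate(&renderer);
    } // renderer destroyed here; with notification the wrapper is detached
    return checkRenderer(cache, *held);
}

int main() {
    const char* names[] = {"Null", "Live", "Stale"};
    std::printf("with notification:    m_renderer is %s\n",
                names[static_cast<int>(destroyRendererAndInspectWrapper(true))]);
    std::printf("without notification: m_renderer is %s\n",
                names[static_cast<int>(destroyRendererAndInspectWrapper(false))]);
    return 0;
}
```

With the notification in place the surviving wrapper reports `Null`, which the existing `!m_renderer` check handles; without it the wrapper reports `Stale`, the state the thread's backtrace shows and the one no null check can catch. The fix direction is therefore always to make the teardown path reach the cache for every renderer, not to add more checks on the wrapper side.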
Mario Sanchez Prada
Comment 9 2012-04-10 10:08:12 PDT
Created attachment 136478 [details]
Patch proposal

(In reply to comment #8)
> [...]
> I think it indicates that a render object was destroyed but the AX object was not updated at the same time. That should not happen, since in RenderObject::willBeDestroyed(), AXObjectCache::remove is called.
>
> A way I can see this happening is if AXObjectCache::remove was not called for this child, or if it was, it failed for some reason.

I think that a possible reason for this to happen is that in GTK we are treating attachments in a different way than on the Mac, as we're systematically not ignoring them ever. From gtk/AccessibilityObjectAtk.cpp:

bool AccessibilityObject::accessibilityIgnoreAttachment() const
{
    return false;
}

I think a possible solution for this would be to make changes on your patch for r110819 to make sure they apply to Mac only. At least that way we would be having the -not segfaulting- behaviour we previously had.

Attaching a patch proposal, just in case you already agree with it :)
chris fleizach
Comment 10 2012-04-10 11:03:41 PDT
Comment on attachment 136478 [details]
Patch proposal

I think this is ok as a stopgap. I'd still like to know why it's actually crashing... i.e.) what happened to that object
Mario Sanchez Prada
Comment 11 2012-04-10 12:24:05 PDT
Comment on attachment 136478 [details]
Patch proposal

(In reply to comment #10)
> (From update of attachment 136478 [details])
> I think this is ok as a stopgap. I'd still like to know why it's actually crashing... i.e.) what happened to that object

Thanks. I'll report here if I ever find the reason behind that problem.
WebKit Review Bot
Comment 12 2012-04-10 15:24:31 PDT
Comment on attachment 136478 [details]
Patch proposal

Clearing flags on attachment: 136478

Committed r113778: <http://trac.webkit.org/changeset/113778>
WebKit Review Bot
Comment 13 2012-04-10 15:24:35 PDT
All reviewed patches have been landed. Closing bug.