[Webkit-unassigned] [Bug 144262] New: [GTK] Crash in WebProcess when loading large content with custom URI schemes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 27 10:02:19 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=144262

            Bug ID: 144262
           Summary: [GTK] Crash in WebProcess when loading large content
                    with custom URI schemes
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: Gtk
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mario at webkit.org
                CC: cgarcia at igalia.com, mrobinson at webkit.org

Created attachment 251750
  --> https://bugs.webkit.org/attachment.cgi?id=251750&action=review
Test case (C example code)

In the past weeks, we've been seeing crashes in one WebKitGTK+-based app when the user navigates web content "too quickly", loaded via custom URI schemes (this bit is important), by clicking very fast on links rendered inside large HTML documents, which causes the current load to be cancelled and a new one to start, inside the same web view.

This is not a "happens all the time" thing, but depending on the load, the size of the original document containing the links, how fast the user is clicking and other factors alike, it's certainly likely to hit this crash over and over again, so it would be nice to have it fixed upstream, where I could reproduce it without any trouble using a debug build (although we initially detected it using webkitgtk 2.4.6 and 2.6.2).

Lastly, this is possibly related to these two bugs recently reported in Red Hat's bugzilla:
  * https://bugzilla.redhat.com/show_bug.cgi?id=1196677
  * https://bugzilla.redhat.com/show_bug.cgi?id=1209130

I'm attaching a minimal example in C code that causes the web process to crash when trying to load a 'crashy.html' file (to be attached later) twice in the same web view, causing the following crash:

$ ./webkitcrash
ASSERTION FAILED: task.get()
../../Source/WebKit2/Shared/Network/CustomProtocols/soup/CustomProtocolManagerImpl.cpp(120) : void WebKit::CustomProtocolManagerImpl::didFailWithError(uint64_t, const WebCore::ResourceError&)
1   0x7f41d220d0e9 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f41d220d0e9]
2   0x7f41d76da965 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit25CustomProtocolManagerImpl16didFailWithErrorEmRKN7WebCore13ResourceErrorE+0xa7) [0x7f41d76da965]
3   0x7f41d76de1b0 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit21CustomProtocolManager16didFailWithErrorEmRKN7WebCore13ResourceErrorE+0x3a) [0x7f41d76de1b0]
4   0x7f41d77d9fb1 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC22callMemberFunctionImplIN6WebKit21CustomProtocolManagerEMS2_FvmRKN7WebCore13ResourceErrorEESt5tupleIImS4_EEILm0ELm1EEEEvPT_T0_OT1_St14index_sequenceIIXspT2_EEE+0x9c) [0x7f41d77d9fb1]
5   0x7f41d77d9c5e /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC18callMemberFunctionIN6WebKit21CustomProtocolManagerEMS2_FvmRKN7WebCore13ResourceErrorEESt5tupleIImS4_EESt19make_index_sequenceILm2EEEEvOT1_PT_T0_+0x41) [0x7f41d77d9c5e]
6   0x7f41d77d9625 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC13handleMessageIN8Messages21CustomProtocolManager16DidFailWithErrorEN6WebKit21CustomProtocolManagerEMS5_FvmRKN7WebCore13ResourceErrorEEEEvRNS_14MessageDecoderEPT0_T1_+0xa3) [0x7f41d77d9625]
7   0x7f41d77d91e4 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit21CustomProtocolManager17didReceiveMessageERN3IPC10ConnectionERNS1_14MessageDecoderE+0xb2) [0x7f41d77d91e4]
8   0x7f41d734eb09 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC10Connection39dispatchWorkQueueMessageReceiverMessageERNS0_24WorkQueueMessageReceiverERNS_14MessageDecoderE+0x47) [0x7f41d734eb09]
9   0x7f41d7350552 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x41d8552) [0x7f41d7350552]
10  0x7f41d7352ce3 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x41dace3) [0x7f41d7352ce3]
11  0x7f41d733ac50 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x32) [0x7f41d733ac50]
12  0x7f41d2256029 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3WTF15GMainLoopSource12voidCallbackEv+0x6d) [0x7f41d2256029]
13  0x7f41d225672d /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3WTF15GMainLoopSource18voidSourceCallbackEPS0_+0x23) [0x7f41d225672d]
14  0x7f41cdbc658d /home/mario/work/WebKit/WebKitBuild/DependenciesGTK/Root/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x13d) [0x7f41cdbc658d]
15  0x7f41cdbc6928 /home/mario/work/WebKit/WebKitBuild/DependenciesGTK/Root/lib64/libglib-2.0.so.0(+0x48928) [0x7f41cdbc6928]
16  0x7f41cdbc6c42 /home/mario/work/WebKit/WebKitBuild/DependenciesGTK/Root/lib64/libglib-2.0.so.0(g_main_loop_run+0xc2) [0x7f41cdbc6c42]
17  0x7f41d9289cfc /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x6111cfc) [0x7f41d9289cfc]
18  0x7f41d928a94b /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x611294b) [0x7f41d928a94b]
19  0x7f41d733ac50 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x32) [0x7f41d733ac50]
20  0x7f41d2220176 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(+0x14b5176) [0x7f41d2220176]
21  0x7f41d224c8a7 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(+0x14e18a7) [0x7f41d224c8a7]
22  0x7f41d054052a /lib64/libpthread.so.0(+0x752a) [0x7f41d054052a]
23  0x7f41c809a22d /lib64/libc.so.6(clone+0x6d) [0x7f41c809a22d]


Now see below the backtrace as taken from gdb, while connecting to the crashing process:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffcd880700 (LWP 31538)]
0x00007fffed1ab0ee in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007fffed1ab0ee in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff2678965 in WebKit::CustomProtocolManagerImpl::didFailWithError (this=0x682fc0, customProtocolID=1, error=...) at ../../Source/WebKit2/Shared/Network/CustomProtocols/soup/CustomProtocolManagerImpl.cpp:120
#2  0x00007ffff267c1b0 in WebKit::CustomProtocolManager::didFailWithError (this=0x7fffc5ff3000, customProtocolID=1, error=...) at ../../Source/WebKit2/Shared/Network/CustomProtocols/soup/CustomProtocolManagerSoup.cpp:91
#3  0x00007ffff2777fb1 in IPC::callMemberFunctionImpl<WebKit::CustomProtocolManager, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&), std::tuple<unsigned long, WebCore::ResourceError>, 0ul, 1ul>(WebKit::CustomProtocolManager*, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&), std::tuple<unsigned long, WebCore::ResourceError>&&, std::index_sequence<0ul, 1ul>) (object=0x7fffc5ff3000, function=
    (void (WebKit::CustomProtocolManager::*)(WebKit::CustomProtocolManager * const, unsigned long, const WebCore::ResourceError &)) 0x7ffff267c176 <WebKit::CustomProtocolManager::didFailWithError(unsigned long, WebCore::ResourceError const&)>, args=<unknown type in /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0xbfa7cb1, DIE 0xbfd4e45>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:16
#4  0x00007ffff2777c5e in IPC::callMemberFunction<WebKit::CustomProtocolManager, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&), std::tuple<unsigned long, WebCore::ResourceError>, std::make_index_sequence<2ul> >(std::tuple<unsigned long, WebCore::ResourceError>&&, WebKit::CustomProtocolManager*, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&)) (
    args=<unknown type in /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0xbfa7cb1, DIE 0xbfd4082>, object=0x7fffc5ff3000, function=
    (void (WebKit::CustomProtocolManager::*)(WebKit::CustomProtocolManager * const, unsigned long, const WebCore::ResourceError &)) 0x7ffff267c176 <WebKit::CustomProtocolManager::didFailWithError(unsigned long, WebCore::ResourceError const&)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:22
#5  0x00007ffff2777625 in IPC::handleMessage<Messages::CustomProtocolManager::DidFailWithError, WebKit::CustomProtocolManager, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&)> (decoder=..., 
    object=0x7fffc5ff3000, function=
    (void (WebKit::CustomProtocolManager::*)(WebKit::CustomProtocolManager * const, unsigned long, const WebCore::ResourceError &)) 0x7ffff267c176 <WebKit::CustomProtocolManager::didFailWithError(unsigned long, WebCore::ResourceError const&)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:92
#6  0x00007ffff27771e4 in WebKit::CustomProtocolManager::didReceiveMessage (this=0x7fffc5ff3000, connection=..., decoder=...) at DerivedSources/WebKit2/CustomProtocolManagerMessageReceiver.cpp:44
#7  0x00007ffff22ecb09 in IPC::Connection::dispatchWorkQueueMessageReceiverMessage (this=0x7fffc57fb000, workQueueMessageReceiver=..., decoder=...) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:306
#8  0x00007ffff22ee552 in IPC::Connection::<lambda()>::operator()(void) const (__closure=0x7fff68001f10) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:678
#9  0x00007ffff22f0ce3 in std::_Function_handler<void(), IPC::Connection::processIncomingMessage(std::unique_ptr<IPC::MessageDecoder>)::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...)
    at /usr/include/c++/4.9.2/functional:2039
#10 0x00007ffff22d8c50 in std::function<void ()>::operator()() const (this=0x7fffcd87f908) at /usr/include/c++/4.9.2/functional:2439
#11 0x00007fffed1f4029 in WTF::GMainLoopSource::voidCallback (this=0x7fffc5fecdc0) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:365
#12 0x00007fffed1f472d in WTF::GMainLoopSource::voidSourceCallback (source=0x7fffc5fecdc0) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:456
#13 0x00007fffe8b6458d in g_main_dispatch (context=0x716470) at gmain.c:3064
#14 g_main_context_dispatch (context=context at entry=0x716470) at gmain.c:3663
#15 0x00007fffe8b64928 in g_main_context_iterate (context=0x716470, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at gmain.c:3734
#16 0x00007fffe8b64c42 in g_main_loop_run (loop=0x5cacf0) at gmain.c:3928
#17 0x00007ffff4227cfc in WTF::WorkQueue::<lambda()>::operator()(void) const (__closure=0x8e93e0) at ../../Source/WTF/wtf/gtk/WorkQueueGtk.cpp:59
#18 0x00007ffff422894b in std::_Function_handler<void(), WTF::WorkQueue::platformInitialize(char const*, WTF::WorkQueue::Type, WTF::WorkQueue::QOS)::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...)
    at /usr/include/c++/4.9.2/functional:2039
#19 0x00007ffff22d8c50 in std::function<void ()>::operator()() const (this=0x7fffcd87fb50) at /usr/include/c++/4.9.2/functional:2439
#20 0x00007fffed1be176 in WTF::threadEntryPoint (contextData=0x7fffc5ff50a0) at ../../Source/WTF/wtf/Threading.cpp:58
#21 0x00007fffed1ea8a7 in WTF::wtfThreadEntryPoint (param=0x7fffc5ffb050) at ../../Source/WTF/wtf/ThreadingPthreads.cpp:170
#22 0x00007fffeb4de52a in start_thread (arg=0x7fffcd880700) at pthread_create.c:310
#23 0x00007fffe303822d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
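As an added illustration (not the attached test case and not WebKit's code), the following C model shows the defensive shape for the message that trips the `task.get()` assertion in both traces: a `didFailWithError` that arrives for a request whose task was already torn down by the cancelled first load is dropped instead of dereferenced. The type, table and function names are stand-ins for the WebKit ones in the backtrace, and the `crashy:///` URI is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not WebKit's code: in-flight custom-URI requests keyed by
 * customProtocolID, looked up when the network side reports an error (0 = free slot). */
#define MAX_TASKS 8
typedef struct { uint64_t customProtocolID; char uri[64]; } Task;
static Task tasks[MAX_TASKS];
static uint64_t nextID = 1;
static Task *findTask(uint64_t id) {
    for (int i = 0; i < MAX_TASKS; i++)
        if (tasks[i].customProtocolID == id) return &tasks[i];
    return NULL;
}
/* Start a load for a custom-scheme URI; returns its ID, or 0 if the table is full. */
uint64_t startLoad(const char *uri) {
    Task *slot = findTask(0);
    if (!slot) return 0;
    slot->customProtocolID = nextID++;
    snprintf(slot->uri, sizeof slot->uri, "%s", uri);
    return slot->customProtocolID;
}
/* Cancelling (here: the user navigating again before the load finished) tears the task down at once. */
void cancelLoad(uint64_t id) {
    Task *task = findTask(id);
    if (task) task->customProtocolID = 0;
}
/* Hardened didFailWithError: an error for an ID whose task is already gone is
 * logged and dropped, where asserting on the task takes the whole process down. */
int didFailWithError(uint64_t id, const char *error) {
    Task *task = findTask(id);
    if (!task) {
        fprintf(stderr, "late error for request %llu ignored: %s\n", (unsigned long long)id, error);
        return 0;
    }
    fprintf(stderr, "load of %s failed: %s\n", task->uri, error);
    task->customProtocolID = 0;
    return 1;
}
/* Replays the report: load, cancel by clicking again, reload, and only then
 * the first request's failure message arrives from the network side. */
int replayScenario(void) {
    uint64_t first = startLoad("crashy:///crashy.html");
    cancelLoad(first);
    uint64_t second = startLoad("crashy:///crashy.html");
    int late = didFailWithError(first, "Load cancelled");
    int real = didFailWithError(second, "Read error");
    return first && second && first != second && late == 0 && real == 1;
}
```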
