[Webkit-unassigned] [Bug 142343] New: [GTK] [WebKit1] Crash under WebCore::ScrollView::contentsToWindow()
bugzilla-daemon at webkit.org
Thu Mar 5 07:12:33 PST 2015
https://bugs.webkit.org/show_bug.cgi?id=142343
Bug ID: 142343
Summary: [GTK] [WebKit1] Crash under WebCore::ScrollView::contentsToWindow()
Classification: Unclassified
Product: WebKit
Version: 420+
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Critical
Priority: P2
Component: WebKit Gtk
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcrha at redhat.com
Created attachment 247951
--> https://bugs.webkit.org/attachment.cgi?id=247951&action=review
reproducer (wk-crash.c)
Moving this from a downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1198758
A user of Evolution experienced a crash with the below backtrace when selecting a certain message. I do not know how interesting this might be for you, because the crash is related to a GtkWidget plugin (a response to the "create-plugin-widget" signal of the WebKitWebView). When a widget is returned, WebKitGtk crashes. If not, or if the signal handler is not used, then it doesn't crash.
Attached is a minimal reproducer; just run it and it'll crash. The first line contains a comment with a command line to compile and run the reproducer. Valgrind claims an invalid read of size 1.
This is with webkitgtk3-2.4.8-1.fc21.
Core was generated by `evolution'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 WebCore::ScrollView::contentsToWindow (this=0x0, contentsPoint=...) at Source/WebCore/platform/ScrollView.cpp:824
824 if (delegatesScrolling())
Thread 1 (Thread 0xb772f900 (LWP 25845)):
#0 WebCore::ScrollView::contentsToWindow (this=0x0, contentsPoint=...) at Source/WebCore/platform/ScrollView.cpp:824
viewPoint = {m_x = 0, m_y = 0}
#1 0x4c7cb3aa in WebCore::GtkPluginWidget::frameRectsChanged (this=0xb1f00870) at Source/WebCore/platform/gtk/GtkPluginWidget.cpp:66
rect = {m_location = {m_x = 10, m_y = 151}, m_size = {m_width = <optimized out>, m_height = <optimized out>}}
allocation = {x = 10, y = 151, width = 0, height = 1153654784}
#2 0x4b6e5b7d in WebCore::Widget::setFrameRect (this=0xb1f00870, rect=...) at Source/WebCore/platform/gtk/WidgetGtk.cpp:110
No locals.
#3 0x4c06c940 in WebCore::RenderWidget::setWidgetGeometry (this=this at entry=0xb1e7c960, frame=...) at Source/WebCore/rendering/RenderWidget.cpp:137
clipRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 1235, m_height = 1563}}
oldFrameRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}
weakThis = {m_ref = {m_ptr = 0xb1eecd58}}
newFrameRect = {m_location = {m_x = 10, m_y = 151}, m_size = {m_width = 1215, m_height = 0}}
#4 0x4c06d132 in WebCore::RenderWidget::updateWidgetGeometry (this=0xb1e7c960) at Source/WebCore/rendering/RenderWidget.cpp:163
contentBox = {m_location = {m_x = {m_value = 0}, m_y = {m_value = 0}}, m_size = {m_width = {m_value = 77760}, m_height = {m_value = 0}}}
absoluteContentBox = {m_location = {m_x = {m_value = 640}, m_y = {m_value = 9664}}, m_size = {m_width = {m_value = 77760}, m_height = {m_value = 0}}}
this = 0xb1e7c960
#5 0x4c06db21 in WebCore::RenderWidget::setWidget (this=this at entry=0xb1e7c960, widget=...) at Source/WebCore/rendering/RenderWidget.cpp:186
weakThis = {m_ref = {m_ptr = 0xb1eecd58}}
#6 0x4bd7944f in WebCore::SubframeLoader::loadPlugin (this=this at entry=0xb22c840, pluginElement=..., url=..., mimeType=..., paramNames=..., paramValues=..., useFallback=useFallback at entry=false) at Source/WebCore/loader/SubframeLoader.cpp:458
renderer = 0xb1e7c960
contentSize = {m_width = 1215, m_height = 0}
widget = {m_ptr = 0xb1f00870}
#7 0x4bd796dc in WebCore::SubframeLoader::requestPlugin (this=0xb22c840, ownerElement=..., url=..., mimeType=..., paramNames=..., paramValues=..., useFallback=false) at Source/WebCore/loader/SubframeLoader.cpp:157
useFallback = false
paramValues = @0xbfddbfc0: {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e600, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
mimeType = @0xbfddbfb0: {m_impl = {m_ptr = 0xb43ecbd0}}
url = @0xbfddbe9c: {m_string = {m_impl = {m_ptr = 0xb1f0a7c0}}, m_isValid = true, m_protocolIsInHTTPFamily = false, m_schemeEnd = 4, m_userStart = 7, m_userEnd = 7, m_passwordEnd = 7, m_hostEnd = 12, m_portEnd = 12, m_pathAfterLastSlash = 18, m_pathEnd = 41, m_queryEnd = 41, m_fragmentEnd = 41}
this = 0xb22c840
paramNames = @0xbfddbfb4: {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e700, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
ownerElement = @0xc1a17d0: {<WebCore::HTMLPlugInElement> = {<WebCore::HTMLFrameOwnerElement> = {<WebCore::HTMLElement> = {<WebCore::StyledElement> = {<WebCore::Element> = {<WebCore::ContainerNode> = {<WebCore::Node> = {<WebCore::EventTarget> = {_vptr.EventTarget = 0x4d281dc8 <vtable for WebCore::HTMLObjectElement+8>}, <WebCore::ScriptWrappable> = {m_wrapper = {m_impl = 0x0}}, <WebCore::TreeShared<WebCore::Node>> = {m_refCount = 4}, m_nodeFlags = 1057054, m_parentNode = 0xdae4080, m_treeScope = 0xb1f0e42c, m_previous = 0xbb3fc50, m_next = 0xdc54500, m_data = {m_renderer = 0xb1e7c960, m_rareData = 0xb1e7c960}}, m_firstChild = 0x0, m_lastChild = 0x0}, m_tagName = {m_impl = 0xb43daf60}, m_elementData = {m_ptr = 0xb2a073a8}}, <No data fields>}, <No data fields>}, m_contentFrame = 0x0, m_sandboxFlags = 0}, m_inBeforeLoadEventHandler = false, m_instance = {m_ptr = 0x0}, m_swapRendererTimer = {<WebCore::TimerBase> = {_vptr.TimerBase = 0x4d256220 <vtable for WebCore::Timer<WebCore::HT
#8 0x4bd7a51a in WebCore::SubframeLoader::requestObject (this=this at entry=0xb22c840, ownerElement=..., url=..., frameName=..., mimeType=..., paramNames=..., paramValues=...) at Source/WebCore/loader/SubframeLoader.cpp:225
success = <optimized out>
completedURL = {m_string = {m_impl = {m_ptr = 0xb1f0a7c0}}, m_isValid = true, m_protocolIsInHTTPFamily = false, m_schemeEnd = 4, m_userStart = 7, m_userEnd = 7, m_passwordEnd = 7, m_hostEnd = 12, m_portEnd = 12, m_pathAfterLastSlash = 18, m_pathEnd = 41, m_queryEnd = 41, m_fragmentEnd = 41}
hasFallbackContent = false
useFallback = false
#9 0x4bb64490 in WebCore::HTMLPlugInImageElement::requestObject (this=this at entry=0xc1a17d0, url=..., mimeType=..., paramNames=..., paramValues=...) at Source/WebCore/html/HTMLPlugInImageElement.cpp:774
loader = @0xb22c840: {m_containsPlugins = false, m_frame = @0xb43e0e00}
paramValues = @0xbfddbfc0: {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e600, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
mimeType = @0xbfddbfb0: {m_impl = {m_ptr = 0xb43ecbd0}}
url = @0xbfddbfac: {m_impl = {m_ptr = 0xb443e990}}
this = 0xc1a17d0
paramNames = @0xbfddbfb4: {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e700, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
#10 0x4bb54448 in WebCore::HTMLObjectElement::updateWidget (this=0xc1a17d0, pluginCreationOption=WebCore::CreateOnlyNonNetscapePlugins) at Source/WebCore/html/HTMLObjectElement.cpp:332
url = {m_impl = {m_ptr = 0xb443e990}}
serviceType = {m_impl = {m_ptr = 0xb43ecbd0}}
paramValues = {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e600, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
protect = {m_ptr = 0xc1a17d0}
beforeLoadAllowedLoad = <optimized out>
success = true
paramNames = {<WTF::VectorBuffer<WTF::String, 0u>> = {<WTF::VectorBufferBase<WTF::String>> = {m_buffer = 0xb1f2e700, m_capacity = 16, m_size = 6}, <No data fields>}, <No data fields>}
#11 0x4bb62146 in WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary (this=0xc1a17d0) at Source/WebCore/html/HTMLPlugInImageElement.cpp:282
this = 0xc1a17d0
#12 0x4bb6217e in WebCore::HTMLPlugInImageElement::updateWidgetCallback (node=...) at Source/WebCore/html/HTMLPlugInImageElement.cpp:326
No locals.
#13 0x4b909a99 in WebCore::ContainerNode::dispatchPostAttachCallbacks () at Source/WebCore/dom/ContainerNode.cpp:817
info = <optimized out>
callback = <optimized out>
params = {first = {m_ptr = 0xc1a17d0}, second = <optimized out>}
i = 5
#14 0x4b909bdb in WebCore::ContainerNode::resumePostAttachCallbacks (document=...) at Source/WebCore/dom/ContainerNode.cpp:784
protect = {m_ptr = 0xb1f12a00}
#15 0x4b922539 in ~PostAttachCallbackDisabler (this=<synthetic pointer>, __in_chrg=<optimized out>) at Source/WebCore/dom/Element.h:826
No locals.
#16 WebCore::Document::recalcStyle (this=this at entry=0xb1f12a00, change=<optimized out>, change at entry=WebCore::Style::NoChange) at Source/WebCore/dom/Document.cpp:1766
disabler = {m_document = @0xb1f12a00}
suspendWidgetHierarchyUpdates = {static s_widgetHierarchyUpdateSuspendCount = 0}
repaintRegionAccumulator = {m_rootView = 0xb2af4960, m_wasAccumulatingRepaintRegion = false}
cookie = {m_instrumentingAgents = {m_ptr = 0x0}, m_timelineAgentId = 0}
#17 0x4b9235ad in WebCore::Document::updateStyleIfNeeded (this=this at entry=0xb1f12a00) at Source/WebCore/dom/Document.cpp:1802
animationUpdateBlock = <optimized out>
#18 0x4b92630a in WebCore::Document::finishedParsing (this=0xb1f12a00) at Source/WebCore/dom/Document.cpp:4457
f = {m_ptr = 0xb449e000}
#19 0x4bb95080 in WebCore::HTMLConstructionSite::finishedParsing (this=this at entry=0xb1f0984c) at Source/WebCore/html/parser/HTMLConstructionSite.cpp:392
No locals.
#20 0x4bbc6a43 in WebCore::HTMLTreeBuilder::finished (this=0xb1f09840) at Source/WebCore/html/parser/HTMLTreeBuilder.cpp:3025
No locals.
#21 0x4bb9c3d4 in WebCore::HTMLDocumentParser::end (this=this at entry=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
No locals.
#22 0x4bb9c420 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=this at entry=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
No locals.
#23 0x4bb9fba3 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
protect = {m_ptr = 0xb444f800}
#24 0x4bb9c4a5 in WebCore::HTMLDocumentParser::attemptToEnd (this=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
this = 0xb444f800
#25 0x4bb9c597 in WebCore::HTMLDocumentParser::finish (this=0xb444f800) at Source/WebCore/html/parser/HTMLDocumentParser.cpp:490
No locals.
#26 0x4bd2cc35 in WebCore::DocumentWriter::end (this=this at entry=0xb4404054) at Source/WebCore/loader/DocumentWriter.cpp:248
protect = {m_ptr = 0xb449e000}
#27 0x4bd21afb in WebCore::DocumentLoader::finishedLoading (this=0xb4404000, finishTime=0) at Source/WebCore/loader/DocumentLoader.cpp:440
protect = {m_ptr = 0xb4404000}
responseEndTime = 898606.09792700002
#28 0x4bd21cca in WebCore::DocumentLoader::notifyFinished (this=0xb4404000, resource=0xb1f0fa00) at Source/WebCore/loader/DocumentLoader.cpp:374
No locals.
#29 0x4bd098b1 in WebCore::CachedResource::checkNotify (this=0xb1f0fa00) at Source/WebCore/loader/cache/CachedResource.cpp:332
w = {m_clientSet = @0xb1f0fa04, m_clientVector = {<WTF::VectorBuffer<WebCore::CachedResourceClient*, 0u>> = {<WTF::VectorBufferBase<WebCore::CachedResourceClient*>> = {m_buffer = 0xb1eec8b8, m_capacity = 2, m_size = 1}, <No data fields>}, <No data fields>}, m_index = 1}
#30 0x4bd0878a in WebCore::CachedResource::finishLoading (this=this at entry=0xb1f0fa00) at Source/WebCore/loader/cache/CachedResource.cpp:348
No locals.
#31 0x4bd05cd1 in WebCore::CachedRawResource::finishLoading (this=0xb1f0fa00, data=0xb1f0b100) at Source/WebCore/loader/cache/CachedRawResource.cpp:94
protect = {<WebCore::CachedResourceHandleBase> = {m_resource = 0xb1f0fa00}, <No data fields>}
dataBufferingPolicy = WebCore::BufferData
#32 0x4bd7b37a in WebCore::SubresourceLoader::didFinishLoading (this=0xb43e7580, finishTime=0) at Source/WebCore/loader/SubresourceLoader.cpp:309
protect = {m_ptr = 0xb43e7580}
protectResource = {<WebCore::CachedResourceHandleBase> = {m_resource = 0xb1f0fa00}, <No data fields>}
#33 0x4bd7019a in WebCore::ResourceLoader::didFinishLoading (this=0xb43e7580, finishTime=0) at Source/WebCore/loader/ResourceLoader.cpp:517
No locals.
#34 0x4c62c328 in WebCore::readCallback (asyncResult=0xd3d3e68, data=0xb1f0b590) at Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1339
handle = {m_ptr = 0xb1f0b590}
bytesRead = 0
d = 0xb1ec9c00
error = {m_ptr = 0x0}
currentPosition = <optimized out>
encodedDataLength = <optimized out>
#35 0x467e29ec in async_ready_callback_wrapper () from /lib/libgio-2.0.so.0
No symbol table info available.
#36 0x4680d202 in g_task_return_now () from /lib/libgio-2.0.so.0
No symbol table info available.
#37 0x4680d23c in complete_in_idle_cb () from /lib/libgio-2.0.so.0
No symbol table info available.
#38 0x46623a11 in g_idle_dispatch () from /lib/libglib-2.0.so.0
No symbol table info available.
#39 0x466271d3 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
No symbol table info available.
#40 0x46627598 in g_main_context_iterate.isra () from /lib/libglib-2.0.so.0
No symbol table info available.
#41 0x46627923 in g_main_loop_run () from /lib/libglib-2.0.so.0
No symbol table info available.
#42 0x49fe552d in ?? ()
No symbol table info available.
#43 0x0b044110 in ?? ()
No symbol table info available.
#44 0x4628be7e in __libc_start_main () from /lib/libc.so.6
No symbol table info available.
#45 0x0804ae69 in _start ()