[Webkit-unassigned] [Bug 177577] New: Crash/regression 2.18 on webkitgtk disposal

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 27 15:51:04 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=177577

            Bug ID: 177577
           Summary: Crash/regression 2.18 on webkitgtk disposal
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: leonidas at redhat.com

Hello WebkitGtk developers,

I'm having a hard time figuring out why WebKit crashes as of 2.18 with us. I was wondering if the stack trace below looks familiar to anyone?

Context:
- We use WebkitGtk for Eclipse's/SWT's Browser functionality on Linux (Java Native Interface to WebkitGtk).
- We have a custom container for widget layout.
- We tend to dispose widgets from parent down to child.

In 2.16, all was fine. As of 2.18.0, when we exit Eclipse, Webkit now crashes with the following backtrace:

(Stack traces were shortened/reduced for clarity)

1    /lib64/libjavascriptcoregtk-4.0.so.18 WTFCrash
2    /lib64/libwebkit2gtk-4.0.so.37
..6    /lib64/libgobject-2.0.so.0(g_object_unref..)
..9    /lib64/libc.so.6(__libc_start_main..)
..10   /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.fc26.x86_64/bin/java

If I download/install debug information and attach with gdb, I get a stacktrace like:
(gdb) bt
#0  WTFCrash() () at Source/WTF/wtf/Assertions.cpp:278
#1  WebKit::CallbackMap::invalidate(WebKit::CallbackBase::Error) 
          (error=WebKit::CallbackBase::Error::OwnerWasInvalidated) /WebKit/UIProcess/GenericCallback.h:225
#2  WebKit::WebCookieManagerProxy::processPoolDestroyed() /WebKit/UIProcess/WebCookieManagerProxy.cpp:76
#3  WebKit::WebProcessPool::~WebProcessPool()  __in_chrg=.. /Source/WebKit/UIProcess/WebProcessPool.cpp:298
#4  WebKit::WebProcessPool::~WebProcessPool()  WebKit/UIProcess/WebProcessPool.cpp:317
#5  WTF::ThreadSafeRefCounted<API::Object>::deref() const .. WTF/wtf/ThreadSafeRefCounted.h:71
#6  WTF::derefIfNotNull<WebKit::WebProcessPool>(WebKit::WebProcessPool*)(ptr=../WTF/wtf/RefPtr.h:45
#7  WTF::RefPtr<WebKit::WebProcessPool>::~RefPtr() __in_chrg=.. /WTF/wtf/RefPtr.h:69
#8  _WebKitWebContextPrivate::~_WebKitWebContextPrivate()  __in_chrg=. /WebKit/UIProcess/API/glib/WebKitWebContext.cpp:163
#9  webkit_web_context_finalize(GObject*) (object=... /WebKit/UIProcess/API/glib/WebKitWebContext.cpp:245
#10 g_object_unref (_object=0x7fde296e7110) at gobject.c:3185
#11 __run_exit_handlers (status=0, listp=0x7.... <__exit_funcs>, run_list_atexit=run_list_atexit at entry=true, run_dtors=run_dtors at entry=true) at exit.c:83
#12 __GI_exit (status=<optimized out>) at exit.c:105
#13 __libc_start_main (main=0x151b63e670 <main>, argc=5, argv=0x7ffc1db781f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc1db781e8)
    at ../csu/libc-start.c:329
#14in _start ()
...

^ Observe "g_object_unref()" on #10. It seems glib tries to run an exit handler, which tries to run a g_object_unref() on the webview, which leads to the crash?

The crash occurs in Webkit/Javascript core after Java/Jvm code has finished, in java native code.

I noticed that if I do a g_object_ref(webview) somewhere near disposal, then the crash doesn't occur.

Does the above ring a bell with anyone?

Was there a mechanism added to webkit/webkitgtk to somehow auto-cleanup somewhere that didn't exist before?

Btw, what's the correct way to destroy/dispose webkit/webview?

System:
Linux Fedora 25
Gtk3.22
WebkitGtk 2.18 (New from upstream/Rawhide)

Please advise, thank you.
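A plain-C model of the teardown order in the backtrace, added here as an illustration and not WebKit, GLib or SWT code: the owner/callback names are hypothetical, and the premise that callbacks still outstanding at the final unref are what the assertion checks is an assumption, not something the report establishes.

```c
/* Added example, not WebKit or GLib code (all names hypothetical): a plain-C model
 * of the teardown in the backtrace above. A refcounted owner keeps a map of async
 * callbacks awaiting replies; its final unref invalidates that map. */
#define MAX_PENDING 8
struct owner { int refcount; int npending; int pending[MAX_PENDING]; };
/* Register an async request whose reply has not arrived; -1 if the map is full. */
static int owner_add_callback(struct owner *o, int id) {
    if (o->npending >= MAX_PENDING) return -1;
    o->pending[o->npending++] = id;
    return 0;
}
/* A reply arrived: remove the callback from the map; -1 if it was unknown. */
static int owner_complete_callback(struct owner *o, int id) {
    for (int i = 0; i < o->npending; i++)
        if (o->pending[i] == id) { o->pending[i] = o->pending[--o->npending]; return 0; }
    return -1;
}
/* Drop a reference. The last one tears the owner down and invalidates its map;
 * returns how many callbacks were still outstanding (0 is the healthy case). */
static int owner_unref(struct owner *o) {
    if (--o->refcount > 0) return 0;   /* still referenced: no teardown, no check */
    int outstanding = o->npending;
    o->npending = 0;                   /* map invalidated */
    return outstanding;
}

/* Scenario A: outstanding replies are drained before the final unref. */
static int teardown_drained(void) {
    struct owner o = { .refcount = 1 };
    owner_add_callback(&o, 1); owner_add_callback(&o, 2);
    owner_complete_callback(&o, 1); owner_complete_callback(&o, 2);
    return owner_unref(&o);  /* 0 */
}

/* Scenario B: the final unref lands (e.g. from an exit handler) with replies still
 * pending; this is the state the backtrace shows at CallbackMap::invalidate(). */
static int teardown_with_pending(void) {
    struct owner o = { .refcount = 1 };
    owner_add_callback(&o, 1); owner_add_callback(&o, 2);
    return owner_unref(&o);  /* 2 */
}

/* Scenario C: the reporter's g_object_ref() workaround modelled as an extra ref that
 * is never dropped: teardown and its check never run; the owner is just leaked. */
static int teardown_extra_ref(void) {
    struct owner o = { .refcount = 1 };
    owner_add_callback(&o, 1);
    o.refcount++;
    return owner_unref(&o);  /* 0: owner still alive with one callback pending */
}
```

Scenario C shows why the extra ref hides the symptom rather than fixing the ordering: the object is never finalized, so whatever it still holds is leaked at exit.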
