[Webkit-unassigned] [Bug 175602] [GTK] ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key) when dragging file into webview

Wed Jun 27 15:12:53 PDT 2018

https://bugs.webkit.org/show_bug.cgi?id=175602

Michael Catanzaro <mcatanzaro at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcatanzaro at igalia.com

--- Comment #1 from Michael Catanzaro <mcatanzaro at igalia.com> ---
Hit this today. I think exploiting this would be very difficult since it would require an attacker to trick the user into dragging a file into the webview, so let's just treat it as a normal bug.

==27598==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030003cd660 at pc 0x7f1d9c1b3fd4 bp 0x7ffcdf424cd0 sp 0x7ffcdf424cc0
READ of size 8 at 0x6030003cd660 thread T0
    #0 0x7f1d9c1b3fd3 in bool WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >::equal<_GdkDragContext*, _GdkDragContext*>(_GdkDragContext* const&, _GdkDragContext* const&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:284
    #1 0x7f1d9c1b4468 in void WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::checkKey<WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >, _GdkDragContext*>(_GdkDragContext* const&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:587
    #2 0x7f1d9c1b32da in WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >* WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::inlineLookup<WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >, _GdkDragContext*>(_GdkDragContext* const&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:608
    #3 0x7f1d9c1b1a0e in WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >* WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::lookup<WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >, _GdkDragContext*>(_GdkDragContext* const&) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f5a0e)
    #4 0x7f1d9c1afedf in WTF::HashTableIterator<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> > WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::find<WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >, _GdkDragContext*>(_GdkDragContext* const&) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f3edf)
    #5 0x7f1d9c1aca76 in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::find(_GdkDragContext* const&) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f0a76)
    #6 0x7f1d9c1a9fd6 in WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::find(_GdkDragContext* const&) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44edfd6)
    #7 0x7f1d9c199496 in operator() /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:261
    #8 0x7f1d9c1a8b77 in call DerivedSources/ForwardingHeaders/wtf/Function.h:101
    #9 0x7f1d955cec87 in WTF::Function<void ()>::operator()() const /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/Function.h:56
    #10 0x7f1d955fde48 in WTF::RunLoop::performWork() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/RunLoop.cpp:123
    #11 0x7f1d956afd09 in operator() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
    #12 0x7f1d956afd2d in _FUN /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:70
    #13 0x7f1d956afcbb in operator() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
    #14 0x7f1d956afceb in _FUN /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:46
    #15 0x7f1dac73d3ad in g_main_dispatch ../../../../Projects/glib/glib/gmain.c:3182
    #16 0x7f1dac73e22f in g_main_context_dispatch ../../../../Projects/glib/glib/gmain.c:3835
    #17 0x7f1dac73e413 in g_main_context_iterate ../../../../Projects/glib/glib/gmain.c:3908
    #18 0x7f1dac73e4d7 in g_main_context_iteration ../../../../Projects/glib/glib/gmain.c:3969
    #19 0x7f1dacd69d86 in g_application_run ../../../../Projects/glib/gio/gapplication.c:2470
    #20 0x403e88 in main ../../../../../../../../../Projects/epiphany/src/ephy-main.c:437
    #21 0x7f1dabdda18a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #22 0x402719 in _start (/home/mcatanzaro/Projects/GNOME/install/bin/epiphany+0x402719)

0x6030003cd660 is located 0 bytes inside of 32-byte region [0x6030003cd660,0x6030003cd680)
freed by thread T0 here:
    #0 0x7f1dae2a0e50 in operator delete(void*, unsigned long) (/lib64/libasan.so.5+0xf1e50)
    #1 0x7f1d9c10620e in std::default_delete<WebKit::DragAndDropHandler::DroppingContext>::operator()(WebKit::DragAndDropHandler::DroppingContext*) const /usr/include/c++/8/bits/unique_ptr.h:81
    #2 0x7f1d9c1046f4 in std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >::~unique_ptr() /usr/include/c++/8/bits/unique_ptr.h:274
    #3 0x7f1d9c1b4c50 in WTF::KeyValuePairHashTraits<WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::customDeleteBucket(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >&) DerivedSources/ForwardingHeaders/wtf/HashTraits.h:302
    #4 0x7f1d9c1b45bf in std::enable_if<WTF::HashTraitHasCustomDelete<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::value, void>::type WTF::hashTraitsDeleteBucket<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >&) DerivedSources/ForwardingHeaders/wtf/HashTraits.h:227
    #5 0x7f1d9c1b349c in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::deleteBucket(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:461
    #6 0x7f1d9c1b1bbd in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::remove(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >*) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f5bbd)
    #7 0x7f1d9c1b0130 in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::removeAndInvalidateWithoutEntryConsistencyCheck(WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >*) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f4130)
    #8 0x7f1d9c1ad0df in WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::removeWithoutEntryConsistencyCheck(WTF::HashTableIterator<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44f10df)
    #9 0x7f1d9c1aa4ec in WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::remove(WTF::HashTableIteratorAdapter<WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >) (/home/mcatanzaro/Projects/GNOME/install/lib/libwebkit2gtk-4.0.so.37+0x44ee4ec)
    #10 0x7f1d9c1999a2 in operator() /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:279
    #11 0x7f1d9c1a8b77 in call DerivedSources/ForwardingHeaders/wtf/Function.h:101
    #12 0x7f1d955cec87 in WTF::Function<void ()>::operator()() const /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/Function.h:56
    #13 0x7f1d955fdc64 in WTF::RunLoop::performWork() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/RunLoop.cpp:106
    #14 0x7f1d956afd09 in operator() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
    #15 0x7f1d956afd2d in _FUN /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:70
    #16 0x7f1d956afcbb in operator() /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
    #17 0x7f1d956afceb in _FUN /home/mcatanzaro/Projects/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:46
    #18 0x7f1dac73d3ad in g_main_dispatch ../../../../Projects/glib/glib/gmain.c:3182
    #19 0x7f1dac73e22f in g_main_context_dispatch ../../../../Projects/glib/glib/gmain.c:3835
    #20 0x7f1dac73e413 in g_main_context_iterate ../../../../Projects/glib/glib/gmain.c:3908
    #21 0x7f1dac73e4d7 in g_main_context_iteration ../../../../Projects/glib/glib/gmain.c:3969
    #22 0x7f1dacd69d86 in g_application_run ../../../../Projects/glib/gio/gapplication.c:2470
    #23 0x403e88 in main ../../../../../../../../../Projects/epiphany/src/ephy-main.c:437
    #24 0x7f1dabdda18a in __libc_start_main (/lib64/libc.so.6+0x2318a)

previously allocated by thread T0 here:
    #0 0x7f1dae29f870 in operator new(unsigned long) (/lib64/libasan.so.5+0xf0870)
    #1 0x7f1d9c1a9ca6 in std::_MakeUniq<WebKit::DragAndDropHandler::DroppingContext>::__single_object std::make_unique<WebKit::DragAndDropHandler::DroppingContext, _GdkDragContext*&, WebCore::IntPoint const&>(_GdkDragContext*&, WebCore::IntPoint const&) /usr/include/c++/8/bits/unique_ptr.h:831
    #2 0x7f1d9c198b07 in WebKit::DragAndDropHandler::dragDataSelection(_GdkDragContext*, WebCore::IntPoint const&, unsigned int) /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:223
    #3 0x7f1d9c199002 in WebKit::DragAndDropHandler::dragMotion(_GdkDragContext*, WebCore::IntPoint const&, unsigned int) /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/gtk/DragAndDropHandler.cpp:241
    #4 0x7f1d9c0edbc6 in webkitWebViewBaseDragMotion /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/API/gtk/WebKitWebViewBase.cpp:1222
    #5 0x7f1dad5b49c0 in _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT /home/mcatanzaro/.cache/jhbuild/build/gtk/gtk/gtkmarshalers.c:713
    #6 0x7f1daca2a555 in g_type_class_meta_marshal ../../../../Projects/glib/gobject/gclosure.c:1003
    #7 0x7f1daca29f01 in g_closure_invoke ../../../../Projects/glib/gobject/gclosure.c:810
    #8 0x7f1daca47be1 in signal_emit_unlocked_R ../../../../Projects/glib/gobject/gsignal.c:3673
    #9 0x7f1daca46e06 in g_signal_emit_valist ../../../../Projects/glib/gobject/gsignal.c:3401
    #10 0x7f1daca4745c in g_signal_emit_by_name ../../../../Projects/glib/gobject/gsignal.c:3487
    #11 0x7f1dad57e947 in gtk_drag_dest_motion /home/mcatanzaro/Projects/gtk/gtk/gtkdnd.c:1572
    #12 0x7f1dad57df00 in gtk_drag_find_widget /home/mcatanzaro/Projects/gtk/gtk/gtkdnd.c:1270
    #13 0x7f1dad57d98f in _gtk_drag_dest_handle_event /home/mcatanzaro/Projects/gtk/gtk/gtkdnd.c:1091
    #14 0x7f1dad36f88b in gtk_main_do_event /home/mcatanzaro/Projects/gtk/gtk/gtkmain.c:1933
    #15 0x7f1daa5d6874 in _gdk_event_emit /home/mcatanzaro/Projects/gtk/gdk/gdkevents.c:73
    #16 0x7f1daa652378 in gdk_event_source_dispatch /home/mcatanzaro/Projects/gtk/gdk/wayland/gdkeventsource.c:124
    #17 0x7f1dac73d3ad in g_main_dispatch ../../../../Projects/glib/glib/gmain.c:3182
    #18 0x7f1dac73e22f in g_main_context_dispatch ../../../../Projects/glib/glib/gmain.c:3835
    #19 0x7f1dac73e413 in g_main_context_iterate ../../../../Projects/glib/glib/gmain.c:3908
    #20 0x7f1dac73e4d7 in g_main_context_iteration ../../../../Projects/glib/glib/gmain.c:3969
    #21 0x7f1dacd69d86 in g_application_run ../../../../Projects/glib/gio/gapplication.c:2470
    #22 0x403e88 in main ../../../../../../../../../Projects/epiphany/src/ephy-main.c:437
    #23 0x7f1dabdda18a in __libc_start_main (/lib64/libc.so.6+0x2318a)

SUMMARY: AddressSanitizer: heap-use-after-free DerivedSources/ForwardingHeaders/wtf/HashTable.h:284 in bool WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >::equal<_GdkDragContext*, _GdkDragContext*>(_GdkDragContext* const&, _GdkDragContext* const&)
Shadow bytes around the buggy address:
  0x0c0680071a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
  0x0c0680071a80: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x0c0680071a90: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fa
  0x0c0680071aa0: fa fa 00 00 00 fa fa fa fd fd fd fd fa fa fd fd
  0x0c0680071ab0: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
=>0x0c0680071ac0: fd fd fd fd fa fa fd fd fd fd fa fa[fd]fd fd fd
  0x0c0680071ad0: fa fa 00 00 00 00 fa fa 00 00 00 02 fa fa fd fd
  0x0c0680071ae0: fd fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
  0x0c0680071af0: fa fa fa fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c0680071b00: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c0680071b10: fd fa fa fa fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27598==ABORTING

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180627/12010a7c/attachment-0001.html>