[Webkit-unassigned] [Bug 199402] New: [GTK] Crash in webkitWebViewBaseRenderHostFileDescriptor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 2 05:36:52 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=199402

            Bug ID: 199402
           Summary: [GTK] Crash in
                    webkitWebViewBaseRenderHostFileDescriptor
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com
                CC: bugs-noreply at webkitgtk.org

From this backtrace:

                Stack trace of thread 764:
                #0  0x00007fbbc42b16df _Z41webkitWebViewBaseRenderHostFileDescriptorP18_WebKitWebViewBase (libwebkit2gtk-4.0.so.37)
                #1  0x00007fbbc42a1c6a _ZN6WebKit14PageClientImpl18hostFileDescriptorEv (libwebkit2gtk-4.0.so.37)
                #2  0x00007fbbc41d33d0 _ZN6WebKit12WebPageProxy18creationParametersERNS_15WebProcessProxyERNS_16DrawingAreaProxyE (libwebkit2gtk-4.0.so.37)
                #3  0x00007fbbc41d38f0 _ZN6WebKit12WebPageProxy17initializeWebPageEv (libwebkit2gtk-4.0.so.37)
                #4  0x00007fbbc41d3aed _ZN6WebKit12WebPageProxy27finishAttachingToWebProcessENS0_13IsProcessSwapE (libwebkit2gtk-4.0.so.37)
                #5  0x00007fbbc41d3e8e _ZN6WebKit12WebPageProxy11loadRequestEON7WebCore15ResourceRequestENS1_28ShouldOpenExternalURLsPolicyEPN3API6ObjectE (libwebkit2gtk-4.0.so.37)
                #6  0x00007fbbc4292f6a webkit_web_view_load_uri (libwebkit2gtk-4.0.so.37)
                #7  0x00007fbbc7e2bee2 ephy_web_view_load_url (libephymain.so)
                #8  0x00007fbbc7e2f96a ephy_web_view_load_homepage (libephymain.so)
                #9  0x00007fbbc7e0c2f6 ephy_window_open_link (libephymain.so)
                #10 0x00007fbbc1a36bb8 ffi_call_unix64 (libffi.so.6)
                #11 0x00007fbbc1a363b4 ffi_call (libffi.so.6)
                #12 0x00007fbbc73f024d g_cclosure_marshal_generic (libgobject-2.0.so.0)
                #13 0x00007fbbc73ef742 g_closure_invoke (libgobject-2.0.so.0)
                #14 0x00007fbbc7402cf6 signal_emit_unlocked_R (libgobject-2.0.so.0)
                #15 0x00007fbbc740b94e g_signal_emit_valist (libgobject-2.0.so.0)
                #16 0x00007fbbc740c963 g_signal_emit (libgobject-2.0.so.0)
                #17 0x00007fbbc7df6fff ephy_link_open (libephymain.so)
                #18 0x00007fbbc7e00f8a ephy_session_resume (libephymain.so)
                #19 0x00007fbbc73ef996 _g_closure_invoke_va (libgobject-2.0.so.0)
                #20 0x00007fbbc740c31c g_signal_emit_valist (libgobject-2.0.so.0)
                #21 0x00007fbbc740c963 g_signal_emit (libgobject-2.0.so.0)
                #22 0x00007fbbc751c5f8 g_application_real_local_command_line (libgio-2.0.so.0)
                #23 0x00007fbbc751c7b2 g_application_run (libgio-2.0.so.0)
                #24 0x00005594709be096 main (epiphany)
                #25 0x00007fbbc6f45f13 __libc_start_main (libc.so.6)
                #26 0x00005594709be31e _start (epiphany)

We can see a crash here, probably because acceleratedBackingStore is null:

#if USE(WPE_RENDERER)
int webkitWebViewBaseRenderHostFileDescriptor(WebKitWebViewBase* webkitWebViewBase)
{
    return webkitWebViewBase->priv->acceleratedBackingStore->renderHostFileDescriptor();
}
#endif

It can happen if AcceleratedBackingStore::create returns null. AcceleratedBackingStore::create has a release assert to make sure that never happens directly, but AcceleratedBackingStoreWayland::create and AcceleratedBackingStoreX11::create do not. Both can return null for various reasons. The crash occurs on a VM image that's probably either got broken OpenGL or a missing GL extension, but it's impossible to tell which from this backtrace because the crash occurs too late.

I suggest we either make WebKitWebViewBase expect and handle the case where acceleratedBackingStore is null, or else crash earlier with a RELEASE_ASSERT in AcceleratedBackingStoreWayland::create and AcceleratedBackingStoreX11::create when it's not. Ideally the line number of the crash would indicate why creation failed, e.g.:

RELEASE_ASSERT(display.supportsXComposite());
RELEASE_ASSERT(display.supportsXDamage(s_damageEventBase, s_damageErrorBase));

Missing information:

 * I don't know whether X11 or Wayland is being used here, but it's probably not relevant to this bug because both can return null
 * I don't have an actual proper backtrace from gdb, but I think we see what's going wrong without it

-- 
You are receiving this mail because:
You are the assignee for the bug.
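The two remedies proposed in the report, as an added standalone C++ sketch (not WebKit's code): a factory that can return null the way the X11/Wayland create() functions can, a caller that tolerates the null instead of dereferencing it, and a checked creation path whose failure names the capability check that did not hold. DisplayCaps, BackingStore, CHECK_OR_FAIL and the fd value 42 are constructed stand-ins; CHECK_OR_FAIL throws rather than aborting so the behaviour can be exercised in a test.

```cpp
#include <memory>
#include <string>

// Constructed stand-in for the display capability queries (supportsXComposite, supportsXDamage).
struct DisplayCaps {
    bool supportsXComposite;
    bool supportsXDamage;
};

// Stand-in for AcceleratedBackingStoreX11/Wayland: create() silently returns null.
class BackingStore {
public:
    static std::unique_ptr<BackingStore> create(const DisplayCaps& display)
    {
        if (!display.supportsXComposite || !display.supportsXDamage)
            return nullptr; // the caller only discovers this much later, at the deref
        return std::unique_ptr<BackingStore>(new BackingStore);
    }
    int renderHostFileDescriptor() const { return 42; } // constructed value
private:
    BackingStore() = default;
};

// Remedy 1: the caller expects and handles a null backing store.
int renderHostFileDescriptorSafe(const BackingStore* store)
{
    if (!store)
        return -1; // invalid fd means "no accelerated backing store" instead of a crash
    return store->renderHostFileDescriptor();
}

// Remedy 2: fail at creation time, with the failed condition recorded so the
// failure site says why (RELEASE_ASSERT analogue; throws instead of aborting).
struct CreationFailure { std::string reason; };
#define CHECK_OR_FAIL(cond) do { if (!(cond)) throw CreationFailure{#cond}; } while (0)

std::unique_ptr<BackingStore> createChecked(const DisplayCaps& display)
{
    CHECK_OR_FAIL(display.supportsXComposite);
    CHECK_OR_FAIL(display.supportsXDamage);
    return BackingStore::create(display); // cannot be null once both checks passed
}

// Returns the name of the failed check, or an empty string when creation succeeds.
std::string creationFailureReason(const DisplayCaps& display)
{
    try { createChecked(display); } catch (const CreationFailure& f) { return f.reason; }
    return "";
}
```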