[Webkit-unassigned] [Bug 209345] [GTK] Crash in WebKit::WebPageProxy::viewWidget()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 7 20:59:24 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=209345

--- Comment #5 from Michael Catanzaro <mcatanzaro at gnome.org> ---
Debugging:

$ jhbuild run epiphany
_WebKitWebViewBasePrivate::_WebKitWebViewBasePrivate(): creating this=0x173d160
WebKit::AcceleratedBackingStoreWayland::AcceleratedBackingStoreWayland(WebKit::WebPageProxy&): creating this=0x7fb8725eeb10
void WebKit::WaylandCompositor::registerWebPage(WebKit::WebPageProxy&): webPage=0x7fb8172e6000
void WebKit::WaylandCompositor::bindWebPage(WebKit::WebPageProxy&): webPage=0x7fb8172e6000

<<< example.com tab, unrelated
_WebKitWebViewBasePrivate::_WebKitWebViewBasePrivate(): creating this=0x121a8a0
WebKit::AcceleratedBackingStoreWayland::AcceleratedBackingStoreWayland(WebKit::WebPageProxy&): creating this=0x7fb8725f3390
void WebKit::WaylandCompositor::registerWebPage(WebKit::WebPageProxy&): webPage=0x7fb8172e2a00
void WebKit::WaylandCompositor::bindWebPage(WebKit::WebPageProxy&): webPage=0x7fb8172e2a00
>>>

WebKit::WaylandCompositor::Surface::Surface(): Creating this=0x7fb872590a80
void WebKit::WaylandCompositor::Surface::setWebPage(WebKit::WebPageProxy*): this=0x7fb872590a80 webPage=0x7fb8172e6000 m_webPage=(nil)
WebKit::WaylandCompositor::Surface::Surface(): Creating this=0x7fb87258fd20
void WebKit::WaylandCompositor::Surface::setWebPage(WebKit::WebPageProxy*): this=0x7fb87258fd20 webPage=0x7fb8172e6000 m_webPage=(nil)

So far so good. Now:

void WebKit::WaylandCompositor::unbindWebPage(WebKit::WebPageProxy&): webPage=0x7fb8172e6000
void WebKit::WaylandCompositor::Surface::setWebPage(WebKit::WebPageProxy*): this=0x7fb87258fd20 webPage=(nil) m_webPage=0x7fb8172e6000
virtual 

We unbound only one of the two Surfaces. Surface 0x7fb87258fd20 (the surface for the second page, poster circle) is OK but Surface 0x7fb872590a80 (the surface for DuckDuckGo) got missed.

WebKit::AcceleratedBackingStoreWayland::~AcceleratedBackingStoreWayland(): destroying this=0x7fb8725eeb10
void WebKit::WaylandCompositor::unregisterWebPage(WebKit::WebPageProxy&): webPage=0x7fb8172e6000
void WebKit::WaylandCompositor::Surface::setWebPage(WebKit::WebPageProxy*): this=0x7fb87258fd20 webPage=(nil) m_webPage=(nil)

Here, we again unregistered only one of the two Surfaces. The DuckDuckGo surface is left with a dangling pointer to m_webPage that is no longer valid.

_WebKitWebViewBasePrivate::~_WebKitWebViewBasePrivate(): destroying this=0x173d160
WebKit::WaylandCompositor::Surface::~Surface(): Destroying this=0x7fb87258fd20
void WebKit::WaylandCompositor::Surface::setWebPage(WebKit::WebPageProxy*): this=0x7fb87258fd20 webPage=(nil) m_webPage=(nil)
WebKit::WaylandCompositor::Surface::~Surface(): Destroying this=0x7fb872590a80
void WebKit::WaylandCompositor::Surface::setWebPage(WebKit::WebPageProxy*): this=0x7fb872590a80 webPage=(nil) m_webPage=0x7fb8172e6000
Segmentation fault (core dumped)

Now the Surfaces get deleted by the lambda passed to wl_resource_set_implementation() (inside: static const struct wl_compositor_interface compositorInterface). m_webPage is dangling, so Surface::setWebPage tries to use it, and we die.

So the problem is that both WaylandCompositor::unbindWebPage and WaylandCompositor::unregisterWebPage failed to call surface->setWebPage(nullptr) for the second Surface. They both should have done that. Will continue to debug.

-- 
You are receiving this mail because:
You are the assignee for the bug.
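Added example (editor's illustration, not WebKit code and not part of the comment above): a small C++ model of the back-pointer lifetime the log shows. WebPage stands in for WebPageProxy and Surface for WaylandCompositor::Surface; both names, the Outcome struct and the unbind functions are invented for this example. The mechanism that makes the buggy unbind miss the second surface (erasing entries from the list that is being walked) is an assumption chosen to reproduce the symptom, not the cause found in the bug. The model keeps the page's memory alive and counts accesses made through the stale m_webPage instead of crashing.

```cpp
// Added example, not WebKit code. Toy model of the page/surface back-pointer
// described in the comment above. Names are invented stand-ins: WebPage for
// WebPageProxy, Surface for WaylandCompositor::Surface. The reason the buggy
// unbind skips a surface (erasing from the list being walked) is an
// assumption made to reproduce the symptom, not the cause found in the bug.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

struct Surface;

struct WebPage {
    std::vector<Surface*> surfaces; // surfaces currently bound to this page
    bool destroyed = false;         // set where ~WebPageProxy would have run
    int useAfterDestroy = 0;        // accesses made through a stale back-pointer
};

struct Surface {
    WebPage* m_webPage = nullptr;   // non-owning; must be nulled before the page dies

    void setWebPage(WebPage* page) {
        if (m_webPage) {
            // Detaching touches the old page. With a freed WebPageProxy this is
            // the crash from the log; the model keeps the memory and counts it.
            if (m_webPage->destroyed)
                ++m_webPage->useAfterDestroy;
            auto& list = m_webPage->surfaces;
            list.erase(std::remove(list.begin(), list.end(), this), list.end());
        }
        m_webPage = page;
        if (m_webPage)
            m_webPage->surfaces.push_back(this);
    }

    ~Surface() { setWebPage(nullptr); } // mirrors ~Surface calling setWebPage(nullptr)
};

// Buggy unbind: walks page.surfaces by index while each setWebPage(nullptr)
// erases the current entry. With two surfaces, index 0 is cleared, the
// remaining surface slides into slot 0, and the loop ends before reaching it.
static void unbindWebPageBuggy(WebPage& page) {
    for (std::size_t i = 0; i < page.surfaces.size(); ++i)
        page.surfaces[i]->setWebPage(nullptr);
}

// Fixed unbind: snapshot the bound surfaces first so detaching cannot
// disturb the iteration; every surface bound to the page gets nulled.
static void unbindWebPageFixed(WebPage& page) {
    std::vector<Surface*> bound = page.surfaces;
    for (Surface* surface : bound)
        surface->setWebPage(nullptr);
}

struct Outcome {
    std::size_t leftBound;  // surfaces still pointing at the page after unbind
    int useAfterDestroy;    // stale-pointer accesses made by ~Surface
};

// Replays the sequence from the log: two surfaces bound to one page, the page
// is unbound and destroyed, then the surfaces are destroyed last.
static Outcome runScenario(void (*unbind)(WebPage&)) {
    WebPage page;
    Outcome out{};
    {
        Surface first, second;
        first.setWebPage(&page);
        second.setWebPage(&page);
        unbind(page);
        out.leftBound = page.surfaces.size();
        page.destroyed = true;   // the point where WebPageProxy is gone
    }                            // ~Surface runs on whatever is still bound
    out.useAfterDestroy = page.useAfterDestroy;
    return out;
}

int main() {
    Outcome buggy = runScenario(unbindWebPageBuggy);
    Outcome fixed = runScenario(unbindWebPageFixed);
    std::printf("buggy: %zu left bound, %d stale accesses\n", buggy.leftBound, buggy.useAfterDestroy);
    std::printf("fixed: %zu left bound, %d stale accesses\n", fixed.leftBound, fixed.useAfterDestroy);
    return 0;
}
```

The buggy path leaves one surface bound after unbind and makes one access through the stale pointer from the destructor, which is the shape of the crash in the log; the fixed path leaves zero and makes none. The same snapshot-before-detach rule applies to any list that the detach callback itself mutates, which is why checking that the list is empty after unbind is a cheap assertion to add.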