[Webkit-unassigned] [Bug 218612] New: [WPE] Crash if the a view loads a blocked URL by a content blocker

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 5 05:39:27 PST 2020 

https://bugs.webkit.org/show_bug.cgi?id=218612

            Bug ID: 218612
           Summary: [WPE] Crash if the a view loads a blocked URL by a
                    content blocker
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WPE WebKit
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: psaavedra at igalia.com
                CC: bugs-noreply at webkitgtk.org

Created attachment 413286

  --> https://bugs.webkit.org/attachment.cgi?id=413286&action=review

Test case

Crash happens in WPE when attempting to load a page blocked by the Content filters:

{{{
#0  0x00007f74fc23f310 in wl_connection_flush (connection=0x727574616e676973) at ../src/connection.c:297
#1  0x00007f750a07d220 in ViewBackend::releaseBuffer(wl_resource*) () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#2  0x00007f750a07c3aa in (anonymous namespace)::ClientBundleEGL::releaseImage(wpe_fdo_egl_exported_image*) () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#3  0x00007f750a07c649 in wpe_view_backend_exportable_fdo_egl_dispatch_release_exported_image () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#4  0x0000562f7d00bb4d in on_buffer_release (data=0x562f7f1ae770, buffer=0x562f7f1dbb10) at surface.c:173
#5  0x00007f74fc24f8ee in ffi_call_unix64 () at /usr/lib/x86_64-linux-gnu/libffi.so.6
#6  0x00007f74fc24f2bf in ffi_call () at /usr/lib/x86_64-linux-gnu/libffi.so.6
#7  0x00007f750a0a028d in wl_closure_invoke (closure=0x562f7f18f800, flags=1, target=<optimized out>, opcode=0, data=<optimized out>) at ../src/connection.c:1006
#8  0x00007f750a09cac9 in dispatch_event (display=display at entry=0x562f7eff0d90, queue=<optimized out>) at ../src/wayland-client.c:1427
#9  0x00007f750a09df94 in dispatch_queue (queue=0x562f7eff0e58, display=0x562f7eff0d90) at ../src/wayland-client.c:1573
#10 0x00007f750a09df94 in wl_display_dispatch_queue_pending (display=0x562f7eff0d90, queue=0x562f7eff0e58) at ../src/wayland-client.c:1815
#11 0x0000562f7d00bd23 in on_export_fdo_egl_image (data=0x0, image=0x562f7f1dfc40) at surface.c:213
#12 0x00007f750a07c47a in (anonymous namespace)::ClientBundleEGL::exportImage(wpe_fdo_egl_exported_image*) () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#13 0x00007f750a07c20d in (anonymous namespace)::ClientBundleEGL::exportBuffer(linux_dmabuf_buffer const*) () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#14 0x00007f750a07d0f2 in ViewBackend::exportLinuxDmabuf(linux_dmabuf_buffer const*) () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#15 0x00007f750a083314 in WS::ImplEGL::surfaceCommit(WS::Surface&) () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#16 0x00007f750a07ddfd in WS::{lambda(wl_client*, wl_resource*)#10}::operator()(wl_client*, wl_resource*) const () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#17 0x00007f750a07de25 in WS::{lambda(wl_client*, wl_resource*)#10}::_FUN(wl_client*, wl_resource*) () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#18 0x00007f74fc24f8ee in ffi_call_unix64 () at /usr/lib/x86_64-linux-gnu/libffi.so.6
#19 0x00007f74fc24f2bf in ffi_call () at /usr/lib/x86_64-linux-gnu/libffi.so.6
#20 0x00007f74fc240b2d in wl_closure_invoke (closure=closure at entry=0x562f7f1e0aa0, flags=flags at entry=2, target=<optimized out>, target at entry=0x562f7f1ad1e0, opcode=opcode at entry=6, data=<optimized out>, data at entry=0x562f7f195260)
    at ../src/connection.c:1006
#21 0x00007f74fc23d5a9 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x562f7f195260) at ../src/wayland-server.c:420
#22 0x00007f74fc23eb72 in wl_event_loop_dispatch (loop=0x562f7f16b0f0, timeout=<optimized out>) at ../src/event-loop.c:641
#23 0x00007f750a07da25 in WS::ServerSource::{lambda(_GSource*, int (*)(void*), void*)#3}::operator()(_GSource*, int (*)(void*), void*) const () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#24 0x00007f750a07da8c in WS::ServerSource::{lambda(_GSource*, int (*)(void*), void*)#3}::_FUN(_GSource*, int (*)(void*), void*) () at /home/igalia/psaavedra/install/lib/libWPEBackend-fdo-1.0.so.1
#25 0x00007f74fdb10f2e in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#26 0x00007f74fdb111c8 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#27 0x00007f74fdb114c2 in g_main_loop_run () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#28 0x0000562f7d00c5e9 in main (argc=1, argv=0x7fffb7f511a8) at surface.c:445
}}}

AFAIK, what is happening is that the wl_client of the surface associated to the load request of the blocked content is being closed because an WL_EVENT_HANGUP (5). The UI-process doesn't knows about it and because it has its own copy of the wl_client pointer it keeps trying to operate over it during the release/dispatch actions even when the memory is or will be freed. The client is being freed in the wayland code when the error happens but the ViewBackend will never will know that its copy of the pointer is pointing to an area that it will be deleted.

The WL_EVENT_HANGUP happens immediately after that the content is blocked. If we are able to close the client and/or unregister the surface related to this request in a civilized way, we could avoid this situation.

Another possibility could be to add a wl_client_add_destroy_listener(). Something like this:
https://paste.debian.net/1170037/ to give the chance to the Surface to know if the client was being destroyed and avoid dispatching and/or releasing over that already closed client's connection. That patch works and acts immediately before to any other flush action but still doesn't address all the problems (for example: the wl_connection_flush() is also called in a close action invoked in in another non-located place).

HOW TO REPRODUCE:

The synthetic code to reproduce the crash is attached in the issue: launcher.c


* Build instructions:

```
# Set this variables to the right place where you have the WPE related libraries
# export PKG_CONFIG_PATH=/home/igalia/psaavedra/install/lib/pkgconfig/
# export LD_LIBRARY_PATH=/home/igalia/psaavedra/install/lib

filename="launcher"

CFLAGS="gtk+-3.0 wpe-webkit-1.0 wpebackend-fdo-1.0 egl"
LIBS="gtk+-3.0 wayland-client wpe-1.0 wpebackend-fdo-1.0 wpe-web-extension-1.0  wpe-webkit-1.0 egl"

gcc -g3 `pkg-config --cflags $CFLAGS` -o $filename $filename.c `pkg-config --libs $LIBS`
```

* Execution: 

```
export WAYLAND_DISPLAY=wayland-0
export XDG_RUNTIME_DIR=/xdg
export LD_LIBRARY_PATH=/home/igalia/psaavedra/install/lib
export WEBKIT_IGNORE_SSL_ERRORS=1
./launcher
```

The issue is reproducible in:

* WebKit: 2.28; 2.30; trunk
* libwpe: 1.6; 1.8
* Weston: 1.3; 5.0 
* Wayland-protocols: 1.13 and 1.17



ii  wayland-protocols                      1.17-1                              all          wayland compositor protocols
ii  weston                                 5.0.0-3                             amd64        reference implementation of a wayland compositor

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20201105/2af3d1da/attachment.htm>

More information about the webkit-unassigned mailing list