[Webkit-unassigned] [Bug 249872] New: Crash in PDFDocument::injectStyleAndContentScript when downloading PDF

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Dec 24 10:15:57 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=249872

            Bug ID: 249872
           Summary: Crash in PDFDocument::injectStyleAndContentScript when
                    downloading PDF
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bugs-noreply at webkitgtk.org

With WebKitGTK 2.39.3, open a PDF in PDF.js and try to save it using the download button. It will crash:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f999ad8cffd in WTF::RefCountedBase::ref (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RefCounted.h:49
49              ++m_refCount;
[Current thread is 1 (Thread 0x7f9991edc600 (LWP 2))]
(gdb) bt
#0  0x00007f999ad8cffd in WTF::RefCountedBase::ref() const (this=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RefCounted.h:49
#1  WTF::Ref<WebCore::EventListener, WTF::RawPtrTraits<WebCore::EventListener> >::Ref(WebCore::EventListener&)
    (object=..., this=0x7ffc3fbffd00)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/Ref.h:67
#2  WTF::Ref<WebCore::EventListener, WTF::RawPtrTraits<WebCore::EventListener> >::copyRef() const &
    (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/Ref.h:125
#3  WebCore::tryAddEventListener (listener=..., options=..., eventType=..., targetNode=0x7f97fe09fbc0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Node.cpp:2194
#4  WebCore::Node::addEventListener(WTF::AtomString const&, WTF::Ref<WebCore::EventListener, WTF::RawPtrTraits<WebCore::EventListener> >&&, WebCore::AddEventListenerOptions const&)
    (this=this at entry=0x7f97fe09fbc0, eventType=..., listener=..., options=...)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Node.cpp:2229
#5  0x00007f999b009f4d in WebCore::PDFDocument::injectStyleAndContentScript() (this=0x7f9936121800)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/html/PDFDocument.cpp:237
#6  0x00007f999ad60236 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)
    (this=this at entry=0x7f97fe002000, event=..., listeners=..., phase=phase at entry=WebCore::EventTarget::EventInvokePhase::Bubbling) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/EventTarget.cpp:369
#7  0x00007f999ad609d8 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (this=0x7f97fe002000, event=..., phase=WebCore::EventTarget::EventInvokePhase::Bubbling)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/EventTarget.cpp:301
#8  0x00007f999ad60e1f in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const (this=<optimized out>, event=<optimized out>, phase=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/EventContext.cpp:96
#9  0x00007f999ad615af in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)
    (event=..., path=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/EventDispatcher.cpp:109
#10 0x00007f999ad653fd in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)
     (node=..., event=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/EventDispatcher.cpp:190
#11 0x00007f999b2aa63f in WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)
     (this=this at entry=0x7f998a2110c0, request=..., redirectResponse=..., loader=loader at entry=0x7f99362a5000, formState=..., function=..., policyDecisionMode=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RawPtrTraits.h:44
#12 0x00007f999b284379 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)
    (this=0x7f998a029ba0, loader=0x7f99362a5000, type=<optimized out>, formState=<optimized out>, allowNavigationToInvalidURL=<optimized out>, completionHandler=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/FrameLoader.cpp:1682
#13 0x00007f999b2849d8 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction&&, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WebCore::ShouldTreatAsContinuingLoad, WTF::CompletionHandler<void ()>&&)
    (this=this at entry=0x7f998a029ba0, request=..., action=..., type=type at entry=WebCore::FrameLoadType::Standard, formState=..., allowNavigationToInvalidURL=allowNavigationToInvalidURL at entry=WebCore::AllowNavigationToInvalidURL::Yes, shouldTreatAsContinuingLoad=<optimized out>, completionHandler=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RawPtrTraits.h:44
#14 0x00007f999b2854a7 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest&&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDere--Type <RET> for more, q to quit, c to continue without paging--c
fTraits<WebCore::FormState> >&&, std::optional<WebCore::PrivateClickMeasurement>&&, WTF::CompletionHandler<void ()>&&) (this=0x7f998a029ba0, frameLoadRequest=..., referrer=<optimized out>, newLoadType=<optimized out>, event=<optimized out>, formState=<optimized out>, privateClickMeasurement=<optimized out>, completionHandler=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/FrameLoader.cpp:1463
#15 0x00007f999b286cef in WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest&&, WebCore::Event*, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, std::optional<WebCore::PrivateClickMeasurement>&&) (this=0x7f998a029ba0, request=..., event=<optimized out>, formState=<optimized out>, privateClickMeasurement=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/ThreadAssertions.h:119
#16 0x00007f999b28713a in WebCore::FrameLoader::changeLocation(WebCore::FrameLoadRequest&&, WebCore::Event*, std::optional<WebCore::PrivateClickMeasurement>&&) (this=this at entry=0x7f998a029ba0, frameRequest=..., triggeringEvent=triggeringEvent at entry=0x7f97fe09f710, privateClickMeasurement=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/FrameLoader.cpp:462
#17 0x00007f999b287545 in WebCore::FrameLoader::changeLocation(WTF::URL const&, WTF::AtomString const&, WebCore::Event*, WebCore::ReferrerPolicy const&, WebCore::ShouldOpenExternalURLsPolicy, std::optional<WebCore::NewFrameOpenerPolicy>, WTF::AtomString const&, WebCore::SystemPreviewInfo const&, std::optional<WebCore::PrivateClickMeasurement>&&) (this=this at entry=0x7f998a029ba0, url=..., passedTarget=..., triggeringEvent=triggeringEvent at entry=0x7f97fe09f710, referrerPolicy=@0x7ffc3fc01faf: WebCore::ReferrerPolicy::EmptyString, shouldOpenExternalURLsPolicy=<optimized out>, openerPolicy=std::optional<WebCore::NewFrameOpenerPolicy> = {...}, downloadAttribute=<optimized out>, systemPreviewInfo=<optimized out>, privateClickMeasurement=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/FrameLoader.cpp:447
#18 0x00007f999af23914 in WebCore::HTMLAnchorElement::handleClick(WebCore::Event&) (this=0x7f97fe04a9c0, event=...) at /usr/include/c++/12.1.0/bits/refwrap.h:346
#19 0x00007f999ad65236 in WebCore::callDefaultEventHandlersInBubblingOrder (path=..., event=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/EventDispatcher.cpp:64
#20 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (node=..., event=...) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/EventDispatcher.cpp:206
#21 0x00007f999adcce7b in WebCore::simulateMouseEvent(WTF::AtomString const&, WebCore::Element&, WebCore::Event*, WebCore::SimulatedClickSource) (eventType=..., element=..., underlyingEvent=0x0, source=WebCore::SimulatedClickSource::Bindings) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/Ref.h:143
#22 0x00007f999add07ea in WebCore::simulateClick(WebCore::Element&, WebCore::Event*, WebCore::SimulatedClickMouseEventOptions, WebCore::SimulatedClickVisualOptions, WebCore::SimulatedClickSource) (element=..., underlyingEvent=underlyingEvent at entry=0x0, mouseEventOptions=mouseEventOptions at entry=WebCore::SendNoEvents, visualOptions=visualOptions at entry=WebCore::DoNotShowPressedLook, creationOptions=creationOptions at entry=WebCore::SimulatedClickSource::Bindings) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/SimulatedClick.cpp:105
#23 0x00007f999af3b872 in WebCore::HTMLElement::click() (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/html/HTMLElement.cpp:689
#24 0x00007f999a13f5d9 in operator() (__closure=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WebCore/DerivedSources/JSHTMLElement.cpp:4400
#25 WebCore::toJS<WebCore::IDLUndefined, WebCore::jsHTMLElementPrototypeFunction_clickBody(JSC::JSGlobalObject*, JSC::CallFrame*, IDLOperation<JSHTMLElement>::ClassParameter)::<lambda()> > (valueOrFunctor=<optimized out>, throwScope=<synthetic pointer>..., lexicalGlobalObject=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMConvertBase.h:165
#26 WebCore::jsHTMLElementPrototypeFunction_clickBody (castedThis=<optimized out>, callFrame=<optimized out>, lexicalGlobalObject=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WebCore/DerivedSources/JSHTMLElement.cpp:4400
#27 WebCore::IDLOperation<WebCore::JSHTMLElement>::call<WebCore::jsHTMLElementPrototypeFunction_clickBody> (operationName=<optimized out>, callFrame=<optimized out>, lexicalGlobalObject=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMOperation.h:63
#28 WebCore::jsHTMLElementPrototypeFunction_click(JSC::JSGlobalObject*, JSC::CallFrame*) (lexicalGlobalObject=<optimized out>, callFrame=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WebCore/DerivedSources/JSHTMLElement.cpp:4405
#29 0x00007f9938008038 in  ()
#30 0x00007ffc3fc02820 in  ()
#31 0x00007f99971bb76a in op_call_slow_return_location () at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1179
#32 0x0000000000000000 in  ()
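As a triage aid for a trace like the one above, here is an added example (my own code, not part of the bug report or of WebKit): a small parser for gdb `bt` output that rejoins indented continuation lines and the pager prompt that can split a frame across two lines (as at frame #14 above), strips C++ template arguments from symbol names, and finds the first frame inside WebCore proper rather than in WTF's inlined smart-pointer headers. The sample input is constructed and abridged from this report's trace.

```python
import re
from dataclasses import dataclass

# Constructed sample, abridged from the gdb session in this report; the pager prompt in frame #14 is kept as-is.
SAMPLE_BT = """\
#0  0x00007f999ad8cffd in WTF::RefCountedBase::ref() const (this=<optimized out>)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/_builddir/WTF/Headers/wtf/RefCounted.h:49
#5  0x00007f999b009f4d in WebCore::PDFDocument::injectStyleAndContentScript() (this=0x7f9936121800)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/html/PDFDocument.cpp:237
#14 0x00007f999b2854a7 in WebCore::FrameLoader::loadURL(WTF::RefPtr<WebCore::FormState, WTF::DefaultRefDere--Type <RET> for more, q to quit, c to continue without paging--c
fTraits<WebCore::FormState> >&&) (this=0x7f998a029ba0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/loader/FrameLoader.cpp:1463
#29 0x00007f9938008038 in  ()
"""

PAGER_RE = re.compile(r"--Type <RET> for more, q to quit, c to continue without paging--c?\n")
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.*?)(?: at (\S+):(\d+))?$")

@dataclass
class Frame:
    number: int
    symbol: str            # qualified name, template arguments removed; "??" if unsymbolized
    file: "str | None"     # None when gdb had no debug info for the frame
    line: "int | None"

def strip_templates(text: str) -> str:
    """Drop (nested) <...> template argument lists from a C++ symbol."""
    out, depth = [], 0
    for ch in text:
        depth += (ch == "<") - (ch == ">" and depth > 0)
        if depth == 0 and ch != ">":
            out.append(ch)
    return "".join(out)

def parse_backtrace(text: str) -> list:
    """Parse gdb 'bt' output after rejoining pager breaks and indented continuation lines."""
    records = []
    for raw in PAGER_RE.sub("", text).splitlines():  # the prompt had split one token in two
        if raw.startswith("#"):
            records.append(raw.rstrip())
        elif records and raw.strip():
            records[-1] += " " + raw.strip()         # indented continuation of the current frame
    frames = []
    for m in filter(None, map(FRAME_RE.match, records)):
        name = strip_templates(m.group(2).split("(", 1)[0]).strip() or "??"
        frames.append(Frame(int(m.group(1)), name, m.group(3), int(m.group(4)) if m.group(4) else None))
    return frames

def first_frame_under(frames, path_fragment):
    """First frame whose source path contains path_fragment, e.g. to skip inlined WTF header frames."""
    return next((f for f in frames if f.file and path_fragment in f.file), None)
```

Feed it the text after `(gdb) bt`; `first_frame_under(frames, "Source/WebCore/")` then points at PDFDocument.cpp:237 rather than at the WTF::Ref frames that merely inline into it.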
