[Webkit-unassigned] [Bug 241954] New: [GTK] Segfault in firstChild when clicking on a pull request on GitHub while logged in
bugzilla-daemon at webkit.org
Thu Jun 23 20:55:20 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=241954
Bug ID: 241954
Summary: [GTK] Segfault in firstChild when clicking on a pull request on GitHub while logged in
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Keywords: Gtk
Severity: Normal
Priority: P3
Component: WebCore JavaScript
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bouanto at zoho.com
Hi.
Reproduction steps:
* Log in to GitHub in Epiphany
* Navigate to https://github.com/GNOME/gtk/pulls?q=is:pr+is:closed
* Click on a PR link.
* The page crashes with the message: "Something went wrong while displaying this page. Please reload or visit a different page to continue."
It reproduces 100% of the time (assuming you are logged in; when logged out, the problem doesn't happen).
Here's the stacktrace:
Core was generated by `/usr/lib/webkit2gtk-4.0/WebKitWebProcess 16 32'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 WebCore::ContainerNode::firstChild() const () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/ContainerNode.h:43
#1 WebCore::RenderFileUploadControl::uploadButton() const () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/RenderFileUploadControl.cpp:246
#2 WebCore::RenderFileUploadControl::updateFromElement() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/RenderFileUploadControl.cpp:78
#3 0x00007f0137fbfe36 in WebCore::HTMLFormControlElement::didAttachRenderers() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/html/HTMLFormControlElement.cpp:215
#4 WebCore::HTMLInputElement::didAttachRenderers() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/html/HTMLInputElement.cpp:875
#5 0x00007f01386a48b6 in WebCore::RenderTreeUpdater::updateAfterDescendants(WebCore::Element&, WebCore::Style::ElementUpdates const*) ()
at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:272
#6 WebCore::RenderTreeUpdater::popParent() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:237
#7 0x00007f01386a4cb8 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) ()
at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:250
#8 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:158
#9 0x00007f0137e0206b in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) ()
at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:125
#10 WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) ()
at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:113
#11 WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update const, std::default_delete<WebCore::Style::Update const> >) ()
at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:1983
#12 0x00007f0137e02b0b in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2087
#13 0x00007f0137e03545 in WebCore::Document::updateStyleIfNeeded() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2182
#14 0x00007f0137e03729 in WebCore::Document::updateLayout() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2203
#15 0x00007f0138b301b5 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) [clone .constprop.0] ()
at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Document.cpp:2229
#16 0x00007f0137e254b2 in WebCore::Element::offsetParent() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Element.cpp:1322
#17 WebCore::Element::offsetParentForBindings() () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/dom/Element.cpp:1312
#18 0x00007f0137599361 in jsHTMLElement_offsetParentGetter () at /usr/src/debug/build/WebCore/DerivedSources/JSHTMLElement.cpp:4105
#19 get<WebCore::jsHTMLElement_offsetParentGetter, (WebCore::CastedThisErrorBehavior)3> () at /usr/src/debug/webkitgtk-2.36.3/Source/WebCore/bindings/js/JSDOMAttribute.h:88
#20 jsHTMLElement_offsetParent() () at /usr/src/debug/build/WebCore/DerivedSources/JSHTMLElement.cpp:4110
#21 0x00007f0135531c58 in JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const ()
at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/runtime/PropertySlot.cpp:47
#22 0x00007f013528b64e in JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const ()
at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/runtime/PropertySlot.h:408
#23 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const ()
at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1021
#24 performLLIntGetByID() () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:814
#25 0x00007f013528c443 in llint_slow_path_get_by_id() () at /usr/src/debug/webkitgtk-2.36.3/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:888
#26 0x00007f01349569a8 in llint_op_get_by_id () at /usr/lib/libjavascriptcoregtk-4.0.so.18
#27 0xfffe000000000002 in ()
#28 0x00007f00d7fff1d8 in ()
#29 0x00007fff2da790b0 in ()
#30 0x00007f01349697a9 in op_call_slow_return_location () at /usr/lib/libjavascriptcoregtk-4.0.so.18
#31 0x0000000000000000 in ()
Thanks for fixing this issue.