[Webkit-unassigned] [Bug 280150] [GTK] Crash on inputting booking field on IRCTC website in ScriptMessageClientGtk::didPostMessage
bugzilla-daemon at webkit.org
Mon Sep 23 14:01:31 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=280150
--- Comment #1 from Michael Catanzaro <mcatanzaro at redhat.com> ---
WebKitNavigationClient has the same problem. Today I accidentally broke the process launcher when making local changes to WebKit. This resulted in a similar use-after-free:
(gdb) bt
#0 _g_log_abort (breakpoint=1) at ../../../../Projects/glib/glib/gmessages.c:429
#1 0x00007ff3750db686 in g_logv (log_domain=0x7ff37571ad66 "epiphany", log_level=G_LOG_LEVEL_WARNING, format=0x7ff37571af43 "Web process crashed", args=0x7ffe52366ea8) at ../../../../Projects/glib/glib/gmessages.c:1273
#2 0x00007ff3750db77d in g_log (log_domain=0x7ff37571ad66 "epiphany", log_level=G_LOG_LEVEL_WARNING, format=0x7ff37571af43 "Web process crashed") at ../../../../Projects/glib/glib/gmessages.c:1315
#3 0x00007ff37569f8c6 in process_terminated_cb (web_view=0x5084490, reason=WEBKIT_WEB_PROCESS_CRASHED, user_data=0x0) at ../../../../Projects/epiphany/embed/ephy-web-view.c:788
#4 0x00007ff375541c26 in g_cclosure_marshal_VOID__ENUM (closure=0x50a96f0, return_value=0x0, n_param_values=2, param_values=0x7ffe523672d0, invocation_hint=0x7ffe52367170, marshal_data=0x0) at ../../../../Projects/glib/gobject/gmarshal.c:972
#5 0x00007ff37553d182 in g_closure_invoke (closure=0x50a96f0, return_value=0x0, n_param_values=2, param_values=0x7ffe523672d0, invocation_hint=0x7ffe52367170) at ../../../../Projects/glib/gobject/gclosure.c:833
#6 0x00007ff37556025c in signal_emit_unlocked_R (node=0x7ffe52367420, detail=0, instance=0x5084490, emission_return=0x0, instance_and_params=0x7ffe523672d0) at ../../../../Projects/glib/gobject/gsignal.c:3887
#7 0x00007ff37555f14d in signal_emit_valist_unlocked (instance=0x5084490, signal_id=293, detail=0, var_args=0x7ffe52367628) at ../../../../Projects/glib/gobject/gsignal.c:3519
#8 0x00007ff37555de53 in g_signal_emit_valist (instance=0x5084490, signal_id=293, detail=0, var_args=0x7ffe52367628) at ../../../../Projects/glib/gobject/gsignal.c:3262
#9 0x00007ff37555f6de in g_signal_emit (instance=0x5084490, signal_id=293, detail=0) at ../../../../Projects/glib/gobject/gsignal.c:3582
#10 0x00007ff36f44dc55 in webkitWebViewWebProcessTerminated (webView=0x1, reason=(WEBKIT_WEB_PROCESS_EXCEEDED_MEMORY_LIMIT | WEBKIT_WEB_PROCESS_TERMINATED_BY_API | unknown: 0x4)) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:5085
#11 0x00007ff36f41e868 in NavigationClient::processDidTerminate (this=<optimized out>, reason=WebKit::ProcessTerminationReason::ExceededCPULimit) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/API/glib/WebKitNavigationClient.cpp:117
#12 0x00007ff36f36ff0e in WebKit::WebPageProxy::dispatchProcessDidTerminate (this=0x7ff359000c40, reason=WebKit::ProcessTerminationReason::Crash) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/WebPageProxy.cpp:10408
#13 0x00007ff36f3c53dc in WebKit::WebProcessProxy::processDidTerminateOrFailedToLaunch (this=this at entry=0x7ff3590000c0, reason=reason at entry=WebKit::ProcessTerminationReason::Crash) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/WebProcessProxy.cpp:1293
#14 0x00007ff36f3c65f5 in WebKit::WebProcessProxy::didFinishLaunching (this=0x7ff3590000c0, launcher=<optimized out>, connectionIdentifier=...) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/WebProcessProxy.cpp:1384
#15 0x00007ff36f4a8be5 in WebKit::ProcessLauncher::launchProcess()::$_0::operator()(GIOCondition) (this=0x7ff359025da8, condition=<optimized out>) at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp:258
#16 WTF::Detail::CallableWrapper<WebKit::ProcessLauncher::launchProcess()::$_0, int, GIOCondition>::call (this=0x7ff359025da0, in=<optimized out>) at WTF/Headers/wtf/Function.h:53
#17 0x00007ff375299caf in socket_source_dispatch (source=0x48d8800, callback=0x7ff36e6add50 <WTF::GSocketMonitor::socketSourceCallback(_GSocket*, GIOCondition, WTF::GSocketMonitor*)>, user_data=0x7ff359014550) at ../../../../Projects/glib/gio/gsocket.c:4266
#18 0x00007ff3750cdf45 in g_main_dispatch (context=0x4820530) at ../../../../Projects/glib/glib/gmain.c:3357
#19 0x00007ff3750cf2cc in g_main_context_dispatch_unlocked (context=0x4820530) at ../../../../Projects/glib/glib/gmain.c:4208
#20 0x00007ff3750cf48c in g_main_context_iterate_unlocked (context=0x4820530, block=1, dispatch=1, self=0x4825570) at ../../../../Projects/glib/glib/gmain.c:4273
#21 0x00007ff3750cf5ba in g_main_context_iteration (context=0x4820530, may_block=1) at ../../../../Projects/glib/glib/gmain.c:4338
#22 0x00007ff3752f2a44 in g_application_run (application=0x4865590, argc=1, argv=0x7ffe52367cf8) at ../../../../Projects/glib/gio/gapplication.c:2715
#23 0x0000000000402e07 in main (argc=1, argv=0x7ffe52367cf8) at ../../../../Projects/epiphany/src/ephy-main.c:445
These probably aren't the only broken clients. We should audit all API clients and make sure they're not using raw pointers to WebKitWebViews.
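The following is an added illustration, not code from WebKit, Epiphany or the comment above. It models the hazard the comment describes: an API client object that stores a raw pointer to a view, where an asynchronous callback (here, a process launcher reporting failure) fires after the view has already been destroyed. Beside it is the variant the comment asks for, a client that holds a weak reference and resolves it at dispatch time. WebView, Launcher, the two client classes and the liveViews() registry are hypothetical stand-ins; the registry exists only so the example can report a dangling pointer without dereferencing it, which real code cannot do.

```cpp
// Added example, not WebKit or Epiphany code. Models an API client holding a raw
// pointer to a view that is destroyed before an asynchronous callback runs, and a
// weak-reference client that drops the callback safely in the same situation.
#include <functional>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Diagnostic only (hypothetical): addresses of live WebView objects, so the example
// can ask "is this pointer dangling?" without dereferencing it. Real code has no
// such oracle, which is exactly why raw pointers to views are unsafe here.
static std::set<const void*>& liveViews() {
    static std::set<const void*> s;
    return s;
}

// Stand-in for WebKitWebView (hypothetical; not the real GObject type).
struct WebView {
    int terminatedSignals = 0;
    WebView() { liveViews().insert(this); }
    ~WebView() { liveViews().erase(this); }
    void emitProcessTerminated() { ++terminatedSignals; }
};

// The pattern the comment describes: the client stores a raw WebView*.
class RawPointerNavigationClient {
public:
    explicit RawPointerNavigationClient(WebView* view) : m_view(view) {}
    // Dereferences m_view unconditionally: undefined behaviour once the view is gone.
    void processDidTerminate() { m_view->emitProcessTerminated(); }
    // Diagnostic query via the registry; does not touch the pointee.
    bool pointsAtDeadView() const { return liveViews().count(m_view) == 0; }
private:
    WebView* m_view;
};

// Hardened variant: a weak reference that is resolved at dispatch time.
class WeakNavigationClient {
public:
    explicit WeakNavigationClient(const std::shared_ptr<WebView>& view) : m_view(view) {}
    // Returns true if the signal was delivered, false if the view no longer exists.
    bool processDidTerminate() {
        if (auto view = m_view.lock()) {
            view->emitProcessTerminated();
            return true;
        }
        return false;
    }
private:
    std::weak_ptr<WebView> m_view;
};

// Minimal model of the asynchronous launcher: the failure callback is queued and
// only runs when the event loop next spins, by which time the view may be gone.
struct Launcher {
    std::vector<std::function<void()>> pending;
    void launch(std::function<void()> onFailedToLaunch) { pending.push_back(std::move(onFailedToLaunch)); }
    void spinEventLoop() {
        auto callbacks = std::move(pending);
        pending.clear();
        for (auto& cb : callbacks)
            cb();
    }
};

// Raw-pointer client: the view is destroyed while the launch is in flight. The
// queued callback is deliberately NOT run, because running it would be a genuine
// use-after-free; instead the registry reports that the stored pointer is dangling.
bool rawClientDanglesAfterViewDestruction() {
    auto view = std::make_unique<WebView>();
    auto client = std::make_shared<RawPointerNavigationClient>(view.get());
    Launcher launcher;
    launcher.launch([client] { client->processDidTerminate(); });
    view.reset();                      // view torn down before the launcher reports back
    return client->pointsAtDeadView(); // true: spinning the loop now would dereference freed memory
}

// Weak client, same sequence: the queued callback finds no live view and drops the signal.
bool weakClientDropsSignalAfterViewDestruction() {
    auto view = std::make_shared<WebView>();
    auto client = std::make_shared<WeakNavigationClient>(view);
    Launcher launcher;
    bool delivered = true;
    launcher.launch([client, &delivered] { delivered = client->processDidTerminate(); });
    view.reset();
    launcher.spinEventLoop();
    return !delivered;
}

// Weak client with the view still alive: the signal is delivered exactly once.
int weakClientSignalsWhenViewAlive() {
    auto view = std::make_shared<WebView>();
    auto client = std::make_shared<WeakNavigationClient>(view);
    Launcher launcher;
    launcher.launch([client] { client->processDidTerminate(); });
    launcher.spinEventLoop();
    return view->terminatedSignals;
}
```

The raw-pointer scenario is the shape of the backtrace above: the launcher's completion path runs from the main loop after the caller's view has gone away, and the client dereferences whatever address it still holds. The weak variant makes the dispatch a checked operation; an audit of API clients along the lines the comment suggests would look for every member of pointer-to-view type that is not owned or weak and not cleared when the view is destroyed.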