<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [GTK] Crash in WebProcess when loading large content with custom URI schemes"
href="https://bugs.webkit.org/show_bug.cgi?id=144262">144262</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[GTK] Crash in WebProcess when loading large content with custom URI schemes
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>528+ (Nightly build)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Keywords</th>
<td>Gtk
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>WebKit Gtk
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>mario@webkit.org
</td>
</tr>
<tr>
<th>CC</th>
<td>cgarcia@igalia.com, mrobinson@webkit.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=251750" name="attach_251750" title="Test case (C example code)">attachment 251750</a> <a href="attachment.cgi?id=251750&action=edit" title="Test case (C example code)">[details]</a></span>
Test case (C example code)
In the past weeks, we've been seeing crashes in one WebKitGTK+ based app when the user navigates web content "too quickly", loaded via custom URI schemes (this bit is important), by clicking very fast in links rendered inside large HTML documents, which causes the current load to be cancelled and start a new load, inside the same web view.
This is not a "happens all the time" thing, but depending on the load, the size of the original document containing the links, how fast the user is clicking and other factors alike, it's certainly likely to hit this crash over and over again, so it would be nice to have it fixed upstream, where I could reproduce it without any trouble using a debug build (although we initially detected using webkitgtk 2.4.6 and 2.6.2).
Last, this is possibly related to these two bugs recently reported in RedHat's bugzilla:
* <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1196677">https://bugzilla.redhat.com/show_bug.cgi?id=1196677</a>
* <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1209130">https://bugzilla.redhat.com/show_bug.cgi?id=1209130</a>
I'm attaching a minimal example in C code that causes the web process to crash when trying to load a 'crashy.html' file (to be attached later) twice in the same web view, causing the following crash:
$ ./webkitcrash
ASSERTION FAILED: task.get()
../../Source/WebKit2/Shared/Network/CustomProtocols/soup/CustomProtocolManagerImpl.cpp(120) : void WebKit::CustomProtocolManagerImpl::didFailWithError(uint64_t, const WebCore::ResourceError&)
1 0x7f41d220d0e9 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f41d220d0e9]
2 0x7f41d76da965 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit25CustomProtocolManagerImpl16didFailWithErrorEmRKN7WebCore13ResourceErrorE+0xa7) [0x7f41d76da965]
3 0x7f41d76de1b0 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit21CustomProtocolManager16didFailWithErrorEmRKN7WebCore13ResourceErrorE+0x3a) [0x7f41d76de1b0]
4 0x7f41d77d9fb1 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC22callMemberFunctionImplIN6WebKit21CustomProtocolManagerEMS2_FvmRKN7WebCore13ResourceErrorEESt5tupleIImS4_EEILm0ELm1EEEEvPT_T0_OT1_St14index_sequenceIIXspT2_EEE+0x9c) [0x7f41d77d9fb1]
5 0x7f41d77d9c5e /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC18callMemberFunctionIN6WebKit21CustomProtocolManagerEMS2_FvmRKN7WebCore13ResourceErrorEESt5tupleIImS4_EESt19make_index_sequenceILm2EEEEvOT1_PT_T0_+0x41) [0x7f41d77d9c5e]
6 0x7f41d77d9625 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC13handleMessageIN8Messages21CustomProtocolManager16DidFailWithErrorEN6WebKit21CustomProtocolManagerEMS5_FvmRKN7WebCore13ResourceErrorEEEEvRNS_14MessageDecoderEPT0_T1_+0xa3) [0x7f41d77d9625]
7 0x7f41d77d91e4 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit21CustomProtocolManager17didReceiveMessageERN3IPC10ConnectionERNS1_14MessageDecoderE+0xb2) [0x7f41d77d91e4]
8 0x7f41d734eb09 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC10Connection39dispatchWorkQueueMessageReceiverMessageERNS0_24WorkQueueMessageReceiverERNS_14MessageDecoderE+0x47) [0x7f41d734eb09]
9 0x7f41d7350552 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x41d8552) [0x7f41d7350552]
10 0x7f41d7352ce3 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x41dace3) [0x7f41d7352ce3]
11 0x7f41d733ac50 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x32) [0x7f41d733ac50]
12 0x7f41d2256029 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3WTF15GMainLoopSource12voidCallbackEv+0x6d) [0x7f41d2256029]
13 0x7f41d225672d /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3WTF15GMainLoopSource18voidSourceCallbackEPS0_+0x23) [0x7f41d225672d]
14 0x7f41cdbc658d /home/mario/work/WebKit/WebKitBuild/DependenciesGTK/Root/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x13d) [0x7f41cdbc658d]
15 0x7f41cdbc6928 /home/mario/work/WebKit/WebKitBuild/DependenciesGTK/Root/lib64/libglib-2.0.so.0(+0x48928) [0x7f41cdbc6928]
16 0x7f41cdbc6c42 /home/mario/work/WebKit/WebKitBuild/DependenciesGTK/Root/lib64/libglib-2.0.so.0(g_main_loop_run+0xc2) [0x7f41cdbc6c42]
17 0x7f41d9289cfc /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x6111cfc) [0x7f41d9289cfc]
18 0x7f41d928a94b /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x611294b) [0x7f41d928a94b]
19 0x7f41d733ac50 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNKSt8functionIFvvEEclEv+0x32) [0x7f41d733ac50]
20 0x7f41d2220176 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(+0x14b5176) [0x7f41d2220176]
21 0x7f41d224c8a7 /home/mario/work/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(+0x14e18a7) [0x7f41d224c8a7]
22 0x7f41d054052a /lib64/libpthread.so.0(+0x752a) [0x7f41d054052a]
23 0x7f41c809a22d /lib64/libc.so.6(clone+0x6d) [0x7f41c809a22d]
Now see below the backtrace as taken from gdb, while connecting to the crashing process:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffcd880700 (LWP 31538)]
0x00007fffed1ab0ee in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007fffed1ab0ee in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1 0x00007ffff2678965 in WebKit::CustomProtocolManagerImpl::didFailWithError (this=0x682fc0, customProtocolID=1, error=...) at ../../Source/WebKit2/Shared/Network/CustomProtocols/soup/CustomProtocolManagerImpl.cpp:120
#2 0x00007ffff267c1b0 in WebKit::CustomProtocolManager::didFailWithError (this=0x7fffc5ff3000, customProtocolID=1, error=...) at ../../Source/WebKit2/Shared/Network/CustomProtocols/soup/CustomProtocolManagerSoup.cpp:91
#3 0x00007ffff2777fb1 in IPC::callMemberFunctionImpl<WebKit::CustomProtocolManager, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&), std::tuple<unsigned long, WebCore::ResourceError>, 0ul, 1ul>(WebKit::CustomProtocolManager*, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&), std::tuple<unsigned long, WebCore::ResourceError>&&, std::index_sequence<0ul, 1ul>) (object=0x7fffc5ff3000, function=
(void (WebKit::CustomProtocolManager::*)(WebKit::CustomProtocolManager * const, unsigned long, const WebCore::ResourceError &)) 0x7ffff267c176 <WebKit::CustomProtocolManager::didFailWithError(unsigned long, WebCore::ResourceError const&)>, args=<unknown type in /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0xbfa7cb1, DIE 0xbfd4e45>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:16
#4 0x00007ffff2777c5e in IPC::callMemberFunction<WebKit::CustomProtocolManager, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&), std::tuple<unsigned long, WebCore::ResourceError>, std::make_index_sequence<2ul> >(std::tuple<unsigned long, WebCore::ResourceError>&&, WebKit::CustomProtocolManager*, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&)) (
args=<unknown type in /home/mario/work/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0xbfa7cb1, DIE 0xbfd4082>, object=0x7fffc5ff3000, function=
(void (WebKit::CustomProtocolManager::*)(WebKit::CustomProtocolManager * const, unsigned long, const WebCore::ResourceError &)) 0x7ffff267c176 <WebKit::CustomProtocolManager::didFailWithError(unsigned long, WebCore::ResourceError const&)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:22
#5 0x00007ffff2777625 in IPC::handleMessage<Messages::CustomProtocolManager::DidFailWithError, WebKit::CustomProtocolManager, void (WebKit::CustomProtocolManager::*)(unsigned long, WebCore::ResourceError const&)> (decoder=...,
object=0x7fffc5ff3000, function=
(void (WebKit::CustomProtocolManager::*)(WebKit::CustomProtocolManager * const, unsigned long, const WebCore::ResourceError &)) 0x7ffff267c176 <WebKit::CustomProtocolManager::didFailWithError(unsigned long, WebCore::ResourceError const&)>) at ../../Source/WebKit2/Platform/IPC/HandleMessage.h:92
#6 0x00007ffff27771e4 in WebKit::CustomProtocolManager::didReceiveMessage (this=0x7fffc5ff3000, connection=..., decoder=...) at DerivedSources/WebKit2/CustomProtocolManagerMessageReceiver.cpp:44
#7 0x00007ffff22ecb09 in IPC::Connection::dispatchWorkQueueMessageReceiverMessage (this=0x7fffc57fb000, workQueueMessageReceiver=..., decoder=...) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:306
#8 0x00007ffff22ee552 in IPC::Connection::<lambda()>::operator()(void) const (__closure=0x7fff68001f10) at ../../Source/WebKit2/Platform/IPC/Connection.cpp:678
#9 0x00007ffff22f0ce3 in std::_Function_handler<void(), IPC::Connection::processIncomingMessage(std::unique_ptr<IPC::MessageDecoder>)::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...)
at /usr/include/c++/4.9.2/functional:2039
#10 0x00007ffff22d8c50 in std::function<void ()>::operator()() const (this=0x7fffcd87f908) at /usr/include/c++/4.9.2/functional:2439
#11 0x00007fffed1f4029 in WTF::GMainLoopSource::voidCallback (this=0x7fffc5fecdc0) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:365
#12 0x00007fffed1f472d in WTF::GMainLoopSource::voidSourceCallback (source=0x7fffc5fecdc0) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:456
#13 0x00007fffe8b6458d in g_main_dispatch (context=0x716470) at gmain.c:3064
#14 g_main_context_dispatch (context=context@entry=0x716470) at gmain.c:3663
#15 0x00007fffe8b64928 in g_main_context_iterate (context=0x716470, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734
#16 0x00007fffe8b64c42 in g_main_loop_run (loop=0x5cacf0) at gmain.c:3928
#17 0x00007ffff4227cfc in WTF::WorkQueue::<lambda()>::operator()(void) const (__closure=0x8e93e0) at ../../Source/WTF/wtf/gtk/WorkQueueGtk.cpp:59
#18 0x00007ffff422894b in std::_Function_handler<void(), WTF::WorkQueue::platformInitialize(char const*, WTF::WorkQueue::Type, WTF::WorkQueue::QOS)::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...)
at /usr/include/c++/4.9.2/functional:2039
#19 0x00007ffff22d8c50 in std::function<void ()>::operator()() const (this=0x7fffcd87fb50) at /usr/include/c++/4.9.2/functional:2439
#20 0x00007fffed1be176 in WTF::threadEntryPoint (contextData=0x7fffc5ff50a0) at ../../Source/WTF/wtf/Threading.cpp:58
#21 0x00007fffed1ea8a7 in WTF::wtfThreadEntryPoint (param=0x7fffc5ffb050) at ../../Source/WTF/wtf/ThreadingPthreads.cpp:170
#22 0x00007fffeb4de52a in start_thread (arg=0x7fffcd880700) at pthread_create.c:310
#23 0x00007fffe303822d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>