<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [GTK] Crash on drag above web view of nautilus' tab"
href="https://bugs.webkit.org/show_bug.cgi?id=166059">166059</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[GTK] Crash on drag above web view of nautilus' tab
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Local Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Critical
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>WebKit Gtk
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>mcrha@redhat.com
</td>
</tr>
<tr>
<th>CC</th>
<td>bugs-noreply@webkitgtk.org
</td>
</tr></table>
<p>
<div>
<pre>This had been reported downstream against evolution:
<a href="https://bugzilla.gnome.org/show_bug.cgi?id=776224">https://bugzilla.gnome.org/show_bug.cgi?id=776224</a>
When a user adds a tab into nautilus and then drops it above message preview of the evolution, then it causes a crash in the WebKit with this backtrace:
Thread 1 "evolution" received signal SIGSEGV, Segmentation fault.
0x00007fffefb91d5d in WebKit::DragAndDropHandler::drop(_GdkDragContext*, WebCore::IntPoint const&, unsigned int) () from /lib64/libwebkit2gtk-4.0.so.37
(gdb) bt full
#0 0x00007fffefb91d5d in WebKit::DragAndDropHandler::drop(_GdkDragContext*, WebCore::IntPoint const&, unsigned int) () at /lib64/libwebkit2gtk-4.0.so.37
#1 0x00007fffefb7703c in webkitWebViewBaseDragDrop(_GtkWidget*, _GdkDragContext*, int, int, unsigned int) () at /lib64/libwebkit2gtk-4.0.so.37
#2 0x00007fffed8f13d7 in _gtk_marshal_BOOLEAN__OBJECT_INT_INT_UINT () at /lib64/libgtk-3.so.0
#6 0x00007fffec0408eb in <emit signal 0x7fffedabe22c "drag-drop" on instance 0x5555569cdbb0 [EMailDisplay]> (instance=0x5555569cdbb0, detailed_signal=0x7fffedabe22c "drag-drop") at gsignal.c:3487
var_args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffffffe1a0, reg_save_area = 0x7fffffffe0b0}}
detail = 0
itype = 93825002162336
__func__ = "g_signal_emit_by_name"
#3 0x00007fffec0253e5 in g_closure_invoke (closure=closure@entry=0x5555557eaa10, return_value=return_value@entry=0x7fffffffdda0, n_param_values=5, param_values=param_values@entry=0x7fffffffde00, invocation_hint=invocation_hint@entry=0x7fffffffdd80) at gclosure.c:804
marshal = <optimized out>
marshal_data = <optimized out>
in_marshal = 0
real_closure = 0x5555557ea9f0
__func__ = "g_closure_invoke"
#4 0x00007fffec03782d in signal_emit_unlocked_R (node=node@entry=0x5555557eaa40, detail=detail@entry=0, instance=instance@entry=0x5555569cdbb0, emission_return=emission_return@entry=0x7fffffffdf70, instance_and_params=instance_and_params@entry=0x7fffffffde00) at gsignal.c:3673
accumulator = 0x555555782440
emission = {next = 0x0, instance = 0x5555569cdbb0, ihint = {signal_id = 91, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 93825002162336}
class_closure = 0x5555557eaa10
handler_list = <optimized out>
return_accu = 0x7fffffffdda0
accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
signal_id = 91
max_sequential_handler_number = 62687
return_value_altered = 0
#5 0x00007fffec03fb8f in g_signal_emit_valist (instance=instance@entry=0x5555569cdbb0, signal_id=signal_id@entry=91, detail=detail@entry=0, var_args=var_args@entry=0x7fffffffe068) at gsignal.c:3401
return_value = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
error = 0x0
rtype = 20
static_scope = 0
instance_and_params = 0x7fffffffde00
signal_return_type = <optimized out>
param_values = 0x7fffffffde18
node = <optimized out>
i = <optimized out>
n_params = <optimized out>
__func__ = "g_signal_emit_valist"
#7 0x00007fffeda69b57 in gtk_drag_dest_drop () at /lib64/libgtk-3.so.0
#8 0x00007fffeda6a6d0 in _gtk_drag_dest_handle_event () at /lib64/libgtk-3.so.0
#9 0x00007fffed8ef33a in gtk_main_do_event () at /lib64/libgtk-3.so.0
#10 0x00007fffed406485 in _gdk_event_emit () at /lib64/libgdk-3.so.0
#11 0x00007fffed437452 in gdk_event_source_dispatch () at /lib64/libgdk-3.so.0
#12 0x00007fffebd4ce42 in g_main_dispatch (context=0x5555557ddeb0) at gmain.c:3203
dispatch = 0x7fffed437430 <gdk_event_source_dispatch>
prev_source = 0x0
was_in_call = 0
user_data = 0x0
callback = 0x0
cb_funcs = 0x0
cb_data = 0x0
need_destroy = <optimized out>
source = 0x5555557bed60
current = 0x555555821eb0
i = 0
#13 0x00007fffebd4ce42 in g_main_context_dispatch (context=context@entry=0x5555557ddeb0) at gmain.c:3856
#14 0x00007fffebd4d1c0 in g_main_context_iterate (context=0x5555557ddeb0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3929
max_priority = 2147483647
timeout = 31
some_ready = 1
nfds = 4
allocated_nfds = 4
fds = <optimized out>
#15 0x00007fffebd4d4e2 in g_main_loop_run (loop=0x555556c5cab0) at gmain.c:4125
__func__ = "g_main_loop_run"
#16 0x00007fffed8ee655 in gtk_main () at /lib64/libgtk-3.so.0
#17 0x0000555555557e05 in main (argc=<optimized out>, argv=<optimized out>) at main.c:665
settings = <optimized out>
success = <optimized out>
error = 0x0
-------------------------------------------------------------------------------
I also used gdb with this output (note of a NULL 'this' pointer there, which seems that Fedora either has disabled asserts or the test checks that the structure is not NULL, but not its content):
Thread 1 "evolution" hit Breakpoint 1, webkitWebViewBaseDragDrop (widget=0x36ae320 [EMailDisplay], context=0x32898a0, x=30, y=225, time=20018240)
at /usr/src/debug/webkitgtk-2.14.2/Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp:1054
1054 return priv->dragAndDropHandler->drop(context, IntPoint(x, y), time);
(gdb) p priv
$2 = (WebKitWebViewBasePrivate *) 0x36ae040
(gdb) p priv->dragAndDropHandler
$3 = std::unique_ptr<WebKit::DragAndDropHandler> containing 0x0
(gdb) s
WebCore::IntPoint::IntPoint (y=225, x=30, this=0x7fffffffd2e0) at /usr/src/debug/webkitgtk-2.14.2/Source/WebCore/platform/graphics/IntPoint.h:64
64 IntPoint(int x, int y) : m_x(x), m_y(y) { }
(gdb) n
webkitWebViewBaseDragDrop (widget=0x36ae320 [EMailDisplay], context=0x32898a0, x=30, y=225, time=20018240) at /usr/src/debug/webkitgtk-2.14.2/Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp:1054
1054 return priv->dragAndDropHandler->drop(context, IntPoint(x, y), time);
(gdb) s
WebKit::DragAndDropHandler::drop (this=0x0, context=context@entry=0x32898a0, position=..., time=time@entry=20018240) at /usr/src/debug/webkitgtk-2.14.2/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.cpp:285
285 {
(gdb) n
286 DroppingContext* droppingContext = m_droppingContexts.get(context);
(gdb)
285 {
(gdb)
286 DroppingContext* droppingContext = m_droppingContexts.get(context);
(gdb)
Thread 1 "evolution" received signal SIGSEGV, Segmentation fault.
WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::inlineLookup<WTF::Ident
at /usr/src/debug/webkitgtk-2.14.2/Source/WTF/wtf/HashTable.h:611
611 unsigned sizeMask = m_tableSizeMask;
-------------------------------------------------------------------------------
Note that the EMailDisplay is a descendant of EWebView, which is a descendant of WebKitWebView. The EWebView overrides GtkWidgetClass::drag_motion and simply returns FALSE, which is meant to indicate that the widget is not used as a drop zone, but for some reason (I suspect due to WebKit), the widget finally claims to be a drop zone (based on the mouse cursor). To workaround that I changed the body of the overridden function and made it return TRUE, while also calling gdk_drag_status (context, 0, time_);. That fixes the drop zone detection, but crashes in drag-leave, when I move away from the widget, again in the WebKit code, unless I also redefine GtkWidgetClass::drag_leave function. To have it complete, there's also redefined a GtkWidgetClass::drag_drop function to avoid the crash there (see the downstream bug report).
I hope it is only a temporary change.
Interestingly, neither Epiphany, nor MiniBrowser, suffer of this. Could it be because they both do something in those drag-related callbacks on their own, thus the default implementations in the WebKitWebViewBase are not called? I'm only guessing here and I definitely do not want to mislead your investigation of the cause with it.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>