Bug 1382789

Summary: Epiphany crash in XGetWindowAttributes
Product: Fedora
Reporter: Nathaniel McCallum <npmccallum>
Component: webkitgtk4
Assignee: Tomas Popela <tpopela>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: ajax, gecko-bugs-nobody, klember, mcatanzaro+wrong-account-do-not-cc, npmccallum, pvarn01, rob.townley, tpopela
Hardware: Unspecified
OS: Unspecified
Last Closed: 2016-10-08 00:10:52 UTC
Type: Bug

Description Nathaniel McCallum 2016-10-07 18:09:29 UTC
I'm able to reproduce this by simply going to audible.com in epiphany on rawhide. Attached is a backtrace and some initial debugging. dpy->xcb clearly has a bad value. I suspect this is due to a bad message from Wayland's X11 emulation, so I'm filing this bug under the wayland component.

Thread 1 "epiphany" received signal SIGSEGV, Segmentation fault.
_XReply (dpy=dpy@entry=0x555555871100, rep=rep@entry=0x7fffffffd0b0, extra=extra@entry=0, discard=discard@entry=1) at xcb_io.c:566
566		if (dpy->xcb->reply_data)
(gdb) list
561		xcb_connection_t *c = dpy->xcb->connection;
562		char *reply;
563		PendingRequest *current;
564		uint64_t dpy_request;
565	
566		if (dpy->xcb->reply_data)
567			throw_extlib_fail_assert("Extra reply data still left in queue",
568			                         xcb_xlib_extra_reply_data_left);
569	
570		if(dpy->flags & XlibDisplayIOError)
(gdb) p dpy->xcb
$1 = (struct _X11XCBPrivate *) 0x2
(gdb) bt
#0  0x00007ffff78d7ad2 in _XReply (dpy=dpy@entry=0x555555871100, rep=rep@entry=0x7fffffffd0b0, extra=extra@entry=0, discard=discard@entry=1) at xcb_io.c:566
#1  0x00007ffff78be877 in _XGetWindowAttributes (dpy=dpy@entry=0x555555871100, w=0, attr=0x7fffffffd1a0) at GetWAttrs.c:115
#2  0x00007ffff78bea01 in XGetWindowAttributes (dpy=0x555555871100, w=w@entry=0, attr=attr@entry=0x7fffffffd1a0) at GetWAttrs.c:150
#3  0x00007ffff21f76e4 in gtk_socket_realize (widget=0x555556660380 [GtkSocket]) at gtksocket.c:420
#4  0x00007ffff02c85f4 in _g_closure_invoke_va (closure=closure@entry=0x5555558a6f10, return_value=return_value@entry=0x0, instance=instance@entry=0x555556660380, args=args@entry=0x7fffffffd480, n_params=<optimized out>, param_types=0x0) at gclosure.c:867
#5  0x00007ffff02e2db9 in g_signal_emit_valist (instance=0x555556660380, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffd480) at gsignal.c:3300
#6  0x00007ffff02e341f in g_signal_emit (instance=instance@entry=0x555556660380, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
#7  0x00007ffff21bf354 in gtk_widget_realize (widget=widget@entry=0x555556660380 [GtkSocket]) at gtkwidget.c:5454
#8  0x00007ffff21c2b68 in gtk_widget_set_parent (widget=0x555556660380 [GtkSocket], parent=0x555556634c20 [EphyWebView]) at gtkwidget.c:9566
#9  0x00007ffff4c64474 in webkitWebViewBaseContainerAdd(_GtkContainer*, _GtkWidget*) () at /lib64/libwebkit2gtk-4.0.so.37
#10 0x00007ffff02cb450 in g_cclosure_marshal_VOID__OBJECTv (closure=0x5555558b0660, return_value=<optimized out>, instance=0x555556634c20, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x5555558adc50) at gmarshal.c:2102
#11 0x00007ffff02c85f4 in _g_closure_invoke_va (closure=closure@entry=0x5555558b0660, return_value=return_value@entry=0x0, instance=instance@entry=0x555556634c20, args=args@entry=0x7fffffffd8d0, n_params=<optimized out>, param_types=0x5555558adc50) at gclosure.c:867
#12 0x00007ffff02e2db9 in g_signal_emit_valist (instance=0x555556634c20, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffd8d0) at gsignal.c:3300
#13 0x00007ffff02e341f in g_signal_emit (instance=instance@entry=0x555556634c20, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
#14 0x00007ffff1f9cab5 in gtk_container_add (container=0x555556634c20 [EphyWebView], widget=0x555556660380 [GtkSocket]) at gtkcontainer.c:1875
#15 0x00007ffff4c8639c in WebKit::WebPageProxy::createPluginContainer(unsigned long&) () at /lib64/libwebkit2gtk-4.0.so.37
#16 0x00007ffff4cd6fa4 in WebKit::WebPageProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) () at /lib64/libwebkit2gtk-4.0.so.37
#17 0x00007ffff49e9a31 in IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) () at /lib64/libwebkit2gtk-4.0.so.37
#18 0x00007ffff4a9bf4b in WebKit::WebProcessProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) () at /lib64/libwebkit2gtk-4.0.so.37
#19 0x00007ffff49e57db in IPC::Connection::dispatchSyncMessage(IPC::Decoder&) () at /lib64/libwebkit2gtk-4.0.so.37
#20 0x00007ffff49e58cd in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) () at /lib64/libwebkit2gtk-4.0.so.37
#21 0x00007ffff49e64e8 in IPC::Connection::dispatchOneMessage() () at /lib64/libwebkit2gtk-4.0.so.37
#22 0x00007ffff42da715 in WTF::RunLoop::performWork() () at /lib64/libjavascriptcoregtk-4.0.so.18
#23 0x00007ffff43011d9 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () at /lib64/libjavascriptcoregtk-4.0.so.18
#24 0x00007fffefff0e62 in g_main_dispatch (context=0x555555867380) at gmain.c:3201
#25 0x00007fffefff0e62 in g_main_context_dispatch (context=context@entry=0x555555867380) at gmain.c:3854
#26 0x00007fffefff11e0 in g_main_context_iterate (context=context@entry=0x555555867380, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3927
#27 0x00007fffefff128c in g_main_context_iteration (context=context@entry=0x555555867380, may_block=may_block@entry=1) at gmain.c:3988
#28 0x00007ffff05a8bad in g_application_run (application=0x5555558dd140 [EphyShell], argc=1, argv=0x7fffffffdf28) at gapplication.c:2381
#29 0x00005555555867d4 in main ()

Comment 1 Adam Jackson 2016-10-07 19:52:14 UTC
(In reply to Nathaniel McCallum from comment #0)
> I'm able to reproduce this by simply going to audible.com in epiphany on
> rawhide. Attached is a backtrace and some initial debugging. dpy->xcb
> clearly has a bad value. I suspect this is due to a bad message from
> Wayland's X11 emulation, so I'm filing this bug under the wayland component.

Xwayland doesn't modify anything about the GetWindowAttributes code path in X, so, no.

Comment 2 Michael Catanzaro 2016-10-07 22:07:17 UTC
WebKit is a native Wayland client, there should be no XWayland involved. It looks like a WebKit bug. GtkSocket just crashes if used under Wayland, so the bug is that WebKit is trying to create one; the crash is an expected result of that. And we do have code that should prevent this from happening (windowed plugins are all disabled in Wayland). What version of WebKitGTK+ is this? What browser plugin is it trying to run? Any chance you could get a backtrace with debug info (files, line numbers, local variables)?

Comment 3 Nathaniel McCallum 2016-10-07 22:27:01 UTC
It is trying to load flash (surprise, surprise). Package versions and backtrace are below.

flash-plugin-11.2.202.635-release.x86_64
webkitgtk4-2.14.0-1.fc26.x86_64

#0  0x00007ffff78be9ee in XGetWindowAttributes (dpy=0x555555871100, w=w@entry=0, attr=attr@entry=0x7fffffffd1a0) at GetWAttrs.c:149
#1  0x00007ffff21f76e4 in gtk_socket_realize (widget=0x55555665a170 [GtkSocket]) at gtksocket.c:420
#2  0x00007ffff02c85f4 in _g_closure_invoke_va (closure=closure@entry=0x5555558a6d90, return_value=return_value@entry=0x0, instance=instance@entry=0x55555665a170, args=args@entry=0x7fffffffd480, n_params=<optimized out>, param_types=0x0) at gclosure.c:867
#3  0x00007ffff02e2db9 in g_signal_emit_valist (instance=0x55555665a170, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffd480) at gsignal.c:3300
#4  0x00007ffff02e341f in g_signal_emit (instance=instance@entry=0x55555665a170, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
#5  0x00007ffff21bf354 in gtk_widget_realize (widget=widget@entry=0x55555665a170 [GtkSocket]) at gtkwidget.c:5454
#6  0x00007ffff21c2b68 in gtk_widget_set_parent (widget=0x55555665a170 [GtkSocket], parent=0x55555662f990 [EphyWebView]) at gtkwidget.c:9566
#7  0x00007ffff4c64474 in webkitWebViewBaseContainerAdd(GtkContainer*, GtkWidget*) (container=0x55555662f990 [EphyWebView], widget=<optimized out>, widget@entry=0x55555665a170 [GtkSocket])
    at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp:421
#8  0x00007ffff02cb450 in g_cclosure_marshal_VOID__OBJECTv (closure=0x5555558b24d0, return_value=<optimized out>, instance=0x55555662f990, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x5555558b25f0) at gmarshal.c:2102
#9  0x00007ffff02c85f4 in _g_closure_invoke_va (closure=closure@entry=0x5555558b24d0, return_value=return_value@entry=0x0, instance=instance@entry=0x55555662f990, args=args@entry=0x7fffffffd8d0, n_params=<optimized out>, param_types=0x5555558b25f0) at gclosure.c:867
#10 0x00007ffff02e2db9 in g_signal_emit_valist (instance=0x55555662f990, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffd8d0) at gsignal.c:3300
#11 0x00007ffff02e341f in g_signal_emit (instance=instance@entry=0x55555662f990, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
#12 0x00007ffff1f9cab5 in gtk_container_add (container=0x55555662f990 [EphyWebView], widget=0x55555665a170 [GtkSocket]) at gtkcontainer.c:1875
#13 0x00007ffff4c8639c in WebKit::WebPageProxy::createPluginContainer(unsigned long&) (this=this@entry=0x7fffdf73b000, windowID=windowID@entry=@0x7fffffffda10: 0)
    at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/UIProcess/gtk/WebPageProxyGtk.cpp:107
#14 0x00007ffff4cd6fa4 in IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long&), std::tuple<>, , std::tuple<unsigned long>, 0ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long&), std::tuple<>&&, std::tuple<unsigned long>&, std::integer_sequence<unsigned long>, std::integer_sequence<unsigned long, 0ul>) (args=<optimized out>, replyArgs=std::tuple containing = {...}, function=<optimized out>, object=0x7fffdf73b000) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/HandleMessage.h:27
#15 0x00007ffff4cd6fa4 in IPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long&), std::tuple<>, std::integer_sequence<unsigned long>, std::tuple<unsigned long>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<>&&, std::tuple<unsigned long>&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long&)) (args=<optimized out>, function=<optimized out>, object=0x7fffdf73b000, replyArgs=std::tuple containing = {...}) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/HandleMessage.h:33
#16 0x00007ffff4cd6fa4 in IPC::handleMessage<Messages::WebPageProxy::CreatePluginContainer, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long&)>(IPC::Decoder&, IPC::Encoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long&)) (decoder=..., function=<optimized out>, object=0x7fffdf73b000, replyEncoder=...)
    at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/HandleMessage.h:112
#17 0x00007ffff4cd6fa4 in WebKit::WebPageProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) (this=0x7fffdf73b000, connection=..., decoder=..., replyEncoder=std::unique_ptr<IPC::Encoder> containing 0x7fffdf73d000) at /usr/src/debug/webkitgtk-2.14.0/x86_64-redhat-linux-gnu/DerivedSources/WebKit2/WebPageProxyMessageReceiver.cpp:1457
#18 0x00007ffff49e9a31 in IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) (this=this@entry=0x7fffdf7eb638, connection=..., decoder=..., replyEncoder=std::unique_ptr<IPC::Encoder> containing 0x7fffdf73d000) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:140
#19 0x00007ffff4a495d9 in WebKit::ChildProcessProxy::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) (this=this@entry=0x7fffdf7eb600, connection=..., decoder=..., replyEncoder=std::unique_ptr<IPC::Encoder> containing 0x7fffdf73d000) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/UIProcess/ChildProcessProxy.cpp:157
#20 0x00007ffff4a9bf4b in WebKit::WebProcessProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) (this=
    0x7fffdf7eb600, connection=..., decoder=..., replyEncoder=std::unique_ptr<IPC::Encoder> containing 0x7fffdf73d000) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/UIProcess/WebProcessProxy.cpp:514
#21 0x00007ffff49e57db in IPC::Connection::dispatchSyncMessage(IPC::Decoder&) (this=0x7fffdf75e168, decoder=...) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/Connection.cpp:789
#22 0x00007ffff49e58cd in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=this@entry=0x7fffdf75e168, message=std::unique_ptr<IPC::Decoder> containing 0x7fffdf726478) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/Connection.cpp:856
#23 0x00007ffff49e64e8 in IPC::Connection::dispatchOneMessage() (this=0x7fffdf75e168) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/Connection.cpp:889
#24 0x00007ffff42da715 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/src/debug/webkitgtk-2.14.0/Source/WTF/wtf/Function.h:50
#25 0x00007ffff42da715 in WTF::RunLoop::performWork() (this=0x7fffdf7f7000) at /usr/src/debug/webkitgtk-2.14.0/Source/WTF/wtf/RunLoop.cpp:105
#26 0x00007ffff43011d9 in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>) at /usr/src/debug/webkitgtk-2.14.0/Source/WTF/wtf/glib/RunLoopGLib.cpp:66
#27 0x00007ffff43011d9 in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) () at /usr/src/debug/webkitgtk-2.14.0/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#28 0x00007fffefff0e62 in g_main_dispatch (context=0x555555867380) at gmain.c:3201
#29 0x00007fffefff0e62 in g_main_context_dispatch (context=context@entry=0x555555867380) at gmain.c:3854
#30 0x00007fffefff11e0 in g_main_context_iterate (context=context@entry=0x555555867380, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3927
#31 0x00007fffefff128c in g_main_context_iteration (context=context@entry=0x555555867380, may_block=may_block@entry=1) at gmain.c:3988
#32 0x00007ffff05a8bad in g_application_run (application=0x5555558de140 [EphyShell], argc=1, argv=0x7fffffffdf28) at gapplication.c:2381
#33 0x00005555555867d4 in main ()

Comment 4 Michael Catanzaro 2016-10-08 00:10:52 UTC
OK thanks, I've reported this upstream. I guess the code that stops windowed plugins from being loaded in Wayland is broken for some reason.

Comment 5 Michael Catanzaro 2017-02-09 23:50:32 UTC
*** Bug 1420127 has been marked as a duplicate of this bug. ***

Comment 6 Michael Catanzaro 2017-02-09 23:51:55 UTC
*** Bug 1420909 has been marked as a duplicate of this bug. ***