Bug 1687185

Summary: [abrt] epiphany-runtime: ephy_embed_event_new(): epiphany killed by SIGSEGV
Product: Fedora
Reporter: kxra
Component: webkit2gtk3
Assignee: Eike Rathke <erack>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: erack, gecko-bugs-nobody, gnome-sig, jhorak, john.j5live, mcatanzaro+wrong-account-do-not-cc, mclasen, phatina, rhughes, rstrode, sandmann, tpopela
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/efe9a610ada6d04c45186bc29c5a3ca506fd1fa5
Whiteboard: abrt_hash:937eda7675366ab0dbe81534ddca21a39f40d092;VARIANT_ID=workstation;
Last Closed: 2019-03-18 15:02:04 UTC
Attachments (no flags set on any): backtrace, cgroup, core_backtrace, cpuinfo, dso_list, environ, exploitable, limits, maps, mountinfo, open_fds, proc_pid_status, var_log_messages

Description kxra 2019-03-10 18:27:18 UTC
Version-Release number of selected component:
1:epiphany-runtime-3.30.3-1.fc29

Additional info:
reporter:       libreport-2.10.0
backtrace_rating: 4
cmdline:        epiphany
crash_function: ephy_embed_event_new
executable:     /usr/bin/epiphany
journald_cursor: s=2c7941ff6ceb40ce8dc8bec9c9216333;i=cce;b=e019931372024ab693336e09ea3720a5;m=17324018;t=583c157e85669;x=b81539c8c40307fc
kernel:         4.20.13-200.fc29.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 ephy_embed_event_new at ../embed/ephy-embed-event.c:68
 #1 populate_context_menu at ../src/ephy-window.c:1459
 #2 ffi_call_unix64 at ../src/x86/unix64.S:76
 #3 ffi_call at ../src/x86/ffi64.c:525
 #4 g_cclosure_marshal_generic at gclosure.c:1496
 #9 webkitWebViewPopulateContextMenu at /usr/src/debug/webkit2gtk3-2.22.6-1.fc29.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:2319
 #10 ContextMenuClient::getContextMenuFromProposedMenu at /usr/src/debug/webkit2gtk3-2.22.6-1.fc29.x86_64/Source/WebKit/UIProcess/API/glib/WebKitContextMenuClient.cpp:50
 #11 WebKit::WebContextMenuProxyGtk::show at /usr/src/debug/webkit2gtk3-2.22.6-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Vector.h:365
 #12 WebKit::WebPageProxy::showContextMenu at /usr/src/debug/webkit2gtk3-2.22.6-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:41
 #13 IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WebKit::ContextMenuContextData&&, WebKit::UserData const&), std::tuple<WebKit::ContextMenuContextData, WebKit::UserData>, 0ul, 1ul> at /usr/src/debug/webkit2gtk3-2.22.6-1.fc29.x86_64/Source/WebKit/Platform/IPC/HandleMessage.h:45

Comment 1 kxra 2019-03-10 18:27:20 UTC
Created attachment 1542674 [details]
File: backtrace

Comment 2 kxra 2019-03-10 18:27:21 UTC
Created attachment 1542675 [details]
File: cgroup

Comment 3 kxra 2019-03-10 18:27:22 UTC
Created attachment 1542676 [details]
File: core_backtrace

Comment 4 kxra 2019-03-10 18:27:23 UTC
Created attachment 1542677 [details]
File: cpuinfo

Comment 5 kxra 2019-03-10 18:27:24 UTC
Created attachment 1542678 [details]
File: dso_list

Comment 6 kxra 2019-03-10 18:27:25 UTC
Created attachment 1542679 [details]
File: environ

Comment 7 kxra 2019-03-10 18:27:26 UTC
Created attachment 1542680 [details]
File: exploitable

Comment 8 kxra 2019-03-10 18:27:27 UTC
Created attachment 1542681 [details]
File: limits

Comment 9 kxra 2019-03-10 18:27:28 UTC
Created attachment 1542682 [details]
File: maps

Comment 10 kxra 2019-03-10 18:27:29 UTC
Created attachment 1542683 [details]
File: mountinfo

Comment 11 kxra 2019-03-10 18:27:30 UTC
Created attachment 1542684 [details]
File: open_fds

Comment 12 kxra 2019-03-10 18:27:31 UTC
Created attachment 1542685 [details]
File: proc_pid_status

Comment 13 kxra 2019-03-10 18:27:32 UTC
Created attachment 1542686 [details]
File: var_log_messages

Comment 14 Michael Catanzaro 2019-03-10 18:54:45 UTC
This looks like a WebKit bug (or a GTK bug). The documentation of WebKitWebView's context-menu signal says this of the event parameter:

"""
The event is expected to be one of the following types:

a GdkEventButton of type GDK_BUTTON_PRESS when the context menu was triggered with mouse.

a GdkEventKey of type GDK_KEY_PRESS if the keyboard was used to show the menu.

a generic GdkEvent of type GDK_NOTHING when the “popup-menu” signal was used to show the context menu.
"""

Epiphany just assumes it's non-NULL, but here WebKit is emitting context-menu with a NULL event. It's not Epiphany's job to handle that: it's WebKit's job to ensure it doesn't happen.

Comment 15 Michael Catanzaro 2019-03-10 18:57:37 UTC
(Actually, Epiphany is wrong to cast it to a GdkEventButton without checking the type of the event. So there is an Epiphany bug here too. But that can't cause this crash, and it's not what happened in this backtrace.)
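The check Comment 15 describes, as an added example that is not Epiphany's or WebKit's code: a context-menu handler that refuses a NULL event and reads GdkEventButton fields only when the event type is GDK_BUTTON_PRESS, while still accepting the GDK_KEY_PRESS and GDK_NOTHING cases the signal documentation allows. The GdkEvent definitions are cut-down stand-ins for the gdk.h ones so the snippet compiles without GTK (the enum values match GTK 3's GdkEventType); the sample events and the ContextMenuInfo/classify_context_menu_event names are constructed for this example.

```c
/* Added example: validate a WebKitWebView::context-menu event before using it.
 * The types below are cut-down stand-ins for gdk.h so this builds without GTK;
 * the enum values are the GTK 3 GdkEventType values. */
#include <stddef.h>
#include <stdio.h>

typedef enum {
    GDK_NOTHING      = -1,  /* "popup-menu" signal path: generic event, no pointer data */
    GDK_BUTTON_PRESS = 4,   /* mouse path: safe to treat as GdkEventButton */
    GDK_KEY_PRESS    = 8,   /* keyboard path: safe to treat as GdkEventKey */
    GDK_KEY_RELEASE  = 9    /* not in the documented contract; exercises the reject path */
} GdkEventType;

typedef struct { GdkEventType type; } GdkEventAny;
typedef struct { GdkEventType type; double x, y; unsigned button; } GdkEventButton;
typedef struct { GdkEventType type; unsigned keyval; } GdkEventKey;

/* Every variant starts with 'type', so reading event->type is valid for any
 * non-NULL event regardless of which variant it really is. */
typedef union {
    GdkEventType   type;
    GdkEventAny    any;
    GdkEventButton button;
    GdkEventKey    key;
} GdkEvent;

typedef enum {
    CTX_MENU_REJECTED,    /* NULL or unexpected type: do not dereference further */
    CTX_MENU_AT_POINTER,  /* GDK_BUTTON_PRESS: x, y and button are meaningful */
    CTX_MENU_AT_KEYBOARD, /* GDK_KEY_PRESS: no pointer coordinates */
    CTX_MENU_AT_WIDGET    /* GDK_NOTHING: popup-menu signal, no pointer coordinates */
} ContextMenuPlacement;

typedef struct {
    ContextMenuPlacement placement;
    double x, y;
    unsigned button;
} ContextMenuInfo;

/* Decide how to place the menu without ever casting blindly to GdkEventButton.
 * A NULL event (the situation in this backtrace) is rejected instead of crashing. */
ContextMenuInfo classify_context_menu_event(const GdkEvent *event)
{
    ContextMenuInfo info = { CTX_MENU_REJECTED, 0.0, 0.0, 0 };

    if (event == NULL)
        return info;

    switch (event->type) {
    case GDK_BUTTON_PRESS:
        info.placement = CTX_MENU_AT_POINTER;
        info.x = event->button.x;
        info.y = event->button.y;
        info.button = event->button.button;
        break;
    case GDK_KEY_PRESS:
        info.placement = CTX_MENU_AT_KEYBOARD;
        break;
    case GDK_NOTHING:
        info.placement = CTX_MENU_AT_WIDGET;
        break;
    default:
        /* Contract violated by the emitter; keep CTX_MENU_REJECTED. */
        break;
    }
    return info;
}

/* Constructed sample events covering each documented case plus two violations. */
static const GdkEvent sample_button_press = { .button = { GDK_BUTTON_PRESS, 10.0, 20.0, 3 } };
static const GdkEvent sample_key_press    = { .key    = { GDK_KEY_PRESS, 0xff67 } };
static const GdkEvent sample_popup_menu   = { .any    = { GDK_NOTHING } };
static const GdkEvent sample_key_release  = { .key    = { GDK_KEY_RELEASE, 0xff67 } };

int main(void)
{
    const GdkEvent *cases[] = { &sample_button_press, &sample_key_press,
                                &sample_popup_menu, &sample_key_release, NULL };
    static const char *names[] = { "rejected", "at pointer", "at keyboard", "at widget" };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        ContextMenuInfo info = classify_context_menu_event(cases[i]);
        printf("case %zu: %s", i, names[info.placement]);
        if (info.placement == CTX_MENU_AT_POINTER)
            printf(" (button %u at %.0f,%.0f)", info.button, info.x, info.y);
        printf("\n");
    }
    return 0;
}
```

The switch on event->type is the important part: the documented contract lists three event types, and only one of them carries pointer coordinates, so a handler that wants a GdkEventButton must check the type before reading those fields. Rejecting NULL in the handler does not make WebKit's emission correct, but it turns a SIGSEGV in the UI process into a menu that simply is not positioned from the event.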

Comment 16 Michael Catanzaro 2019-03-27 15:26:23 UTC
kxra, if you know any way to reproduce this, we need help figuring out how WebKit got into this weird state.