Bug 1813993
| Summary: | Crash on mouse-wheel scroll in Preferences | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Milan Crha <mcrha> |
| Component: | epiphany | Assignee: | Michael Catanzaro <mcatanza> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 33 | CC: | gecko-bugs-nobody, gnome-sig, itrombley, jhorak, john.j5live, mcatanza, mclasen, peter, rhughes, rstrode, sandmann, tpopela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Last Closed: | 2021-08-10 18:28:22 UTC | Type: | Bug |
Workaround is to disable the WPE renderer.

I see, feel free to close this as 'upstream'. No need to duplicate the bug here and in webkit.

I tried to run epiphany under valgrind and it claims just this:

```
Warning: disabling gigacage because GIGACAGE_ENABLED=0!
Warning: disabling gigacage because GIGACAGE_ENABLED=0!
==4459== Warning: unimplemented fcntl command: 1034
(epiphany:4459): Json-CRITICAL **: 11:44:30.889: json_object_get_object_member: assertion 'JSON_NODE_HOLDS_OBJECT (node) || JSON_NODE_HOLDS_NULL (node)' failed
** (epiphany:4459): WARNING **: 11:44:30.894: Failed to parse message from FxA Content Server: Message has missing or invalid 'detail' member
==4459== Jump to the invalid address stated on the next line
==4459==    at 0x0: ???
==4459==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4459==
==4459==
==4459== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4459==  Bad permissions for mapped region at address 0x0
==4459==    at 0x0: ???
```

I see similar "Json-CRITICAL" and "WARNING" under X11, but they just repeat and do not cause a crash.

------------------------------------------------------------------------------------------

By the way (it's unrelated, but I do not want to file a useless bug report):

```
==4459== Thread 4 pool-epiphany:
==4459== Syscall param write(buf) points to uninitialised byte(s)
==4459==    at 0x1016F94CF: write (in /usr/lib64/libc-2.31.9000.so)
==4459==    by 0x1011FF3F2: ??? (in /usr/lib64/libgio-2.0.so.0.6400.1)
==4459==    by 0x10114E35D: ??? (in /usr/lib64/libgio-2.0.so.0.6400.1)
==4459==    by 0x101172CB1: ??? (in /usr/lib64/libgio-2.0.so.0.6400.1)
==4459==    by 0x101376F59: ??? (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x101376651: ??? (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x106E72461: start_thread (in /usr/lib64/libpthread-2.31.9000.so)
==4459==    by 0x101708B52: clone (in /usr/lib64/libc-2.31.9000.so)
==4459==  Address 0x11bbe10ca is 138 bytes inside a block of size 256 alloc'd
==4459==    at 0x10083BCE3: realloc (vg_replace_malloc.c:836)
==4459==    by 0x10135294F: g_realloc (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x10136FD11: g_string_insert_len (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x100940FAF: file_builder_serialise (gvdb-builder.c:495)
==4459==    by 0x100941708: gvdb_table_write_contents_async (gvdb-builder.c:599)
==4459==    by 0x100891C13: ephy_bookmarks_import (ephy-bookmarks-import.c:150)
==4459==    by 0x1008945A7: ephy_bookmarks_manager_init (ephy-bookmarks-manager.c:237)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B978C: g_object_new_with_properties (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012BA420: g_object_new (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x100892AA5: ephy_bookmarks_manager_new (ephy-bookmarks-manager.c:275)
==4459==    by 0x1008ABE14: ephy_shell_get_bookmarks_manager (ephy-shell.c:938)
==4459==    by 0x100894E64: ephy_bookmarks_popover_init (ephy-bookmarks-popover.c:520)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B9B1C: g_object_newv (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x100ACFF03: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100AD149C: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100AD187C: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x101350463: ??? (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x1013512C9: g_markup_parse_context_parse (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x100AD342D: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100ACE0C7: gtk_builder_extend_with_template (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100D524C5: gtk_widget_init_template (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x10089803A: ephy_action_bar_end_init (ephy-action-bar-end.c:255)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B978C: g_object_new_with_properties (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012BA420: g_object_new (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==  Uninitialised value was created by a heap allocation
==4459==    at 0x100839809: malloc (vg_replace_malloc.c:309)
==4459==    by 0x101352898: g_malloc (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x100940E83: file_builder_allocate (gvdb-builder.c:241)
==4459==    by 0x10094126F: file_builder_allocate_for_hash (gvdb-builder.c:330)
==4459==    by 0x10094126F: file_builder_add_hash (gvdb-builder.c:374)
==4459==    by 0x1009414AD: file_builder_add_hash (gvdb-builder.c:433)
==4459==    by 0x1009416FB: gvdb_table_write_contents_async (gvdb-builder.c:598)
==4459==    by 0x100891C13: ephy_bookmarks_import (ephy-bookmarks-import.c:150)
==4459==    by 0x1008945A7: ephy_bookmarks_manager_init (ephy-bookmarks-manager.c:237)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B978C: g_object_new_with_properties (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012BA420: g_object_new (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x100892AA5: ephy_bookmarks_manager_new (ephy-bookmarks-manager.c:275)
==4459==    by 0x1008ABE14: ephy_shell_get_bookmarks_manager (ephy-shell.c:938)
==4459==    by 0x100894E64: ephy_bookmarks_popover_init (ephy-bookmarks-popover.c:520)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B9B1C: g_object_newv (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x100ACFF03: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100AD149C: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100AD187C: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x101350463: ??? (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x1013512C9: g_markup_parse_context_parse (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x100AD342D: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100ACE0C7: gtk_builder_extend_with_template (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100D524C5: gtk_widget_init_template (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x10089803A: ephy_action_bar_end_init (ephy-action-bar-end.c:255)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B978C: g_object_new_with_properties (in /usr/lib64/libgobject-2.0.so.0.6400.1)
```

FEDORA-2020-851ab3ca3c has been submitted as an update to Fedora 32.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-851ab3ca3c

gvdb writes some uninitialized memory into the gvdb, but afaik it does not read it back, so shouldn't cause malfunction in practice. That said, yes it's bad and should be fixed.
Bug tracker: https://gitlab.gnome.org/GNOME/gvdb/issues

(In reply to Michael Catanzaro from comment #5)
> gvdb writes some uninitialized memory into the gvdb, but afaik it does not
> read it back, so shouldn't cause malfunction in practice. That said, yes
> it's bad and should be fixed. Bug tracker:
> https://gitlab.gnome.org/GNOME/gvdb/issues

Sure think, here you are:
https://gitlab.gnome.org/GNOME/gvdb/issues/2

*thing

webkit2gtk3-2.28.0-7.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-851ab3ca3c

*** Bug 1815275 has been marked as a duplicate of this bug. ***

Milan, could you test 2.28.0-9 real quick please, and let me know if this crash has been reintroduced?

Yes, after update to 2.28.0-9 Epiphany crashes with the steps from comment #0.

It's even better with this version of webkit2gtk3, because Epiphany crashes with the similar backtrace (comment #0) also when opening https://www.root.cz , without opening the Preferences and scrolling in them.

(In reply to Milan Crha from comment #11)
> It's even better with this version of webkit2gtk3, because Epiphany crashes
> with the similar backtrace (comment #0) also when opening
> https://www.root.cz , without opening the Preferences and scrolling in them.

I'm very frustrated that I cannot reproduce. :/ I wonder if we have different versions of some system package. If we could manage to guess why you can reproduce but I can't, then maybe we can fix it instead of having to work around it by disabling WPE renderer.

As we spoke on IRC, I test in a virtual machine, while you test on a bare metal.

FEDORA-2020-c19726a1c2 has been submitted as an update to Fedora 32.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-c19726a1c2

(In reply to Fedora Update System from comment #14)
> FEDORA-2020-c19726a1c2 has been submitted as an update to Fedora 32.
> https://bodhi.fedoraproject.org/updates/FEDORA-2020-c19726a1c2

I downloaded the package from koji and it doesn't crash any more. The root.cz website doesn't cause crash too.

This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle.
Changing version to 33.

I think this is obsolete nowadays.
This is with a rawhide machine and:

```
epiphany-3.36.0-1.fc33.x86_64
gtk3-3.24.14-1.fc33.x86_64
glib2-2.64.1-1.fc33.x86_64
libwayland-server-1.18.0-1.fc33.x86_64
```

Opening Preferences from the Menu button and using mouse wheel to scroll down causes a crash with this backtrace (it seems to be deep in Wayland):

```
Thread 1 "epiphany" received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in  ()
#1  0x00007ffff18c0af0 in ffi_call_unix64 () at /lib64/libffi.so.6
#2  0x00007ffff18c02ab in ffi_call () at /lib64/libffi.so.6
#3  0x00007ffff0739cd2 in wl_closure_invoke (closure=closure@entry=0x555556cf4db0, flags=flags@entry=2, target=<optimized out>, target@entry=0x555556a4ce70, opcode=opcode@entry=6, data=<optimized out>, data@entry=0x555556954970) at src/connection.c:1018
#4  0x00007ffff0735132 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x555556954970) at src/wayland-server.c:432
#5  0x00007ffff0737bea in wl_event_loop_dispatch (loop=0x5555558664a0, timeout=<optimized out>) at src/event-loop.c:1027
#6  0x00007ffff142c7b3 in WS::ServerSource::{lambda(_GSource*, int (*)(void*), void*)#3}::_FUN(_GSource*, int (*)(void*), void*) () at /lib64/libWPEBackend-fdo-1.0.so.1
#7  0x00007ffff744176f in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#8  0x00007ffff7441af8 in g_main_context_iterate.constprop () at /lib64/libglib-2.0.so.0
#9  0x00007ffff7441bc3 in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#10 0x00007ffff765788d in g_application_run () at /lib64/libgio-2.0.so.0
#11 0x0000555555559064 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:427
```

Doing the same with GNOME on Xorg doesn't cause the crash. Scrolling the page itself doesn't cause the crash either, in both Wayland and Xorg.
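
The gvdb finding in the valgrind report from the comments above (chunks obtained from malloc reaching write() with bytes that were never written) can be reproduced in miniature. The following is an added example, not code from gvdb, Epiphany or this bug report. It assumes the unwritten bytes are 8-byte alignment padding, which the report does not state; `append_key`, `residue_in_image`, the sample keys and the `POISON` fill that stands in for stale heap contents are all hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xA5 /* constructed stand-in for stale heap contents */
#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)

/* Serialise one key into an 8-byte-aligned chunk and append the whole chunk
 * (payload plus padding) to out. malloc() returns indeterminate bytes; the
 * poison fill makes that residue visible deterministically in this demo.
 * Returns the number of bytes appended, 0 on failure. */
static size_t append_key(uint8_t *out, size_t cap, const char *key, int zero_fill)
{
    size_t len = strlen(key), chunk = ALIGN8(len);
    uint8_t *buf;

    if (chunk > cap || (buf = malloc(chunk)) == NULL)
        return 0;
    memset(buf, zero_fill ? 0 : POISON, chunk); /* hardened vs. unhardened */
    memcpy(buf, key, len);   /* only the payload is written explicitly */
    memcpy(out, buf, chunk); /* padding lands in the file image as well */
    free(buf);
    return chunk;
}

/* Build an image from constructed sample keys and count the bytes in it
 * that still carry heap residue. */
static size_t residue_in_image(int zero_fill)
{
    static const char *keys[] = { "bookmark-1", "tags", "https://example.org/" };
    uint8_t img[128];
    size_t off = 0, hits = 0;

    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        off += append_key(img + off, sizeof img - off, keys[i], zero_fill);
    for (size_t i = 0; i < off; i++)
        hits += (img[i] == POISON);
    return hits;
}

int main(void)
{
    /* 14 padding bytes carry residue without zeroing, none with it */
    return (residue_in_image(0) == 14 && residue_in_image(1) == 0) ? 0 : 1;
}
```

Even when the writer never reads the padding back, whatever the heap held before ends up in the on-disk file, which is why zeroing the allocation is the usual hardening.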