Bug 2400463

Summary: [abrt] epiphany-runtime: WTFCrashWithInfo(): epiphany killed by SIGABRT
Product: Fedora
Reporter: Leandro Paz <leandropaz>
Component: epiphany
Assignee: Michael Catanzaro <mcatanza>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 42
CC: gecko-bugs-nobody, gnome-sig, jhorak, leandropaz, mcatanza, mclasen, rstrode, tpopela
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/26d4e9e0c8a96a3cf473fc82acb4b01fa2f0f79
Whiteboard: abrt_hash:2aef62cb41cb624b5137087342296744ae630c27;VARIANT_ID=workstation;
Last Closed: 2025-09-30 17:54:09 UTC
Attachments (all with flags "none"): proc_pid_status, maps, limits, environ, open_fds, mountinfo, os_info, cpuinfo, core_backtrace, backtrace

Description Leandro Paz 2025-09-30 14:13:40 UTC
Description of problem:
It crashed when I changed the default search engine from DuckDuckGo to Google and tried to search from the URL bar.

Version-Release number of selected component:
epiphany-runtime-1:48.5-1.fc42

Additional info:
reporter:       libreport-2.17.15
type:           CCpp
reason:         epiphany killed by SIGABRT
journald_cursor: s=340560ff638e466786d4bdb6f606e584;i=45f954;b=abdf83060b3d4f9fa6673588e36f714d;m=106095d0f;t=63ff0d4fa2c80;x=2da6c539f2e0de89
executable:     /usr/bin/epiphany
cmdline:        /usr/bin/epiphany
cgroup:         0::/user.slice/user-1000.slice/user/app.slice/dbus-:1.2-org.gnome.Software
rootdir:        /
uid:            1000
kernel:         6.16.8-200.fc42.x86_64
package:        epiphany-runtime-1:48.5-1.fc42
runlevel:       N 5
dso_list:       /usr/bin/epiphany epiphany-runtime-1:48.5-1.fc42.x86_64 (Fedora Project) 1756089958
backtrace_rating: 4
crash_function: WTFCrashWithInfo
comment:        It crashed when I changed the default search engine from duckduckGo to Google and tried to search from the URL bar

Truncated backtrace:
Thread no. 1 (2 frames)
 #4 WTFCrashWithInfo at WTF/Headers/wtf/Assertions.h:972
 #5 WebKit::FenceMonitor::addFileDescriptor at /usr/src/debug/webkitgtk-2.50.0-1.fc42.x86_64/Source/WebKit/UIProcess/glib/FenceMonitor.cpp:104

Comment 1 Leandro Paz 2025-09-30 14:13:44 UTC
Created attachment 2108106 [details]
File: proc_pid_status

Comment 2 Leandro Paz 2025-09-30 14:13:46 UTC
Created attachment 2108107 [details]
File: maps

Comment 3 Leandro Paz 2025-09-30 14:13:47 UTC
Created attachment 2108108 [details]
File: limits

Comment 4 Leandro Paz 2025-09-30 14:13:49 UTC
Created attachment 2108109 [details]
File: environ

Comment 5 Leandro Paz 2025-09-30 14:13:50 UTC
Created attachment 2108110 [details]
File: open_fds

Comment 6 Leandro Paz 2025-09-30 14:13:52 UTC
Created attachment 2108111 [details]
File: mountinfo

Comment 7 Leandro Paz 2025-09-30 14:13:53 UTC
Created attachment 2108112 [details]
File: os_info

Comment 8 Leandro Paz 2025-09-30 14:13:55 UTC
Created attachment 2108113 [details]
File: cpuinfo

Comment 9 Leandro Paz 2025-09-30 14:13:56 UTC
Created attachment 2108114 [details]
File: core_backtrace

Comment 10 Leandro Paz 2025-09-30 14:13:58 UTC
Created attachment 2108115 [details]
File: backtrace

Comment 11 Michael Catanzaro 2025-09-30 15:03:09 UTC
There are two bugs here:

 * AcceleratedBackingStore::frame passed an invalid WTF::UnixFileDescriptor to FenceMonitor::addFileDescriptor. Why is the fd invalid?
 * This is an IPC interface; the fd is sent from the web process to the UI process, and it's expected that the message may be malicious and invalid. The UI process should message check it and kill the web process if the message is invalid. It shouldn't be possible for anything the web process does to crash the UI process.

I will forward this to upstream WebKit Bugzilla.
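The second point in the comment above, vetting a file descriptor at the IPC boundary before any code treats it as an internal invariant, as an added illustration that is not WebKit's code: `IpcVerdict`, `checkFenceFdFromWebProcess`, `FrameHandler` and the pipe used as a stand-in for a real fence fd are all hypothetical.

```cpp
// Added example (not WebKit's code): a trusted process vets a file descriptor
// received over IPC from a sandboxed peer. An invalid fd is a protocol violation
// handled by rejecting the message and dropping the peer, never a reason for the
// receiving process to abort.
#include <sys/stat.h>
#include <unistd.h>

enum class IpcVerdict { Accept, RejectAndKillPeer };

// An fd is only usable if it is non-negative and names an open file
// description in this process; fstat() checks both without side effects.
static bool fdIsOpen(int fd) {
    struct stat st;
    return fd >= 0 && fstat(fd, &st) == 0;
}

// Message-check the fd at the IPC boundary, before it reaches code that
// treats an invalid descriptor as an internal invariant failure.
IpcVerdict checkFenceFdFromWebProcess(int fd) {
    return fdIsOpen(fd) ? IpcVerdict::Accept : IpcVerdict::RejectAndKillPeer;
}

// Hypothetical dispatcher: on Accept the fd is handed on (here just recorded);
// on Reject nothing touches the fd and the caller terminates the peer.
struct FrameHandler {
    int lastAcceptedFd = -1;
    int rejectedMessages = 0;
    IpcVerdict onFrame(int fd) {
        IpcVerdict v = checkFenceFdFromWebProcess(fd);
        if (v == IpcVerdict::Accept)
            lastAcceptedFd = fd;
        else
            ++rejectedMessages;
        return v;
    }
};

// Constructed input: a pipe stands in for a real fence fd (assumption), then
// the same fd number after it has been closed, then the classic -1.
bool demo() {
    int p[2];
    if (pipe(p) != 0) return false;
    FrameHandler h;
    bool ok = h.onFrame(p[0]) == IpcVerdict::Accept;
    close(p[0]); close(p[1]);
    ok = ok && h.onFrame(p[0]) == IpcVerdict::RejectAndKillPeer;
    ok = ok && h.onFrame(-1) == IpcVerdict::RejectAndKillPeer;
    return ok && h.rejectedMessages == 2;
}
```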