1382789 – Epiphany crash in XGetWindowAttributes

Bug 1382789 - Epiphany crash in XGetWindowAttributes

Summary: Epiphany crash in XGetWindowAttributes

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	webkitgtk4
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Tomas Popela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1420127 1420909 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-10-07 18:09 UTC by Nathaniel McCallum
Modified:	2017-02-09 23:51 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-10-08 00:10:52 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
WebKit Project	163159	0	None	None	None	2016-10-08 00:10:51 UTC

Description Nathaniel McCallum 2016-10-07 18:09:29 UTC

I'm able to reproduce this by simply going to audible.com in epiphany on rawhide. Attached is a backtrace and some initial debugging. dpy->xcb clearly has a bad value. I suspect this is due to a bad message from Wayland's X11 emulation, so I'm filing this bug under the wayland component.

Thread 1 "epiphany" received signal SIGSEGV, Segmentation fault.
_XReply (dpy=dpy@entry=0x555555871100, rep=rep@entry=0x7fffffffd0b0, extra=extra@entry=0, discard=discard@entry=1) at xcb_io.c:566
566		if (dpy->xcb->reply_data)
(gdb) list
561		xcb_connection_t *c = dpy->xcb->connection;
562		char *reply;
563		PendingRequest *current;
564		uint64_t dpy_request;
565	
566		if (dpy->xcb->reply_data)
567			throw_extlib_fail_assert("Extra reply data still left in queue",
568			                         xcb_xlib_extra_reply_data_left);
569	
570		if(dpy->flags & XlibDisplayIOError)
(gdb) p dpy->xcb
$1 = (struct _X11XCBPrivate *) 0x2
(gdb) bt
#0  0x00007ffff78d7ad2 in _XReply (dpy=dpy@entry=0x555555871100, rep=rep@entry=0x7fffffffd0b0, extra=extra@entry=0, discard=discard@entry=1) at xcb_io.c:566
#1  0x00007ffff78be877 in _XGetWindowAttributes (dpy=dpy@entry=0x555555871100, w=0, attr=0x7fffffffd1a0) at GetWAttrs.c:115
#2  0x00007ffff78bea01 in XGetWindowAttributes (dpy=0x555555871100, w=w@entry=0, attr=attr@entry=0x7fffffffd1a0) at GetWAttrs.c:150
#3  0x00007ffff21f76e4 in gtk_socket_realize (widget=0x555556660380 [GtkSocket]) at gtksocket.c:420
#4  0x00007ffff02c85f4 in _g_closure_invoke_va (closure=closure@entry=0x5555558a6f10, return_value=return_value@entry=0x0, instance=instance@entry=0x555556660380, args=args@entry=0x7fffffffd480, n_params=<optimized out>, param_types=0x0) at gclosure.c:867
#5  0x00007ffff02e2db9 in g_signal_emit_valist (instance=0x555556660380, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffd480) at gsignal.c:3300
#6  0x00007ffff02e341f in g_signal_emit (instance=instance@entry=0x555556660380, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
#7  0x00007ffff21bf354 in gtk_widget_realize (widget=widget@entry=0x555556660380 [GtkSocket]) at gtkwidget.c:5454
#8  0x00007ffff21c2b68 in gtk_widget_set_parent (widget=0x555556660380 [GtkSocket], parent=0x555556634c20 [EphyWebView]) at gtkwidget.c:9566
#9  0x00007ffff4c64474 in webkitWebViewBaseContainerAdd(_GtkContainer*, _GtkWidget*) () at /lib64/libwebkit2gtk-4.0.so.37
#10 0x00007ffff02cb450 in g_cclosure_marshal_VOID__OBJECTv (closure=0x5555558b0660, return_value=<optimized out>, instance=0x555556634c20, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x5555558adc50) at gmarshal.c:2102
#11 0x00007ffff02c85f4 in _g_closure_invoke_va (closure=closure@entry=0x5555558b0660, return_value=return_value@entry=0x0, instance=instance@entry=0x555556634c20, args=args@entry=0x7fffffffd8d0, n_params=<optimized out>, param_types=0x5555558adc50) at gclosure.c:867
#12 0x00007ffff02e2db9 in g_signal_emit_valist (instance=0x555556634c20, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffd8d0) at gsignal.c:3300
#13 0x00007ffff02e341f in g_signal_emit (instance=instance@entry=0x555556634c20, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
#14 0x00007ffff1f9cab5 in gtk_container_add (container=0x555556634c20 [EphyWebView], widget=0x555556660380 [GtkSocket]) at gtkcontainer.c:1875
#15 0x00007ffff4c8639c in WebKit::WebPageProxy::createPluginContainer(unsigned long&) () at /lib64/libwebkit2gtk-4.0.so.37
#16 0x00007ffff4cd6fa4 in WebKit::WebPageProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) () at /lib64/libwebkit2gtk-4.0.so.37
#17 0x00007ffff49e9a31 in IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) () at /lib64/libwebkit2gtk-4.0.so.37
#18 0x00007ffff4a9bf4b in WebKit::WebProcessProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) () at /lib64/libwebkit2gtk-4.0.so.37
#19 0x00007ffff49e57db in IPC::Connection::dispatchSyncMessage(IPC::Decoder&) () at /lib64/libwebkit2gtk-4.0.so.37
#20 0x00007ffff49e58cd in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) () at /lib64/libwebkit2gtk-4.0.so.37
#21 0x00007ffff49e64e8 in IPC::Connection::dispatchOneMessage() () at /lib64/libwebkit2gtk-4.0.so.37
#22 0x00007ffff42da715 in WTF::RunLoop::performWork() () at /lib64/libjavascriptcoregtk-4.0.so.18
#23 0x00007ffff43011d9 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () at /lib64/libjavascriptcoregtk-4.0.so.18
#24 0x00007fffefff0e62 in g_main_dispatch (context=0x555555867380) at gmain.c:3201
#25 0x00007fffefff0e62 in g_main_context_dispatch (context=context@entry=0x555555867380) at gmain.c:3854
#26 0x00007fffefff11e0 in g_main_context_iterate (context=context@entry=0x555555867380, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3927
#27 0x00007fffefff128c in g_main_context_iteration (context=context@entry=0x555555867380, may_block=may_block@entry=1) at gmain.c:3988
#28 0x00007ffff05a8bad in g_application_run (application=0x5555558dd140 [EphyShell], argc=1, argv=0x7fffffffdf28) at gapplication.c:2381
#29 0x00005555555867d4 in main ()

Comment 1 Adam Jackson 2016-10-07 19:52:14 UTC

(In reply to Nathaniel McCallum from comment #0)
> I'm able to reproduce this by simply going to audible.com in epiphany on
> rawhide. Attached is a backtrace and some initial debugging. dpy->xcb
> clearly has a bad value. I suspect this is due to a bad message from
> Wayland's X11 emulation, so I'm filing this bug under the wayland component.

Xwayland doesn't modify anything about the GetWindowAttributes code path in X, so, no.

Comment 2 Michael Catanzaro 2016-10-07 22:07:17 UTC

WebKit is a native Wayland client, there should be no XWayland involved. It looks like a WebKit bug. GtkSocket just crashes if used under Wayland, so the bug is that WebKit is trying to create one; the crash is an expected result of that. And we do have code that should prevent this from happening (windowed plugins are all disabled in Wayland). What version of WebKitGTK+ is this? What browser plugin is it trying to run? Any chance you could get a backtrace with debug info (files, line numbers, local variables)?

Comment 3 Nathaniel McCallum 2016-10-07 22:27:01 UTC

It is trying to load flash (surprise, surprise). Package versions and backtrace is below.

flash-plugin-11.2.202.635-release.x86_64
webkitgtk4-2.14.0-1.fc26.x86_64

#0  0x00007ffff78be9ee in XGetWindowAttributes (dpy=0x555555871100, w=w@entry=0, attr=attr@entry=0x7fffffffd1a0) at GetWAttrs.c:149
#1  0x00007ffff21f76e4 in gtk_socket_realize (widget=0x55555665a170 [GtkSocket]) at gtksocket.c:420
#2  0x00007ffff02c85f4 in _g_closure_invoke_va (closure=closure@entry=0x5555558a6d90, return_value=return_value@entry=0x0, instance=instance@entry=0x55555665a170, args=args@entry=0x7fffffffd480, n_params=<optimized out>, param_types=0x0) at gclosure.c:867
#3  0x00007ffff02e2db9 in g_signal_emit_valist (instance=0x55555665a170, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffd480) at gsignal.c:3300
#4  0x00007ffff02e341f in g_signal_emit (instance=instance@entry=0x55555665a170, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
#5  0x00007ffff21bf354 in gtk_widget_realize (widget=widget@entry=0x55555665a170 [GtkSocket]) at gtkwidget.c:5454
#6  0x00007ffff21c2b68 in gtk_widget_set_parent (widget=0x55555665a170 [GtkSocket], parent=0x55555662f990 [EphyWebView]) at gtkwidget.c:9566
#7  0x00007ffff4c64474 in webkitWebViewBaseContainerAdd(GtkContainer*, GtkWidget*) (container=0x55555662f990 [EphyWebView], widget=<optimized out>, widget@entry=0x55555665a170 [GtkSocket])
    at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp:421
#8  0x00007ffff02cb450 in g_cclosure_marshal_VOID__OBJECTv (closure=0x5555558b24d0, return_value=<optimized out>, instance=0x55555662f990, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x5555558b25f0) at gmarshal.c:2102
#9  0x00007ffff02c85f4 in _g_closure_invoke_va (closure=closure@entry=0x5555558b24d0, return_value=return_value@entry=0x0, instance=instance@entry=0x55555662f990, args=args@entry=0x7fffffffd8d0, n_params=<optimized out>, param_types=0x5555558b25f0) at gclosure.c:867
#10 0x00007ffff02e2db9 in g_signal_emit_valist (instance=0x55555662f990, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffd8d0) at gsignal.c:3300
#11 0x00007ffff02e341f in g_signal_emit (instance=instance@entry=0x55555662f990, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
#12 0x00007ffff1f9cab5 in gtk_container_add (container=0x55555662f990 [EphyWebView], widget=0x55555665a170 [GtkSocket]) at gtkcontainer.c:1875
#13 0x00007ffff4c8639c in WebKit::WebPageProxy::createPluginContainer(unsigned long&) (this=this@entry=0x7fffdf73b000, windowID=windowID@entry=@0x7fffffffda10: 0)
    at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/UIProcess/gtk/WebPageProxyGtk.cpp:107
#14 0x00007ffff4cd6fa4 in IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long&), std::tuple<>, , std::tuple<unsigned long>, 0ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long&), std::tuple<>&&, std::tuple<unsigned long>&, std::integer_sequence<unsigned long>, std::integer_sequence<unsigned long, 0ul>) (args=<optimized out>, replyArgs=std::tuple containing = {...}, function=<optimized out>, object=0x7fffdf73b000) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/HandleMessage.h:27
#15 0x00007ffff4cd6fa4 in IPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long&), std::tuple<>, std::integer_sequence<unsigned long>, std::tuple<unsigned long>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<>&&, std::tuple<unsigned long>&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long&)) (args=<optimized out>, function=<optimized out>, object=0x7fffdf73b000, replyArgs=std::tuple containing = {...}) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/HandleMessage.h:33
#16 0x00007ffff4cd6fa4 in IPC::handleMessage<Messages::WebPageProxy::CreatePluginContainer, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long&)>(IPC::Decoder&, IPC::Encoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long&)) (decoder=..., function=<optimized out>, object=0x7fffdf73b000, replyEncoder=...)
    at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/HandleMessage.h:112
#17 0x00007ffff4cd6fa4 in WebKit::WebPageProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) (this=0x7fffdf73b000, connection=..., decoder=..., replyEncoder=std::unique_ptr<IPC::Encoder> containing 0x7fffdf73d000) at /usr/src/debug/webkitgtk-2.14.0/x86_64-redhat-linux-gnu/DerivedSources/WebKit2/WebPageProxyMessageReceiver.cpp:1457
#18 0x00007ffff49e9a31 in IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) (this=this@entry=0x7fffdf7eb638, connection=..., decoder=..., replyEncoder=std::unique_ptr<IPC::Encoder> containing 0x7fffdf73d000) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:140
#19 0x00007ffff4a495d9 in WebKit::ChildProcessProxy::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) (this=this@entry=0x7fffdf7eb600, connection=..., decoder=..., replyEncoder=std::unique_ptr<IPC::Encoder> containing 0x7fffdf73d000) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/UIProcess/ChildProcessProxy.cpp:157
#20 0x00007ffff4a9bf4b in WebKit::WebProcessProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) (this=
    0x7fffdf7eb600, connection=..., decoder=..., replyEncoder=std::unique_ptr<IPC::Encoder> containing 0x7fffdf73d000) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/UIProcess/WebProcessProxy.cpp:514
#21 0x00007ffff49e57db in IPC::Connection::dispatchSyncMessage(IPC::Decoder&) (this=0x7fffdf75e168, decoder=...) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/Connection.cpp:789
#22 0x00007ffff49e58cd in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=this@entry=0x7fffdf75e168, message=std::unique_ptr<IPC::Decoder> containing 0x7fffdf726478) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/Connection.cpp:856
#23 0x00007ffff49e64e8 in IPC::Connection::dispatchOneMessage() (this=0x7fffdf75e168) at /usr/src/debug/webkitgtk-2.14.0/Source/WebKit2/Platform/IPC/Connection.cpp:889
#24 0x00007ffff42da715 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /usr/src/debug/webkitgtk-2.14.0/Source/WTF/wtf/Function.h:50
#25 0x00007ffff42da715 in WTF::RunLoop::performWork() (this=0x7fffdf7f7000) at /usr/src/debug/webkitgtk-2.14.0/Source/WTF/wtf/RunLoop.cpp:105
#26 0x00007ffff43011d9 in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>) at /usr/src/debug/webkitgtk-2.14.0/Source/WTF/wtf/glib/RunLoopGLib.cpp:66
#27 0x00007ffff43011d9 in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) () at /usr/src/debug/webkitgtk-2.14.0/Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#28 0x00007fffefff0e62 in g_main_dispatch (context=0x555555867380) at gmain.c:3201
#29 0x00007fffefff0e62 in g_main_context_dispatch (context=context@entry=0x555555867380) at gmain.c:3854
#30 0x00007fffefff11e0 in g_main_context_iterate (context=context@entry=0x555555867380, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3927
#31 0x00007fffefff128c in g_main_context_iteration (context=context@entry=0x555555867380, may_block=may_block@entry=1) at gmain.c:3988
#32 0x00007ffff05a8bad in g_application_run (application=0x5555558de140 [EphyShell], argc=1, argv=0x7fffffffdf28) at gapplication.c:2381
#33 0x00005555555867d4 in main ()

Comment 4 Michael Catanzaro 2016-10-08 00:10:52 UTC

OK thanks, I've reported this upstream. I guess the code that stops windowed plugins from being loaded in Wayland is broken for some reason.

Comment 5 Michael Catanzaro 2017-02-09 23:50:32 UTC

*** Bug 1420127 has been marked as a duplicate of this bug. ***

Comment 6 Michael Catanzaro 2017-02-09 23:51:55 UTC

*** Bug 1420909 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.