Bug 213885

Summary: REGRESSION(r262680): [GTK] Crash in WebKit::DropTarget::didPerformAction
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bugs-noreply, cgarcia, darin, ddkilzer, mcatanzaro
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Patch mcatanzaro: review+

Description Michael Catanzaro 2020-07-02 08:22:36 PDT 
I habitually click and drag text. This has long sometimes caused WebKit to crash (bug #190787, which I've never been able to figure out), but now we have a new crash as well:

(gdb) bt full
#0  0x00007fb3fab2ba15 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = 
            {__val = {0, 140410885067625, 93841847900496, 93842098070624, 0, 16, 140732286382400, 140410986429520, 140732286382616, 140732286382592, 0, 93842095324864, 140732286382464, 140410928956517, 93841852346096, 1}}
        pid = <optimized out>
        tid = <optimized out>
#1  0x00007fb3fab14855 in __GI_abort () at abort.c:79
        save_stage = 1
        act = 
          {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {140404907110656, 140732286382816, 140732286382656, 1, 140410926886456, 0, 0, 0, 0, 4294967296, 93841848715248, 93841848715424, 93842096080304, 1, 140410986544751, 0}}, sa_flags = -1119520440, sa_restorer = 0x0}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007fb3f75b9305 in WTF::Optional<WebCore::DragOperation>::operator*() & (this=<synthetic pointer>)
    at DerivedSources/ForwardingHeaders/wtf/Optional.h:534
        page = <optimized out>
        operation = <optimized out>
#3  0x00007fb3f75b9305 in WebKit::DropTarget::didPerformAction() (this=0x7fb2bd457948)
    at ../Source/WebKit/UIProcess/API/gtk/DropTargetGtk3.cpp:220
        page = <optimized out>
        operation = <optimized out>
#4  0x00007fb3f76b70a8 in IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&), std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect>, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&), std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect>&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul>)
    (args=..., function=
    (void (WebKit::WebPageProxy::*)(class WebKit::WebPageProxy * const, class WTF::Optional<WebCore::DragOperation>, enum WebCore::DragHandlingMethod, bool, unsigned int, const class WebCore::IntRect &, const class WebCore::IntRect &)) 0x7fb3f7972e90 <WebKit::WebPageProxy::didPerformDragControllerAction(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)>, object=0x7fb3e8051b00)
    at DerivedSources/ForwardingHeaders/wtf/Optional.h:386
        arguments = 
                    {<WTF::constexpr_Optional_base<std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect> >> = {init_ = true, storage_ = {dummy_ = 0 '\000', value_ = std::tuple containing = {[1] = {<WTF::constexpr_Optional_base<WebCore::DragOperation>> = {init_ = false, storage_ = {dummy_ = 1 '\001', value_ = WebCore::DragOperation::Copy}}, <No data fields>}, [2] = WebCore::DragHandlingMethod::EditPlainText, [3] = false, [4] = 0, [5] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}, [6] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}}}}, <No data fields>}
#5  0x00007fb3f76b70a8 in IPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&), std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect>, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul> >(std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect>&&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)) (function=
    (void (WebKit::WebPageProxy::*)(class WebKit::WebPageProxy * const, class WTF::Optional<WebCore::DragOperation>, enum WebCore::DragHandlingMethod, bool, unsigned int, const class WebCore::IntRect &, const class WebCore::IntRect &)) 0x7fb3f7972e90 <WebKit::WebPageProxy::didPerformDragControllerAction(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)>, object=0x7fb3e8051b00, args=...) at ../Source/WebKit/Platform/IPC/HandleMessage.h:47
        arguments = 
                    {<WTF::constexpr_Optional_base<std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect> >> = {init_ = true, storage_ = {dummy_ = 0 '\000', value_ = std::tuple containing = {[1] = {<WTF::constexpr_Optional_base<WebCore::DragOperation>> = {init_ = false, storage_ = {dummy_ = 1 '\001', value_ = WebCore::DragOperation::Copy}}, <No data fields>}, [2] = WebCore::DragHandlingMethod::EditPlainText, [3] = false, [4] = 0, [5] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}, [6] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}}}}, <No data fields>}
#6  0x00007fb3f76b70a8 in IPC::handleMessage<Messages::WebPageProxy::DidPerformDragControllerAction, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)>(IPC::Decoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)) (decoder=..., object=object@entry=0x7fb3e8051b00, function=(void (WebKit::WebPageProxy::*)(class WebKit::WebPageProxy * const, class WTF::Optional<WebCore::DragOperation>, enum WebCore::DragHandlingMethod, bool, unsigned int, const class WebCore::IntRect &, const class WebCore::IntRect &)) 0x7fb3f7972e90 <WebKit::WebPageProxy::didPerformDragControllerAction(WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect const&, WebCore::IntRect const&)>) at ../Source/WebKit/Platform/IPC/HandleMessage.h:114
        arguments = {<WTF::constexpr_Optional_base<std::tuple<WTF::Optional<WebCore::DragOperation>, WebCore::DragHandlingMethod, bool, unsigned int, WebCore::IntRect, WebCore::IntRect> >> = {init_ = true, storage_ = {dummy_ = 0 '\000', value_ = std::tuple containing = {[1] = {<WTF::constexpr_Optional_base<WebCore::DragOperation>> = {init_ = false, storage_ = {dummy_ = 1 '\001', value_ = WebCore::DragOperation::Copy}}, <No data fields>}, [2] = WebCore::DragHandlingMethod::EditPlainText, [3] = false, [4] = 0, [5] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}, [6] = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 0, m_height = 0}}}}}, <No data fields>}
#7  0x00007fb3f7698a2c in WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x7fb3e8051b00, connection=..., decoder=...) at DerivedSources/WebKit/WebPageProxyMessageReceiver.cpp:1553
        protectedThis = {static isRef = <optimized out>, m_ptr = 0x7fb3e8051b00}
#8  0x00007fb3f78b13a9 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) (this=this@entry=0x7fb3e825c370, connection=..., decoder=...) at ../Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:123
        messageReceiver = <optimized out>
#9  0x00007fb3f7939add in WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&) (this=this@entry=0x7fb3e825c340, connection=..., decoder=...) at ../Source/WebKit/UIProcess/AuxiliaryProcessProxy.cpp:209
#10 0x00007fb3f79836c7 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x7fb3e825c340, connection=..., decoder=...) at ../Source/WebKit/UIProcess/WebProcessProxy.cpp:772
#11 0x00007fb3f78ab98d in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7fb2bd473300, message=std::unique_ptr<class IPC::Decoder> = {...}) at /usr/include/c++/10.1.0/bits/unique_ptr.h:420
        isDispatchingMessageWhileWaitingForSyncReply = <optimized out>
        oldDidReceiveInvalidMessage = false
#12 0x00007fb3f78ac189 in IPC::Connection::dispatchIncomingMessages() (this=0x7fb2bd473300) at /usr/include/c++/10.1.0/bits/unique_ptr.h:171
        message = std::unique_ptr<class IPC::Decoder> = {get() = 0x0}
        messagesToProcess = 0
        __func__ = "dispatchIncomingMessages"
#13 0x00007fb3f6bb78e9 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Vector.h:341
        function = {m_callableWrapper = std::unique_ptr<class WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7fb29072d330}}
        functionsHandled = 0
        functionsToHandle = 1
        didSuspendFunctions = false
#14 0x00007fb3f6bb78e9 in WTF::RunLoop::performWork() (this=0x7fb3f01f9000) at ../Source/WTF/wtf/RunLoop.cpp:140
        function = {m_callableWrapper = std::unique_ptr<class WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7fb29072d330}}
        functionsHandled = 0
        functionsToHandle = 1
        didSuspendFunctions = false
#15 0x00007fb3f6c0558d in operator() (userData=<optimized out>, __closure=0x0) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#16 0x00007fb3f6c0558d in _FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#17 0x00007fb3fae87e6f in g_main_dispatch (context=0x555941fdac20) at ../glib/gmain.c:3322
        dispatch = 0x7fb3f6c055a0 <_FUN(GSource*, GSourceFunc, gpointer)>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7fb3f01f9000
        callback = 0x7fb3f6c05580 <_FUN(gpointer)>
        cb_funcs = <optimized out>
        cb_data = 0x5559420f5180
        need_destroy = <optimized out>
        source = 0x5559420a7f50
        current = 0x555941fe3950
        i = 0
        __func__ = "g_main_dispatch"
#18 0x00007fb3fae87e6f in g_main_context_dispatch (context=0x555941fdac20) at ../glib/gmain.c:3987
#19 0x00007fb3fae88218 in g_main_context_iterate (context=context@entry=0x555941fdac20, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4060
        max_priority = 2147483647
        timeout = 39
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = <optimized out>
        fds = 0x555950d6b3b0
#20 0x00007fb3fae882e3 in g_main_context_iteration (context=context@entry=0x555941fdac20, may_block=may_block@entry=1) at ../glib/gmain.c:4121
        retval = <optimized out>
#21 0x00007fb3fb0ab7cd in g_application_run (application=0x555942290230 [EphyShell], argc=-907004380, argv=<optimized out>) at ../gio/gapplication.c:2559
        arguments = 0x5559420e92a0
        status = 0
        context = 0x555941fdac20
        acquired_context = <optimized out>
        __func__ = "g_application_run"
#22 0x0000555940ea10b3 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:432
        option_context = <optimized out>
        option_group = <optimized out>
        error = 0x0
        user_time = 202242
        arbitrary_url = <optimized out>
        ctx = <optimized out>
        mode = <optimized out>
        status = <optimized out>
        flags = <optimized out>
        desktop_info = <optimized out>
Comment 1 Michael Catanzaro 2020-07-02 10:36:52 PDT 
The problem is that m_operation is not engaged (i.e. is not set), that causes the Optional to RELEASE_ASSERT() when it is dereferenced.

I haven't looked at this long enough to know if it's correct, but:

    if ((!operation && !m_operation) || *operation == *m_operation)

The crash would surely not occur if this was an || check:

    if (!operation || !m_operation || *operation == *m_operation)

That said, it looks like m_operation is not needed at all in the GTK 3 case. It can probably just be removed?
Comment 2 Michael Catanzaro 2020-07-03 08:15:40 PDT 
OK I found a reproducer. Drag any file from nautilus into the web view. Crash.
Comment 3 Carlos Garcia Campos 2020-07-07 06:30:19 PDT 
Created attachment 403681 [details]
Patch
Comment 4 Carlos Garcia Campos 2020-07-07 06:57:47 PDT 
Committed r264016: <https://trac.webkit.org/changeset/264016>