Bug 1813993 - Crash on mouse-wheel scroll in Preferences
Summary: Crash on mouse-wheel scroll in Preferences
Keywords:
Status: MODIFIED
Alias: None
Product: Fedora
Classification: Fedora
Component: epiphany
Version: 33
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Michael Catanzaro
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1815275
Depends On:
Blocks:
Reported: 2020-03-16 17:09 UTC by Milan Crha
Modified: 2020-08-11 13:13 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:




Links: WebKit Project 209118 (last updated 2020-03-16 21:11:37 UTC)

Description Milan Crha 2020-03-16 17:09:22 UTC
This is with a rawhide machine and:

epiphany-3.36.0-1.fc33.x86_64
gtk3-3.24.14-1.fc33.x86_64
glib2-2.64.1-1.fc33.x86_64
libwayland-server-1.18.0-1.fc33.x86_64

Opening Preferences from the Menu button and using mouse wheel to scroll down causes a crash with this backtrace (it seems to be deep in Wayland):

Thread 1 "epiphany" received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in  ()
#1  0x00007ffff18c0af0 in ffi_call_unix64 () at /lib64/libffi.so.6
#2  0x00007ffff18c02ab in ffi_call () at /lib64/libffi.so.6
#3  0x00007ffff0739cd2 in wl_closure_invoke
    (closure=closure@entry=0x555556cf4db0, flags=flags@entry=2, target=<optimized out>, 
    target@entry=0x555556a4ce70, opcode=opcode@entry=6, data=<optimized out>, data@entry=0x555556954970)
    at src/connection.c:1018
#4  0x00007ffff0735132 in wl_client_connection_data (fd=<optimized out>, mask=<optimized out>, data=0x555556954970)
    at src/wayland-server.c:432
#5  0x00007ffff0737bea in wl_event_loop_dispatch (loop=0x5555558664a0, timeout=<optimized out>) at src/event-loop.c:1027
#6  0x00007ffff142c7b3 in WS::ServerSource::{lambda(_GSource*, int (*)(void*), void*)#3}::_FUN(_GSource*, int (*)(void*), void*) () at /lib64/libWPEBackend-fdo-1.0.so.1
#7  0x00007ffff744176f in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#8  0x00007ffff7441af8 in g_main_context_iterate.constprop () at /lib64/libglib-2.0.so.0
#9  0x00007ffff7441bc3 in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#10 0x00007ffff765788d in g_application_run () at /lib64/libgio-2.0.so.0
#11 0x0000555555559064 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:427

Doing the same with GNOME on Xorg doesn't cause the crash. Scrolling the page itself doesn't cause the crash either, in both Wayland and Xorg.

Comment 1 Michael Catanzaro 2020-03-16 22:00:28 UTC
Workaround is to disable the WPE renderer.

Comment 2 Milan Crha 2020-03-17 09:42:56 UTC
I see, feel free to close this as 'upstream'. No need to duplicate the bug here and in webkit.

Comment 3 Milan Crha 2020-03-17 10:49:40 UTC
I tried to run epiphany under valgrind and it claims just this:

Warning: disabling gigacage because GIGACAGE_ENABLED=0!
Warning: disabling gigacage because GIGACAGE_ENABLED=0!
==4459== Warning: unimplemented fcntl command: 1034

(epiphany:4459): Json-CRITICAL **: 11:44:30.889: json_object_get_object_member: assertion 'JSON_NODE_HOLDS_OBJECT (node) || JSON_NODE_HOLDS_NULL (node)' failed

** (epiphany:4459): WARNING **: 11:44:30.894: Failed to parse message from FxA Content Server: Message has missing or invalid 'detail' member
==4459== Jump to the invalid address stated on the next line
==4459==    at 0x0: ???
==4459==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4459== 
==4459== 
==4459== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4459==  Bad permissions for mapped region at address 0x0
==4459==    at 0x0: ???


I see similar "Json-CRITICAL" and "WARNING" under X11, but they just repeat and do not cause a crash.

------------------------------------------------------------------------------------------

By the way (it's unrelated, but I do not want to file a useless bug report):

==4459== Thread 4 pool-epiphany:
==4459== Syscall param write(buf) points to uninitialised byte(s)
==4459==    at 0x1016F94CF: write (in /usr/lib64/libc-2.31.9000.so)
==4459==    by 0x1011FF3F2: ??? (in /usr/lib64/libgio-2.0.so.0.6400.1)
==4459==    by 0x10114E35D: ??? (in /usr/lib64/libgio-2.0.so.0.6400.1)
==4459==    by 0x101172CB1: ??? (in /usr/lib64/libgio-2.0.so.0.6400.1)
==4459==    by 0x101376F59: ??? (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x101376651: ??? (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x106E72461: start_thread (in /usr/lib64/libpthread-2.31.9000.so)
==4459==    by 0x101708B52: clone (in /usr/lib64/libc-2.31.9000.so)
==4459==  Address 0x11bbe10ca is 138 bytes inside a block of size 256 alloc'd
==4459==    at 0x10083BCE3: realloc (vg_replace_malloc.c:836)
==4459==    by 0x10135294F: g_realloc (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x10136FD11: g_string_insert_len (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x100940FAF: file_builder_serialise (gvdb-builder.c:495)
==4459==    by 0x100941708: gvdb_table_write_contents_async (gvdb-builder.c:599)
==4459==    by 0x100891C13: ephy_bookmarks_import (ephy-bookmarks-import.c:150)
==4459==    by 0x1008945A7: ephy_bookmarks_manager_init (ephy-bookmarks-manager.c:237)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B978C: g_object_new_with_properties (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012BA420: g_object_new (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x100892AA5: ephy_bookmarks_manager_new (ephy-bookmarks-manager.c:275)
==4459==    by 0x1008ABE14: ephy_shell_get_bookmarks_manager (ephy-shell.c:938)
==4459==    by 0x100894E64: ephy_bookmarks_popover_init (ephy-bookmarks-popover.c:520)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B9B1C: g_object_newv (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x100ACFF03: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100AD149C: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100AD187C: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x101350463: ??? (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x1013512C9: g_markup_parse_context_parse (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x100AD342D: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100ACE0C7: gtk_builder_extend_with_template (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100D524C5: gtk_widget_init_template (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x10089803A: ephy_action_bar_end_init (ephy-action-bar-end.c:255)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B978C: g_object_new_with_properties (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012BA420: g_object_new (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==  Uninitialised value was created by a heap allocation
==4459==    at 0x100839809: malloc (vg_replace_malloc.c:309)
==4459==    by 0x101352898: g_malloc (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x100940E83: file_builder_allocate (gvdb-builder.c:241)
==4459==    by 0x10094126F: file_builder_allocate_for_hash (gvdb-builder.c:330)
==4459==    by 0x10094126F: file_builder_add_hash (gvdb-builder.c:374)
==4459==    by 0x1009414AD: file_builder_add_hash (gvdb-builder.c:433)
==4459==    by 0x1009416FB: gvdb_table_write_contents_async (gvdb-builder.c:598)
==4459==    by 0x100891C13: ephy_bookmarks_import (ephy-bookmarks-import.c:150)
==4459==    by 0x1008945A7: ephy_bookmarks_manager_init (ephy-bookmarks-manager.c:237)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B978C: g_object_new_with_properties (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012BA420: g_object_new (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x100892AA5: ephy_bookmarks_manager_new (ephy-bookmarks-manager.c:275)
==4459==    by 0x1008ABE14: ephy_shell_get_bookmarks_manager (ephy-shell.c:938)
==4459==    by 0x100894E64: ephy_bookmarks_popover_init (ephy-bookmarks-popover.c:520)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B9B1C: g_object_newv (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x100ACFF03: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100AD149C: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100AD187C: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x101350463: ??? (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x1013512C9: g_markup_parse_context_parse (in /usr/lib64/libglib-2.0.so.0.6400.1)
==4459==    by 0x100AD342D: ??? (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100ACE0C7: gtk_builder_extend_with_template (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x100D524C5: gtk_widget_init_template (in /usr/lib64/libgtk-3.so.0.2404.10)
==4459==    by 0x10089803A: ephy_action_bar_end_init (ephy-action-bar-end.c:255)
==4459==    by 0x1012D25B9: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B82BC: ??? (in /usr/lib64/libgobject-2.0.so.0.6400.1)
==4459==    by 0x1012B978C: g_object_new_with_properties (in /usr/lib64/libgobject-2.0.so.0.6400.1)

Comment 4 Fedora Update System 2020-03-17 14:36:40 UTC
FEDORA-2020-851ab3ca3c has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-851ab3ca3c

Comment 5 Michael Catanzaro 2020-03-17 14:40:25 UTC
gvdb writes some uninitialized memory into the gvdb, but afaik it does not read it back, so shouldn't cause malfunction in practice. That said, yes it's bad and should be fixed. Bug tracker: https://gitlab.gnome.org/GNOME/gvdb/issues
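As an added illustration of the class of defect comment 5 describes (this is not gvdb's or Epiphany's code; the record layout, the 256-byte block size and the 0xAA "stale" marker are assumptions made for the example), the following C models a serialiser that fills only part of a heap block and then hands the whole block to the output path. The leaky variant allocates with a simulated stale-heap malloc and leaves the tail unwritten; the fixed variant zero-initialises the block, so nothing that was previously on the heap can reach the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not gvdb's or Epiphany's code). Assumed toy layout for a
 * 256-byte record block: 4-byte magic, 4-byte length, then the payload.
 * Everything after the payload is a tail the serialiser never writes. */

#define BLOCK_SIZE 256
#define STALE_BYTE 0xAA   /* stands in for whatever the heap held before */

/* Simulates an allocator returning memory that still contains old data,
 * so the effect valgrind reports becomes deterministic and testable. */
static unsigned char *stale_malloc(size_t n)
{
    unsigned char *p = malloc(n);
    if (p)
        memset(p, STALE_BYTE, n);
    return p;
}

/* Writes only the fields it knows about; the tail of the block is left
 * exactly as the allocator handed it over. */
static void serialise_into(unsigned char *block, const char *payload)
{
    uint32_t len = (uint32_t)strlen(payload);
    if (len > BLOCK_SIZE - 8)          /* keep the payload inside the block */
        len = BLOCK_SIZE - 8;
    memcpy(block, "GVDB", 4);
    memcpy(block + 4, &len, sizeof len);
    memcpy(block + 8, payload, len);
}

/* Leaky variant: uninitialised allocation plus partial fill. A write() of
 * the whole block would push stale heap bytes into the on-disk file, which
 * is what valgrind's "points to uninitialised byte(s)" report flags. */
unsigned char *build_leaky(const char *payload)
{
    unsigned char *block = stale_malloc(BLOCK_SIZE);
    if (!block)
        return NULL;
    serialise_into(block, payload);
    return block;
}

/* Fixed variant: zero-initialised allocation, so every unwritten byte has
 * a known value instead of previous heap contents. */
unsigned char *build_clean(const char *payload)
{
    unsigned char *block = calloc(1, BLOCK_SIZE);
    if (!block)
        return NULL;
    serialise_into(block, payload);
    return block;
}

/* Counts bytes still carrying the stale marker; a regression test can use
 * this to catch heap contents escaping into serialised output. */
size_t count_stale_bytes(const unsigned char *block, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (block[i] == STALE_BYTE)
            count++;
    return count;
}

/* Builds a block with the given builder, counts stale bytes, frees it.
 * Returns (size_t)-1 on allocation failure. */
size_t stale_bytes_in(unsigned char *(*builder)(const char *), const char *payload)
{
    unsigned char *block = builder(payload);
    if (!block)
        return (size_t)-1;
    size_t count = count_stale_bytes(block, BLOCK_SIZE);
    free(block);
    return count;
}
```

With a 5-byte payload the leaky builder leaves 243 of the 256 bytes carrying stale content and the clean builder leaves none. Writing the leaky block with write() under valgrind reproduces the same "Syscall param write(buf) points to uninitialised byte(s)" report shown in comment 3; even when the reader never looks at those bytes, they are still a copy of prior heap contents persisted to disk, which is why zero-initialising the block is the right fix rather than ignoring the warning.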

Comment 6 Milan Crha 2020-03-17 16:10:49 UTC
(In reply to Michael Catanzaro from comment #5)
> gvdb writes some uninitialized memory into the gvdb, but afaik it does not
> read it back, so shouldn't cause malfunction in practice. That said, yes
> it's bad and should be fixed. Bug tracker:
> https://gitlab.gnome.org/GNOME/gvdb/issues

Sure think, here you are:
https://gitlab.gnome.org/GNOME/gvdb/issues/2

Comment 7 Milan Crha 2020-03-17 16:11:09 UTC
*thing

Comment 8 Fedora Update System 2020-03-18 02:38:43 UTC
webkit2gtk3-2.28.0-7.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-851ab3ca3c

Comment 9 Michael Catanzaro 2020-03-19 23:36:27 UTC
*** Bug 1815275 has been marked as a duplicate of this bug. ***

Comment 10 Michael Catanzaro 2020-04-13 19:03:03 UTC
Milan, could you test 2.28.0-9 real quick please, and let me know if this crash has been reintroduced?

Comment 11 Milan Crha 2020-04-14 07:31:55 UTC
Yes, after update to 2.28.0-9 Epiphany crashes with the steps from comment #0.

It's even better with this version of webkit2gtk3, because Epiphany crashes with a similar backtrace (comment #0) also when opening https://www.root.cz , without opening the Preferences and scrolling in them.

Comment 12 Michael Catanzaro 2020-04-14 14:14:15 UTC
(In reply to Milan Crha from comment #11)
> It's even better with this version of webkit2gtk3, because Epiphany crashes
> with the similar backtrace (comment #0) also when opening
> https://www.root.cz , without opening the Preferences and scrolling in them.

I'm very frustrated that I cannot reproduce. :/

I wonder if we have different versions of some system package. If we could manage to guess why you can reproduce but I can't, then maybe we can fix it instead of having to work around it by disabling WPE renderer.

Comment 13 Milan Crha 2020-04-15 08:34:48 UTC
As we spoke on IRC, I test in a virtual machine, while you test on bare metal.

Comment 14 Fedora Update System 2020-04-15 22:56:48 UTC
FEDORA-2020-c19726a1c2 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-c19726a1c2

Comment 15 Milan Crha 2020-04-16 06:39:42 UTC
(In reply to Fedora Update System from comment #14)
> FEDORA-2020-c19726a1c2 has been submitted as an update to Fedora 32.
> https://bodhi.fedoraproject.org/updates/FEDORA-2020-c19726a1c2

I downloaded the package from koji and it doesn't crash any more. The root.cz website doesn't cause a crash either.

Comment 16 Ben Cotton 2020-08-11 13:13:57 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle.
Changing version to 33.
