264360 – [WPE] frameDisplayed may be called after View has been deleted

Bug 264360 - [WPE] frameDisplayed may be called after View has been deleted

Summary: [WPE] frameDisplayed may be called after View has been deleted

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WPE WebKit (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yury Semikhatsky

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-11-07 13:09 PST by Yury Semikhatsky
Modified:	2023-11-09 17:44 PST (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yury Semikhatsky 2023-11-07 13:09:36 PST

We observe the following crash in Playwright:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fbde1311857 in WKWPE::View::View(wpe_view_backend*, API::PageConfiguration const&)::$_5::__invoke(void*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
[Current thread is 1 (Thread 0x7fbdd9282a00 (LWP 2240445))]
(gdb) bt
#0  0x00007fbde1311857 in WKWPE::View::View(wpe_view_backend*, API::PageConfiguration const&)::$_5::__invoke(void*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#1  0x00007fbde6ddae31 in wpe_view_backend_dispatch_frame_displayed () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libwpe-1.0.so.1
#2  0x00007fbde6debe8a in ViewBackend::~ViewBackend() () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libWPEBackend-fdo-1.0.so.1
#3  0x00007fbde6deb12e in $_1::__invoke(void*) () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libWPEBackend-fdo-1.0.so.1
#4  0x00007fbde6ddab81 in wpe_view_backend_destroy () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libwpe-1.0.so.1
#5  0x00007fbde6deb012 in wpe_view_backend_exportable_fdo_destroy () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libWPEBackend-fdo-1.0.so.1
#6  0x00005644402cfe97 in WPEToolingBackends::HeadlessViewBackend::~HeadlessViewBackend() ()
#7  0x00007fbde13179f7 in void WTF::derefGPtr<_WebKitWebViewBackend>(_WebKitWebViewBackend*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#8  0x00007fbde130502d in webkit_web_view_finalize(_GObject*) () from /root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#9  0x00007fbdda804c79 in g_object_unref () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0
#10 0x00007fbdda823514 in g_value_unset () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0
#11 0x00007fbdda816c4a in g_signal_emit_valist () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0
#12 0x00007fbdda816dee in g_signal_emit () from /root/webkit/WebKitBuild/DependenciesWPE/Root/lib/libgobject-2.0.so.0
...


It turns out that View::frameDisplayed is called after the View object has been destroyed.

Comment 1 Yury Semikhatsky 2023-11-07 13:17:51 PST

Pull request: https://github.com/WebKit/WebKit/pull/20123

Comment 2 EWS 2023-11-09 17:44:04 PST

Committed 270493@main (7d464f717df9): <https://commits.webkit.org/270493@main>

Reviewed commits have been landed. Closing PR #20123 and removing active labels.