Bug 752997 – Crash when replying to the message

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 752997 - Crash when replying to the message


Summary:	Crash when replying to the message


Status:	RESOLVED FIXED

Product:	evolution
Classification:	Applications
Component:	Composer
Version:	3.16.x (obsolete)
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Tomas Popela
QA Contact:	Evolution QA team

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2015-07-29 06:23 UTC by Milan Crha
Modified:	2015-07-31 09:43 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
test message (3.17 KB, text/plain) 2015-07-29 06:24 UTC, Milan Crha	Details
Reproducer (1.58 KB, text/html) 2015-07-31 08:40 UTC, Tomas Popela	Details

Description Milan Crha 2015-07-29 06:23:44 UTC

Evolution crashes when replying to the attached message.

Backtrace when using "Lose Formatting" options:

+ Trace 235302

Thread 1 (Thread 0x7fb69037ca40 (LWP 5395))

#0 waitpid
#1 g_spawn_sync
#2 g_spawn_command_line_sync
#3 run_bug_buddy
at gnome-segvhanlder.c line 245
#4 bugbuddy_segv_handle
at gnome-segvhanlder.c line 196
#5 <signal handler called>
#6 WebCore::RenderBlockFlow::removeFloatingObject(WebCore::RenderBox&)
#7 WebCore::RenderBlockFlow::markAllDescendantsWithFloatsForLayout(WebCore::RenderBox*, bool)
#8 WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists()
#9 WebCore::RenderElement::removeChildInternal(WebCore::RenderObject&, WebCore::RenderElement::NotifyChildrenType)
#10 WebCore::RenderObject::willBeDestroyed()
#11 WebCore::RenderObject::destroy()
#12 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
#13 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)
#14 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
#15 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)
#16 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
#17 WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&)
#18 WebCore::ContainerNode::removeChild(WebCore::Node*, int&)
#19 WebCore::ContainerNode::replaceChild(WTF::PassRefPtr<WebCore::Node>, WebCore::Node*, int&)
#20 WebCore::Node::replaceChild(WTF::PassRefPtr<WebCore::Node>, WebCore::Node*, int&)
#21 webkit_dom_node_replace_child
#22 html_editor_convert_view_content
at e-html-editor-view.c line 7165
#23 html_editor_view_load_status_changed
at e-html-editor-view.c line 9731
#24 g_closure_invoke
#25 signal_emit_unlocked_R
#26 g_signal_emit_valist
#27 g_signal_emit
#28 g_object_dispatch_properties_changed
#29 g_object_notify
#30 WebCore::FrameLoader::checkLoadCompleteForThisFrame()
#31 WebCore::FrameLoader::checkLoadComplete()
#32 WebCore::FrameLoader::checkCompleted()
#33 WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*, bool)
#34 WebCore::SubresourceLoader::notifyDone()
#35 WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&)
#36 WebCore::ResourceLoader::cannotShowURL(WebCore::ResourceHandle*)
#37 WebCore::ThreadTimers::sharedTimerFiredInternal()
#38 WebCore::sharedTimerTimeoutCallback(void*)
#39 g_timeout_dispatch
#40 g_main_context_dispatch
#41 g_main_context_iterate.isra
#42 g_main_loop_run
#43 gtk_main
at gtkmain.c line 1219
#44 main
at main.c line 638

Comment 1 Milan Crha 2015-07-29 06:24:15 UTC

Created attachment 308354 [details]
test message

Comment 2 Milan Crha 2015-07-29 06:26:03 UTC

Backtrace when using "Don't lose formatting":

+ Trace 235303

Thread 1 (Thread 0x7fd95c2fea40 (LWP 6205))

#0 waitpid
#1 g_spawn_sync
#2 g_spawn_command_line_sync
#3 run_bug_buddy
at gnome-segvhanlder.c line 245
#4 bugbuddy_segv_handle
at gnome-segvhanlder.c line 196
#5 <signal handler called>
#6 WebCore::RenderBlockFlow::removeFloatingObject(WebCore::RenderBox&)
#7 WebCore::RenderBlockFlow::markAllDescendantsWithFloatsForLayout(WebCore::RenderBox*, bool)
#8 WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists()
#9 WebCore::RenderElement::removeChildInternal(WebCore::RenderObject&, WebCore::RenderElement::NotifyChildrenType)
#10 WebCore::RenderObject::willBeDestroyed()
#11 WebCore::RenderObject::destroy()
#12 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
#13 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)
#14 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
#15 WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&)
#16 WebCore::ContainerNode::removeChild(WebCore::Node*, int&)
#17 WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&)
#18 WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>, int&)
#19 webkit_dom_node_append_child
#20 put_body_in_citation
at e-html-editor-view.c line 1330
#21 html_editor_view_load_status_changed
at e-html-editor-view.c line 9745
#22 g_closure_invoke
#23 signal_emit_unlocked_R
#24 g_signal_emit_valist
#25 g_signal_emit
#26 g_object_dispatch_properties_changed
#27 g_object_notify
#28 WebCore::FrameLoader::checkLoadCompleteForThisFrame()
#29 WebCore::FrameLoader::checkLoadComplete()
#30 WebCore::FrameLoader::checkCompleted()
#31 WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*, bool)
#32 WebCore::SubresourceLoader::notifyDone()
#33 WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&)
#34 WebCore::ResourceLoader::cannotShowURL(WebCore::ResourceHandle*)
#35 WebCore::ThreadTimers::sharedTimerFiredInternal()
#36 WebCore::sharedTimerTimeoutCallback(void*)
#37 g_timeout_dispatch
#38 g_main_context_dispatch
#39 g_main_context_iterate.isra
#40 g_main_loop_run
#41 gtk_main
at gtkmain.c line 1219
#42 main
at main.c line 638

Comment 3 Tomas Popela 2015-07-31 08:40:58 UTC

Created attachment 308521 [details]
Reproducer

Reproducer, that can be opened in WebKit1 based browser (GtkLauncher, Midori) that will lead to the crash.

Comment 4 Tomas Popela 2015-07-31 09:43:12 UTC

Fixed with following commits:

    The problem is that WebKit1 (2.4.9) crashes when it is trying to move or
    remove an anchor element that has an image element inside and this image
    element has the CSS float property set in the style attribute. To workaround
    it we will rename the style attribute and rename it back when we will send
    the message. It is unfortunate that we can change the formatting with this,
    but this is definitely better than crashing. This could be removed once
    Evolution switches to WebKit2 as the WebKit2 is unaffected (tested on 2.8.4).

commit 720e17489e35c73ad2325f8d513c51e1044a3979 in the master branch for Evolution 3.17.90

commit 44974c8869533e562869f3899455de9769e81098 in the gnome-3-16 branch for Evolution 3.16.5