GNOME Bugzilla – Bug 776224
Workaround crash in WebKit on drag over preview
Last modified: 2016-12-20 16:49:51 UTC
If you have Evolution open in the background displaying a mail in the preview pane, and you have Nautilus in the foreground and you try to "rip out" a tab from Nautilus (to create a new window), dropping it in the empty area where Evolution is sitting in the background, Nautilus will crash Evolution!

Thread 1 "evolution" received signal SIGSEGV, Segmentation fault.
0x00007fffefb91d5d in WebKit::DragAndDropHandler::drop(_GdkDragContext*, WebCore::IntPoint const&, unsigned int) () from /lib64/libwebkit2gtk-4.0.so.37
(gdb) bt full
+ Trace 236994
Correction: seems like Nautilus crashing afterwards was just an occurrence (either that or it didn't want to crash when observed under gdb).
Thanks for the bug report. I can reproduce it too (it was a challenge to find where in nautilus one adds the tab, but once I used the last icon on the right and there the function on the right in the first row, it was there). Interestingly, neither MiniBrowser nor Epiphany suffer from this, but neither of the two pretends that it accepts the web view as a drop zone for the dragged object. I'll fix this on the evolution side.

I was also able to reproduce the nautilus crash; it has nothing to do with evolution itself and is worth a separate bug report (in case you didn't do so yet). Steps: add tab, detach it, close the new window, add tab - and it crashes just here. There are also some runtime warnings on the nautilus console, if you run it from a terminal, which may or may not be relevant (I do not know the nautilus code base at all).

Below is my gdb session; notice the NULL 'this' there. At least this part might be better checked in the webkit place, when the asserts are disabled (or why it didn't trigger, if not due to a structure not being NULL, but its content was). I'll leave the decision to Michael; if he wants to upstream this part, then I'll be happy to do so.
Thread 1 "evolution" hit Breakpoint 1, webkitWebViewBaseDragDrop (widget=0x36ae320 [EMailDisplay], context=0x32898a0, x=30, y=225, time=20018240) at /usr/src/debug/webkitgtk-2.14.2/Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp:1054
1054        return priv->dragAndDropHandler->drop(context, IntPoint(x, y), time);
(gdb) p priv
$2 = (WebKitWebViewBasePrivate *) 0x36ae040
(gdb) p priv->dragAndDropHandler
$3 = std::unique_ptr<WebKit::DragAndDropHandler> containing 0x0
(gdb) s
WebCore::IntPoint::IntPoint (y=225, x=30, this=0x7fffffffd2e0) at /usr/src/debug/webkitgtk-2.14.2/Source/WebCore/platform/graphics/IntPoint.h:64
64          IntPoint(int x, int y) : m_x(x), m_y(y) { }
(gdb) n
webkitWebViewBaseDragDrop (widget=0x36ae320 [EMailDisplay], context=0x32898a0, x=30, y=225, time=20018240) at /usr/src/debug/webkitgtk-2.14.2/Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp:1054
1054        return priv->dragAndDropHandler->drop(context, IntPoint(x, y), time);
(gdb) s
WebKit::DragAndDropHandler::drop (this=0x0, context=context@entry=0x32898a0, position=..., time=time@entry=20018240) at /usr/src/debug/webkitgtk-2.14.2/Source/WebKit2/UIProcess/gtk/DragAndDropHandler.cpp:285
285     {
(gdb) n
286         DroppingContext* droppingContext = m_droppingContexts.get(context);
(gdb)
285     {
(gdb)
286         DroppingContext* droppingContext = m_droppingContexts.get(context);
(gdb)

Thread 1 "evolution" received signal SIGSEGV, Segmentation fault.
WTF::HashTable<_GdkDragContext*, WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >, WTF::PtrHash<_GdkDragContext*>, WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::HashTraits<_GdkDragContext*> >::inlineLookup<WTF::IdentityHashTranslator<WTF::HashMap<_GdkDragContext*, std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> >, WTF::PtrHash<_GdkDragContext*>, WTF::HashTraits<_GdkDragContext*>, WTF::HashTraits<std::unique_ptr<WebKit::DragAndDropHandler::DroppingContext, std::default_delete<WebKit::DragAndDropHandler::DroppingContext> > > >::KeyValuePairTraits, WTF::PtrHash<_GdkDragContext*> >, _GdkDragContext*> (key=<optimized out>, this=<optimized out>) at /usr/src/debug/webkitgtk-2.14.2/Source/WTF/wtf/HashTable.h:611
611         unsigned sizeMask = m_tableSizeMask;
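The gdb session above shows the shape of the defect: webkitWebViewBaseDragDrop() dispatches into priv->dragAndDropHandler->drop() while the unique_ptr holds 0x0, so drop() runs with this=0x0 and the first member access (the m_droppingContexts lookup) faults. The C sketch below is an added example, not code from Evolution or WebKit; the struct and function names (WebViewPrivate, DragAndDropHandler, drop_unguarded, drop_guarded) are constructed stand-ins. It contrasts the unguarded dispatch with a guard that treats a missing handler as "drop not accepted" and returns FALSE, which is the check a release build needs because a debug-only assert is compiled out when asserts are disabled.

```c
/* Added example (not Evolution or WebKit code): a constructed drop
 * dispatcher that mirrors the NULL-handler failure seen in the gdb
 * session. Names are hypothetical stand-ins for the WebKit types. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stands in for WebKit::DragAndDropHandler; one field of member state
 * plays the role of m_droppingContexts. */
struct DragAndDropHandler {
    int drops_seen;
};

/* Stands in for WebKitWebViewBasePrivate; the handler may legitimately
 * be absent if the view never set itself up as a drop target. */
struct WebViewPrivate {
    struct DragAndDropHandler *drag_and_drop_handler;
};

/* Mirrors DragAndDropHandler::drop(): the very first thing it does is
 * touch member state through 'self'. With self == NULL this is the
 * fault reported at HashTable.h:611. */
static bool handler_drop(struct DragAndDropHandler *self)
{
    self->drops_seen++;
    return true;
}

/* Unguarded dispatch, the shape of WebKitWebViewBase.cpp:1054: no check
 * on the handler pointer, so a NULL handler is dereferenced. A debug
 * ASSERT in front of it disappears in a build with asserts disabled. */
bool drop_unguarded(struct WebViewPrivate *priv)
{
    return handler_drop(priv->drag_and_drop_handler);
}

/* Guarded dispatch: a missing handler means the widget cannot take the
 * drop, so report "not handled" (false) instead of crashing the process. */
bool drop_guarded(struct WebViewPrivate *priv)
{
    if (priv == NULL || priv->drag_and_drop_handler == NULL)
        return false;
    return handler_drop(priv->drag_and_drop_handler);
}

/* Scenario from the bug: a view whose handler was never created. */
bool drop_on_view_without_handler(void)
{
    struct WebViewPrivate priv = { NULL };   /* constructed: handler is 0x0 */
    return drop_guarded(&priv);              /* false, and no fault */
}

/* Normal scenario: handler present; returns how many drops it recorded. */
int drops_recorded_on_view_with_handler(void)
{
    struct DragAndDropHandler handler = { 0 };
    struct WebViewPrivate priv = { &handler };
    drop_guarded(&priv);
    drop_guarded(&priv);
    return handler.drops_seen;               /* 2 */
}

int main(void)
{
    printf("drop without handler accepted: %s\n",
           drop_on_view_without_handler() ? "yes" : "no");
    printf("drops recorded with handler: %d\n",
           drops_recorded_on_view_with_handler());
    /* drop_unguarded() is deliberately not called with a NULL handler here;
     * doing so is the crash the bug report describes. */
    return 0;
}
```

drop_unguarded() is kept only to show the unsafe shape side by side with the guard; nothing in the block calls it with a NULL handler, since that is exactly the undefined behaviour that produced the SIGSEGV in the trace.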
Let's call this a workaround. If I change the web_view_drag_motion() to return TRUE and set that no action is allowed, then I get another crash in WebKit, this time in the drag-leave, also when dragging a message from a message list above the preview pane, above the preview and leaving the cursor. That's why I believe it's only a workaround and the proper fix should go to WebKit.

Created commit 3d5b60e in evo master (3.23.4+)
Created commit 4919461 in evo gnome-3-22 (3.22.4+)
Yeah I agree this looks like a WebKit bug (in addition to the nautilus bug), please report it. Thanks!
Okay, I filed: https://bugs.webkit.org/show_bug.cgi?id=166059