After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 785031 - Indefinite loop under e_editor_dom_merge_siblings_if_necessary()
Indefinite loop under e_editor_dom_merge_siblings_if_necessary()
Status: RESOLVED FIXED
Product: evolution
Classification: Applications
Component: Composer
3.24.x (obsolete)
Other Linux
: Normal critical
: ---
Assigned To: evolution-mail-maintainers
Evolution QA team
Depends on:
Blocks:
 
 
Reported: 2017-07-17 16:31 UTC by Jean-François Fortin Tam
Modified: 2017-07-18 09:08 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
sample (30.78 KB, application/mbox)
2017-07-17 16:31 UTC, Jean-François Fortin Tam 		Details
screencast (855.88 KB, video/x-matroska)
2017-07-17 16:33 UTC, Jean-François Fortin Tam 		Details

Description Jean-François Fortin Tam 2017-07-17 16:31:58 UTC 
Created attachment 355767 [details]
sample

When replying to some emails like the attached sample, you can bork your system by running out of memory due to this leak, triggered by typing random stuff and then pressing (or holding) backspace a couple times.

Ideally besides not having the bug in the first place, Evolution should containerize webkit to detect and defend against freezes or memory leaks.

Webkit process backtrace with gdb --batch --ex "t a a bt" -pid=20102 &>bt.txt :

[New LWP 20109]
[New LWP 20113]
[New LWP 20114]
[New LWP 20115]
[New LWP 20116]
[New LWP 20117]
[New LWP 20120]
[New LWP 20121]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
0x00007f7b1a632010 in WebCore::Node::Node(WebCore::Document&, WebCore::Node::ConstructionType) () from /lib64/libwebkit2gtk-4.0.so.37

+ Trace 237657

Thread 1 (Thread 0x7f7b1c2b4f80 (LWP 20102))

  • #0 WebCore::Node::Node(WebCore::Document&, WebCore::Node::ConstructionType)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #1 WebCore::Element::Element(WebCore::QualifiedName const&, WebCore::Document&, WebCore::Node::ConstructionType)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #2 WebCore::HTMLQuoteElement::create(WebCore::QualifiedName const&, WebCore::Document&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #3 WebCore::quoteConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #4 WebCore::HTMLElementFactory::createKnownElement(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #5 WebCore::Document::createElement(WebCore::QualifiedName const&, bool)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #6 WebCore::Element::cloneElementWithoutAttributesAndChildren(WebCore::Document&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #7 WebCore::Element::cloneElementWithoutChildren(WebCore::Document&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #8 WebCore::Element::cloneNodeInternal(WebCore::Document&, WebCore::Node::CloningOperation)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #9 WebCore::Node::cloneNodeForBindings(bool)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #10 webkit_dom_node_clone_node_with_error
    from /lib64/libwebkit2gtk-4.0.so.37
  • #11 e_editor_dom_merge_siblings_if_necessary
    from /usr/lib64/evolution/web-extensions/webkit-editor/module-webkit-editor-webextension.so
  • #12 e_editor_dom_body_key_up_event_process_backspace_or_delete
    from /usr/lib64/evolution/web-extensions/webkit-editor/module-webkit-editor-webextension.so
  • #13 body_keyup_event_cb
    from /usr/lib64/evolution/web-extensions/webkit-editor/module-webkit-editor-webextension.so
  • #14 ffi_call_unix64
    from /lib64/libffi.so.6
  • #15 ffi_call
    from /lib64/libffi.so.6
  • #16 g_cclosure_marshal_generic
    from /lib64/libgobject-2.0.so.0
  • #17 g_closure_invoke
    from /lib64/libgobject-2.0.so.0
  • #18 WebKit::GObjectEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #19 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #20 WebCore::EventTarget::fireEventListeners(WebCore::Event&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #21 WebCore::EventContext::handleLocalEvents(WebCore::Event&) const
    from /lib64/libwebkit2gtk-4.0.so.37
  • #22 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #23 WebCore::Element::dispatchKeyEvent(WebCore::PlatformKeyboardEvent const&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #24 WebCore::EventHandler::internalKeyEvent(WebCore::PlatformKeyboardEvent const&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #25 WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #26 WebKit::WebPage::keyEvent(WebKit::WebKeyboardEvent const&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #27 WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #28 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #29 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #30 IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #31 IPC::Connection::dispatchOneMessage()
    from /lib64/libwebkit2gtk-4.0.so.37
  • #32 WTF::RunLoop::performWork()
    from /lib64/libjavascriptcoregtk-4.0.so.18
  • #33 WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*)
    from /lib64/libjavascriptcoregtk-4.0.so.18
  • #34 g_main_context_dispatch
    from /lib64/libglib-2.0.so.0
  • #35 g_main_context_iterate.isra
    from /lib64/libglib-2.0.so.0
  • #36 g_main_loop_run
    from /lib64/libglib-2.0.so.0
  • #37 WTF::RunLoop::run()
    from /lib64/libjavascriptcoregtk-4.0.so.18
  • #38 int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**)
    from /lib64/libwebkit2gtk-4.0.so.37
  • #39 __libc_start_main
    from /lib64/libc.so.6
  • #40 _start 






Comment 1


Jean-François Fortin Tam





          2017-07-17 16:33:43 UTC
        



Created attachment 355768 [details]
screencast

Demonstration of how easy it is to trigger the issue...






Comment 2


Jean-François Fortin Tam





          2017-07-17 16:35:10 UTC
        



There might be other ways to trigger this issue with this sample mail, I didn't really test thoroughly with ctrl+arrows selections, word deletions, delete key, etc., I simply saw that the "press and hold backspace" trick is the easiest one to trigger it.






Comment 3


Milan Crha





          2017-07-18 09:08:37 UTC
        



It was in indefinite loop under e_editor_dom_merge_siblings_if_necessary(), where the selector picked the same node again and again, despite the node had already set the attribute it was meant not to have it. I changed the selector, but whether it's truly correct or not I cannot tell for sure. The higher memory usage in this loop was most likely caused by webkit_dom_node_clone_node_with_error() calls, which do not really leak the memory, because it is managed by the WebKit itself and it frees it when it thinks it's a good time to free it, which can be when the composer closes.

Created commit 4413fd0 in evo master (3.25.90+)
Created commit 58b4e7c in evo gnome-3-24 (3.24.5+)