evolution crashed with SIGSEGV, while pasting from clipboard

WebKitGTK+ 2.4.10 seems to have introduced a bug that is causing a crash when loading HTML images in Geary (See https://bugzilla.gnome.org/show_bug.cgi?id=763933). This didn't occur using earlier versions of WebKitGTK+.

Geary currently implements user-controlled image loading by what amounts to using a random scheme string for the IMG SRC attribute - when the user has assented to loading images for a specific message, it updates every IMG SRC attribute value to be prefixed with the random scheme. The crash occurs during this process, at random, when displaying a HTML message.

A workaround exists in removing the src element first using webkit_dom_element_remove_attribute(), causing the subsequent call to webkit_dom_element_set_attribute() not crash. Workarounds that do not work include cloning the IMG element and setting the SRC element on that instead, nor does casting the element and using webkit_dom_html_image_element_set_src(). I didn't try creating a new Attr instance, setting the value on that, then setting that on the IMG element.

I know you guys aren't interested in supporting 2.4.x, but I thought I'd log it since it's a regression with 2.4.10 (thanks for doing a new release, BTW!).

Thread 1 "geary" received signal SIGSEGV, Segmentation fault.
WebCore::AXObjectCache::handleAttributeChanged (this=0x7fff9191b500, attrName=..., element=0x5df8210)
    at ../Source/WebCore/accessibility/AXObjectCache.cpp:880
880 if (!attrName.localName().string().startsWith("aria-"))
(gdb) bt
#0 0x00007ffff4d8aae9 in WebCore::AXObjectCache::handleAttributeChanged(WebCore::QualifiedName const&, WebCore::Element*) (this=0x7fff9191b500, attrName=..., element=0x5df8210) at ../Source/WebCore/accessibility/AXObjectCache.cpp:880
#1 0x00007ffff4f8105a in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (this=0x5df8210, name=..., oldValue=..., newValue=...)
    at ../Source/WebCore/dom/Element.cpp:1137
#2 0x00007ffff4f80530 in WebCore::Element::didModifyAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&) (this=this@entry=0x5df8210, name=..., oldValue=..., newValue=...) at ../Source/WebCore/dom/Element.cpp:2851
#3 0x00007ffff4f8777d in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (this=this@entry=0x5df8210, index=<optimised out>, name=..., newValue=..., inSynchronizationOfLazyAttribute=inSynchronizationOfLazyAttribute@entry=WebCore::Element::NotInSynchronizationOfLazyAttribute)
    at ../Source/WebCore/dom/Element.cpp:1075
#4 0x00007ffff4f8494f in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&, int&) (this=this@entry=0x5df8210, localName=..., value=..., ec=@0x7fffffffddec: 0) at ../Source/WebCore/dom/Element.cpp:1027
#5 0x00007ffff5bd7a5c in webkit_dom_element_set_attribute(WebKitDOMElement*, gchar const*, gchar const*, GError**) (self=self@entry=0x5dcd0b0 [WebKitDOMHTMLImageElement], name=name@entry=0x6ac5bc "src", value=value@entry=0x5851a00 "glxaowi...

NB, while the crash occurs in WebCore::AXObjectCache::handleAttributeChanged, I don't think it's related to accessibility, by that stage attrName has gone bad: attrName.m_impl is pointing to an invalid memory location.

This seems to be not just limited to setting IMG SRC attributes. Geary is also occasionally crashing when pasting content into an editable web view, with a similar top of the stack, e.g.: https://bugzilla.gnome.org/show_bug.cgi?id=764168

They seem to be related in that in both cases, an attribute value is being set via the DOM API in a document that is already being displayed by a web view.

We received 1333 reports of this crash from Evolution and Geary users in Fedora in the past two weeks. It is definitely a regression from the 2.4.10 update.

There are possibly more reports, but since it's a WebKit1 crash the crashes get assigned to individual applications rather than to WebKit, making it impossible to search for them. I only checked Evolution and Geary.

Also, I will just add we have several slight variations on this crash:

https://retrace.fedoraproject.org/faf/problems/1886091/
https://retrace.fedoraproject.org/faf/problems/1875612/
https://retrace.fedoraproject.org/faf/problems/1888402/
https://retrace.fedoraproject.org/faf/problems/1864883/

(In reply to comment #2)
> This seems to be not just limited to setting IMG SRC attributes. Geary is
> also occasionally crashing when pasting content into an editable web view,
> with a similar top of the stack, e.g.:
> https://bugzilla.gnome.org/show_bug.cgi?id=764168
>
> They seem to be related in that in both cases, an attribute value is being
> set via the DOM API in a document that is already being displayed by a web
> view.

This is how Evolution is crashing as well (at least, it's the report for which we received a description and full backtrace, see the See Also field).

(In reply to comment #5)
> This is how Evolution is crashing as well (at least, it's the report for
> which we received a description and full backtrace, see the See Also field).

Sigh, I realize this is a private bug... I think thread 1 is probably the only important part; note the string "aria-" in the crash frame.

Core was generated by `/usr/bin/evolution'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 WTF::StringImpl::startsWith (this=0xbad801d800000002, matchString=matchString@entry=0x7f85ba36fea7 "aria-", matchLength=matchLength@entry=5, caseSensitive=caseSensitive@entry=true) at Source/WTF/wtf/text/StringImpl.cpp:1363
1363 if (matchLength > length())
[Current thread is 1 (Thread 0x7f85c0247ac0 (LWP 17496))]

Thread 1 (Thread 0x7f85c0247ac0 (LWP 17496)):
#0 WTF::StringImpl::startsWith (this=0xbad801d800000002, matchString=matchString@entry=0x7f85ba36fea7 "aria-", matchLength=matchLength@entry=5, caseSensitive=caseSensitive@entry=true) at Source/WTF/wtf/text/StringImpl.cpp:1363
No locals.
#1 0x00007f85b8f3e00f in WTF::StringImpl::startsWith<6u> (caseSensitive=true, prefix=..., this=<optimized out>) at Source/WTF/wtf/text/StringImpl.h:730
No locals.
#2 WTF::String::startsWith<6u> (caseSensitive=true, prefix=..., this=<optimized out>) at Source/WTF/wtf/text/WTFString.h:281
No locals.
#3 WebCore::AXObjectCache::handleAttributeChanged (this=0x7f851b997f00, attrName=..., element=0x558fcfb67cb0) at Source/WebCore/accessibility/AXObjectCache.cpp:880
No locals.
#4 0x00007f85b91641ea in WebCore::Element::attributeChanged (this=0x558fcfb67cb0, name=..., oldValue=..., newValue=...) at Source/WebCore/dom/Element.cpp:1137
        cache = <optimized out>
        styleResolver = <optimized out>
        testShouldInvalidateStyle = true
        shouldInvalidateStyle = <optimized out>
#5 0x00007f85b9163520 in WebCore::Element::didModifyAttribute (this=this@entry=0x558fcfb67cb0, name=..., oldValue=..., newValue=...) at Source/WebCore/dom/Element.cpp:2851
No locals.
#6 0x00007f85b916b449 in WebCore::Element::setAttributeInternal (this=0x558fcfb67cb0, index=<optimized out>, name=..., newValue=..., inSynchronizationOfLazyAttribute=WebCore::Element::NotInSynchronizationOfLazyAttribute) at Source/WebCore/dom/Element.cpp:1075
        oldValue = {m_string = {m_impl = {m_ptr = 0x7f858c676000}}}
        valueChanged = <optimized out>
        attributeName = <optimized out>
#7 0x00007f85b91de4b9 in WebCore::CompositeEditCommand::applyCommandToComposite (this=this@entry=0x7f853a37c900, prpCommand=...) at Source/WebCore/editing/CompositeEditCommand.cpp:278
        command = {m_ptr = 0x7f853a56ad20}
#8 0x00007f85b91e4f1a in WebCore::CompositeEditCommand::setNodeAttribute (this=this@entry=0x7f853a37c900, element=..., attribute=..., value=...) at Source/WebCore/editing/CompositeEditCommand.cpp:664
No locals.
#9 0x00007f85b926c8f9 in WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline (this=this@entry=0x7f853a37c900, insertedNodes=...) at Source/WebCore/editing/ReplaceSelectionCommand.cpp:525
        element = 0x558fcfb67cb0
        inlineStyle = 0x7f853a3cb410
        newInlineStyle = {m_ptr = 0x7f851b975b70}
  ...

Comment from the downstream bug:

"""Ok, I've done a bit more experimentation and I think I can give you some additional info, hopefully even useful!

If I have my email format set to Plain Text, I cannot get the crash that I reported regardless of how or what I copy/paste.

If I have the email format set to HTML, I cannot get the crash if I copy plain text into the email. However, If I copy HTML text into the email I can reproduce the crash every time.

The specific steps to reproduce are as follows:

- Click New > Compose Email Message
- Enter any email address in 'To:'
- Enter anything into 'Subject"
- Go to any webpage, and highlight a few lines
- Click 'ctrl c'
- Place cursor into the body of the open Compose Message window
- Click 'ctrl v'
- Crash will occur 100% of time for me.

The trick seems to be to have the email formatting to be HTML and then copy-paste HTML content.

Hopefully this is helpful."""

Seems it's 100% reproducible for some users, but not for others.

(In reply to comment #7)
> Seems it's 100% reproducible for some users, but not for others.

It would be easy to bisect to the bad commit, but when we can't reproduce this on our machines:/.

With Milan we figured out that this backported change http://trac.webkit.org/changeset/197274 had a follow-up (security bug) http://trac.webkit.org/changeset/165044 that was not backported and is causing the crash.

Just an FYI, we're up to 1,871 reports of this crash, i.e. we got over 500 new reports over this past weekend.

(In reply to comment #10)
> Just an FYI, we're up to 1,871 reports of this crash, i.e. we got over 500
> new reports over this past weekend.

I'll fix t and make a new release as soon as I find the time

Patch backported to 2.4 branch in r199282. Thanks!