Use after free of EphyApplicationDialogData
Moved from a downstream bug. The truncated backtrace is enough to show the problem:
Truncated backtrace:
Thread no. 1 (10 frames)
#0 gtk_widget_show
#1 download_failed_cb at ../src/window-commands.c:1133
#6 webkitDownloadFailed at ../Source/WebKit/UIProcess/API/glib/WebKitDownload.cpp:393
#7 DownloadClient::didFail at ../Source/WebKit/UIProcess/API/glib/WebKitDownloadClient.cpp:98
#8 WebKit::DownloadProxy::didFail at ../Source/WebKit/UIProcess/Downloads/DownloadProxy.cpp:237
#9 IPC::callMemberFunctionImpl<WebKit::DownloadProxy, void (WebKit::DownloadProxy::*)(WebCore::ResourceError const&, IPC::DataReference const&), std::tuple<WebCore::ResourceError, IPC::DataReference>, 0ul, 1ul> at /usr/include/c++/10/tuple:1305
#10 IPC::callMemberFunction<WebKit::DownloadProxy, void (WebKit::DownloadProxy::*)(WebCore::ResourceError const&, IPC::DataReference const&), std::tuple<WebCore::ResourceError, IPC::DataReference>, std::integer_sequence<unsigned long, 0ul, 1ul> > at ../Source/WebKit/Platform/IPC/HandleMessage.h:47
#11 IPC::handleMessage<Messages::DownloadProxy::DidFail, WebKit::DownloadProxy, void (WebKit::DownloadProxy::*)(WebCore::ResourceError const&, IPC::DataReference const&)> at ../Source/WebKit/Platform/IPC/HandleMessage.h:120
#12 WebKit::DownloadProxy::didReceiveMessage at DerivedSources/WebKit/DownloadProxyMessageReceiver.cpp:80
#13 IPC::MessageReceiverMap::dispatchMessage at ../Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:123
We have no code to disconnect signals when the user responds to the dialog. The code frees EphyApplicationDialogData when the user responds to the dialog, so if the download finishes (or fails) after that point, kaboom.
There's also a memory leak in dialog_save_as_application_response_cb(), where we return early and skip freeing EphyApplicationDialogData altogether. Not good.
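The lifetime mismatch described above, as an added example that is not Epiphany code: a plain-C model in which a "download" keeps one failed handler plus the user_data pointer it was connected with (as a GObject signal connection would), a hypothetical DialogData stands in for EphyApplicationDialogData, and a quarantining allocator makes the dangling access observable instead of undefined behaviour. The buggy response handler frees the data without disconnecting and returns early on cancel; the fixed one disconnects by data before freeing and frees on every path. All names here are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not Epiphany code. One "failed" handler per download,
 * stored with its user_data, like a g_signal_connect() connection. */
typedef struct Download Download;
typedef void (*FailedCb)(Download *download, void *user_data);
struct Download { FailedCb failed_cb; void *user_data; };

static void download_connect_failed(Download *d, FailedCb cb, void *data)
{ d->failed_cb = cb; d->user_data = data; }
/* Analogue of g_signal_handlers_disconnect_by_data(): drop handlers bound to data. */
static void download_disconnect_by_data(Download *d, void *data)
{ if (d->user_data == data) { d->failed_cb = NULL; d->user_data = NULL; } }
static void download_emit_failed(Download *d)
{ if (d->failed_cb) d->failed_cb(d, d->user_data); }

/* Hypothetical stand-in for EphyApplicationDialogData. */
typedef struct { Download *download; int error_shown; } DialogData;

/* Quarantining allocator: freed blocks are remembered and not reused, so a
 * dangling access is counted instead of being undefined behaviour. */
#define QUARANTINE 16
static void *quarantine[QUARANTINE];
static int n_quarantined, n_alloc, n_free, uaf_hits;

static void *tracked_alloc(size_t sz) { n_alloc++; return calloc(1, sz); }
static void tracked_free(void *p)
{ n_free++; if (n_quarantined < QUARANTINE) quarantine[n_quarantined++] = p; }
static int is_freed(const void *p)
{ for (int i = 0; i < n_quarantined; i++) if (quarantine[i] == p) return 1; return 0; }
static void reset_tracking(void)
{
    for (int i = 0; i < n_quarantined; i++) free(quarantine[i]);
    n_quarantined = n_alloc = n_free = uaf_hits = 0;
}

/* Counterpart of download_failed_cb(): touches the data it was connected with. */
static void download_failed_cb(Download *d, void *user_data)
{
    DialogData *data = user_data;
    (void)d;
    if (is_freed(data)) { uaf_hits++; return; }  /* the real code crashes in gtk_widget_show */
    data->error_shown = 1;
}

enum { RESPONSE_CANCEL = 0, RESPONSE_OK = 1 };
typedef void (*ResponseCb)(DialogData *data, int response);

/* As reported: frees on OK without disconnecting; returns early on cancel and leaks. */
static void response_cb_buggy(DialogData *data, int response)
{
    if (response != RESPONSE_OK)
        return;                          /* early return: data is never freed */
    /* ... install the web app ... */
    tracked_free(data);                  /* the download still holds this pointer */
}

/* Fixed: disconnect before freeing, and free on every path. */
static void response_cb_fixed(DialogData *data, int response)
{
    if (response == RESPONSE_OK) {
        /* ... install the web app ... */
    }
    download_disconnect_by_data(data->download, data);
    tracked_free(data);
}

typedef struct { int uaf_hits; int leaked; } Outcome;

/* The user answers the dialog; the download fails only afterwards. */
static Outcome run_scenario(ResponseCb response_cb, int response)
{
    reset_tracking();
    Download dl = { NULL, NULL };
    DialogData *data = tracked_alloc(sizeof *data);
    data->download = &dl;
    download_connect_failed(&dl, download_failed_cb, data);
    response_cb(data, response);
    download_emit_failed(&dl);
    Outcome o = { uaf_hits, n_alloc - n_free };
    return o;
}

int main(void)
{
    Outcome b = run_scenario(response_cb_buggy, RESPONSE_OK);
    Outcome l = run_scenario(response_cb_buggy, RESPONSE_CANCEL);
    Outcome f = run_scenario(response_cb_fixed, RESPONSE_OK);
    printf("buggy/OK:     uaf=%d leaked=%d\n", b.uaf_hits, b.leaked);
    printf("buggy/cancel: uaf=%d leaked=%d\n", l.uaf_hits, l.leaked);
    printf("fixed/OK:     uaf=%d leaked=%d\n", f.uaf_hits, f.leaked);
    return 0;
}
```

The disconnect-by-data step is the part that matters: once the dialog data is freed, any handler still bound to it will fire on a dangling pointer the next time the download emits, regardless of whether the download succeeds or fails.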