NULL pointer dereference in decide_policy_cb() when opening non-HTTP PDF
I am certain that this is a bug in Epiphany and not WebKit; I've just reported it downstream in Debian.
Try loading a local PDF with Epiphany, or perhaps a PDF from any location besides a conventional HTTP URI. (I was able to reproduce this from a blob: URL as well.) It will crash with a backtrace like this:
```
#0 0x00007f6619804608 in decide_policy_cb
(decision_type=WEBKIT_POLICY_DECISION_TYPE_RESPONSE, user_data=<optimized out>, decision=0x7f6600017e10 [WebKitResponsePolicyDecision], web_view=0x55a90c7f9230 [EphyWebView]) at ../embed/ephy-web-view.c:962
#1 decide_policy_cb
(web_view=0x55a90c7f9230 [EphyWebView], decision=0x7f6600017e10 [WebKitResponsePolicyDecision], decision_type=<optimized out>, user_data=<optimized out>) at ../embed/ephy-web-view.c:919
#2 0x00007f66126af9da in ffi_call_unix64 () at ../src/x86/unix64.S:105
#3 0x00007f66126aeb21 in ffi_call_int
(cif=0x7ffd473cb370, fn=0x7f66198044b0 <decide_policy_cb>, rvalue=<optimized out>, avalue=<optimized out>, closure=<optimized out>)
at ../src/x86/ffi64.c:672
#4 0x00007f6618ca0edc in g_cclosure_marshal_generic
(closure=closure@entry=0x55a90c7ef070, return_gvalue=return_gvalue@entry=0x7ffd473cb510, n_param_values=n_param_values@entry=3, param_values=param_values@entry=0x7ffd473cb570, invocation_hint=invocation_hint@entry=0x7ffd473cb4f0, marshal_data=marshal_data@entry=0x0)
at ../../../gobject/gclosure.c:1534
#5 0x00007f6618ca06cf in g_closure_invoke
(closure=0x55a90c7ef070, return_value=return_value@entry=0x7ffd473cb510, n_param_values=3, param_values=param_values@entry=0x7ffd473cb570, invocation_hint=invocation_hint@entry=0x7ffd473cb4f0) at ../../../gobject/gclosure.c:830
#6 0x00007f6618cb2a8b in signal_emit_unlocked_R
(node=<optimized out>, detail=detail@entry=0, instance=instance@entry=0x55a90c7f9230, emission_return=emission_return@entry=0x7ffd473cb670, instance_and_params=instance_and_params@entry=0x7ffd473cb570) at ../../../gobject/gsignal.c:3742
#7 0x00007f6618cb88e9 in g_signal_emit_valist
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7ffd473cb720)
at ../../../gobject/gsignal.c:3507
#8 0x00007f6618cb92cf in <emit signal ??? on instance 0x55a90c7f9230 [EphyWebView]>
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ../../../gobject/gsignal.c:3553
#9 0x00007f661551ee8c in webkitWebViewMakePolicyDecision(_WebKitWebView*, WebKitPolicyDecisionType, _WebKitPolicyDecision*) ()
at ./Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:2627
#10 0x00007f66154fcd18 in NavigationClient::decidePolicyForNavigationResponse(WebKit::WebPageProxy&, WTF::Ref<API::NavigationResponse, WTF::RawPtrTraits<API::NavigationResponse> >&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, WTF::RawPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*) () at ./Source/WebKit/UIProcess/API/glib/WebKitNavigationClient.cpp:150
#11 0x00007f661544ae33 in WebKit::WebPageProxy::decidePolicyForResponseShared(WTF::Ref<WebKit::WebProcessProxy, WTF::RawPtrTraits<WebKit::WebProcessProxy> >&&, WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&) () at ./Source/WebKit/UIProcess/WebPageProxy.cpp:5681
#12 0x00007f661544af3e in WebKit::WebPageProxy::decidePolicyForResponse(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&) () at ./Source/WebKit/UIProcess/WebPageProxy.cpp:5625
#13 0x00007f6615184d0d in IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&), std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&), std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul>) () at ./Source/WebKit/Platform/IPC/HandleMessage.h:43
#14 IPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&), std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul, 8ul, 9ul, 10ul, 11ul, 12ul> >(std::tuple<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, WTF::String, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData>&&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&)) () at ./Source/WebKit/Platform/IPC/HandleMessage.h:49
#15 IPC::handleMessage<Messages::WebPageProxy::DecidePolicyForResponse, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&)>(IPC::Decoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebKit::FrameInfoData&&, WebCore::PolicyCheckIdentifier, unsigned long, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, WTF::String const&, bool, WebCore::BrowsingContextGroupSwitchDecision, unsigned long, unsigned long, WebKit::UserData const&)) () at ./Source/WebKit/Platform/IPC/HandleMessage.h:119
#16 0x00007f6615153a6d in WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at ./build/DerivedSources/WebKit/WebPageProxyMessageReceiver.cpp:1093
#17 0x00007f66153829eb in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) () at ./Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:129
#18 0x00007f661547ef13 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () at ./Source/WebKit/UIProcess/WebProcessProxy.cpp:844
#19 0x00007f661537be25 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) () at ./Source/WebKit/Platform/IPC/Connection.cpp:1103
#20 0x00007f661537de21 in IPC::Connection::dispatchIncomingMessages() () at ./Source/WebKit/Platform/IPC/Connection.cpp:1217
#21 0x00007f6614621cdd in WTF::Function<void ()>::operator()() const () at ./Source/WTF/wtf/Function.h:82
#22 WTF::RunLoop::performWork() () at ./Source/WTF/wtf/RunLoop.cpp:133
#23 0x00007f6614670879 in operator() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#24 _FUN() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#25 0x00007f661467119f in operator() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#26 _FUN() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#27 0x00007f6618babc0f in g_main_dispatch (context=0x55a90b308a40) at ../../../glib/gmain.c:3381
#28 g_main_context_dispatch (context=0x55a90b308a40) at ../../../glib/gmain.c:4099
#29 0x00007f6618babfb8 in g_main_context_iterate (context=context@entry=0x55a90b308a40, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4175
#30 0x00007f6618bac06f in g_main_context_iteration (context=context@entry=0x55a90b308a40, may_block=may_block@entry=1) at ../../../glib/gmain.c:4240
#31 0x00007f6618dc87d5 in g_application_run (application=0x55a90b3006a0 [EphyShell], argc=1195166532, argc@entry=1, argv=argv@entry=0x7ffd473ccce8) at ../../../gio/gapplication.c:2569
#32 0x000055a9098d5c24 in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:431
```
If one looks at `embed/ephy-web-view.c:962`, this is

```c
} else if (strcmp (mime_type, "application/pdf") == 0 && strcmp (method, "GET") == 0) {
```

The problem is that in this case, `method` is a NULL pointer according to `bt full`. (Let me know if you want the full thing.) `method` is obtained on line 953 via

```c
const char *method = webkit_uri_request_get_http_method (request);
```

so it would seem that, as someone who doesn't know the WebKit APIs at all, perhaps because the URI is not plain HTTP, this function returns a NULL pointer?
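To make the failure concrete, here is an added stand-alone C example (not Epiphany's or WebKit's code) that reproduces the shape of the check at line 962 next to a NULL-safe form; it assumes, as the report suggests, that `webkit_uri_request_get_http_method()` yields NULL for non-HTTP loads, and it reimplements GLib's `g_strcmp0()` semantics locally so nothing needs to be linked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the condition at embed/ephy-web-view.c:962.
 * mime_type comes from the response; method is what
 * webkit_uri_request_get_http_method() would hand back, which the report
 * suggests is NULL for file: or blob: loads. No WebKit or GLib is linked;
 * strcmp0() below mirrors g_strcmp0() semantics.
 */

/* The original condition. strcmp() dereferences method, so a NULL method
 * is a NULL pointer dereference. Never call this with method == NULL. */
static bool is_pdf_get_unsafe(const char *mime_type, const char *method)
{
    return strcmp(mime_type, "application/pdf") == 0 &&
           strcmp(method, "GET") == 0;
}

/* NULL-safe comparison with g_strcmp0() semantics: NULL equals NULL, and
 * NULL sorts before any non-NULL string. */
static int strcmp0(const char *a, const char *b)
{
    if (a == NULL)
        return b == NULL ? 0 : -1;
    if (b == NULL)
        return 1;
    return strcmp(a, b);
}

/* Hardened condition: a missing method fails the GET test instead of
 * crashing. Whether a non-HTTP PDF should still take the PDF-viewer path
 * is a separate decision the report does not settle. */
static bool is_pdf_get_safe(const char *mime_type, const char *method)
{
    return strcmp0(mime_type, "application/pdf") == 0 &&
           strcmp0(method, "GET") == 0;
}

int main(void)
{
    /* Constructed inputs: an HTTP PDF response and a non-HTTP one. */
    printf("http GET pdf (unsafe) : %d\n", is_pdf_get_unsafe("application/pdf", "GET"));
    printf("http GET pdf (safe)   : %d\n", is_pdf_get_safe("application/pdf", "GET"));
    printf("non-HTTP pdf (safe)   : %d\n", is_pdf_get_safe("application/pdf", NULL));
    /* is_pdf_get_unsafe("application/pdf", NULL) would crash as in the report. */
    return 0;
}
```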