Crash when destroying ITP info bar
I finally found a page that uses the storage access API. Click twice on the Facebook video to trigger a UI process crash:
#0 g_type_check_instance_is_fundamentally_a
(type_instance=type_instance@entry=0x55e7cc6bf460, fundamental_type=fundamental_type@entry=0x50 [GObject])
at ../gobject/gtype.c:4028
#1 0x00007fd8a62c3cb9 in g_object_unref (_object=0x55e7cc6bf460) at ../gobject/gobject.c:3400
#2 0x00007fd8a61aa107 in g_datalist_clear (datalist=0x55e7cc5fb700) at ../glib/gdataset.c:273
#3 0x00007fd8a62c3e2e in g_object_unref (_object=<optimized out>) at ../gobject/gobject.c:3503
#4 g_object_unref (_object=0x55e7cc5fb6f0) at ../gobject/gobject.c:3395
#5 0x00007fd8a6e127a0 in untrack_info_bar (tracked_info_bar=tracked_info_bar@entry=0x55e7ce154180)
at ../embed/ephy-web-view.c:332
#6 0x00007fd8a6e12870 in track_info_bar (new_info_bar=0x55e7cc5fbc00 [GtkInfoBar], tracked_info_bar=0x55e7ce154180)
at ../embed/ephy-web-view.c:345
#7 0x00007fd8a6e15cad in ephy_web_view_show_itp_permission_info_bar
(decision=0x55e7cef59ee0 [WebKitWebsiteDataAccessPermissionRequest], web_view=0x55e7ce1540b0 [EphyWebView])
at ../embed/ephy-web-view.c:1175
#8 permission_request_cb (web_view=<optimized out>, decision=<optimized out>) at ../embed/ephy-web-view.c:1220
#9 0x00007fd8a00faf75 in ffi_call_unix64 () at ../src/x86/unix64.S:101
#10 0x00007fd8a00fa369 in ffi_call_int
(cif=<optimized out>, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, closure=<optimized out>) at ../src/x86/ffi64.c:669
#11 0x00007fd8a62bf48d in g_cclosure_marshal_generic
(closure=<optimized out>, return_gvalue=<optimized out>, n_param_values=<optimized out>, param_values=<optimized out>, invocation_hint=<optimized out>, marshal_data=<optimized out>) at ../gobject/gclosure.c:1500
#12 0x00007fd8a62be98a in g_closure_invoke
(closure=<optimized out>, return_value=<optimized out>, n_param_values=<optimized out>, param_values=<optimized out>, invocation_hint=<optimized out>) at ../gobject/gclosure.c:810
#13 0x00007fd8a62d1523 in signal_emit_unlocked_R
(node=<optimized out>, detail=detail@entry=0, instance=instance@entry=0x55e7ce1540b0, emission_return=emission_return@entry=0x7fff4e280fe0, instance_and_params=instance_and_params@entry=0x7fff4e280ef0) at ../gobject/gsignal.c:3738
#14 0x00007fd8a62d75d6 in g_signal_emit_valist
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fff4e281090) at ../gobject/gsignal.c:3504
#15 0x00007fd8a62d7df3 in <emit signal ??? on instance 0x55e7ce1540b0 [EphyWebView]>
(instance=<optimized out>, signal_id=<optimized out>, detail=detail@entry=0) at ../gobject/gsignal.c:3550
#16 0x00007fd8a2d3a6ad in webkitWebViewMakePermissionRequest(_WebKitWebView*, _WebKitPermissionRequest*)
(webView=<optimized out>, request=<optimized out>) at ../Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:2561
#17 0x00007fd8a2d26f0a in UIClient::requestStorageAccessConfirm(WebKit::WebPageProxy&, WebKit::WebFrameProxy*, WebCore::RegistrableDomain const&, WebCore::RegistrableDomain const&, WTF::CompletionHandler<void (bool)>&&)
(this=0x7fd7c006b7c8, requestingDomain=..., currentDomain=..., completionHandler=...)
at ../Source/WebKit/UIProcess/API/glib/WebKitUIClient.cpp:307
#18 0x00007fd8a29c79c2 in IPC::callMemberFunctionImpl<WebKit::NetworkProcessProxy, void (WebKit::NetworkProcessProxy::*)(WTF::ObjectIdentifier<WebKit::WebPageProxyIdentifierType>, WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebCore::RegistrableDomain const&, WebCore::RegistrableDomain const&, WTF::CompletionHandler<void (bool)>&&), void (bool), std::tuple<WTF::ObjectIdentifier<WebKit::WebPageProxyIdentifierType>, WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebCore::RegistrableDomain, WebCore::RegistrableDomain>, 0ul, 1ul, 2ul, 3ul>(WebKit::NetworkProcessProxy*, void (WebKit::NetworkProcessProxy::*)(WTF::ObjectIdentifier<WebKit::WebPageProxyIdentifierType>, WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebCore::RegistrableDomain const&, WebCore::RegistrableDomain const&, WTF::CompletionHandler<void (bool)>&&), WTF::CompletionHandler<void (bool)>&&, std::tuple<WTF::ObjectIdentifier<WebKit::WebPageProxyIdentifierType>, WTF::ObjectIdentifier<WebCore::FrameIdentifierType>, WebCore::RegistrableDomain, WebCore::RegistrableDomain>&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>)
(args=..., completionHandler=..., function=<optimized out>, object=0x7fd7e021a000)
at /usr/include/c++/10.2.0/tuple:1306
I think the problem is that we unref the WebKitPolicyDecision but don't have ownership of it. However, I'm having trouble testing this. I can only reproduce the issue in Tech Preview, not in my jhbuild or flatpak builds. Facebook just isn't triggering the Storage Access API there. Who knows why. So I will submit an untested fix, and I'll check to see if the crash is gone once merged.
CC @carlosgc
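The ownership mistake described above, as an added example that is not Epiphany's or WebKit's code: a toy refcounted object stands in for GObject (assumed names obj_ref, obj_unref, track_decision_buggy, track_decision_fixed, run_scenario) so it builds without GLib, and it replays the order in the backtrace: the request's owner drops its reference first, then untracking the old info bar runs the destroy notify.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Minimal stand-in for a GObject: a refcount plus one data slot with a
 * destroy notify, mirroring g_object_set_data_full(). Not GLib. */
typedef struct Obj Obj;
typedef void (*DestroyFn)(Obj *);
struct Obj { int refcount; bool dead; Obj *data; DestroyFn data_destroy; };

static int bad_unrefs; /* unrefs on an already finalized object */

static Obj *obj_new(void) { Obj *o = calloc(1, sizeof *o); o->refcount = 1; return o; }
static void obj_ref(Obj *o) { o->refcount++; }

/* An unref on a finalized object is counted instead of crashing; in real
 * GLib this is the use-after-free that dies in frame #0 of the trace. */
static void obj_unref(Obj *o) {
    if (o->dead) { bad_unrefs++; return; }
    if (--o->refcount > 0) return;
    o->dead = true;                         /* finalize: run the destroy notify */
    if (o->data && o->data_destroy) o->data_destroy(o->data);
}

/* Buggy: the decision arrives transfer-none from the signal, yet it is
 * attached with an unref destroy notify without taking our own reference. */
static void track_decision_buggy(Obj *info_bar, Obj *decision) {
    info_bar->data = decision; info_bar->data_destroy = obj_unref;
}
/* Fixed: take a reference, so the info bar owns what it will later unref. */
static void track_decision_fixed(Obj *info_bar, Obj *decision) {
    obj_ref(decision);
    info_bar->data = decision; info_bar->data_destroy = obj_unref;
}

/* Replays the crash sequence: WebKit hands over a decision it still owns,
 * the info bar stores it, WebKit releases its reference once the request
 * is answered, then the old info bar is untracked (its last unref runs the
 * destroy notify). Returns true only if every unref was legitimate. */
bool run_scenario(bool use_fix) {
    bad_unrefs = 0;
    Obj *decision = obj_new();              /* refcount 1, owned by WebKit */
    Obj *info_bar = obj_new();
    if (use_fix) track_decision_fixed(info_bar, decision);
    else         track_decision_buggy(info_bar, decision);
    obj_unref(decision);                    /* WebKit drops its reference */
    obj_unref(info_bar);                    /* untrack_info_bar() */
    free(info_bar); free(decision);
    return bad_unrefs == 0;
}
```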