138211 2014-10-30 02:55:46 -0700 [GTK] [Stable] Crash in EventPath::updateTouchLists() 2016-04-03 08:06:12 -0700 1 1 1 Unclassified WebKit WebKitGTK 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 berto webkit-unassigned cgarcia zan oldest_to_newest 1045004 0 berto 2014-10-30 02:55:46 -0700 This happens while browsing http://www.ekinops.net/ with WebKitGTK+ 2.4.7. The 2.6 series does not seem to be affected. Here's a backtrace from the debug build: (gdb) bt #0 0x00007ffff38ddc7e in WTF::Vector<WTF::RefPtr<WebCore::Touch>, 0ul, WTF::CrashOnOverflow>::size (this=0x8) at ../../Source/WTF/wtf/Vector.h:576 #1 0x00007ffff3bb36f8 in WebCore::TouchList::length (this=0x0) at ../../Source/WebCore/dom/TouchList.h:46 #2 0x00007ffff3bb4f86 in WebCore::EventPath::updateTouchLists (this=0x7fffffffbd10, touchEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:438 #3 0x00007ffff3bb45f2 in WebCore::EventDispatcher::dispatchEvent (origin=0x7f3b80, prpEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:316 #4 0x00007ffff3be92ed in WebCore::Node::dispatchTouchEvent (this=0x7f3b80, event=...) at ../../Source/WebCore/dom/Node.cpp:2068 #5 0x00007ffff3be8f71 in WebCore::Node::dispatchEvent (this=0x7f3b80, event=...) at ../../Source/WebCore/dom/Node.cpp:2035 #6 0x00007ffff3bbd9df in WebCore::EventTarget::dispatchEvent (this=0x7f3b80, event=..., ec=@0x7fffffffbfcc: 0) at ../../Source/WebCore/dom/EventTarget.cpp:152 #7 0x00007ffff4760e3a in WebCore::jsNodePrototypeFunctionDispatchEvent (exec=0x7fff8c7f8ec8) at DerivedSources/WebCore/JSNode.cpp:768 #8 0x00007fff97fff0e5 in ?? () #9 0x00007fff8c7f8f48 in ?? () #10 0x00007ffff15dc601 in llint_op_call () from WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0 #11 0x00007fff97fff8e0 in ?? () #12 0x00000000008a5e20 in ?? () #13 0x00000000008bcb70 in ?? () #14 0x00007fffec5bbbc0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #15 0x0000000000961380 in ?? () #16 0x00007ffff38d24fa in WebCore::JSDOMWindowBase::supportsProfiling (object=0x7fff97fff8e0) at ../../Source/WebCore/bindings/js/JSDOMWindowBase.cpp:121 #17 0x00007fffffffc0d0 in ?? () #18 0x00007ffff15939e0 in JSC::JITCode::execute (this=0xf0458b4832eb0000, vm=0xb8077500f07d, protoCallFrame=0x8348f04589480000, topOfStack=0xd90e8c7894860c0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:48 Backtrace stopped: previous frame inner to this frame (corrupt stack?) #2 0x00007ffff3bb4f86 in WebCore::EventPath::updateTouchLists (this=0x7fffffffbd10, touchEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:438 438 const size_t touchNodeCount = touchEvent.touches()->length() + touchEvent.targetTouches()->length() + touchEvent.changedTouches()->length(); (gdb) print touchEvent.touches() $6 = (WebCore::TouchList *) 0x0 (gdb) print touchEvent.targetTouches() $7 = (WebCore::TouchList *) 0x0 (gdb) print touchEvent.changedTouches() $8 = (WebCore::TouchList *) 0x0 1045005 1 berto 2014-10-30 02:59:00 -0700 And it looks like here's the fix: http://trac.webkit.org/changeset/167805 1045008 2 berto 2014-10-30 03:16:38 -0700 Ok, the aforementioned fix is enough to solve this problem in release builds. In debug builds it asserts here, though: ASSERTION FAILED: m_isCheckingArgumentTypes || m_canExit #0 0x00007f8c0ebb0b5f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333 #1 0x00007f8c0e87e7d5 in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x1ea2b00, kind=JSC::Uncountable, jsValueSource=..., node=0x0, jumpToFail=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:113 #2 0x00007f8c0e88b55e in JSC::DFG::SpeculativeJIT::compileMakeRope (this=0x1ea2b00, node=0x7f8ba109f000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2753 #3 0x00007f8c0e853666 in JSC::DFG::SpeculativeJIT::compile (this=0x1ea2b00, node=0x7f8ba109f000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2427 #4 0x00007f8c0e884977 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x1ea2b00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1431 #5 0x00007f8c0e884fbc in JSC::DFG::SpeculativeJIT::compile (this=0x1ea2b00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1543 #6 0x00007f8c0e7f0e16 in JSC::DFG::JITCompiler::compileBody (this=0x7fff555ecae0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:111 #7 0x00007f8c0e7f263d in JSC::DFG::JITCompiler::compileFunction (this=0x7fff555ecae0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:336 #8 0x00007f8c0e84388e in JSC::DFG::Plan::compileInThreadImpl (this=0x1df46c0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:251 #9 0x00007f8c0e84319d in JSC::DFG::Plan::compileInThread (this=0x1df46c0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:125 #10 0x00007f8c0e7c773e in JSC::DFG::compileImpl (vm=..., codeBlock=0x1df42f0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., callback=..., worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108 #11 0x00007f8c0e7c77e1 in JSC::DFG::compile (vm=..., codeBlock=0x1df42f0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=..., worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:127 #12 0x00007f8c0e973184 in JSC::operationOptimize (exec=0x7f8bac6b4638, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1148 #13 0x00007f8bb6da5089 in ?? () #14 0x00007f8bb6d21920 in ?? () #15 0x00000000012ce070 in ?? () #16 0xffff000000000002 in ?? () #17 0xffff000000000000 in ?? () #18 0x00007f8bac16fca0 in ?? () #19 0x0000000000000001 in ?? () #20 0x00007fff555edc90 in ?? () #21 0x00007f8c0e95e9e0 in JSC::JITCode::execute (this=0xffff000000000001, vm=0x7f8bac0dedf0, protoCallFrame=0x7f8ba00bfe30, topOfStack=0x0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:48 1051761 3 zan 2014-12-02 00:26:02 -0800 (In reply to comment #1) > And it looks like here's the fix: > > http://trac.webkit.org/changeset/167805 Was this merged into 2.4? 1051765 4 berto 2014-12-02 00:33:58 -0800 (In reply to comment #3) > Was this merged into 2.4? Not yet, but it's in the list of proposed fixes for 2.4.8: http://trac.webkit.org/wiki/WebKitGTK/2.4.x 1180179 5 berto 2016-04-03 08:06:12 -0700 This has already been fixed.