142671 2015-03-13 06:54:10 -0700 [GTK] Crash due to empty drag image during drag-and-drop 2015-03-20 01:05:22 -0700 1 1 1 Unclassified WebKit WebKitGTK 528+ (Nightly build) PC Linux RESOLVED FIXED P2 Normal --- 1 mcatanzaro webkit-unassigned cgarcia commit-queue d-r mcatanzaro mrobinson pnormand svillar zan oldest_to_newest 1076938 0 mcatanzaro 2015-03-13 06:54:10 -0700 ShareableBitmap::createShareable can return nullptr, but convertCairoSurfaceToShareableBitmap in WebDragClientGtk.cpp does not check for this case and attempts to use the pointer anyway. Should be easy to fix by just returning early. Writing a test might be hard, though, since I think it only happens if shared memory allocation fails. Backtrace from a downstream report: #0 0x00007f9fb532a5a0 in WebKit::ShareableBitmap::data() const (this=0x10) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/RefPtr.h:74 #1 0x00007f9fb532a5a0 in WebKit::ShareableBitmap::data() const (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/ShareableBitmap.h:107 #2 0x00007f9fb532a5a0 in WebKit::ShareableBitmap::data() const (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/ShareableBitmap.cpp:166 #3 0x00007f9fb549d46b in WebKit::ShareableBitmap::createCairoSurface() (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp:77 image = <optimized out> dataKey = {unused = 0} #4 0x00007f9fb549d4fa in WebKit::ShareableBitmap::createGraphicsContext() (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp:56 image = <optimized out> bitmapContext = <optimized out> #5 0x00007f9fb54fa754 in WebKit::WebDragClient::startDrag(_cairo_surface*, WebCore::IntPoint const&, WebCore::IntPoint const&, WebCore::DataTransfer&, WebCore::Frame&, bool) (surface=0x4ca82f0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebCoreSupport/gtk/WebDragClientGtk.cpp:53 imageSize = {m_width = 0, m_height = 0} graphicsContext = std::unique_ptr<(anonymous namespace)::GraphicsContext> containing 0x442d800044a92000 bitmap = <optimized out> handle = {m_handle = {m_fileDescriptor = -1221722112, m_size = 140323949772856}, m_size = {m_width = -386593312, m_height = 32767}, m_flags = 3049402905} dataObject = <optimized out> dragData = {m_clientPosition = {m_x = 0, m_y = 0}, m_globalPosition = {m_x = -1245564347, m_y = 32671}, m_platformDragData = 0x7fffe8f50e00, m_draggingSourceOperationMask = 3049414897, m_applicationFlags = ((anonymous namespace)::DragApplicationIsModal | (anonymous namespace)::DragApplicationIsSource | (anonymous namespace)::DragApplicationHasAttachedSheet | (anonymous namespace)::DragApplicationIsCopyKeyDown | unknown: 32656)} #6 0x00007f9fb54fa754 in WebKit::WebDragClient::startDrag(_cairo_surface*, WebCore::IntPoint const&, WebCore::IntPoint const&, WebCore::DataTransfer&, WebCore::Frame&, bool) (this=0x3152cc0, dragImage=dragImage@entry=0x4ca82f0, clientPosition=..., globalPosition=..., dataTransfer=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebCoreSupport/gtk/WebDragClientGtk.cpp:61 bitmap = <optimized out> handle = {m_handle = {m_fileDescriptor = -1221722112, m_size = 140323949772856}, m_size = {m_width = -386593312, m_height = 32767}, m_flags = 3049402905} dataObject = <optimized out> dragData = {m_clientPosition = {m_x = 0, m_y = 0}, m_globalPosition = {m_x = -1245564347, m_y = 32671}, m_platformDragData = 0x7fffe8f50e00, m_draggingSourceOperationMask = 3049414897, m_applicationFlags = ((anonymous namespace)::DragApplicationIsModal | (anonymous namespace)::DragApplicationIsSource | (anonymous namespace)::DragApplicationHasAttachedSheet | (anonymous namespace)::DragApplicationIsCopyKeyDown | unknown: 32656)} #7 0x00007f9fb5b7d426 in WebCore::DragController::doSystemDrag(_cairo_surface*, WebCore::IntPoint const&, WebCore::IntPoint const&, WebCore::DataTransfer&, WebCore::Frame&, bool) (this=this@entry=0x7f9fb72d1880, image=image@entry=0x4ca82f0, dragLoc=..., eventPos=..., dataTransfer=..., frame=..., forLink=false) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/DragController.cpp:931 frameProtector = {m_ptr = 0x7f9fb72dc900} viewProtector = {m_ptr = 0x7f9fb72e0000} #8 0x00007f9fb5b7e32d in WebCore::DragController::startDrag(WebCore::Frame&, WebCore::DragState const&, WebCore::DragOperation, WebCore::PlatformMouseEvent const&, WebCore::IntPoint const&) (this=0x7f9fb72d1880, src=..., state=..., srcOp=srcOp@entry=(anonymous namespace)::DragOperationEvery, dragEvent=..., dragOrigin=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/DragController.cpp:856 mouseDraggedPoint = {m_x = 518, m_y = 3888} dragImage = 0x4ca82f0 dragImageOffset = {m_x = 0, m_y = 0} hitTestResult = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248384}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3881}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3881}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3881}, m_p2 = {m_x = 519, m_y = 3881}, m_p3 = {m_x = 519, m_y = 3882}, m_p4 = {m_x = 518, m_y = 3882}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9e40}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9e40}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248384}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 7488}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0} includeShadowDOM = <optimized out> imageURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_protocolIsInHTTPFamily = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0} sourceContainsHitNode = <optimized out> linkURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_protocolIsInHTTPFamily = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0} dragLoc = {m_x = 0, m_y = 0} startedDrag = true image = <optimized out> #9 0x00007f9fb5b8d078 in WebCore::EventHandler::handleDrag(WebCore::MouseEventWithHitTestResults const&, WebCore::CheckDragHysteresis) (this=0x7f9fb71e0b80, event=..., checkDragHysteresis=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:3488 page = 0x7f9fb7307000 srcOp = (anonymous namespace)::DragOperationEvery event = @0x7fffe8f513b0: {m_event = {<(anonymous namespace)::PlatformEvent> = {m_type = 5, m_modifiers = 0, m_timestamp = 10785141}, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_button = (anonymous namespace)::LeftButton, m_clickCount = 0, m_modifierFlags = 0}, m_hitTestResult = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3888}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3888}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3888}, m_p2 = {m_x = 519, m_y = 3888}, m_p3 = {m_x = 519, m_y = 3889}, m_p4 = {m_x = 518, m_y = 3889}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9d80}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9d80}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 256}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0}} this = 0x7f9fb71e0b80 #10 0x00007f9fb5b8d60a in WebCore::EventHandler::handleMouseDraggedEvent(WebCore::MouseEventWithHitTestResults const&) (this=0x7f9fb71e0b80, event=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:809 #11 0x00007f9fb5b8dcb3 in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) (this=0x7f9fb71e0b80, platformMouseEvent=..., hoveredNode=<optimized out>, onlyUpdateScrollbars=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:1981 hitType = <optimized out> request = {m_requestType = 780} newSubframe = {m_ptr = 0x0} protector = {m_ptr = 0x7f9fb72e0000} mouseEvent = {m_event = {<(anonymous namespace)::PlatformEvent> = {m_type = 5, m_modifiers = 0, m_timestamp = 10785141}, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_button = (anonymous namespace)::LeftButton, m_clickCount = 0, m_modifierFlags = 0}, m_hitTestResult = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3888}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3888}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3888}, m_p2 = {m_x = 519, m_y = 3888}, m_p3 = {m_x = 519, m_y = 3889}, m_p4 = {m_x = 518, m_y = 3889}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9d80}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9d80}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 256}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0}} swallowEvent = <optimized out> #12 0x00007f9fb5b90752 in WebCore::EventHandler::mouseMoved(WebCore::PlatformMouseEvent const&) (this=0x7f9fb71e0b80, event=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:1841 maxDurationTracker = {m_maxDuration = 0x7f9fb71e0e28, m_start = 10785.151017} hoveredNode = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3888}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3888}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3888}, m_p2 = {m_x = 519, m_y = 3888}, m_p3 = {m_x = 519, m_y = 3889}, m_p4 = {m_x = 518, m_y = 3889}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9d80}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9d80}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 256}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0} protector = {m_ptr = 0x7f9fb72e0000} result = <optimized out> page = 0x7fffe8f515e0 #13 0x00007f9fb5f9e298 in WebCore::UserInputBridge::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::InputSource) (this=<optimized out>, mouseEvent=..., inputSource=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/replay/UserInputBridge.cpp:129 #14 0x00007f9fb5482365 in WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) (mouseEvent=..., page=page@entry=0x7f9fb7307800, onlyUpdateScrollbars=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1883 frame = <optimized out> platformMouseEvent = {<(anonymous namespace)::PlatformEvent> = {m_type = 5, m_modifiers = 0, m_timestamp = 10785141}, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_button = (anonymous namespace)::LeftButton, m_clickCount = 0, m_modifierFlags = 0} #15 0x00007f9fb5487a3b in WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) (this=this@entry=0x7f9fb7307800, mouseEvent=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1919 currentEvent = {m_previousCurrentEvent = 0x0} handled = false mouseEvent = @0x7fffe8f51770: {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0} this = 0x7f9fb7307800 #16 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (args=<unknown type in /var/cache/abrt-di/usr/lib/debug/usr/lib64/libwebkit2gtk-4.0.so.37.2.6.debug, CU 0x6eb6d81, DIE 0x6f7e465>, function=<optimized out>, object=0x7f9fb7307800) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/HandleMessage.h:16 arguments = std::tuple containing = {[1] = {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}} #17 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (function=<optimized out>, object=0x7f9fb7307800, args=<unknown type in /var/cache/abrt-di/usr/lib/debug/usr/lib64/libwebkit2gtk-4.0.so.37.2.6.debug, CU 0x6eb6d81, DIE 0x6fa07af>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/HandleMessage.h:22 arguments = std::tuple containing = {[1] = {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}} #18 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (function=<optimized out>, object=0x7f9fb7307800, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/HandleMessage.h:120 arguments = std::tuple containing = {[1] = {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}} #19 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (this=0x7f9fb7307800, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/x86_64-redhat-linux-gnu/DerivedSources/WebKit2/WebPageMessageReceiver.cpp:172 #20 0x00007f9fb5316466 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection*, IPC::MessageDecoder&) (this=this@entry=0x2611b80, connection=connection@entry=0x7f9fb72dec00, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:87 messageReceiver = 0x0 #21 0x00007f9fb5406882 in WebKit::WebProcess::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) (this=0x2611a80, connection=0x7f9fb72dec00, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebProcess.cpp:599 #22 0x00007f9fb53108d4 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >) (this=this@entry=0x7f9fb72dec00, message=std::unique_ptr<IPC::MessageDecoder> containing 0x7f9f1dccc120) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/Connection.cpp:828 oldDidReceiveInvalidMessage = false #23 0x00007f9fb5310a55 in IPC::Connection::dispatchOneMessage() (this=0x7f9fb72dec00) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/Connection.cpp:856 message = std::unique_ptr<IPC::MessageDecoder> containing 0x0 #24 0x00007f9fb678ad3a in WTF::RunLoop::performWork() (this=0x7f9fb72d4d90) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/RunLoop.cpp:104 function = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f44001c00, _M_const_object = 0x7f9f44001c00, _M_function_pointer = 0x7f9f44001c00, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f44001c00}, _M_pod_data = "\000\034\000D\237\177\000\000\000\000\000\000\000\000\000"}, _M_manager = 0x7f9fb5313be0 <std::_Function_base::_Base_manager<WTF::Function<void ()> >::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation)>}, _M_invoker = 0x7f9fb5313af0 <std::_Function_handler<void (), WTF::Function<void ()> >::_M_invoke(std::_Any_data const&)>} functionsToHandle = <optimized out> #25 0x00007f9fb3f74041 in WTF::GMainLoopSource::voidCallback() (this=0x7f9f36c92580) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/gobject/GMainLoopSource.cpp:364 context = {source = {m_ptr = 0x7f9f44001100}, cancellable = {m_ptr = 0x0}, socketCancellable = {m_ptr = 0x0}, voidCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f44001dd0, _M_const_object = 0x7f9f44001dd0, _M_function_pointer = 0x7f9f44001dd0, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f44001dd0}, _M_pod_data = "\320\035\000D\237\177\000\000\000\000\000\000\000\000\000"}, _M_manager = 0x7f9fb6790500 <std::_Function_base::_Base_manager<WTF::RunLoop::wakeUp()::<lambda()> >::_M_manager(std::_Any_data &, const std::_Any_data &, std::_Manager_operation)>}, _M_invoker = 0x7f9fb67900f0 <std::_Function_handler<void(), WTF::RunLoop::wakeUp()::<lambda()> >::_M_invoke(const std::_Any_data &)>}, boolCallback = {<std::_Maybe_unary_or_binary_function<bool>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f4ddf4a40, _M_const_object = 0x7f9f4ddf4a40, _M_function_pointer = 0x7f9f4ddf4a40, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f4ddf4a40, this adjustment 140323850967806}, _M_pod_data = "@J\337M\237\177\000\000\376ZJ\261\237\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7f9f4ddf4a50}, socketCallback = {<std::_Maybe_unary_or_binary_function<bool, GIOCondition>> = {<std::unary_function<GIOCondition, bool>> = {<No data fields>}, <No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f44000020, _M_const_object = 0x7f9f44000020, _M_function_pointer = 0x7f9f44000020, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f44000020, this adjustment 8}, _M_pod_data = " \000\000D\237\177\000\000\b\000\000\000\000\000\000"}, _M_manager = 0x0}, _M_invoker = 0x7f9fb3f6fd20 <WTF::GMainLoopSource::schedule(char const*, std::function<void ()>, int, std::function<void ()>, _GMainContext*)>}, destroyCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9ef7a8a2c0, _M_const_object = 0x7f9ef7a8a2c0, _M_function_pointer = 0x7f9ef7a8a2c0, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9ef7a8a2c0, this adjustment 140322017378336}, _M_pod_data = "\300\242\250\367\236\177\000\000 \000\000D\237\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7f9f4ddf4610}} #26 0x00007f9fb3f6f26a in WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*) (source=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/gobject/GMainLoopSource.cpp:454 #27 0x00007f9fb14a87fb in g_main_context_dispatch (context=0x2108620) at gmain.c:3111 dispatch = 0x7f9fb14a5340 <g_idle_dispatch> prev_source = 0x0 was_in_call = 0 user_data = 0x7f9f36c92580 callback = 0x7f9fb3f6f260 <WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*)> cb_funcs = 0x7f9fb17968c0 <g_source_callback_funcs> cb_data = 0x7f9f44001190 need_destroy = <optimized out> source = 0x7f9f44001100 current = 0x20f24b0 i = 0 #28 0x00007f9fb14a87fb in g_main_context_dispatch (context=context@entry=0x2108620) at gmain.c:3710 #29 0x00007f9fb14a8b98 in g_main_context_iterate (context=0x2108620, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3781 max_priority = 0 timeout = 0 some_ready = 1 nfds = <optimized out> allocated_nfds = 14 fds = 0x4968400 #30 0x00007f9fb14a8ec2 in g_main_loop_run (loop=0x223a570) at gmain.c:3975 __FUNCTION__ = "g_main_loop_run" #31 0x00007f9fb55051f9 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=2, argv=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/unix/ChildProcessMain.h:61 childMain = {<WebKit::ChildProcessMainBase> = {_vptr.ChildProcessMainBase = 0x7f9fb7014f10 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {m_impl = {m_ptr = 0x0}}, clientIdentifier = {m_impl = {m_ptr = 0x0}}, connectionIdentifier = 14, extraInitializationData = {m_impl = {static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}}}, <No data fields>} #32 0x00007f9fb42b1fe0 in __libc_start_main (main=0x400780 <main(int, char**)>, argc=2, argv=0x7fffe8f51d78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe8f51d68) at libc-start.c:289 result = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -6449711147121380725, 4196267, 140737101766000, 0, 0, 6449669822284558987, 6431541813330571915}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x4008b0 <__libc_csu_init>, 0x7fffe8f51d78}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4196528}}} not_first_call = <optimized out> #33 0x00000000004007d4 in _start () 1077529 1 cgarcia 2015-03-16 12:30:27 -0700 The thing is why we have a cairo surface for the drag image with a 0 size (imageSize = {m_width = 0, m_height = 0}). I think the cairo surface should be null in that case, and should be handled before. 1078522 2 249035 cgarcia 2015-03-19 05:35:06 -0700 Created attachment 249035 Speculative fix I can't reproduce this, but according to the backtrace, this patch could fix the problem 1078784 3 cgarcia 2015-03-20 01:05:22 -0700 Committed r181787: <http://trac.webkit.org/changeset/181787> 249035 2015-03-19 05:35:06 -0700 2015-03-20 00:58:01 -0700 Speculative fix wk-image-buffer-empty.diff text/plain 1487 cgarcia ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCAxNjhiZmM1Li5hZTAzYWZmIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDUgKzEsMTkg QEAKIDIwMTUtMDMtMTkgIENhcmxvcyBHYXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2FsaWEuY29t PgogCisgICAgICAgIFtHVEtdIENyYXNoIGR1ZSB0byBlbXB0eSBkcmFnIGltYWdlIGR1cmluZyBk cmFnLWFuZC1kcm9wCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNn aT9pZD0xNDI2NzEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAg ICAgICBSZXR1cm4gZWFybHkgZnJvbSBJbWFnZUJ1ZmZlciBjb25zdHJ1Y3RvciBpZiBhbiBlbXB0 eSBzaXplIGlzCisgICAgICAgIGdpdmVuLiBUaGlzIGlzIGEgc3BlY3VsYXRpdmUgZml4IGZvciBh IGNyYXNoIHdoaWxlIHN0YXJ0aW5nIGEgZHJhZworICAgICAgICBhbmQgZHJvcCBvcGVyYXRpb24s IHRoYXQgSSBoYXZlbid0IGJlZW4gYWJsZSB0byByZXByb2R1Y2UuCisKKyAgICAgICAgKiBwbGF0 Zm9ybS9ncmFwaGljcy9jYWlyby9JbWFnZUJ1ZmZlckNhaXJvLmNwcDoKKyAgICAgICAgKFdlYkNv cmU6OkltYWdlQnVmZmVyOjpJbWFnZUJ1ZmZlcik6CisKKzIwMTUtMDMtMTkgIENhcmxvcyBHYXJj aWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2FsaWEuY29tPgorCiAgICAgICAgIFtHVEtdIFNjcm9sbGJh cnMgbG9vayBiYWQgd2l0aCBHVEsrIDMuMTYKICAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTE0MDgwMAogCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9w bGF0Zm9ybS9ncmFwaGljcy9jYWlyby9JbWFnZUJ1ZmZlckNhaXJvLmNwcCBiL1NvdXJjZS9XZWJD b3JlL3BsYXRmb3JtL2dyYXBoaWNzL2NhaXJvL0ltYWdlQnVmZmVyQ2Fpcm8uY3BwCmluZGV4IDhk Y2ZlMzcuLmQ0YmM2NmEgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBo aWNzL2NhaXJvL0ltYWdlQnVmZmVyQ2Fpcm8uY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3BsYXRm b3JtL2dyYXBoaWNzL2NhaXJvL0ltYWdlQnVmZmVyQ2Fpcm8uY3BwCkBAIC0xMDEsNiArMTAxLDgg QEAgSW1hZ2VCdWZmZXI6OkltYWdlQnVmZmVyKGNvbnN0IEZsb2F0U2l6ZSYgc2l6ZSwgZmxvYXQg LyogcmVzb2x1dGlvblNjYWxlICovLCBDb2wKICAgICAsIG1fbG9naWNhbFNpemUoc2l6ZSkKIHsK ICAgICBzdWNjZXNzID0gZmFsc2U7ICAvLyBNYWtlIGVhcmx5IHJldHVybiBtZWFuIGVycm9yLgor ICAgIGlmIChtX3NpemUuaXNFbXB0eSgpKQorICAgICAgICByZXR1cm47CiAKICNpZiBFTkFCTEUo QUNDRUxFUkFURURfMkRfQ0FOVkFTKQogICAgIGlmIChyZW5kZXJpbmdNb2RlID09IEFjY2VsZXJh dGVkKQo=