168292 2017-02-14 00:11:09 -0800 REGRESSION(r212239): Crash in DragImage::operator=(WebCore::DragImage&&) when DragImageRef is the same 2017-02-14 22:52:20 -0800 1 1 1 Unclassified WebKit Platform WebKit Local Build Unspecified Unspecified NEW https://bugs.webkit.org/show_bug.cgi?id=168131 LayoutTestFailure, Regression P2 Normal --- 1 cgarcia webkit-unassigned andersca bdakin bugs-noreply oldest_to_newest 1276632 0 cgarcia 2017-02-14 00:11:09 -0800 This happens at least in the GTK+ port where DragImageRef is a pointer (we should definitely change that). It caused several crashes in the bots: Thread 1 (Thread 0x2b4ba8e96940 (LWP 11637)): #0 0x00002b4ba28b3067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00002b4ba28b4448 in __GI_abort () at abort.c:89 #2 0x00002b4ba28ac266 in __assert_fail_base (fmt=0x2b4ba29e5238 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x2b4b9ba8ce08 "((*&(&surface->ref_count)->ref_count) > 0)", file=file@entry=0x2b4b9ba8cd38 "/home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/cairo-1.14.2/src/cairo-surface.c", line=line@entry=953, function=function@entry=0x2b4b9ba9d9f0 <__PRETTY_FUNCTION__.11168> "cairo_surface_destroy") at assert.c:92 #3 0x00002b4ba28ac312 in __GI___assert_fail (assertion=0x2b4b9ba8ce08 "((*&(&surface->ref_count)->ref_count) > 0)", file=0x2b4b9ba8cd38 "/home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/cairo-1.14.2/src/cairo-surface.c", line=953, function=0x2b4b9ba9d9f0 <__PRETTY_FUNCTION__.11168> "cairo_surface_destroy") at assert.c:101 #4 0x00002b4b9ba1a7c2 in cairo_surface_destroy () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/cairo-1.14.2/src/cairo-surface.c:953 #5 0x00002b4b9968b7f9 in WebCore::DragImage::operator=(WebCore::DragImage&&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #6 0x00002b4b995d7e8b in WebCore::DragController::doImageDrag(WebCore::Element&, WebCore::IntPoint const&, WebCore::IntRect const&, WebCore::DataTransfer&, WebCore::Frame&, WebCore::IntPoint&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #7 0x00002b4b995dbcc2 in WebCore::DragController::startDrag(WebCore::Frame&, WebCore::DragState const&, WebCore::DragOperation, WebCore::PlatformMouseEvent const&, WebCore::IntPoint const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #8 0x00002b4b995e3994 in WebCore::EventHandler::handleDrag(WebCore::MouseEventWithHitTestResults const&, WebCore::CheckDragHysteresis) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #9 0x00002b4b995e3eb8 in WebCore::EventHandler::handleMouseDraggedEvent(WebCore::MouseEventWithHitTestResults const&, WebCore::CheckDragHysteresis) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #10 0x00002b4b995eab67 in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 When m_dragImageRef is the same as other.m_dragImageRef we end up deleting twice. 1276634 1 301472 cgarcia 2017-02-14 00:14:30 -0800 Created attachment 301472 Patch 1276800 2 301472 andersca 2017-02-14 10:06:02 -0800 Comment on attachment 301472 Patch This isn't right. Just self-move a no-op. 1277074 3 cgarcia 2017-02-14 22:52:20 -0800 (In reply to comment #2) > Comment on attachment 301472 [details] > Patch > > This isn't right. Just self-move a no-op. I'm not sure this is actually a self-move, this and other are not the same but both wrap the same pointer. This is no longer a problem for us, though, because I changed our DragImageRef to be a RefPtr too, and I don't think there are any other ports using raw pointers now. 301472 2017-02-14 00:14:30 -0800 2017-02-14 10:06:02 -0800 Patch wk-drag-crash.diff text/plain 1377 cgarcia ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCA4ZTU1NzMwOWUyYi4uNDMyMTk1MTNjYTkgMTAwNjQ0Ci0tLSBhL1NvdXJj ZS9XZWJDb3JlL0NoYW5nZUxvZworKysgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxNyBAQAorMjAxNy0wMi0xNCAgQ2FybG9zIEdhcmNpYSBDYW1wb3MgIDxjZ2FyY2lhQGln YWxpYS5jb20+CisKKyAgICAgICAgUkVHUkVTU0lPTihyMjEyMjM5KTogQ3Jhc2ggaW4gRHJhZ0lt YWdlOjpvcGVyYXRvcj0oV2ViQ29yZTo6RHJhZ0ltYWdlJiYpIHdoZW4gRHJhZ0ltYWdlUmVmIGlz IHRoZSBzYW1lCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9p ZD0xNjgyOTIKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICBXaGVuIG1fZHJhZ0ltYWdlUmVmIGlzIHRoZSBzYW1lIGFzIG90aGVyLm1fZHJhZ0ltYWdlUmVm IHdlIGVuZCB1cCBkZWxldGluZyB0d2ljZS4KKworICAgICAgICBGaXhlcyBzZXZlcmFsIGNyYXNo ZXMgaW4gdGhlIEdUSysgYm90cy4KKworICAgICAgICAqIHBsYXRmb3JtL0RyYWdJbWFnZS5jcHA6 CisgICAgICAgIChXZWJDb3JlOjpEcmFnSW1hZ2U6Om9wZXJhdG9yPSk6IEhhbmRsZSB0aGUgY2Fz ZSBvZiBtX2RyYWdJbWFnZVJlZiA9PSBvdGhlci5tX2RyYWdJbWFnZVJlZi4KKwogMjAxNy0wMi0x MyAgRGFuIEJlcm5zdGVpbiAgPG1pdHpAYXBwbGUuY29tPgogCiAgICAgICAgIFJldmVydGVkIHIy MTIyNzUuIEl0IHN0aWxsIGJyZWFrcyBzb21lIEFwcGxlLWludGVybmFsIGJ1aWxkcy4KZGlmZiAt LWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL0RyYWdJbWFnZS5jcHAgYi9Tb3VyY2UvV2Vi Q29yZS9wbGF0Zm9ybS9EcmFnSW1hZ2UuY3BwCmluZGV4IGJiNzE2YWFiODM1Li42ZWUyMjlkMTRl ZiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vRHJhZ0ltYWdlLmNwcAorKysg Yi9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9EcmFnSW1hZ2UuY3BwCkBAIC0yMzQsNiArMjM0LDEx IEBAIERyYWdJbWFnZTo6RHJhZ0ltYWdlKERyYWdJbWFnZSYmIG90aGVyKQogCiBEcmFnSW1hZ2Um IERyYWdJbWFnZTo6b3BlcmF0b3I9KERyYWdJbWFnZSYmIG90aGVyKQogeworICAgIGlmIChtX2Ry YWdJbWFnZVJlZiA9PSBvdGhlci5tX2RyYWdJbWFnZVJlZikgeworICAgICAgICBvdGhlci5tX2Ry YWdJbWFnZVJlZiA9IG51bGxwdHI7CisgICAgICAgIHJldHVybiAqdGhpczsKKyAgICB9CisKICAg ICBpZiAobV9kcmFnSW1hZ2VSZWYpCiAgICAgICAgIGRlbGV0ZURyYWdJbWFnZShtX2RyYWdJbWFn ZVJlZik7CiAK