82992 2012-04-02 18:38:26 -0700 [Qt] Crash in ~GraphicsContext3D() when init failed 2012-04-03 18:44:31 -0700 1 1 1 Unclassified WebKit Platform 528+ (Nightly build) All Linux RESOLVED FIXED P2 Normal --- 0 srikumar.b webkit-unassigned luiz srikumar.b webkit.review.bot oldest_to_newest 594118 0 srikumar.b 2012-04-02 18:38:26 -0700 webkit crashes while destructing GraphicsContext3D object when the init failed in GraphicsContext3D constructor. We are trying to access and deallocate member variables which are never been allocated when constructor init failed in Source/WebCore/platform/graphics/qt/GraphicsContext3DQt.cpp Here is the backtrack for the crash #0 0xb62bcc76 in WTF::OwnPtr<WebCore::GraphicsContext3DPrivate>::operator-> (this=0x8e1bad8) at ../../../../Source/WTF/wtf/OwnPtr.h:64 #1 0xb62bc392 in WebCore::GraphicsContext3D::makeContextCurrent (this=0x8e1b9c8) at ../../../../Source/WebCore/platform/graphics/qt/GraphicsContext3DQt.cpp:390 #2 0xb62bc11e in WebCore::GraphicsContext3D::~GraphicsContext3D (this=0x8e1b9c8, __in_chrg=<value optimized out>) at ../../../../Source/WebCore/platform/graphics/qt/GraphicsContext3DQt.cpp:351 #3 0xb62ab55b in WTF::RefCounted<WebCore::GraphicsContext3D>::deref (this=0x8e1b9c8) at ../../../../Source/WTF/wtf/RefCounted.h:190 #4 0xb62a9657 in WTF::derefIfNotNull<WebCore::GraphicsContext3D> (ptr=0x8e1b9c8) at ../../../../Source/WTF/wtf/PassRefPtr.h:52 #5 0xb62a6f21 in WTF::RefPtr<WebCore::GraphicsContext3D>::~RefPtr (this=0xbfffd42c, __in_chrg=<value optimized out>) at ../../../../Source/WTF/wtf/RefPtr.h:58 #6 0xb62bba0e in WebCore::GraphicsContext3D::create (attrs=..., hostWindow=0x82a3d20, renderStyle=WebCore::GraphicsContext3D::RenderOffscreen) at ../../../../Source/WebCore/platform/graphics/qt/GraphicsContext3DQt.cpp:243 #7 0xb629032b in WebCore::WebGLRenderingContext::create (canvas=0x8e1df90, attrs=0x8e1b5a0) at ../../../../Source/WebCore/html/canvas/WebGLRenderingContext.cpp:409 #8 0xb5b5427d in WebCore::HTMLCanvasElement::getContext (this=0x8e1df90, type=..., attrs=0x8e1b5a0) at ../../../../Source/WebCore/html/HTMLCanvasElement.cpp:202 #9 0xb57463ea in WebCore::JSHTMLCanvasElement::getContext (this=0xa7a59e40, exec=0xa88672a8) at ../../../../Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp:75 #10 0xb647cbee in WebCore::jsHTMLCanvasElementPrototypeFunctionGetContext (exec=0xa88672a8) at generated/JSHTMLCanvasElement.cpp:208 #11 0xa7e7b309 in ?? () #12 0xb6789e29 in JSC::JITCode::execute (this=0xa7f210b0, registerFile=0x8497ba4, callFrame=0xa8867038, globalData=0x82f0258) at ../../../../Source/JavaScriptCore/jit/JITCode.h:127 #13 0xb6786a48 in JSC::Interpreter::execute (this=0x8497b98, program=0xa7f210a0, callFrame=0xa7fffcb4, scopeChain=0xa7fdffe0, thisObj=0xa803ffc0) at ../../../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1198 #14 0xb6845f44 in JSC::evaluate (exec=0xa7fffcb4, scopeChain=0xa7fdffe0, source=..., thisValue=..., returnedException=0xbfffe1b4) at ../../../../Source/JavaScriptCore/runtime/Completion.cpp:73 #15 0xb575012e in WebCore::JSMainThreadExecState::evaluate (exec=0xa7fffcb4, chain=0xa7fdffe0, source=..., thisValue=..., exception=0xbfffe1b4) at ../../../../Source/WebCore/bindings/js/JSMainThreadExecState.h:76 #16 0xb577e495 in WebCore::ScriptController::evaluateInWorld (this=0x82ee478, sourceCode=..., world=0x84980c8) at ../../../../Source/WebCore/bindings/js/ScriptController.cpp:145 #17 0xb577e5ca in WebCore::ScriptController::evaluate (this=0x82ee478, sourceCode=...) at ../../../../Source/WebCore/bindings/js/ScriptController.cpp:162 #18 0xb5a32933 in WebCore::ScriptElement::executeScript (this=0x870add8, sourceCode=...) at ../../../../Source/WebCore/dom/ScriptElement.cpp:290 #19 0xb5a322a5 in WebCore::ScriptElement::prepareScript (this=0x870add8, scriptStartPosition=..., supportLegacyTypes=WebCore::ScriptElement::DisallowLegacyTypeInTypeAttribute) at ../../../../Source/WebCore/dom/ScriptElement.cpp:235 #20 0xb5bf026d in WebCore::HTMLScriptRunner::runScript (this=0x82c6468, script=0x870ad98, scriptStartPosition=...) at ../../../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:296 594130 1 135255 srikumar.b 2012-04-02 18:57:58 -0700 Created attachment 135255 proposed patch to fix the crash in qt port The changes fix the crash issue when GraphicsContext3D init fails for Qt port 595119 2 135255 webkit.review.bot 2012-04-03 18:44:27 -0700 Comment on attachment 135255 proposed patch to fix the crash in qt port Clearing flags on attachment: 135255 Committed r113123: <http://trac.webkit.org/changeset/113123> 595120 3 webkit.review.bot 2012-04-03 18:44:31 -0700 All reviewed patches have been landed. Closing bug. 135255 2012-04-02 18:57:58 -0700 2012-04-03 18:44:27 -0700 proposed patch to fix the crash in qt port 82992.patch text/plain 1968 srikumar.b SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDExMjk3MikKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIyIEBACisyMDEyLTA0LTAyICBTcmlrdW1h ciBCb25kYSAgPHNyaWt1bWFyLmJAZ21haWwuY29tPgorCisgICAgICAgIFtRdF0gQ3Jhc2ggaW4g fkdyYXBoaWNzQ29udGV4dDNEKCkgd2hlbiBpbml0IGZhaWxlZAorICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9ODI5OTIKKworICAgICAgICBSZXZpZXdlZCBi eSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBXZWJLaXQgY3Jhc2hlcyBpbiB+R3JhcGhpY3ND b250ZXh0M0QoKSB3aGlsZSBmcmVlaW5nIHRoZSB2YXJpYWJsZXMgd2hpY2ggYXJlCisgICAgICAg IG5vdCBldmVuIGFsbG9jYXRlZCBiZWNhdXNlIG9mIHRoZSBpbml0IGZhaWx1cmUgaW4gR3JhcGhp Y3NDb250ZXh0M0QoKSBmb3IgUXQuCisgICAgICAgIEluIGFkZGl0aW9uLCBBZGRlZCBhIHNhZmV0 eSBjaGVjayBpbiBtYWtlQ29udGV4dEN1cnJlbnQoKSBiZWZvcmUgYWNjZXNzaW5nCisgICAgICAg IEdyYXBoaWNzQ29udGV4dDNEUHJpdmF0ZSBvYmplY3QuCisKKyAgICAgICAgTm8gbmV3IHRlc3Rz IGJlY2F1c2UgdGhlIGNoYW5nZSBpcyBhYm91dCBhZGRpbmcgbnVsbCBjaGVjaworICAgICAgICBi ZWZvcmUgYWNjZXNzaW5nIHRoZSB2YXJpYWJsZXMuCisKKyAgICAgICAgKiBwbGF0Zm9ybS9ncmFw aGljcy9xdC9HcmFwaGljc0NvbnRleHQzRFF0LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkdyYXBo aWNzQ29udGV4dDNEOjp+R3JhcGhpY3NDb250ZXh0M0QpOgorICAgICAgICAoV2ViQ29yZTo6R3Jh cGhpY3NDb250ZXh0M0Q6Om1ha2VDb250ZXh0Q3VycmVudCk6CisKIDIwMTItMDQtMDIgIE1hcmsg UGlsZ3JpbSAgPHBpbGdyaW1AY2hyb21pdW0ub3JnPgogCiAgICAgICAgIENhbGwgZGVjcmVtZW50 U3RhdHNDb3VudGVyIGRpcmVjdGx5CkluZGV4OiBTb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9ncmFw aGljcy9xdC9HcmFwaGljc0NvbnRleHQzRFF0LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9wbGF0Zm9ybS9ncmFwaGljcy9xdC9HcmFwaGljc0NvbnRleHQzRFF0LmNwcAkocmV2aXNp b24gMTEyOTY5KQorKysgU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vZ3JhcGhpY3MvcXQvR3JhcGhp Y3NDb250ZXh0M0RRdC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTM0OCw2ICszNDgsOSBAQCBHcmFw aGljc0NvbnRleHQzRDo6R3JhcGhpY3NDb250ZXh0M0QoR3JhCiAKIEdyYXBoaWNzQ29udGV4dDNE Ojp+R3JhcGhpY3NDb250ZXh0M0QoKQogeworICAgIC8vIElmIEdyYXBoaWNzQ29udGV4dDNEIGlu aXQgZmFpbGVkIGluIGNvbnN0cnVjdG9yLCBtX3ByaXZhdGUgc2V0IHRvIG51bGxwdHIgYW5kIG5v IGJ1ZmZlcnMgYXJlIGFsbG9jYXRlZC4KKyAgICBpZiAoIW1fcHJpdmF0ZSkKKyAgICAgICAgcmV0 dXJuOwogICAgIG1ha2VDb250ZXh0Q3VycmVudCgpOwogICAgIGdsRGVsZXRlVGV4dHVyZXMoMSwg Jm1fdGV4dHVyZSk7CiAgICAgZ2xEZWxldGVGcmFtZWJ1ZmZlcnMoMSwgJm1fZmJvKTsKQEAgLTM4 Nyw2ICszOTAsOCBAQCBQbGF0Zm9ybUxheWVyKiBHcmFwaGljc0NvbnRleHQzRDo6cGxhdGZvCiAK IGJvb2wgR3JhcGhpY3NDb250ZXh0M0Q6Om1ha2VDb250ZXh0Q3VycmVudCgpCiB7CisgICAgaWYg KCFtX3ByaXZhdGUpCisgICAgICAgIHJldHVybiBmYWxzZTsKICAgICByZXR1cm4gbV9wcml2YXRl LT5tYWtlQ3VycmVudElmTmVlZGVkKCk7CiB9CiAK