Bug 138211

Summary: [GTK] [Stable] Crash in EventPath::updateTouchLists()
Product: WebKit
Reporter: Alberto Garcia <berto>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: cgarcia, zan
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Alberto Garcia
Reported 2014-10-30 02:55:46 PDT
This happens while browsing http://www.ekinops.net/ with WebKitGTK+ 2.4.7. The 2.6 series does not seem to be affected. Here's a backtrace from the debug build:

(gdb) bt
#0  0x00007ffff38ddc7e in WTF::Vector<WTF::RefPtr<WebCore::Touch>, 0ul, WTF::CrashOnOverflow>::size (this=0x8) at ../../Source/WTF/wtf/Vector.h:576
#1  0x00007ffff3bb36f8 in WebCore::TouchList::length (this=0x0) at ../../Source/WebCore/dom/TouchList.h:46
#2  0x00007ffff3bb4f86 in WebCore::EventPath::updateTouchLists (this=0x7fffffffbd10, touchEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:438
#3  0x00007ffff3bb45f2 in WebCore::EventDispatcher::dispatchEvent (origin=0x7f3b80, prpEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:316
#4  0x00007ffff3be92ed in WebCore::Node::dispatchTouchEvent (this=0x7f3b80, event=...) at ../../Source/WebCore/dom/Node.cpp:2068
#5  0x00007ffff3be8f71 in WebCore::Node::dispatchEvent (this=0x7f3b80, event=...) at ../../Source/WebCore/dom/Node.cpp:2035
#6  0x00007ffff3bbd9df in WebCore::EventTarget::dispatchEvent (this=0x7f3b80, event=..., ec=@0x7fffffffbfcc: 0) at ../../Source/WebCore/dom/EventTarget.cpp:152
#7  0x00007ffff4760e3a in WebCore::jsNodePrototypeFunctionDispatchEvent (exec=0x7fff8c7f8ec8) at DerivedSources/WebCore/JSNode.cpp:768
#8  0x00007fff97fff0e5 in ?? ()
#9  0x00007fff8c7f8f48 in ?? ()
#10 0x00007ffff15dc601 in llint_op_call () from WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#11 0x00007fff97fff8e0 in ?? ()
#12 0x00000000008a5e20 in ?? ()
#13 0x00000000008bcb70 in ?? ()
#14 0x00007fffec5bbbc0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x0000000000961380 in ?? ()
#16 0x00007ffff38d24fa in WebCore::JSDOMWindowBase::supportsProfiling (object=0x7fff97fff8e0) at ../../Source/WebCore/bindings/js/JSDOMWindowBase.cpp:121
#17 0x00007fffffffc0d0 in ?? ()
#18 0x00007ffff15939e0 in JSC::JITCode::execute (this=0xf0458b4832eb0000, vm=0xb8077500f07d, protoCallFrame=0x8348f04589480000, topOfStack=0xd90e8c7894860c0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:48
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

#2  0x00007ffff3bb4f86 in WebCore::EventPath::updateTouchLists (this=0x7fffffffbd10, touchEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:438
438         const size_t touchNodeCount = touchEvent.touches()->length() + touchEvent.targetTouches()->length() + touchEvent.changedTouches()->length();
(gdb) print touchEvent.touches()
$6 = (WebCore::TouchList *) 0x0
(gdb) print touchEvent.targetTouches()
$7 = (WebCore::TouchList *) 0x0
(gdb) print touchEvent.changedTouches()
$8 = (WebCore::TouchList *) 0x0
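The crashing expression at EventDispatcher.cpp:438, as an added example that is not part of this bug report and is not the code of changeset 167805: hypothetical stand-ins for WebCore::TouchList and WebCore::TouchEvent, the unchecked sum exactly as the report shows it, and a null-tolerant counterpart beside it. The names lengthOrZero, touchNodeCountUnchecked, touchNodeCountChecked and eventFromReport are assumed for this illustration; whether the upstream fix takes this shape is not stated on this page.

```cpp
#include <cstddef>
#include <vector>

// Stand-in for WebCore::TouchList (hypothetical; only length() matters here).
struct TouchList {
    std::vector<int> entries;  // placeholder for the RefPtr<Touch> vector
    size_t length() const { return entries.size(); }
};

// Stand-in for WebCore::TouchEvent (hypothetical). Each accessor may return
// nullptr, which is what the gdb session in the report shows: touches(),
// targetTouches() and changedTouches() all evaluated to 0x0.
struct TouchEvent {
    TouchEvent(const TouchList* t, const TouchList* tt, const TouchList* ct)
        : m_touches(t), m_targetTouches(tt), m_changedTouches(ct) {}

    const TouchList* touches() const { return m_touches; }
    const TouchList* targetTouches() const { return m_targetTouches; }
    const TouchList* changedTouches() const { return m_changedTouches; }

private:
    const TouchList* m_touches;
    const TouchList* m_targetTouches;
    const TouchList* m_changedTouches;
};

// Mirrors the expression at EventDispatcher.cpp:438 in the report: every list
// is dereferenced unconditionally, so a null list ends up calling
// Vector::size() through a null this pointer (frames #0 and #1 above).
// Only safe to call when all three lists are non-null.
size_t touchNodeCountUnchecked(const TouchEvent& touchEvent) {
    return touchEvent.touches()->length()
         + touchEvent.targetTouches()->length()
         + touchEvent.changedTouches()->length();
}

// Null-tolerant counterpart (added here, not the upstream changeset):
// a missing list contributes zero entries instead of a null dereference.
static size_t lengthOrZero(const TouchList* list) {
    return list ? list->length() : 0;
}

size_t touchNodeCountChecked(const TouchEvent& touchEvent) {
    return lengthOrZero(touchEvent.touches())
         + lengthOrZero(touchEvent.targetTouches())
         + lengthOrZero(touchEvent.changedTouches());
}

// The event state the report captured: all three lists null.
TouchEvent eventFromReport() {
    return TouchEvent(nullptr, nullptr, nullptr);
}

int main() {
    // Constructed sample: a well-formed event carrying 2 + 1 + 3 touches.
    TouchList t{{1, 2}}, tt{{1}}, ct{{1, 2, 3}};
    TouchEvent ok(&t, &tt, &ct);
    size_t a = touchNodeCountUnchecked(ok);               // 6
    size_t b = touchNodeCountChecked(ok);                 // 6
    size_t c = touchNodeCountChecked(eventFromReport());  // 0, no crash
    return (a == 6 && b == 6 && c == 0) ? 0 : 1;
}
```

On a well-formed event both functions agree; on the event state from the report only the checked form returns (0), while the unchecked form is the null-this dereference the backtrace shows. A null dereference here is a renderer crash, so the practical impact is a denial of service triggered by page content that dispatches a touch event without populated lists.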
Alberto Garcia
Comment 1 2014-10-30 02:59:00 PDT
And it looks like here's the fix: http://trac.webkit.org/changeset/167805
Alberto Garcia
Comment 2 2014-10-30 03:16:38 PDT
Ok, the aforementioned fix is enough to solve this problem in release builds. In debug builds it asserts here, though:

ASSERTION FAILED: m_isCheckingArgumentTypes || m_canExit
#0  0x00007f8c0ebb0b5f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
#1  0x00007f8c0e87e7d5 in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x1ea2b00, kind=JSC::Uncountable, jsValueSource=..., node=0x0, jumpToFail=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:113
#2  0x00007f8c0e88b55e in JSC::DFG::SpeculativeJIT::compileMakeRope (this=0x1ea2b00, node=0x7f8ba109f000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2753
#3  0x00007f8c0e853666 in JSC::DFG::SpeculativeJIT::compile (this=0x1ea2b00, node=0x7f8ba109f000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2427
#4  0x00007f8c0e884977 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x1ea2b00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1431
#5  0x00007f8c0e884fbc in JSC::DFG::SpeculativeJIT::compile (this=0x1ea2b00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1543
#6  0x00007f8c0e7f0e16 in JSC::DFG::JITCompiler::compileBody (this=0x7fff555ecae0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:111
#7  0x00007f8c0e7f263d in JSC::DFG::JITCompiler::compileFunction (this=0x7fff555ecae0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:336
#8  0x00007f8c0e84388e in JSC::DFG::Plan::compileInThreadImpl (this=0x1df46c0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:251
#9  0x00007f8c0e84319d in JSC::DFG::Plan::compileInThread (this=0x1df46c0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:125
#10 0x00007f8c0e7c773e in JSC::DFG::compileImpl (vm=..., codeBlock=0x1df42f0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., callback=..., worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108
#11 0x00007f8c0e7c77e1 in JSC::DFG::compile (vm=..., codeBlock=0x1df42f0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=..., worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:127
#12 0x00007f8c0e973184 in JSC::operationOptimize (exec=0x7f8bac6b4638, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1148
#13 0x00007f8bb6da5089 in ?? ()
#14 0x00007f8bb6d21920 in ?? ()
#15 0x00000000012ce070 in ?? ()
#16 0xffff000000000002 in ?? ()
#17 0xffff000000000000 in ?? ()
#18 0x00007f8bac16fca0 in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x00007fff555edc90 in ?? ()
#21 0x00007f8c0e95e9e0 in JSC::JITCode::execute (this=0xffff000000000001, vm=0x7f8bac0dedf0, protoCallFrame=0x7f8ba00bfe30, topOfStack=0x0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:48
Zan Dobersek
Comment 3 2014-12-02 00:26:02 PST
(In reply to comment #1)
> And it looks like here's the fix:
>
> http://trac.webkit.org/changeset/167805

Was this merged into 2.4?
Alberto Garcia
Comment 4 2014-12-02 00:33:58 PST
(In reply to comment #3)
> Was this merged into 2.4?

Not yet, but it's in the list of proposed fixes for 2.4.8: http://trac.webkit.org/wiki/WebKitGTK/2.4.x
Alberto Garcia
Comment 5 2016-04-03 08:06:12 PDT
This has already been fixed.