Bug 142671

Summary: [GTK] Crash due to empty drag image during drag-and-drop
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: cgarcia, commit-queue, d-r, mcatanzaro, mrobinson, pnormand, svillar, zan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Speculative fix pnormand: review+

Michael Catanzaro
Reported 2015-03-13 06:54:10 PDT
ShareableBitmap::createShareable can return nullptr, but convertCairoSurfaceToShareableBitmap in WebDragClientGtk.cpp does not check for this case and attempts to use the pointer anyway. Should be easy to fix by just returning early. Writing a test might be hard, though, since I think it only happens if shared memory allocation fails. Backtrace from a downstream report: #0 0x00007f9fb532a5a0 in WebKit::ShareableBitmap::data() const (this=0x10) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/RefPtr.h:74 #1 0x00007f9fb532a5a0 in WebKit::ShareableBitmap::data() const (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/ShareableBitmap.h:107 #2 0x00007f9fb532a5a0 in WebKit::ShareableBitmap::data() const (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/ShareableBitmap.cpp:166 #3 0x00007f9fb549d46b in WebKit::ShareableBitmap::createCairoSurface() (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp:77 image = <optimized out> dataKey = {unused = 0} #4 0x00007f9fb549d4fa in WebKit::ShareableBitmap::createGraphicsContext() (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp:56 image = <optimized out> bitmapContext = <optimized out> #5 0x00007f9fb54fa754 in WebKit::WebDragClient::startDrag(_cairo_surface*, WebCore::IntPoint const&, WebCore::IntPoint const&, WebCore::DataTransfer&, WebCore::Frame&, bool) (surface=0x4ca82f0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebCoreSupport/gtk/WebDragClientGtk.cpp:53 imageSize = {m_width = 0, m_height = 0} graphicsContext = std::unique_ptr<(anonymous namespace)::GraphicsContext> containing 0x442d800044a92000 bitmap = <optimized out> handle = {m_handle = {m_fileDescriptor = -1221722112, m_size = 140323949772856}, m_size = {m_width = -386593312, m_height = 32767}, m_flags = 3049402905} dataObject = <optimized out> dragData = {m_clientPosition = {m_x = 0, m_y = 0}, m_globalPosition = {m_x = -1245564347, m_y = 32671}, m_platformDragData = 0x7fffe8f50e00, m_draggingSourceOperationMask = 3049414897, m_applicationFlags = ((anonymous namespace)::DragApplicationIsModal | (anonymous namespace)::DragApplicationIsSource | (anonymous namespace)::DragApplicationHasAttachedSheet | (anonymous namespace)::DragApplicationIsCopyKeyDown | unknown: 32656)} #6 0x00007f9fb54fa754 in WebKit::WebDragClient::startDrag(_cairo_surface*, WebCore::IntPoint const&, WebCore::IntPoint const&, WebCore::DataTransfer&, WebCore::Frame&, bool) (this=0x3152cc0, dragImage=dragImage@entry=0x4ca82f0, clientPosition=..., globalPosition=..., dataTransfer=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebCoreSupport/gtk/WebDragClientGtk.cpp:61 bitmap = <optimized out> handle = {m_handle = {m_fileDescriptor = -1221722112, m_size = 140323949772856}, m_size = {m_width = -386593312, m_height = 32767}, m_flags = 3049402905} dataObject = <optimized out> dragData = {m_clientPosition = {m_x = 0, m_y = 0}, m_globalPosition = {m_x = -1245564347, m_y = 32671}, m_platformDragData = 0x7fffe8f50e00, m_draggingSourceOperationMask = 3049414897, m_applicationFlags = ((anonymous namespace)::DragApplicationIsModal | (anonymous namespace)::DragApplicationIsSource | (anonymous namespace)::DragApplicationHasAttachedSheet | (anonymous namespace)::DragApplicationIsCopyKeyDown | unknown: 32656)} #7 0x00007f9fb5b7d426 in WebCore::DragController::doSystemDrag(_cairo_surface*, WebCore::IntPoint const&, WebCore::IntPoint const&, WebCore::DataTransfer&, WebCore::Frame&, bool) (this=this@entry=0x7f9fb72d1880, image=image@entry=0x4ca82f0, dragLoc=..., eventPos=..., dataTransfer=..., frame=..., forLink=false) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/DragController.cpp:931 frameProtector = {m_ptr = 0x7f9fb72dc900} viewProtector = {m_ptr = 0x7f9fb72e0000} #8 0x00007f9fb5b7e32d in WebCore::DragController::startDrag(WebCore::Frame&, WebCore::DragState const&, WebCore::DragOperation, WebCore::PlatformMouseEvent const&, WebCore::IntPoint const&) (this=0x7f9fb72d1880, src=..., state=..., srcOp=srcOp@entry=(anonymous namespace)::DragOperationEvery, dragEvent=..., dragOrigin=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/DragController.cpp:856 mouseDraggedPoint = {m_x = 518, m_y = 3888} dragImage = 0x4ca82f0 dragImageOffset = {m_x = 0, m_y = 0} hitTestResult = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248384}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3881}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3881}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3881}, m_p2 = {m_x = 519, m_y = 3881}, m_p3 = {m_x = 519, m_y = 3882}, m_p4 = {m_x = 518, m_y = 3882}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9e40}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9e40}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248384}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 7488}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0} includeShadowDOM = <optimized out> imageURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_protocolIsInHTTPFamily = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0} sourceContainsHitNode = <optimized out> linkURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_protocolIsInHTTPFamily = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0} dragLoc = {m_x = 0, m_y = 0} startedDrag = true image = <optimized out> #9 0x00007f9fb5b8d078 in WebCore::EventHandler::handleDrag(WebCore::MouseEventWithHitTestResults const&, WebCore::CheckDragHysteresis) (this=0x7f9fb71e0b80, event=..., checkDragHysteresis=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:3488 page = 0x7f9fb7307000 srcOp = (anonymous namespace)::DragOperationEvery event = @0x7fffe8f513b0: {m_event = {<(anonymous namespace)::PlatformEvent> = {m_type = 5, m_modifiers = 0, m_timestamp = 10785141}, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_button = (anonymous namespace)::LeftButton, m_clickCount = 0, m_modifierFlags = 0}, m_hitTestResult = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3888}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3888}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3888}, m_p2 = {m_x = 519, m_y = 3888}, m_p3 = {m_x = 519, m_y = 3889}, m_p4 = {m_x = 518, m_y = 3889}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9d80}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9d80}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 256}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0}} this = 0x7f9fb71e0b80 #10 0x00007f9fb5b8d60a in WebCore::EventHandler::handleMouseDraggedEvent(WebCore::MouseEventWithHitTestResults const&) (this=0x7f9fb71e0b80, event=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:809 #11 0x00007f9fb5b8dcb3 in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) (this=0x7f9fb71e0b80, platformMouseEvent=..., hoveredNode=<optimized out>, onlyUpdateScrollbars=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:1981 hitType = <optimized out> request = {m_requestType = 780} newSubframe = {m_ptr = 0x0} protector = {m_ptr = 0x7f9fb72e0000} mouseEvent = {m_event = {<(anonymous namespace)::PlatformEvent> = {m_type = 5, m_modifiers = 0, m_timestamp = 10785141}, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_button = (anonymous namespace)::LeftButton, m_clickCount = 0, m_modifierFlags = 0}, m_hitTestResult = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3888}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3888}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3888}, m_p2 = {m_x = 519, m_y = 3888}, m_p3 = {m_x = 519, m_y = 3889}, m_p4 = {m_x = 518, m_y = 3889}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9d80}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9d80}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 256}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0}} swallowEvent = <optimized out> #12 0x00007f9fb5b90752 in WebCore::EventHandler::mouseMoved(WebCore::PlatformMouseEvent const&) (this=0x7f9fb71e0b80, event=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:1841 maxDurationTracker = {m_maxDuration = 0x7f9fb71e0e28, m_start = 10785.151017} hoveredNode = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3888}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3888}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3888}, m_p2 = {m_x = 519, m_y = 3888}, m_p3 = {m_x = 519, m_y = 3889}, m_p4 = {m_x = 518, m_y = 3889}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9d80}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9d80}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 256}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0} protector = {m_ptr = 0x7f9fb72e0000} result = <optimized out> page = 0x7fffe8f515e0 #13 0x00007f9fb5f9e298 in WebCore::UserInputBridge::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::InputSource) (this=<optimized out>, mouseEvent=..., inputSource=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/replay/UserInputBridge.cpp:129 #14 0x00007f9fb5482365 in WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) (mouseEvent=..., page=page@entry=0x7f9fb7307800, onlyUpdateScrollbars=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1883 frame = <optimized out> platformMouseEvent = {<(anonymous namespace)::PlatformEvent> = {m_type = 5, m_modifiers = 0, m_timestamp = 10785141}, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_button = (anonymous namespace)::LeftButton, m_clickCount = 0, m_modifierFlags = 0} #15 0x00007f9fb5487a3b in WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) (this=this@entry=0x7f9fb7307800, mouseEvent=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1919 currentEvent = {m_previousCurrentEvent = 0x0} handled = false mouseEvent = @0x7fffe8f51770: {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0} this = 0x7f9fb7307800 #16 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (args=<unknown type in /var/cache/abrt-di/usr/lib/debug/usr/lib64/libwebkit2gtk-4.0.so.37.2.6.debug, CU 0x6eb6d81, DIE 0x6f7e465>, function=<optimized out>, object=0x7f9fb7307800) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/HandleMessage.h:16 arguments = std::tuple containing = {[1] = {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}} #17 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (function=<optimized out>, object=0x7f9fb7307800, args=<unknown type in /var/cache/abrt-di/usr/lib/debug/usr/lib64/libwebkit2gtk-4.0.so.37.2.6.debug, CU 0x6eb6d81, DIE 0x6fa07af>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/HandleMessage.h:22 arguments = std::tuple containing = {[1] = {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}} #18 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (function=<optimized out>, object=0x7f9fb7307800, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/HandleMessage.h:120 arguments = std::tuple containing = {[1] = {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}} #19 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (this=0x7f9fb7307800, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/x86_64-redhat-linux-gnu/DerivedSources/WebKit2/WebPageMessageReceiver.cpp:172 #20 0x00007f9fb5316466 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection*, IPC::MessageDecoder&) (this=this@entry=0x2611b80, connection=connection@entry=0x7f9fb72dec00, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:87 messageReceiver = 0x0 #21 0x00007f9fb5406882 in WebKit::WebProcess::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) (this=0x2611a80, connection=0x7f9fb72dec00, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebProcess.cpp:599 #22 0x00007f9fb53108d4 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >) (this=this@entry=0x7f9fb72dec00, message=std::unique_ptr<IPC::MessageDecoder> containing 0x7f9f1dccc120) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/Connection.cpp:828 oldDidReceiveInvalidMessage = false #23 0x00007f9fb5310a55 in IPC::Connection::dispatchOneMessage() (this=0x7f9fb72dec00) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/Connection.cpp:856 message = std::unique_ptr<IPC::MessageDecoder> containing 0x0 #24 0x00007f9fb678ad3a in WTF::RunLoop::performWork() (this=0x7f9fb72d4d90) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/RunLoop.cpp:104 function = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f44001c00, _M_const_object = 0x7f9f44001c00, _M_function_pointer = 0x7f9f44001c00, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f44001c00}, _M_pod_data = "\000\034\000D\237\177\000\000\000\000\000\000\000\000\000"}, _M_manager = 0x7f9fb5313be0 <std::_Function_base::_Base_manager<WTF::Function<void ()> >::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation)>}, _M_invoker = 0x7f9fb5313af0 <std::_Function_handler<void (), WTF::Function<void ()> >::_M_invoke(std::_Any_data const&)>} functionsToHandle = <optimized out> #25 0x00007f9fb3f74041 in WTF::GMainLoopSource::voidCallback() (this=0x7f9f36c92580) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/gobject/GMainLoopSource.cpp:364 context = {source = {m_ptr = 0x7f9f44001100}, cancellable = {m_ptr = 0x0}, socketCancellable = {m_ptr = 0x0}, voidCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f44001dd0, _M_const_object = 0x7f9f44001dd0, _M_function_pointer = 0x7f9f44001dd0, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f44001dd0}, _M_pod_data = "\320\035\000D\237\177\000\000\000\000\000\000\000\000\000"}, _M_manager = 0x7f9fb6790500 <std::_Function_base::_Base_manager<WTF::RunLoop::wakeUp()::<lambda()> >::_M_manager(std::_Any_data &, const std::_Any_data &, std::_Manager_operation)>}, _M_invoker = 0x7f9fb67900f0 <std::_Function_handler<void(), WTF::RunLoop::wakeUp()::<lambda()> >::_M_invoke(const std::_Any_data &)>}, boolCallback = {<std::_Maybe_unary_or_binary_function<bool>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f4ddf4a40, _M_const_object = 0x7f9f4ddf4a40, _M_function_pointer = 0x7f9f4ddf4a40, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f4ddf4a40, this adjustment 140323850967806}, _M_pod_data = "@J\337M\237\177\000\000\376ZJ\261\237\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7f9f4ddf4a50}, socketCallback = {<std::_Maybe_unary_or_binary_function<bool, GIOCondition>> = {<std::unary_function<GIOCondition, bool>> = {<No data fields>}, <No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f44000020, _M_const_object = 0x7f9f44000020, _M_function_pointer = 0x7f9f44000020, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f44000020, this adjustment 8}, _M_pod_data = " \000\000D\237\177\000\000\b\000\000\000\000\000\000"}, _M_manager = 0x0}, _M_invoker = 0x7f9fb3f6fd20 <WTF::GMainLoopSource::schedule(char const*, std::function<void ()>, int, std::function<void ()>, _GMainContext*)>}, destroyCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9ef7a8a2c0, _M_const_object = 0x7f9ef7a8a2c0, _M_function_pointer = 0x7f9ef7a8a2c0, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9ef7a8a2c0, this adjustment 140322017378336}, _M_pod_data = "\300\242\250\367\236\177\000\000 \000\000D\237\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7f9f4ddf4610}} #26 0x00007f9fb3f6f26a in WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*) (source=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/gobject/GMainLoopSource.cpp:454 #27 0x00007f9fb14a87fb in g_main_context_dispatch (context=0x2108620) at gmain.c:3111 dispatch = 0x7f9fb14a5340 <g_idle_dispatch> prev_source = 0x0 was_in_call = 0 user_data = 0x7f9f36c92580 callback = 0x7f9fb3f6f260 <WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*)> cb_funcs = 0x7f9fb17968c0 <g_source_callback_funcs> cb_data = 0x7f9f44001190 need_destroy = <optimized out> source = 0x7f9f44001100 current = 0x20f24b0 i = 0 #28 0x00007f9fb14a87fb in g_main_context_dispatch (context=context@entry=0x2108620) at gmain.c:3710 #29 0x00007f9fb14a8b98 in g_main_context_iterate (context=0x2108620, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3781 max_priority = 0 timeout = 0 some_ready = 1 nfds = <optimized out> allocated_nfds = 14 fds = 0x4968400 #30 0x00007f9fb14a8ec2 in g_main_loop_run (loop=0x223a570) at gmain.c:3975 __FUNCTION__ = "g_main_loop_run" #31 0x00007f9fb55051f9 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=2, argv=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/unix/ChildProcessMain.h:61 childMain = {<WebKit::ChildProcessMainBase> = {_vptr.ChildProcessMainBase = 0x7f9fb7014f10 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {m_impl = {m_ptr = 0x0}}, clientIdentifier = {m_impl = {m_ptr = 0x0}}, connectionIdentifier = 14, extraInitializationData = {m_impl = {static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}}}, <No data fields>} #32 0x00007f9fb42b1fe0 in __libc_start_main (main=0x400780 <main(int, char**)>, argc=2, argv=0x7fffe8f51d78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe8f51d68) at libc-start.c:289 result = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -6449711147121380725, 4196267, 140737101766000, 0, 0, 6449669822284558987, 6431541813330571915}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x4008b0 <__libc_csu_init>, 0x7fffe8f51d78}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4196528}}} not_first_call = <optimized out> #33 0x00000000004007d4 in _start ()
Attachments
Speculative fix (1.45 KB, patch)
2015-03-19 05:35 PDT, Carlos Garcia Campos 		pnormand: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Carlos Garcia Campos
Comment 1 2015-03-16 12:30:27 PDT
The thing is why we have a cairo surface for the drag image with a 0 size (imageSize = {m_width = 0, m_height = 0}). I think the cairo surface should be null in that case, and should be handled before.
Carlos Garcia Campos
Comment 2 2015-03-19 05:35:06 PDT
Created attachment 249035 [details] Speculative fix I can't reproduce this, but according to the backtrace, this patch could fix the problem
Carlos Garcia Campos
Comment 3 2015-03-20 01:05:22 PDT
Committed r181787: <http://trac.webkit.org/changeset/181787>
Note You need to log in before you can comment on or make changes to this bug.