Bug 142671

Summary: [GTK] Crash due to empty drag image during drag-and-drop
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: cgarcia, commit-queue, d-r, mcatanzaro, mrobinson, pnormand, svillar, zan
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Linux

Attachments:
Speculative fix (flags: pnormand: review+)

Description Michael Catanzaro 2015-03-13 06:54:10 PDT
ShareableBitmap::createShareable can return nullptr, but convertCairoSurfaceToShareableBitmap in WebDragClientGtk.cpp does not check for this case and attempts to use the pointer anyway. Should be easy to fix by just returning early. Writing a test might be hard, though, since I think it only happens if shared memory allocation fails.

Backtrace from a downstream report:

#0  0x00007f9fb532a5a0 in WebKit::ShareableBitmap::data() const (this=0x10) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/RefPtr.h:74
#1  0x00007f9fb532a5a0 in WebKit::ShareableBitmap::data() const (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/ShareableBitmap.h:107
#2  0x00007f9fb532a5a0 in WebKit::ShareableBitmap::data() const (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/ShareableBitmap.cpp:166
#3  0x00007f9fb549d46b in WebKit::ShareableBitmap::createCairoSurface() (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp:77
        image = <optimized out>
        dataKey = {unused = 0}
#4  0x00007f9fb549d4fa in WebKit::ShareableBitmap::createGraphicsContext() (this=this@entry=0x0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/cairo/ShareableBitmapCairo.cpp:56
        image = <optimized out>
        bitmapContext = <optimized out>
#5  0x00007f9fb54fa754 in WebKit::WebDragClient::startDrag(_cairo_surface*, WebCore::IntPoint const&, WebCore::IntPoint const&, WebCore::DataTransfer&, WebCore::Frame&, bool) (surface=0x4ca82f0) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebCoreSupport/gtk/WebDragClientGtk.cpp:53
        imageSize = {m_width = 0, m_height = 0}
        graphicsContext = std::unique_ptr<(anonymous namespace)::GraphicsContext> containing 0x442d800044a92000
        bitmap = <optimized out>
        handle = {m_handle = {m_fileDescriptor = -1221722112, m_size = 140323949772856}, m_size = {m_width = -386593312, m_height = 32767}, m_flags = 3049402905}
        dataObject = <optimized out>
        dragData = {m_clientPosition = {m_x = 0, m_y = 0}, m_globalPosition = {m_x = -1245564347, m_y = 32671}, m_platformDragData = 0x7fffe8f50e00, m_draggingSourceOperationMask = 3049414897, m_applicationFlags = ((anonymous namespace)::DragApplicationIsModal | (anonymous namespace)::DragApplicationIsSource | (anonymous namespace)::DragApplicationHasAttachedSheet | (anonymous namespace)::DragApplicationIsCopyKeyDown | unknown: 32656)}
#6  0x00007f9fb54fa754 in WebKit::WebDragClient::startDrag(_cairo_surface*, WebCore::IntPoint const&, WebCore::IntPoint const&, WebCore::DataTransfer&, WebCore::Frame&, bool) (this=0x3152cc0, dragImage=dragImage@entry=0x4ca82f0, clientPosition=..., globalPosition=..., dataTransfer=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebCoreSupport/gtk/WebDragClientGtk.cpp:61
        bitmap = <optimized out>
        handle = {m_handle = {m_fileDescriptor = -1221722112, m_size = 140323949772856}, m_size = {m_width = -386593312, m_height = 32767}, m_flags = 3049402905}
        dataObject = <optimized out>
        dragData = {m_clientPosition = {m_x = 0, m_y = 0}, m_globalPosition = {m_x = -1245564347, m_y = 32671}, m_platformDragData = 0x7fffe8f50e00, m_draggingSourceOperationMask = 3049414897, m_applicationFlags = ((anonymous namespace)::DragApplicationIsModal | (anonymous namespace)::DragApplicationIsSource | (anonymous namespace)::DragApplicationHasAttachedSheet | (anonymous namespace)::DragApplicationIsCopyKeyDown | unknown: 32656)}
#7  0x00007f9fb5b7d426 in WebCore::DragController::doSystemDrag(_cairo_surface*, WebCore::IntPoint const&, WebCore::IntPoint const&, WebCore::DataTransfer&, WebCore::Frame&, bool) (this=this@entry=0x7f9fb72d1880, image=image@entry=0x4ca82f0, dragLoc=..., eventPos=..., dataTransfer=..., frame=..., forLink=false) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/DragController.cpp:931
        frameProtector = {m_ptr = 0x7f9fb72dc900}
        viewProtector = {m_ptr = 0x7f9fb72e0000}
#8  0x00007f9fb5b7e32d in WebCore::DragController::startDrag(WebCore::Frame&, WebCore::DragState const&, WebCore::DragOperation, WebCore::PlatformMouseEvent const&, WebCore::IntPoint const&) (this=0x7f9fb72d1880, src=..., state=..., srcOp=srcOp@entry=(anonymous namespace)::DragOperationEvery, dragEvent=..., dragOrigin=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/DragController.cpp:856
        mouseDraggedPoint = {m_x = 518, m_y = 3888}
        dragImage = 0x4ca82f0
        dragImageOffset = {m_x = 0, m_y = 0}
        hitTestResult = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248384}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3881}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3881}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3881}, m_p2 = {m_x = 519, m_y = 3881}, m_p3 = {m_x = 519, m_y = 3882}, m_p4 = {m_x = 518, m_y = 3882}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9e40}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9e40}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248384}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 7488}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0}
        includeShadowDOM = <optimized out>
        imageURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_protocolIsInHTTPFamily = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0}
        sourceContainsHitNode = <optimized out>
        linkURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_protocolIsInHTTPFamily = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0}
        dragLoc = {m_x = 0, m_y = 0}
        startedDrag = true
        image = <optimized out>
#9  0x00007f9fb5b8d078 in WebCore::EventHandler::handleDrag(WebCore::MouseEventWithHitTestResults const&, WebCore::CheckDragHysteresis) (this=0x7f9fb71e0b80, event=..., checkDragHysteresis=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:3488
        page = 0x7f9fb7307000
        srcOp = (anonymous namespace)::DragOperationEvery
        event = @0x7fffe8f513b0: {m_event = {<(anonymous namespace)::PlatformEvent> = {m_type = 5, m_modifiers = 0, m_timestamp = 10785141}, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_button = (anonymous namespace)::LeftButton, m_clickCount = 0, m_modifierFlags = 0}, m_hitTestResult = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3888}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3888}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3888}, m_p2 = {m_x = 519, m_y = 3888}, m_p3 = {m_x = 519, m_y = 3889}, m_p4 = {m_x = 518, m_y = 3889}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9d80}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9d80}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 256}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0}}
        this = 0x7f9fb71e0b80
#10 0x00007f9fb5b8d60a in WebCore::EventHandler::handleMouseDraggedEvent(WebCore::MouseEventWithHitTestResults const&) (this=0x7f9fb71e0b80, event=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:809
#11 0x00007f9fb5b8dcb3 in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) (this=0x7f9fb71e0b80, platformMouseEvent=..., hoveredNode=<optimized out>, onlyUpdateScrollbars=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:1981
        hitType = <optimized out>
        request = {m_requestType = 780}
        newSubframe = {m_ptr = 0x0}
        protector = {m_ptr = 0x7f9fb72e0000}
        mouseEvent = {m_event = {<(anonymous namespace)::PlatformEvent> = {m_type = 5, m_modifiers = 0, m_timestamp = 10785141}, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_button = (anonymous namespace)::LeftButton, m_clickCount = 0, m_modifierFlags = 0}, m_hitTestResult = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3888}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3888}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3888}, m_p2 = {m_x = 519, m_y = 3888}, m_p3 = {m_x = 519, m_y = 3889}, m_p4 = {m_x = 518, m_y = 3889}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9d80}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9d80}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 256}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0}}
        swallowEvent = <optimized out>
#12 0x00007f9fb5b90752 in WebCore::EventHandler::mouseMoved(WebCore::PlatformMouseEvent const&) (this=0x7f9fb71e0b80, event=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/page/EventHandler.cpp:1841
        maxDurationTracker = {m_maxDuration = 0x7f9fb71e0e28, m_start = 10785.151017}
        hoveredNode = {m_hitTestLocation = {m_point = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_boundingBox = {m_location = {m_x = 518, m_y = 3888}, m_size = {m_width = 1, m_height = 1}}, m_transformedPoint = {m_x = 518, m_y = 3888}, m_transformedRect = {m_p1 = {m_x = 518, m_y = 3888}, m_p2 = {m_x = 519, m_y = 3888}, m_p3 = {m_x = 519, m_y = 3889}, m_p4 = {m_x = 518, m_y = 3889}}, m_isRectBased = false, m_isRectilinear = true}, m_innerNode = {m_ptr = 0x7f9f00bc9d80}, m_innerNonSharedNode = {m_ptr = 0x7f9f00bc9d80}, m_pointInInnerNodeFrame = {m_x = {m_value = 33152}, m_y = {m_value = 248832}}, m_localPoint = {m_x = {m_value = 15104}, m_y = {m_value = 256}}, m_innerURLElement = {m_ptr = 0x0}, m_scrollbar = {m_ptr = 0x0}, m_isOverWidget = false, m_rectBasedTestResult = std::unique_ptr<WTF::ListHashSet<WTF::RefPtr<WebCore::Node>, 256ul, WTF::PtrHash<WTF::RefPtr<WebCore::Node> > >> containing 0x0}
        protector = {m_ptr = 0x7f9fb72e0000}
        result = <optimized out>
        page = 0x7fffe8f515e0
#13 0x00007f9fb5f9e298 in WebCore::UserInputBridge::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::InputSource) (this=<optimized out>, mouseEvent=..., inputSource=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebCore/replay/UserInputBridge.cpp:129
#14 0x00007f9fb5482365 in WebKit::handleMouseEvent(WebKit::WebMouseEvent const&, WebKit::WebPage*, bool) (mouseEvent=..., page=page@entry=0x7f9fb7307800, onlyUpdateScrollbars=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1883
        frame = <optimized out>
        platformMouseEvent = {<(anonymous namespace)::PlatformEvent> = {m_type = 5, m_modifiers = 0, m_timestamp = 10785141}, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_button = (anonymous namespace)::LeftButton, m_clickCount = 0, m_modifierFlags = 0}
#15 0x00007f9fb5487a3b in WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&) (this=this@entry=0x7f9fb7307800, mouseEvent=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1919
        currentEvent = {m_previousCurrentEvent = 0x0}
        handled = false
        mouseEvent = @0x7fffe8f51770: {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}
        this = 0x7f9fb7307800
#16 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (args=<unknown type in /var/cache/abrt-di/usr/lib/debug/usr/lib64/libwebkit2gtk-4.0.so.37.2.6.debug, CU 0x6eb6d81, DIE 0x6f7e465>, function=<optimized out>, object=0x7f9fb7307800) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/HandleMessage.h:16
        arguments = std::tuple containing = {[1] = {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}}
#17 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (function=<optimized out>, object=0x7f9fb7307800, args=<unknown type in /var/cache/abrt-di/usr/lib/debug/usr/lib64/libwebkit2gtk-4.0.so.37.2.6.debug, CU 0x6eb6d81, DIE 0x6fa07af>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/HandleMessage.h:22
        arguments = std::tuple containing = {[1] = {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}}
#18 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (function=<optimized out>, object=0x7f9fb7307800, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/HandleMessage.h:120
        arguments = std::tuple containing = {[1] = {<WebKit::WebEvent> = {m_type = 2, m_modifiers = 0, m_timestamp = 10785141}, m_button = 0, m_position = {m_x = 518, m_y = 528}, m_globalPosition = {m_x = 518, m_y = 602}, m_deltaX = 0, m_deltaY = 0, m_deltaZ = 0, m_clickCount = 0}}
#19 0x00007f9fb552d596 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) (this=0x7f9fb7307800, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/x86_64-redhat-linux-gnu/DerivedSources/WebKit2/WebPageMessageReceiver.cpp:172
#20 0x00007f9fb5316466 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection*, IPC::MessageDecoder&) (this=this@entry=0x2611b80, connection=connection@entry=0x7f9fb72dec00, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/MessageReceiverMap.cpp:87
        messageReceiver = 0x0
#21 0x00007f9fb5406882 in WebKit::WebProcess::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) (this=0x2611a80, connection=0x7f9fb72dec00, decoder=...) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/WebProcess/WebProcess.cpp:599
#22 0x00007f9fb53108d4 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >) (this=this@entry=0x7f9fb72dec00, message=std::unique_ptr<IPC::MessageDecoder> containing 0x7f9f1dccc120) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/Connection.cpp:828
        oldDidReceiveInvalidMessage = false
#23 0x00007f9fb5310a55 in IPC::Connection::dispatchOneMessage() (this=0x7f9fb72dec00) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Platform/IPC/Connection.cpp:856
        message = std::unique_ptr<IPC::MessageDecoder> containing 0x0
#24 0x00007f9fb678ad3a in WTF::RunLoop::performWork() (this=0x7f9fb72d4d90) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/RunLoop.cpp:104
        function = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f44001c00, _M_const_object = 0x7f9f44001c00, _M_function_pointer = 0x7f9f44001c00, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f44001c00}, _M_pod_data = "\000\034\000D\237\177\000\000\000\000\000\000\000\000\000"}, _M_manager = 0x7f9fb5313be0 <std::_Function_base::_Base_manager<WTF::Function<void ()> >::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation)>}, _M_invoker = 0x7f9fb5313af0 <std::_Function_handler<void (), WTF::Function<void ()> >::_M_invoke(std::_Any_data const&)>}
        functionsToHandle = <optimized out>
#25 0x00007f9fb3f74041 in WTF::GMainLoopSource::voidCallback() (this=0x7f9f36c92580) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/gobject/GMainLoopSource.cpp:364
        context = {source = {m_ptr = 0x7f9f44001100}, cancellable = {m_ptr = 0x0}, socketCancellable = {m_ptr = 0x0}, voidCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f44001dd0, _M_const_object = 0x7f9f44001dd0, _M_function_pointer = 0x7f9f44001dd0, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f44001dd0}, _M_pod_data = "\320\035\000D\237\177\000\000\000\000\000\000\000\000\000"}, _M_manager = 0x7f9fb6790500 <std::_Function_base::_Base_manager<WTF::RunLoop::wakeUp()::<lambda()> >::_M_manager(std::_Any_data &, const std::_Any_data &, std::_Manager_operation)>}, _M_invoker = 0x7f9fb67900f0 <std::_Function_handler<void(), WTF::RunLoop::wakeUp()::<lambda()> >::_M_invoke(const std::_Any_data &)>}, boolCallback = {<std::_Maybe_unary_or_binary_function<bool>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f4ddf4a40, _M_const_object = 0x7f9f4ddf4a40, _M_function_pointer = 0x7f9f4ddf4a40, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f4ddf4a40, this adjustment 140323850967806}, _M_pod_data = "@J\337M\237\177\000\000\376ZJ\261\237\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7f9f4ddf4a50}, socketCallback = {<std::_Maybe_unary_or_binary_function<bool, GIOCondition>> = {<std::unary_function<GIOCondition, bool>> = {<No data fields>}, <No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9f44000020, _M_const_object = 0x7f9f44000020, _M_function_pointer = 0x7f9f44000020, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9f44000020, this adjustment 8}, _M_pod_data = " \000\000D\237\177\000\000\b\000\000\000\000\000\000"}, _M_manager 
= 0x0}, _M_invoker = 0x7f9fb3f6fd20 <WTF::GMainLoopSource::schedule(char const*, std::function<void ()>, int, std::function<void ()>, _GMainContext*)>}, destroyCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f9ef7a8a2c0, _M_const_object = 0x7f9ef7a8a2c0, _M_function_pointer = 0x7f9ef7a8a2c0, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f9ef7a8a2c0, this adjustment 140322017378336}, _M_pod_data = "\300\242\250\367\236\177\000\000 \000\000D\237\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7f9f4ddf4610}}
#26 0x00007f9fb3f6f26a in WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*) (source=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WTF/wtf/gobject/GMainLoopSource.cpp:454
#27 0x00007f9fb14a87fb in g_main_context_dispatch (context=0x2108620) at gmain.c:3111
        dispatch = 0x7f9fb14a5340 <g_idle_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7f9f36c92580
        callback = 0x7f9fb3f6f260 <WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*)>
        cb_funcs = 0x7f9fb17968c0 <g_source_callback_funcs>
        cb_data = 0x7f9f44001190
        need_destroy = <optimized out>
        source = 0x7f9f44001100
        current = 0x20f24b0
        i = 0
#28 0x00007f9fb14a87fb in g_main_context_dispatch (context=context@entry=0x2108620) at gmain.c:3710
#29 0x00007f9fb14a8b98 in g_main_context_iterate (context=0x2108620, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3781
        max_priority = 0
        timeout = 0
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = 14
        fds = 0x4968400
#30 0x00007f9fb14a8ec2 in g_main_loop_run (loop=0x223a570) at gmain.c:3975
        __FUNCTION__ = "g_main_loop_run"
#31 0x00007f9fb55051f9 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=2, argv=<optimized out>) at /usr/src/debug/webkitgtk-2.6.5/Source/WebKit2/Shared/unix/ChildProcessMain.h:61
        childMain = {<WebKit::ChildProcessMainBase> = {_vptr.ChildProcessMainBase = 0x7f9fb7014f10 <vtable for WebKit::WebProcessMain+16>, m_parameters = {uiProcessName = {m_impl = {m_ptr = 0x0}}, clientIdentifier = {m_impl = {m_ptr = 0x0}}, connectionIdentifier = 14, extraInitializationData = {m_impl = {static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}}}, <No data fields>}
#32 0x00007f9fb42b1fe0 in __libc_start_main (main=0x400780 <main(int, char**)>, argc=2, argv=0x7fffe8f51d78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe8f51d68) at libc-start.c:289
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -6449711147121380725, 4196267, 140737101766000, 0, 0, 6449669822284558987, 6431541813330571915}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x4008b0 <__libc_csu_init>, 0x7fffe8f51d78}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4196528}}}
        not_first_call = <optimized out>
#33 0x00000000004007d4 in _start ()
Comment 1 Carlos Garcia Campos 2015-03-16 12:30:27 PDT
The thing is, why do we have a cairo surface for the drag image with a 0 size (imageSize = {m_width = 0, m_height = 0})? I think the cairo surface should be null in that case, and it should be handled before.
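The failure path the description and Comment 1 discuss, as an added C++ illustration that is not WebKit's code: small stand-ins for the cairo surface and ShareableBitmap, a creation routine that yields nullptr on failure, the early return in the conversion, and the empty-surface check before it. Every type and function name here is hypothetical, and the allocation-failure flag exists only to simulate the shared-memory failure the report suspects.

```cpp
// Added illustration of the null-pointer pattern in this report; the types are
// small stand-ins for WebKit's, not WebKit's own code, and every name is hypothetical.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

struct IntSize { int width; int height; };

// Stand-in for a cairo image surface: a size plus one ARGB32 word per pixel.
struct Surface {
    IntSize size;
    std::vector<uint32_t> pixels;
};

// Stand-in for ShareableBitmap. As in the report, creation can fail and then
// yields nullptr; here that happens for a zero-area size or when the flag
// below simulates a failed shared-memory allocation (hypothetical test knob).
class ShareableBitmap {
public:
    static bool simulateAllocationFailure;

    static std::shared_ptr<ShareableBitmap> createShareable(IntSize size) {
        if (size.width <= 0 || size.height <= 0 || simulateAllocationFailure)
            return nullptr;
        return std::shared_ptr<ShareableBitmap>(new ShareableBitmap(size));
    }
    uint32_t* data() { return m_pixels.data(); }
    size_t pixelCount() const { return m_pixels.size(); }

private:
    explicit ShareableBitmap(IntSize s)
        : m_pixels(static_cast<size_t>(s.width) * static_cast<size_t>(s.height)) {}
    std::vector<uint32_t> m_pixels;
};
bool ShareableBitmap::simulateAllocationFailure = false;

// The conversion with the early return the report asks for: a failed
// createShareable is propagated as nullptr instead of being dereferenced.
std::shared_ptr<ShareableBitmap> convertSurfaceToShareableBitmap(const Surface& surface) {
    auto bitmap = ShareableBitmap::createShareable(surface.size);
    if (!bitmap)
        return nullptr;
    // Copy the surface pixels into the shareable buffer (the real code paints
    // the surface through a graphics context; a plain copy suffices here).
    uint32_t* dst = bitmap->data();
    for (size_t i = 0; i < bitmap->pixelCount(); ++i)
        dst[i] = surface.pixels[i];
    return bitmap;
}

// Outcome of a drag start, so callers can see which guard fired.
enum class DragStart { Started, NoImage, BitmapUnavailable };

// Guard order from the discussion: reject an empty surface before converting
// (Comment 1), then treat a null bitmap as "no drag image" rather than crashing.
DragStart startDrag(const Surface* dragImage) {
    if (!dragImage || dragImage->size.width <= 0 || dragImage->size.height <= 0)
        return DragStart::NoImage;
    auto bitmap = convertSurfaceToShareableBitmap(*dragImage);
    if (!bitmap)
        return DragStart::BitmapUnavailable;
    // ... the bitmap's handle would be sent to the UI process here ...
    return DragStart::Started;
}
```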
Comment 2 Carlos Garcia Campos 2015-03-19 05:35:06 PDT
Created attachment 249035: Speculative fix

I can't reproduce this, but according to the backtrace, this patch could fix the problem.
Comment 3 Carlos Garcia Campos 2015-03-20 01:05:22 PDT
Committed r181787: <http://trac.webkit.org/changeset/181787>