Bug 30121

Summary: [GTK] Segfault while testing fast/events/keydown-keypress-preventDefault.html
Product: WebKit
Reporter: Philippe Normand <pnormand>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, mrobinson, xan.lopez
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5

Attachments:
Fix for this issue (Flags: none)

Description Philippe Normand 2009-10-06 05:46:14 PDT
Thread 2 (Thread 0xf4120b90 (LWP 16702)):
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf55f4292 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:179
#2  0xf4fcb06d in g_cond_timed_wait_posix_impl (cond=0x80fbc58, entered_mutex=0x80, abs_time=0x9)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gthread/gthread-posix.c:242
#3  0xf4e00b19 in g_async_queue_pop_intern_unlocked (queue=0x80fa478, try=<value optimized out>, end_time=0xf41202e4)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/glib/gasyncqueue.c:365
#4  0xf4e537a8 in g_thread_pool_wait_for_new_task (data=0x80fa440) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/glib/gthreadpool.c:220
#5  g_thread_pool_thread_proxy (data=0x80fa440) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/glib/gthreadpool.c:254
#6  0xf4e5211f in g_thread_create_proxy (data=0x80fa4b8) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/glib/gthread.c:635
#7  0xf55f04b5 in start_thread (arg=0xf4120b90) at pthread_create.c:300
#8  0xf4c38a5e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

Thread 1 (Thread 0xf42e4760 (LWP 16690)):
#0  0xf695cc7e in imContextCommitted (context=0x80a4040, str=0x81892f0 "A", client=0x80ae098) at ../../WebKit/gtk/WebCoreSupport/EditorClientGtk.cpp:64
#1  0xf4ebfc5c in IA__g_cclosure_marshal_VOID__STRING (closure=0x80ae0d0, return_value=0x0, n_param_values=2, param_values=0x8097400, invocation_hint=0xffffb78c, 
    marshal_data=0xf695cc33) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gmarshal.c:496
#2  0xf4eb2e43 in IA__g_closure_invoke (closure=0x80ae0d0, return_value=0x0, n_param_values=2, param_values=0x8097400, invocation_hint=0xffffb78c)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gclosure.c:767
#3  0xf4ec6e5f in signal_emit_unlocked_R (node=0x80ad168, detail=0, instance=0x80a4040, emission_return=0x0, instance_and_params=0x8097400)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gsignal.c:3247
#4  0xf4ec82a9 in IA__g_signal_emit_valist (instance=0x80a4040, signal_id=146, detail=0, 
    var_args=0xffffb96c "\4\344\22\b\231m4\365\230F\356\364\250\271\377\377\\\374\353\364Xi\24\b\360\232\30\b@@\n\b\2")
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gsignal.c:2980
#5  0xf4ec85a5 in IA__g_signal_emit_by_name (instance=0x80a4040, detailed_signal=0xf5517f03 "commit")
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gsignal.c:3074
#6  0xf5346dbe in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#7  0xf4ebfc5c in IA__g_cclosure_marshal_VOID__STRING (closure=0x81810a8, return_value=0x0, n_param_values=2, param_values=0x8097428, invocation_hint=0xffffbb0c, 
    marshal_data=0xf5346d90) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gmarshal.c:496
#8  0xf4eb2e43 in IA__g_closure_invoke (closure=0x81810a8, return_value=0x0, n_param_values=2, param_values=0x8097428, invocation_hint=0xffffbb0c)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gclosure.c:767
#9  0xf4ec6e5f in signal_emit_unlocked_R (node=0x80ad168, detail=0, instance=0x8146958, emission_return=0x0, instance_and_params=0x8097428)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gsignal.c:3247
#10 0xf4ec82a9 in IA__g_signal_emit_valist (instance=0x8146958, signal_id=146, detail=0, var_args=0xffffbcec "n\347\36\365")
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gsignal.c:2980
#11 0xf4ec85a5 in IA__g_signal_emit_by_name (instance=0x8146958, detailed_signal=0xf5517f03 "commit")
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gsignal.c:3074
#12 0xf53446ed in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#13 0xf5345437 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#14 0xf5343b9c in gtk_im_context_filter_keypress () from /usr/lib/libgtk-x11-2.0.so.0
#15 0xf5343b9c in gtk_im_context_filter_keypress () from /usr/lib/libgtk-x11-2.0.so.0
#16 0xf695b97a in WebKit::EditorClient::handleInputMethodKeydown (this=0x80ae098, event=0x814fe68) at ../../WebKit/gtk/WebCoreSupport/EditorClientGtk.cpp:578
#17 0xf6d3371f in WebCore::Editor::handleInputMethodKeydown (this=0x80c93d8, event=0x814fe68) at ../../WebCore/editing/Editor.cpp:114
#18 0xf6ed614f in WebCore::EventHandler::keyEvent (this=0x80c9404, initialKeyEvent=...) at ../../WebCore/page/EventHandler.cpp:2058
#19 0xf6989673 in webkit_web_view_key_press_event (widget=0x80c5000, event=0xffffc35c) at ../../WebKit/gtk/webkit/webkitwebview.cpp:464
#20 0xf5364ef6 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#21 0xf4eb15c9 in g_type_class_meta_marshal (closure=0x41, return_value=0xffffc170, n_param_values=2, param_values=0xf69895e1, invocation_hint=0xffffc15c, marshal_data=0xcc)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gclosure.c:878
#22 0xf4eb2e43 in IA__g_closure_invoke (closure=0x80b02b8, return_value=0xffffc170, n_param_values=2, param_values=0x8097450, invocation_hint=0xffffc15c)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gclosure.c:767
#23 0xf4ec6b07 in signal_emit_unlocked_R (node=0x80b0230, detail=0, instance=0x80c5000, emission_return=0xffffc2a8, instance_and_params=0x8097450)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gsignal.c:3285
#24 0xf4ec813f in IA__g_signal_emit_valist (instance=0x80c5000, signal_id=42, detail=0, 
    var_args=0xffffc33c "\240\303\377\377\300+L\363\332Q\231\366h\303\377\377\300+L\363\376\377\377\377\310\62\375\367h\303\377\377\b")
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gsignal.c:2990
#25 0xf4ec85a5 in IA__g_signal_emit_by_name (instance=0x80c5000, detailed_signal=0x805c549 "key-press-event")
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gobject/gsignal.c:3074
#26 0x08056e7a in keyDownCallback (context=0xf351c100, function=0xf34c3280, thisObject=0xf34c2b80, argumentCount=1, arguments=0xffffc3fc, exception=0xffffc444)
    at ../../WebKitTools/DumpRenderTree/gtk/EventSender.cpp:439
#27 0xf699219c in JSC::JSCallbackFunction::call (exec=0xf351c100, functionObject=0xf34c3280, thisValue=..., args=...) at ../../JavaScriptCore/API/JSCallbackFunction.cpp:65
#28 0xf69d8531 in cti_op_call_NotJSFunction (args=0x81309f0) at ../../JavaScriptCore/jit/JITStubs.cpp:1607
#29 0xf69cf4fa in doubleHash (key=4086415888) at ../../JavaScriptCore/wtf/HashTable.h:437
#30 0xf6a08787 in JSC::JITCode::execute (this=0x80ff100, registerFile=0x8107a64, callFrame=0xf351c050, globalData=0x81054e0, exception=0x8105f0c)
    at ../../JavaScriptCore/jit/JITCode.h:79
#31 0xf69f6af8 in JSC::Interpreter::execute (this=0x8107a58, functionExecutable=0x80ff0f0, callFrame=0x8107e3c, function=0xf34c2d80, thisObj=0xf34c0000, args=..., 
    scopeChain=0x810ca90, exception=0x8105f0c) at ../../JavaScriptCore/interpreter/Interpreter.cpp:724
#32 0xf6ac5a99 in JSC::JSFunction::call (this=0xf34c2d80, exec=0x8107e3c, thisValue=..., args=...) at ../../JavaScriptCore/runtime/JSFunction.cpp:120
#33 0xf6aa8152 in JSC::call (exec=0x8107e3c, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...)
    at ../../JavaScriptCore/runtime/CallData.cpp:39
#34 0xf6b5da6b in WebCore::JSEventListener::handleEvent (this=0x8130bd8, scriptExecutionContext=0x81007f0, event=0x80feb90)
    at ../../WebCore/bindings/js/JSEventListener.cpp:112
#35 0xf6cb6e3a in WebCore::EventTarget::fireEventListeners (this=0x80e4ea0, event=0x80feb90) at ../../WebCore/dom/EventTarget.cpp:272
#36 0xf6ec7a3d in WebCore::DOMWindow::dispatchEvent (this=0x80e4ea0, prpEvent=..., prpTarget=...) at ../../WebCore/page/DOMWindow.cpp:1318
#37 0xf6ec86f3 in WebCore::DOMWindow::dispatchLoadEvent (this=0x80e4ea0) at ../../WebCore/page/DOMWindow.cpp:1288
#38 0xf6c7e458 in WebCore::Document::dispatchWindowLoadEvent (this=0x81007c0) at ../../WebCore/dom/Document.cpp:2892
#39 0xf6c7fbf6 in WebCore::Document::implicitClose (this=0x81007c0) at ../../WebCore/dom/Document.cpp:1715
#40 0xf6e8ca92 in WebCore::FrameLoader::checkCallImplicitClose (this=0x80c8ff4) at ../../WebCore/loader/FrameLoader.cpp:1258
#41 0xf6e914b5 in WebCore::FrameLoader::checkCompleted (this=0x80c8ff4) at ../../WebCore/loader/FrameLoader.cpp:1206
#42 0xf6e92ace in WebCore::FrameLoader::finishedParsing (this=0x80c8ff4) at ../../WebCore/loader/FrameLoader.cpp:1144
#43 0xf6c80ffb in WebCore::Document::finishedParsing (this=0x81007c0) at ../../WebCore/dom/Document.cpp:4020
#44 0xf6de7a45 in WebCore::HTMLParser::finished (this=0x80e0430) at ../../WebCore/html/HTMLParser.cpp:1635
#45 0xf6dfdb62 in WebCore::HTMLTokenizer::end (this=0x80e6020) at ../../WebCore/html/HTMLTokenizer.cpp:1859
#46 0xf6dfdf64 in WebCore::HTMLTokenizer::finish (this=0x80e6020) at ../../WebCore/html/HTMLTokenizer.cpp:1899
#47 0xf6c76ee5 in WebCore::Document::finishParsing (this=0x81007c0) at ../../WebCore/dom/Document.cpp:1860
#48 0xf6e8d7f6 in WebCore::FrameLoader::endIfNotLoadingMainResource (this=0x80c8ff4) at ../../WebCore/loader/FrameLoader.cpp:986
#49 0xf6e8d82f in WebCore::FrameLoader::end (this=0x80c8ff4) at ../../WebCore/loader/FrameLoader.cpp:971
#50 0xf6e6f736 in WebCore::DocumentLoader::finishedLoading (this=0x80f5880) at ../../WebCore/loader/DocumentLoader.cpp:330
#51 0xf6e87d2c in WebCore::FrameLoader::finishedLoading (this=0x80c8ff4) at ../../WebCore/loader/FrameLoader.cpp:2875
#52 0xf6e9d5e8 in WebCore::MainResourceLoader::didFinishLoading (this=0x80f8e00) at ../../WebCore/loader/MainResourceLoader.cpp:375
#53 0xf6ea6ab2 in WebCore::ResourceLoader::didFinishLoading (this=0x80f8e00) at ../../WebCore/loader/ResourceLoader.cpp:403
#54 0xf72cdd15 in closeCallback (source=0x80dfac0, res=0x80f8790) at ../../WebCore/platform/network/soup/ResourceHandleSoup.cpp:689
#55 0xf4f22572 in async_ready_close_callback_wrapper (source_object=0x80dfac0, res=0x80f8790, user_data=0x0)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gio/ginputstream.c:485
#56 0xf4f30cd9 in IA__g_simple_async_result_complete (simple=0x80f8790) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gio/gsimpleasyncresult.c:588
#57 0xf4f3100e in complete_in_idle_cb_for_thread (_data=0x80f0db0) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/gio/gsimpleasyncresult.c:650
#58 0xf4e260b1 in g_idle_dispatch (source=0x80fbb80, callback=0xbbadbeef, user_data=0x80f0db0) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/glib/gmain.c:4065
#59 0xf4e27e98 in g_main_dispatch (context=0x8095da0) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/glib/gmain.c:1960
#60 IA__g_main_context_dispatch (context=0x8095da0) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/glib/gmain.c:2513
#61 0xf4e2b623 in g_main_context_iterate (context=0x8095da0, block=1, dispatch=1, self=0x8073060)
    at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/glib/gmain.c:2591
#62 0xf4e2b7a8 in IA__g_main_context_iteration (context=0x8095da0, may_block=1) at /build/buildd-glib2.0_2.22.1-1-i386-tx7y62/glib2.0-2.22.1/glib/gmain.c:2654
#63 0x08055f17 in runTest (testPathOrURL=...) at ../../WebKitTools/DumpRenderTree/gtk/DumpRenderTree.cpp:484
#64 0x08056424 in main (argc=2, argv=0xffffd7a4) at ../../WebKitTools/DumpRenderTree/gtk/DumpRenderTree.cpp:807
Comment 1 Xan Lopez 2009-10-06 06:10:54 PDT
So basically it seems imContextCommitted can and will be called when there's an existing pendingComposition...
Comment 2 Martin Robinson 2009-10-06 10:29:03 PDT
Philippe, do you happen to know what GTK+ input method you are using? It's listed when you right click on an input field in GTK+.
Comment 3 Philippe Normand 2009-10-06 23:57:47 PDT
(In reply to comment #2)
> Philippe, do you happen to know what GTK+ input method you are using? It's
> listed when you right click on an input field in GTK+.

This test is failing on our buildbot. I don't have access to the X server; we use Xvfb.
Comment 4 Martin Robinson 2009-10-07 01:08:56 PDT
Created attachment 40769 [details]
Fix for this issue

In this case it appears as though preventDefault() was preventing the creation of a keypress event. Preedit and completed composition data are processed during keypress events. Thus, in this test, the unused data was still lingering during the next keydown event. The attached patch handles this situation by first clearing the previous data, if any exists, during keydown events.
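As an added illustration of the sequence described in comment 4 (not WebKit's code; all names are hypothetical), this small C++ model tracks pending composition data: preventDefault() suppresses the keypress that would normally consume committed IM text, so the next keydown's "commit" arrives with stale data still present, and clearing at keydown removes that condition.

```cpp
#include <string>
#include <vector>

// Hypothetical model of the GTK editor client's composition bookkeeping
// (names are illustrative; this is not WebKit's EditorClientGtk code).
struct CompositionState {
    bool hasPending = false;      // IM "commit" text received, not yet consumed by keypress
    std::string pendingText;
    bool clearOnKeydown = false;  // the fix from comment 4: drop stale data at keydown
    int staleCommits = 0;         // commits that arrived with data already pending
};

// Handler for the IM context's "commit" signal. The original code assumed no
// composition was pending here; this model counts how often that assumption fails.
void imContextCommitted(CompositionState& s, const std::string& str) {
    if (s.hasPending)
        ++s.staleCommits;
    s.hasPending = true;
    s.pendingText = str;
}

// keydown: the key is passed through the IM context, which emits "commit".
void handleKeydown(CompositionState& s, const std::string& key) {
    if (s.clearOnKeydown) {
        s.hasPending = false;     // discard data a suppressed keypress never consumed
        s.pendingText.clear();
    }
    imContextCommitted(s, key);
}

// keypress: normally consumes the pending composition. Not dispatched when
// the page called preventDefault() on the preceding keydown.
void handleKeypress(CompositionState& s) {
    s.hasPending = false;
    s.pendingText.clear();
}

// Type the given keys; returns how many commits hit the stale-data condition.
int simulateTyping(const std::vector<std::string>& keys, bool preventDefault, bool clearOnKeydown) {
    CompositionState s;
    s.clearOnKeydown = clearOnKeydown;
    for (const auto& key : keys) {
        handleKeydown(s, key);
        if (!preventDefault)
            handleKeypress(s);
    }
    return s.staleCommits;
}
```

With constructed input of two keystrokes and preventDefault() on keydown, the unfixed model reports one stale commit on the second key, and the keydown-clearing variant reports none.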
Comment 5 Xan Lopez 2009-10-07 01:12:20 PDT
Comment on attachment 40769 [details]
Fix for this issue

r=me
Comment 6 WebKit Commit Bot 2009-10-07 01:23:40 PDT
Comment on attachment 40769 [details]
Fix for this issue

Clearing flags on attachment: 40769

Committed r49233: <http://trac.webkit.org/changeset/49233>
Comment 7 WebKit Commit Bot 2009-10-07 01:23:44 PDT
All reviewed patches have been landed.  Closing bug.