Bug 82605

Summary: segfault in pathForRenderer (GestureTapHighlighter) when tapping on an iframe.
Product: WebKit Reporter: alan <zalan>
Component: Layout and RenderingAssignee: alan <zalan>
Status: RESOLVED FIXED    
Severity: Normal CC: kenneth, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 82604    
Attachments:
Description Flags
test case
none
Patch
none
Patch
none
Patch none

alan
Reported 2012-03-29 06:14:59 PDT
1 0x7f20118bc069 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN3WTF6VectorIN7WebCore7IntRectELm0EE2atEm+0x4b) [0x7f20118bc069] 2 0x7f2012139e35 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(+0x25bae35) [0x7f2012139e35] 3 0x7f201213a2b8 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7WebCore21GestureTapHighlighter20pathForNodeHighlightEPKNS_4NodeE+0x8e) [0x7f201213a2b8] 4 0x7f20118c009a /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit22TapHighlightController9highlightEPN7WebCore4NodeE+0x66) [0x7f20118c009a] 5 0x7f20118d561e /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit7WebPage28highlightPotentialActivationERKN7WebCore8IntPointERKNS1_7IntSizeE+0x178) [0x7f20118d561e] 6 0x7f2011919c9d /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7CoreIPC18callMemberFunctionIN6WebKit7WebPageEMS2_FvRKN7WebCore8IntPointERKNS3_7IntSizeEES4_S7_EEvRKNS_10Arguments2IT1_T2_EEPT_T0_+0x64) [0x7f2011919c9d] 7 0x7f2011917046 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7CoreIPC13handleMessageIN8Messages7WebPage28HighlightPotentialActivationEN6WebKit7WebPageEMS5_FvRKN7WebCore8IntPointERKNS6_7IntSizeEEEEvPNS_15ArgumentDecoderEPT0_T1_+0x59) [0x7f2011917046] 8 0x7f2011915362 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit7WebPage24didReceiveWebPageMessageEPN7CoreIPC10ConnectionENS1_9MessageIDEPNS1_15ArgumentDecoderE+0x374) [0x7f2011915362] 9 0x7f20118d933c /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit7WebPage17didReceiveMessageEPN7CoreIPC10ConnectionENS1_9MessageIDEPNS1_15ArgumentDecoderE+0x124) [0x7f20118d933c] 10 0x7f20118f1200 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit10WebProcess17didReceiveMessageEPN7CoreIPC10ConnectionENS1_9MessageIDEPNS1_15ArgumentDecoderE+0x2b0) [0x7f20118f1200] 11 0x7f20118eecd9 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit24WebConnectionToUIProcess17didReceiveMessageEPN7CoreIPC10ConnectionENS1_9MessageIDEPNS1_15ArgumentDecoderE+0x11b) [0x7f20118eecd9] 12 0x7f20116c1ed1 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7CoreIPC10Connection15dispatchMessageERNS0_7MessageINS_15ArgumentDecoderEEE+0x14b) [0x7f20116c1ed1] 13 0x7f20116c20ab /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7CoreIPC10Connection16dispatchMessagesEv+0xaf) [0x7f20116c20ab] 14 0x7f20116cc056 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN3WTF15FunctionWrapperIMN7CoreIPC10ConnectionEFvvEEclEPS2_+0x58) [0x7f20116cc056] 15 0x7f20116cbe14 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN3WTF17BoundFunctionImplINS_15FunctionWrapperIMN7CoreIPC10ConnectionEFvvEEEFvPS3_EEclEv+0x32) [0x7f20116cbe14] 16 0x7f20117915fa /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZNK3WTF8FunctionIFvvEEclEv+0x72) [0x7f20117915fa] 17 0x7f201220d640 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7WebCore7RunLoop11performWorkEv+0x74) [0x7f201220d640] 18 0x7f20124aaf85 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7WebCore7RunLoop11TimerObject11performWorkEv+0x3b) [0x7f20124aaf85] 19 0x7f20124abab3 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(+0x292cab3) [0x7f20124abab3] 20 0x7f200f06b637 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN14QMetaCallEvent13placeMetaCallEP7QObject+0xc3) [0x7f200f06b637] 21 0x7f200f06c4b0 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN7QObject5eventEP6QEvent+0x124) [0x7f200f06c4b0] 22 0x7f200f48993c /home/zbujtas/qt5/qtbase/lib/libQtWidgets.so.5(_ZN19QApplicationPrivate13notify_helperEP7QObjectP6QEvent+0x17c) [0x7f200f48993c] 23 0x7f200f486fec /home/zbujtas/qt5/qtbase/lib/libQtWidgets.so.5(_ZN12QApplication6notifyEP7QObjectP6QEvent+0x3f8) [0x7f200f486fec] 24 0x7f200f039362 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN16QCoreApplication14notifyInternalEP7QObjectP6QEvent+0x9e) [0x7f200f039362] 25 0x7f200f03d0b3 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN16QCoreApplication9sendEventEP7QObjectP6QEvent+0x51) [0x7f200f03d0b3] 26 0x7f200f03a3f6 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN23QCoreApplicationPrivate16sendPostedEventsEP7QObjectiP11QThreadData+0x452) [0x7f200f03a3f6] 27 0x7f200f039fa1 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN16QCoreApplication16sendPostedEventsEP7QObjecti+0x2d) [0x7f200f039fa1] 28 0x7f200f0a0428 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(+0x25f428) [0x7f200f0a0428] 29 0x7f200c352a5d /lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_dispatch+0x1dd) [0x7f200c352a5d] 30 0x7f200c353258 /lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x45258) [0x7f200c353258] 31 0x7f200c353429 /lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_iteration+0x69) [0x7f200c353429] WARNING: The web process experienced a crash on 'file:///home/zbujtas/Documents/in.html'.
Attachments
test case (441 bytes, text/html)
2012-03-29 06:17 PDT, alan 		no flags
Details
Patch (3.13 KB, patch)
2012-03-29 06:53 PDT, alan 		no flags
DetailsFormatted DiffDiff
Patch (3.42 KB, patch)
2012-03-29 14:20 PDT, alan 		no flags
DetailsFormatted DiffDiff
Patch (3.51 KB, patch)
2012-03-30 07:37 PDT, alan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
alan
Comment 1 2012-03-29 06:17:18 PDT
Created attachment 134559 [details] test case
alan
Comment 2 2012-03-29 06:53:27 PDT
Created attachment 134569 [details] Patch
alan
Comment 3 2012-03-29 06:55:42 PDT
Comment on attachment 134569 [details] Patch Alternatively, we could 1, do ASSERT(!rects.empty()) instead of the early return, though the function at other place checks for rects.size(), so presumably the functions expects empty rects. 2, try to leave out the first and the last items of the vector differently. (do the for loop differently)
alan
Comment 4 2012-03-29 09:16:23 PDT
Comment on attachment 134569 [details] Patch as per Kenneth's comment, i'll be using end = size(); instead of the explicit cast.
alan
Comment 5 2012-03-29 14:20:37 PDT
Created attachment 134664 [details] Patch
Kenneth Rohde Christiansen
Comment 6 2012-03-30 02:13:50 PDT
Comment on attachment 134664 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=134664&action=review > ManualTests/tap-gesture-in-iframe-with-tap-highlight.html:1 > +<html> Maybe -crash in the name would be good (file name)
alan
Comment 7 2012-03-30 07:37:52 PDT
Created attachment 134813 [details] Patch
WebKit Review Bot
Comment 8 2012-03-30 13:56:08 PDT
Comment on attachment 134813 [details] Patch Clearing flags on attachment: 134813 Committed r112723: <http://trac.webkit.org/changeset/112723>
WebKit Review Bot
Comment 9 2012-03-30 13:56:12 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.