RESOLVED FIXED
138211
[GTK] [Stable] Crash in EventPath::updateTouchLists()
https://bugs.webkit.org/show_bug.cgi?id=138211
Alberto Garcia
Reported
2014-10-30 02:55:46 PDT
This happens while browsing http://www.ekinops.net/ with WebKitGTK+ 2.4.7. The 2.6 series does not seem to be affected. Here's a backtrace from the debug build:

(gdb) bt
#0  0x00007ffff38ddc7e in WTF::Vector<WTF::RefPtr<WebCore::Touch>, 0ul, WTF::CrashOnOverflow>::size (this=0x8) at ../../Source/WTF/wtf/Vector.h:576
#1  0x00007ffff3bb36f8 in WebCore::TouchList::length (this=0x0) at ../../Source/WebCore/dom/TouchList.h:46
#2  0x00007ffff3bb4f86 in WebCore::EventPath::updateTouchLists (this=0x7fffffffbd10, touchEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:438
#3  0x00007ffff3bb45f2 in WebCore::EventDispatcher::dispatchEvent (origin=0x7f3b80, prpEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:316
#4  0x00007ffff3be92ed in WebCore::Node::dispatchTouchEvent (this=0x7f3b80, event=...) at ../../Source/WebCore/dom/Node.cpp:2068
#5  0x00007ffff3be8f71 in WebCore::Node::dispatchEvent (this=0x7f3b80, event=...) at ../../Source/WebCore/dom/Node.cpp:2035
#6  0x00007ffff3bbd9df in WebCore::EventTarget::dispatchEvent (this=0x7f3b80, event=..., ec=@0x7fffffffbfcc: 0) at ../../Source/WebCore/dom/EventTarget.cpp:152
#7  0x00007ffff4760e3a in WebCore::jsNodePrototypeFunctionDispatchEvent (exec=0x7fff8c7f8ec8) at DerivedSources/WebCore/JSNode.cpp:768
#8  0x00007fff97fff0e5 in ?? ()
#9  0x00007fff8c7f8f48 in ?? ()
#10 0x00007ffff15dc601 in llint_op_call () from WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0
#11 0x00007fff97fff8e0 in ?? ()
#12 0x00000000008a5e20 in ?? ()
#13 0x00000000008bcb70 in ?? ()
#14 0x00007fffec5bbbc0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x0000000000961380 in ?? ()
#16 0x00007ffff38d24fa in WebCore::JSDOMWindowBase::supportsProfiling (object=0x7fff97fff8e0) at ../../Source/WebCore/bindings/js/JSDOMWindowBase.cpp:121
#17 0x00007fffffffc0d0 in ?? ()
#18 0x00007ffff15939e0 in JSC::JITCode::execute (this=0xf0458b4832eb0000, vm=0xb8077500f07d, protoCallFrame=0x8348f04589480000, topOfStack=0xd90e8c7894860c0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:48
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

#2  0x00007ffff3bb4f86 in WebCore::EventPath::updateTouchLists (this=0x7fffffffbd10, touchEvent=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:438
438	    const size_t touchNodeCount = touchEvent.touches()->length() + touchEvent.targetTouches()->length() + touchEvent.changedTouches()->length();
(gdb) print touchEvent.touches()
$6 = (WebCore::TouchList *) 0x0
(gdb) print touchEvent.targetTouches()
$7 = (WebCore::TouchList *) 0x0
(gdb) print touchEvent.changedTouches()
$8 = (WebCore::TouchList *) 0x0
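A model of the crashing expression at EventDispatcher.cpp:438 next to a null-tolerant form, as an added example. The Touch, TouchList and TouchEvent types below are hypothetical stand-ins written for this example, not WebKit's classes, and neither function is the fix from changeset 167805; the point is the failure mode the gdb session shows (all three list accessors returning 0x0 on a script-dispatched TouchEvent) and how code that consumes the lists has to treat a missing list.

```cpp
#include <algorithm>
#include <cstddef>
#include <initializer_list>
#include <memory>
#include <vector>

// Hypothetical stand-ins for WebCore's Touch, TouchList and TouchEvent (added
// example, not WebKit code). A TouchList is a vector of touches, each carrying
// an integer in place of the Node* target a real Touch holds.
struct Touch {
    int targetId;
};

struct TouchList {
    std::vector<Touch> items;
    std::size_t length() const { return items.size(); }
};

// A TouchEvent created by script and dispatched without being initialised owns
// no lists at all, which is the state the gdb session shows: touches(),
// targetTouches() and changedTouches() all return 0x0.
struct TouchEvent {
    std::shared_ptr<TouchList> touches;
    std::shared_ptr<TouchList> targetTouches;
    std::shared_ptr<TouchList> changedTouches;
};

std::shared_ptr<TouchList> makeList(std::initializer_list<int> targetIds) {
    auto list = std::make_shared<TouchList>();
    for (int id : targetIds)
        list->items.push_back(Touch{id});
    return list;
}

// Constructed sample: an event initialised the way the touch code expects.
TouchEvent makeInitialisedEvent() {
    TouchEvent e;
    e.touches = makeList({1, 2});
    e.targetTouches = makeList({1});
    e.changedTouches = makeList({2});
    return e;
}

// The crashing shape from EventDispatcher.cpp:438: every list is dereferenced
// unconditionally. On an uninitialised event the first ->length() runs with
// this == nullptr, which is frame #1 (TouchList::length, this=0x0) in the
// backtrace. Never call this with a list missing.
std::size_t touchNodeCountUnchecked(const TouchEvent& e) {
    return e.touches->length() + e.targetTouches->length() + e.changedTouches->length();
}

// Null-tolerant shape: a missing list contributes no touches.
std::size_t lengthOrZero(const TouchList* list) {
    return list ? list->length() : 0;
}

std::size_t touchNodeCountChecked(const TouchEvent& e) {
    return lengthOrZero(e.touches.get())
         + lengthOrZero(e.targetTouches.get())
         + lengthOrZero(e.changedTouches.get());
}

// Stricter alternative: refuse to route an event that carries no lists, so the
// dispatcher never reaches the per-list loops for an uninitialised event.
// Which policy to adopt is the fix author's call; this only shows both forms.
bool hasTouchLists(const TouchEvent& e) {
    return e.touches && e.targetTouches && e.changedTouches;
}

// The follow-on work updateTouchLists does is per target: walk every list and
// group touches by target node. Reduced here to the sorted, de-duplicated set
// of target ids, skipping null lists the same way.
std::vector<int> collectTargets(const TouchEvent& e) {
    std::vector<int> ids;
    for (const TouchList* list : {e.touches.get(), e.targetTouches.get(), e.changedTouches.get()}) {
        if (!list)
            continue;
        for (const Touch& t : list->items)
            ids.push_back(t.targetId);
    }
    std::sort(ids.begin(), ids.end());
    ids.erase(std::unique(ids.begin(), ids.end()), ids.end());
    return ids;
}

int main() {
    TouchEvent ok = makeInitialisedEvent();
    TouchEvent uninitialised;  // all three lists are null, as in the gdb output
    std::size_t a = touchNodeCountChecked(ok);             // 4
    std::size_t b = touchNodeCountChecked(uninitialised);  // 0, nothing dereferenced
    return (a == 4 && b == 0 && !hasTouchLists(uninitialised)) ? 0 : 1;
}
```

touchNodeCountUnchecked is kept only to show the shape that faults; the checked counter and collectTargets are the forms a caller can run on either event. A release build without the fix reads through the null pointer silently until the size() call in frame #0 faults on address 0x8, so the ASAN-free way to catch this class of bug early is a debug assertion on the lists at the top of the consuming function.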
Alberto Garcia
Comment 1
2014-10-30 02:59:00 PDT
And it looks like here's the fix:
http://trac.webkit.org/changeset/167805
Alberto Garcia
Comment 2
2014-10-30 03:16:38 PDT
Ok, the aforementioned fix is enough to solve this problem in release builds. In debug builds it asserts here, though:

ASSERTION FAILED: m_isCheckingArgumentTypes || m_canExit
#0  0x00007f8c0ebb0b5f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
#1  0x00007f8c0e87e7d5 in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x1ea2b00, kind=JSC::Uncountable, jsValueSource=..., node=0x0, jumpToFail=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:113
#2  0x00007f8c0e88b55e in JSC::DFG::SpeculativeJIT::compileMakeRope (this=0x1ea2b00, node=0x7f8ba109f000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2753
#3  0x00007f8c0e853666 in JSC::DFG::SpeculativeJIT::compile (this=0x1ea2b00, node=0x7f8ba109f000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2427
#4  0x00007f8c0e884977 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x1ea2b00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1431
#5  0x00007f8c0e884fbc in JSC::DFG::SpeculativeJIT::compile (this=0x1ea2b00) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1543
#6  0x00007f8c0e7f0e16 in JSC::DFG::JITCompiler::compileBody (this=0x7fff555ecae0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:111
#7  0x00007f8c0e7f263d in JSC::DFG::JITCompiler::compileFunction (this=0x7fff555ecae0) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:336
#8  0x00007f8c0e84388e in JSC::DFG::Plan::compileInThreadImpl (this=0x1df46c0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:251
#9  0x00007f8c0e84319d in JSC::DFG::Plan::compileInThread (this=0x1df46c0, longLivedState=...) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:125
#10 0x00007f8c0e7c773e in JSC::DFG::compileImpl (vm=..., codeBlock=0x1df42f0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., callback=..., worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:108
#11 0x00007f8c0e7c77e1 in JSC::DFG::compile (vm=..., codeBlock=0x1df42f0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=0, mustHandleValues=..., passedCallback=..., worklist=0x0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:127
#12 0x00007f8c0e973184 in JSC::operationOptimize (exec=0x7f8bac6b4638, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1148
#13 0x00007f8bb6da5089 in ?? ()
#14 0x00007f8bb6d21920 in ?? ()
#15 0x00000000012ce070 in ?? ()
#16 0xffff000000000002 in ?? ()
#17 0xffff000000000000 in ?? ()
#18 0x00007f8bac16fca0 in ?? ()
#19 0x0000000000000001 in ?? ()
#20 0x00007fff555edc90 in ?? ()
#21 0x00007f8c0e95e9e0 in JSC::JITCode::execute (this=0xffff000000000001, vm=0x7f8bac0dedf0, protoCallFrame=0x7f8ba00bfe30, topOfStack=0x0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:48
Zan Dobersek
Comment 3
2014-12-02 00:26:02 PST
(In reply to comment #1)
> And it looks like here's the fix:
>
> http://trac.webkit.org/changeset/167805
Was this merged into 2.4?
Alberto Garcia
Comment 4
2014-12-02 00:33:58 PST
(In reply to comment #3)
> Was this merged into 2.4?
Not yet, but it's in the list of proposed fixes for 2.4.8:
http://trac.webkit.org/wiki/WebKitGTK/2.4.x
Alberto Garcia
Comment 5
2016-04-03 08:06:12 PDT
This has already been fixed.