1 0x431b17 bin/WebKitTestRunner(WTFCrash+0x17) [0x431b17] 2 0x430bed bin/WebKitTestRunner(_ZN3WTR16EventSenderProxy17releaseTouchPointEi+0x18d) [0x430bed] 3 0x424f08 bin/WebKitTestRunner(_ZN3WTR14TestController46didReceiveSynchronousMessageFromInjectedBundleEPK14OpaqueWKStringPKv+0x6d8) [0x424f08] 4 0x424fa9 bin/WebKitTestRunner(_ZN3WTR14TestController50didReceiveSynchronousPageMessageFromInjectedBundleEPK12OpaqueWKPagePK14OpaqueWKStringPKvPS8_S8_+0x19) [0x424fa9] 5 0x7f5ae50ed886 /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit27WebPageInjectedBundleClient46didReceiveSynchronousMessageFromInjectedBundleEPNS_12WebPageProxyERKN3WTF6StringEPN3API6ObjectERNS3_6RefPtrIS8_EE+0xb6) [0x7f5ae50ed886] 6 0x7f5ae50f3f5d /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit12WebPageProxy24handleSynchronousMessageERN3IPC10ConnectionERKN3WTF6StringERKNS_8UserDataERS8_+0x7d) [0x7f5ae50f3f5d] 7 0x7f5ae5302608 /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit12WebPageProxy21didReceiveSyncMessageERN3IPC10ConnectionERNS1_14MessageDecoderERSt10unique_ptrINS1_14MessageEncoderESt14default_deleteIS7_EE+0x12f8) [0x7f5ae5302608] 8 0x7f5ae506f5d1 /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC18MessageReceiverMap19dispatchSyncMessageERNS_10ConnectionERNS_14MessageDecoderERSt10unique_ptrINS_14MessageEncoderESt14default_deleteIS6_EE+0x2b1) [0x7f5ae506f5d1] 9 0x7f5ae512391b /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit15WebProcessProxy21didReceiveSyncMessageERN3IPC10ConnectionERNS1_14MessageDecoderERSt10unique_ptrINS1_14MessageEncoderESt14default_deleteIS7_EE+0x1b) [0x7f5ae512391b] 10 0x7f5ae506b5fb /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC10Connection19dispatchSyncMessageERNS_14MessageDecoderE+0x1cb) [0x7f5ae506b5fb] 11 0x7f5ae506b6ed /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC10Connection15dispatchMessageESt10unique_ptrINS_14MessageDecoderESt14default_deleteIS2_EE+0xdd) [0x7f5ae506b6ed] 12 0x7f5ae506c0d3 /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN3IPC10Connection18dispatchOneMessageEv+0xd3) [0x7f5ae506c0d3] 13 0x7f5ae67142cf /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF7RunLoop11performWorkEv+0x3ef) [0x7f5ae67142cf] 14 0x4735b5 bin/WebKitTestRunner(_ZN3WTF15GMainLoopSource12voidCallbackEv+0x295) [0x4735b5] 15 0x471b6a bin/WebKitTestRunner(_ZN3WTF15GMainLoopSource18voidSourceCallbackEPS0_+0xa) [0x471b6a] 16 0x7f5ae1f8abdd /home/cgarcia/gnome/lib/libglib-2.0.so.0(g_main_context_dispatch+0x13d) [0x7f5ae1f8abdd] 17 0x7f5ae1f8af78 /home/cgarcia/gnome/lib/libglib-2.0.so.0(+0x48f78) [0x7f5ae1f8af78] 18 0x7f5ae1f8b292 /home/cgarcia/gnome/lib/libglib-2.0.so.0(g_main_loop_run+0xc2) [0x7f5ae1f8b292] 19 0x7f5ae67193e0 /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF7RunLoop3runEv+0x120) [0x7f5ae67193e0] 20 0x42ee4f bin/WebKitTestRunner(_ZN3WTR14TestController16platformRunUntilERbd+0xbf) [0x42ee4f] 21 0x422db4 bin/WebKitTestRunner(_ZN3WTR14TestController28resetStateToConsistentValuesEv+0x2f4) [0x422db4] 22 0x42baa5 bin/WebKitTestRunner(_ZN3WTR14TestInvocation6invokeEv+0x375) [0x42baa5] 23 0x423b89 bin/WebKitTestRunner(_ZN3WTR14TestController7runTestEPKc+0xb9) [0x423b89] 24 0x4278b4 bin/WebKitTestRunner(_ZN3WTR14TestControllerC1EiPPKc+0x1f4) [0x4278b4] 25 0x41dee6 bin/WebKitTestRunner(main+0x56) [0x41dee6] 26 0x7f5ada630b45 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f5ada630b45] 27 0x41df68 bin/WebKitTestRunner() [0x41df68] This happens for example with fast/events/touch/inserted-fragment-touch-target.html because it does: eventSender.addTouchPoint(x, y); eventSender.touchStart(); eventSender.releaseTouchPoint(0); eventSender.touchEnd(); The test adds a listener to touchstart from which calls notifyDone(). Then the tests finishes and resetStateToConsistentValues() is called. This creates a new EventSenderProxy and then load about:blank. When loading abpout:blank the run loop starts again and it processes the injected bundle message for the js calls after the touchStart, releaseTouchPoint and touchEnd, but those are processed by the new EvenSenderProxy, and in this case releaseTouchPoint crashes because this new event sender doesn't have any touch event to process. I've added early returns when receiving injected bundle messages for the event sender when the test is not running and it fixes the crash, but I'm not sure if that's the right fix or just a workaround. This depends on bug #148528.