RESOLVED WONTFIX Bug 154905
WebKit assert in WebCore::VisiblePosition::previous() displaying youtube video
https://bugs.webkit.org/show_bug.cgi?id=154905
Rich Coe
Reported 2016-03-01 21:21:07 PST
I've been facing core dumps in the application liferea for a long time (months) that were always in the WebKit javascript library, but because debug was not available I did not have more information.

WebKit version 2.4.9, Linux x86_64

It reproduces fairly often, so I finally got around to compiling a debug version to get a proper traceback to the issue. These are my first results with debug. When I view videos from youtube embedded in a displayed web page, I get a crash. Sometimes it happens after viewing 3 or 4 videos, sometimes after viewing only one. In this instance, I had just started the application and had finished watching a short video. I restarted the video from the beginning and then clicked on the video itself.

ASSERTION FAILED: prev != *this
../../Source/WebCore/editing/VisiblePosition.cpp(89) : WebCore::VisiblePosition WebCore::VisiblePosition::previous(WebCore::EditingBoundaryCrossingRule) const
#0 0x00007fae13530f47 in WTFCrash() () at ../../Source/WTF/wtf/Assertions.cpp:333
#1 0x00007fae15ece33b in WebCore::VisiblePosition::previous(WebCore::EditingBoundaryCrossingRule) const (this=0x7fff3dd371b0, rule=WebCore::CanCrossEditingBoundary) at ../../Source/WebCore/editing/VisiblePosition.cpp:89
#2 0x00007fae15edb0d4 in WebCore::isStartOfDocument(WebCore::VisiblePosition const&) (p=...) at ../../Source/WebCore/editing/VisibleUnits.cpp:1411
#3 0x00007fae15e846ef in WebCore::FrameSelection::selectFrameElementInParentIfFullySelected() (this=0x336b580) at ../../Source/WebCore/editing/FrameSelection.cpp:1638
#4 0x00007fae15e7dbad in WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, unsigned int, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (this=0x336b580, newSelection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:322
#5 0x00007fae162d0c46 in WebCore::DOMSelection::addRange(WebCore::Range*) (this=0x49ddfb0, r=0x3d6d170) at ../../Source/WebCore/page/DOMSelection.cpp:395
#6 0x00007fae167c7e68 in WebCore::jsDOMSelectionPrototypeFunctionAddRange(JSC::ExecState*) (exec=0x7fad9c5d6e10) at DerivedSources/WebCore/JSDOMSelection.cpp:476
#7 0x00007fadabfff0e5 in ()
#8 0x00007fad9c5d6e60 in ()
#9 0x00007fae13327981 in llint_op_call () at /usr/local/lib64/libjavascriptcoregtk-3.0.so.0
#10 0x00007fadabfff920 in ()
#11 0x000000000261b4f0 in ()
Python Exception <type 'exceptions.OverflowError'> long too big to convert:
Python Exception <type 'exceptions.OverflowError'> long too big to convert:
#12 0xffffffffffffffff in ()
#13 0xffffffffffffffff in ()
#14 0x0000000001a19e10 in ()
#15 0x0000000000000000 in ()
(gdb) up
#1 0x00007fae15ece33b in WebCore::VisiblePosition::previous (this=0x7fff3dd371b0, rule=WebCore::CanCrossEditingBoundary) at ../../Source/WebCore/editing/VisiblePosition.cpp:89
89 ASSERT(prev != *this);
(gdb) p prev
$1 = {m_deepPosition = {m_anchorNode = {m_ptr = 0x3fb7220}, m_offset = 0, m_anchorType = 0, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM}
(gdb) print this
$2 = (const WebCore::VisiblePosition * const) 0x7fff3dd371b0
(gdb) p &prev
$3 = (WebCore::VisiblePosition *) 0x7fff3dd37080
(gdb) p *this
$4 = {m_deepPosition = {m_anchorNode = {m_ptr = 0x3fb7220}, m_offset = 0, m_anchorType = 0, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM}
(gdb) p pos
$5 = {m_anchorNode = {m_ptr = 0x2114740}, m_offset = 0, m_anchorType = 0, m_isLegacyEditingPosition = true}
Rich Coe
Comment 1 2016-03-01 21:22:13 PST
Bug 131018 trips a similar issue, but has a different traceback.
Rich Coe
Comment 2 2016-03-01 21:42:53 PST
I reproduced it again by pressing the right mouse button within the video to bring up the menu.
Rich Coe
Comment 3 2016-03-02 06:38:31 PST
The assert does not seem correct. I've bypassed it and am on to trying to reproduce my crash.
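Comment 3 bypasses the assertion. The C++ sketch below is an added illustration, not WebKit's code: it models the contract that `ASSERT(prev != *this)` in VisiblePosition::previous() protects (a previous() call must either move strictly earlier or report a null position), shows how a caller shaped like the isStartOfDocument() in frame #2 of the report misreads the document start when that contract is broken, and shows the progress check a backwards walker needs once ASSERT() is compiled out in a release build. The flat list of slots standing in for the DOM, the names `Doc`, `Pos`, `previousBuggy`, `previousFixed`, `isStartOfDocument`, `walkToStart` and the sample document are all assumptions made for the example.

```cpp
// Added illustration, not WebKit code: why previous() must make progress.
// WebKit's VisiblePosition::previous() asserts `prev != *this`; callers such
// as isStartOfDocument() rely on "no earlier position" being reported as a
// null position, never as the caller's own position again. This toy models
// that contract with a flat document of slots (an assumed stand-in for the DOM).
#include <cstddef>
#include <cstdio>
#include <limits>
#include <vector>

// A document is a list of slots; a caret may only rest on "visible" slots.
struct Doc {
    std::vector<bool> visible;
};

// A position is a slot index; kNull plays the role of VisiblePosition::isNull().
struct Pos {
    static constexpr std::size_t kNull = std::numeric_limits<std::size_t>::max();
    std::size_t index = kNull;
    bool isNull() const { return index == kNull; }
    bool operator==(const Pos& o) const { return index == o.index; }
    bool operator!=(const Pos& o) const { return index != o.index; }
};

using PrevFn = Pos (*)(const Doc&, Pos);

// Buggy previous(): steps back one slot, then "canonicalises" onto the nearest
// visible slot at or after that index. A run of invisible slots before the
// current one makes it snap straight back to the caller's own position,
// which is the non-progress case the WebKit assertion is there to catch.
Pos previousBuggy(const Doc& d, Pos p) {
    if (p.isNull() || p.index == 0) return Pos{};
    std::size_t i = p.index - 1;
    while (i < d.visible.size() && !d.visible[i]) ++i;
    return i < d.visible.size() ? Pos{i} : Pos{};
}

// Fixed previous(): searches strictly backwards and reports "no earlier
// position" as null, so the result is never equal to the input.
Pos previousFixed(const Doc& d, Pos p) {
    if (p.isNull()) return Pos{};
    for (std::size_t i = p.index; i > 0; --i)
        if (d.visible[i - 1]) return Pos{i - 1};
    return Pos{};
}

// Same shape as the caller in frame #2 of the report: "start of document"
// means previous() yields nothing.
bool isStartOfDocument(const Doc& d, Pos p, PrevFn prev) {
    return !p.isNull() && prev(d, p).isNull();
}

struct Walk {
    std::size_t steps = 0;
    bool invariantViolated = false;
};

// Walks back to the start. Without the progress check this loops forever on
// previousBuggy() in a release build, where ASSERT() compiles to nothing;
// with it, a non-advancing step is detected and treated as the start.
Walk walkToStart(const Doc& d, Pos p, PrevFn prev) {
    Walk w;
    while (!p.isNull()) {
        Pos q = prev(d, p);
        if (q == p) { w.invariantViolated = true; break; }
        p = q;
        ++w.steps;
    }
    return w;
}

// Constructed sample: the document starts with two invisible slots.
Doc sampleDoc() { return Doc{{false, false, true, true}}; }

int main() {
    Doc d = sampleDoc();
    Walk b = walkToStart(d, Pos{3}, previousBuggy);
    Walk f = walkToStart(d, Pos{3}, previousFixed);
    std::printf("buggy: steps=%zu violated=%d\n", b.steps, b.invariantViolated);
    std::printf("fixed: steps=%zu violated=%d\n", f.steps, f.invariantViolated);
    std::printf("isStartOfDocument(2): buggy=%d fixed=%d\n",
                isStartOfDocument(d, Pos{2}, previousBuggy),
                isStartOfDocument(d, Pos{2}, previousFixed));
    return 0;
}
```

Run as is, the buggy walker stops after one step with the violation flagged, while the fixed one reaches the start in two steps; with the buggy previous(), isStartOfDocument() answers false for slot 2 even though nothing visible precedes it. That is the practical cost of bypassing the assert rather than fixing what it reports: the check disappears in release builds, and any caller that loops on previous() then depends entirely on its own progress guard.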
Rich Coe
Comment 4 2016-03-04 20:08:30 PST
(gdb) where
#0 0x00007fa70a4bec76 in JSC::WriteBarrierBase<JSC::Structure>::operator->() const (this=0x0) at ../../Source/JavaScriptCore/runtime/WriteBarrier.h:123
#1 0x00007fa70a4d7dbe in JSC::JSCell::isString() const (this=0x0) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:124
#2 0x00007fa70a90da16 in JSC::JSCell::getPrimitiveNumber(JSC::ExecState*, double&, JSC::JSValue&) const (this=0x0, exec=0x7fa688ff8ae8, number=@0x7ffc6b7b1710: 6.9343542557821197e-310, value=...) at ../../Source/JavaScriptCore/runtime/JSCell.cpp:135
#3 0x00007fa70a7a02dd in JSC::JSValue::getPrimitiveNumber(JSC::ExecState*, double&, JSC::JSValue&) (this=0x7ffc6b7b1730, exec=0x7fa688ff8ae8, number=@0x7ffc6b7b1710: 6.9343542557821197e-310, value=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:600
#4 0x00007fa70a79abf9 in JSC::operationCompareLess(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue) (v2=..., v1=..., callFrame=0x7fa688ff8ae8) at ../../Source/JavaScriptCore/runtime/Operations.h:136
#5 0x00007fa70a79abf9 in JSC::operationCompareLess(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue) (exec=0x7fa688ff8ae8, encodedOp1=-281474976710655, encodedOp2=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:829
#6 0x00007fa6a42fcb37 in ()
#7 0x00007fa6a43f1240 in ()
#8 0x00007fa6f82ca2d0 in ()
#9 0x00007ffc6b7b2350 in ()
#10 0x00007ffc6b7b23b0 in ()
#11 0x0000000000000000 in ()
Rich Coe
Comment 5 2016-03-04 20:10:13 PST
I think this is an issue in the 2.4.9 javascript implementation. It seems to be fixed in a later webkit release, but later releases only support webkit2 api.