Bug 168292 (NEW)
REGRESSION(r212239): Crash in DragImage::operator=(WebCore::DragImage&&) when DragImageRef is the same
https://bugs.webkit.org/show_bug.cgi?id=168292
Carlos Garcia Campos
Reported 2017-02-14 00:11:09 PST
This happens at least in the GTK+ port where DragImageRef is a pointer (we should definitely change that). It caused several crashes in the bots:

Thread 1 (Thread 0x2b4ba8e96940 (LWP 11637)):
#0  0x00002b4ba28b3067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00002b4ba28b4448 in __GI_abort () at abort.c:89
#2  0x00002b4ba28ac266 in __assert_fail_base (fmt=0x2b4ba29e5238 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x2b4b9ba8ce08 "((*&(&surface->ref_count)->ref_count) > 0)", file=file@entry=0x2b4b9ba8cd38 "/home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/cairo-1.14.2/src/cairo-surface.c", line=line@entry=953, function=function@entry=0x2b4b9ba9d9f0 <__PRETTY_FUNCTION__.11168> "cairo_surface_destroy") at assert.c:92
#3  0x00002b4ba28ac312 in __GI___assert_fail (assertion=0x2b4b9ba8ce08 "((*&(&surface->ref_count)->ref_count) > 0)", file=0x2b4b9ba8cd38 "/home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/cairo-1.14.2/src/cairo-surface.c", line=953, function=0x2b4b9ba9d9f0 <__PRETTY_FUNCTION__.11168> "cairo_surface_destroy") at assert.c:101
#4  0x00002b4b9ba1a7c2 in cairo_surface_destroy () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/cairo-1.14.2/src/cairo-surface.c:953
#5  0x00002b4b9968b7f9 in WebCore::DragImage::operator=(WebCore::DragImage&&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00002b4b995d7e8b in WebCore::DragController::doImageDrag(WebCore::Element&, WebCore::IntPoint const&, WebCore::IntRect const&, WebCore::DataTransfer&, WebCore::Frame&, WebCore::IntPoint&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00002b4b995dbcc2 in WebCore::DragController::startDrag(WebCore::Frame&, WebCore::DragState const&, WebCore::DragOperation, WebCore::PlatformMouseEvent const&, WebCore::IntPoint const&) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00002b4b995e3994 in WebCore::EventHandler::handleDrag(WebCore::MouseEventWithHitTestResults const&, WebCore::CheckDragHysteresis) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00002b4b995e3eb8 in WebCore::EventHandler::handleMouseDraggedEvent(WebCore::MouseEventWithHitTestResults const&, WebCore::CheckDragHysteresis) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#10 0x00002b4b995eab67 in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37

When m_dragImageRef is the same as other.m_dragImageRef we end up deleting twice.
Attachments
Patch (1.34 KB, patch)
2017-02-14 00:14 PST, Carlos Garcia Campos
andersca: review-
Carlos Garcia Campos
Comment 1 2017-02-14 00:14:30 PST
Anders Carlsson
Comment 2 2017-02-14 10:06:02 PST
Comment on attachment 301472: Patch

This isn't right. Just self-move a no-op.
Carlos Garcia Campos
Comment 3 2017-02-14 22:52:20 PST
(In reply to comment #2)
> Comment on attachment 301472: Patch
>
> This isn't right. Just self-move a no-op.

I'm not sure this is actually a self-move, this and other are not the same, but both wrap the same pointer. This is no longer a problem for us, though, because I changed our DragImageRef to be a RefPtr too, and I don't think there are any other ports using raw pointers now.
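The scenario the report and comment 3 describe, as an added example that is not WebKit's code: a toy Surface stands in for cairo_surface_t, RawDragImage models a DragImageRef that is a raw pointer, and SurfacePtr models the RefPtr the GTK port switched to (with adopt() playing the role of adoptRef). The class names, adopt(), and the underflow counter are assumptions for illustration; the bodies are a model of the double delete, not a copy of WebKit's DragImage::operator=. The point of the example is the one comment 3 makes: the two wrappers are distinct objects over one pointer, so a self-move guard would not catch it, while a reference-counting DragImageRef gives each wrapper its own reference and the count simply goes 1 -> 2 -> 1 -> 0.

```cpp
// Added example, not WebKit code: a model of the double destroy in bug 168292.
// "Surface" stands in for cairo_surface_t; destroySurface() records a refcount
// underflow instead of aborting the way cairo's assertion does.
#include <cstdio>
#include <utility>

struct Surface {
    int refCount;    // live references; a freshly created surface has one
    int underflows;  // destroy calls made on an already dead surface
};

static Surface* createSurface() { return new Surface{1, 0}; }
static Surface* referenceSurface(Surface* s) { if (s) ++s->refCount; return s; }
static void destroySurface(Surface* s) {
    if (!s) return;
    if (s->refCount <= 0) { ++s->underflows; return; }  // cairo would assert here
    --s->refCount;  // memory is kept alive so the counters can be inspected
}

// 1) DragImageRef as a raw Surface*: the wrapper holds the pointer but owns
//    no reference of its own, so two wrappers over one pointer share one ref.
class RawDragImage {
public:
    explicit RawDragImage(Surface* s = nullptr) : m_ref(s) {}
    RawDragImage(RawDragImage&& o) : m_ref(std::exchange(o.m_ref, nullptr)) {}
    RawDragImage& operator=(RawDragImage&& o) {
        destroySurface(m_ref);                    // release ours...
        m_ref = std::exchange(o.m_ref, nullptr);  // ...then take the other's
        return *this;
    }
    ~RawDragImage() { destroySurface(m_ref); }
    Surface* get() const { return m_ref; }
private:
    Surface* m_ref;
};

// Returns {refCount, underflows} after a temporary wrapping the same pointer
// is move-assigned over the original: the assignment destroys the only
// reference, the destructor destroys it again. Expected: {0, 1}.
std::pair<int, int> rawPointerOutcome() {
    Surface* s = createSurface();
    {
        RawDragImage image(s);
        image = RawDragImage(image.get());  // distinct object, same pointer
    }
    std::pair<int, int> outcome{s->refCount, s->underflows};
    delete s;
    return outcome;
}

// 2) DragImageRef as a RefPtr-style pointer (comment 3's fix). Constructing
//    from a raw Surface* takes a reference; adopt() takes over a fresh one.
class SurfacePtr {
public:
    SurfacePtr() : m_ptr(nullptr) {}
    explicit SurfacePtr(Surface* s) : m_ptr(referenceSurface(s)) {}
    static SurfacePtr adopt(Surface* s) { SurfacePtr p; p.m_ptr = s; return p; }
    SurfacePtr(SurfacePtr&& o) : m_ptr(std::exchange(o.m_ptr, nullptr)) {}
    SurfacePtr& operator=(SurfacePtr&& o) {
        Surface* old = m_ptr;
        m_ptr = std::exchange(o.m_ptr, nullptr);
        destroySurface(old);  // drop our reference only after taking the new one
        return *this;
    }
    SurfacePtr(const SurfacePtr&) = delete;
    SurfacePtr& operator=(const SurfacePtr&) = delete;
    ~SurfacePtr() { destroySurface(m_ptr); }
    Surface* get() const { return m_ptr; }
private:
    Surface* m_ptr;
};

struct RefDragImage {
    SurfacePtr ref;  // the defaulted move assignment moves the SurfacePtr
    Surface* get() const { return ref.get(); }
};

// Same sequence with reference counting: the temporary takes its own
// reference, so the count goes 1 -> 2 -> 1 -> 0. Expected: {0, 0}.
std::pair<int, int> refPtrOutcome() {
    Surface* s = createSurface();
    {
        RefDragImage image{SurfacePtr::adopt(s)};
        image = RefDragImage{SurfacePtr(image.get())};
    }
    std::pair<int, int> outcome{s->refCount, s->underflows};
    delete s;
    return outcome;
}

int main() {
    std::pair<int, int> raw = rawPointerOutcome();
    std::pair<int, int> ref = refPtrOutcome();
    std::printf("raw pointer: refCount=%d underflows=%d\n", raw.first, raw.second);
    std::printf("RefPtr:      refCount=%d underflows=%d\n", ref.first, ref.second);
    return 0;
}
```

Under the real cairo library the first variant dies at the `ref_count > 0` assertion in cairo_surface_destroy, which is the frame #4 in the report; in a release build without that assertion it would be a use of freed memory instead.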