RESOLVED FIXED 49314
[gtk] The revision r71528 causes crashes in GObjectEventListener
https://bugs.webkit.org/show_bug.cgi?id=49314
Alejandro G. Castro
Reported 2010-11-10 03:23:52 PST
The patch fixing bug 49136 is causing crashes; you can check it in the bots' cores log, or it can also be reproduced with epiphany by opening the browser and loading a webpage:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56658fb in WTF::RefCountedBase::ref (this=0x171c408) at ../../../JavaScriptCore/wtf/RefCounted.h:37
37	    ASSERT(!m_adoptionIsRequired);
Missing separate debuginfos, use: debuginfo-install nss-3.12.8-2.fc13.x86_64 nss-util-3.12.8-1.fc13.x86_64
(gdb) bt
#0  0x00007ffff56658fb in WTF::RefCountedBase::ref (this=0x171c408) at ../../../JavaScriptCore/wtf/RefCounted.h:37
#1  0x00007ffff569b4f7 in WTF::refIfNotNull<WebCore::EventListener> (ptr=0x171c400) at ../../../JavaScriptCore/wtf/PassRefPtr.h:53
#2  0x00007ffff569b49b in WTF::PassRefPtr<WebCore::EventListener>::PassRefPtr (this=0x7fffffffb640, ptr=0x171c400) at ../../../JavaScriptCore/wtf/PassRefPtr.h:67
#3  0x00007ffff569af3c in WebCore::GObjectEventListener::GObjectEventListener (this=0x171c400, object=0x1807200, window=0x0, node=0x173cbd0, domEventName=0x7ffff74620f8 "focus", signalName=0x7ffff74620ec "focus-event") at ../../../WebCore/bindings/gobject/GObjectEventListener.cpp:46
#4  0x00007ffff639736e in WebCore::GObjectEventListener::addEventListener (object=0x1807200, node=0x173cbd0, domEventName=0x7ffff74620f8 "focus", signalName=0x7ffff74620ec "focus-event") at ../../../WebCore/bindings/gobject/GObjectEventListener.h:44
#5  0x00007ffff6394dd2 in webkit_dom_node_constructed (object=0x1807200) at DerivedSources/webkit/WebKitDOMNode.cpp:775
#6  0x00007ffff632d2cc in webkit_dom_document_constructed (object=0x1807200) at DerivedSources/webkit/WebKitDOMDocument.cpp:1461
#7  0x00007ffff131ee56 in g_object_newv (object_type=25016448, n_parameters=1, parameters=0x18b7270) at gobject.c:1495
#8  0x00007ffff131f4a4 in g_object_new_valist (object_type=25016448, first_property_name=0x7ffff739a900 "core-object", var_args=0x7fffffffb910) at gobject.c:1583
#9  0x00007ffff131e670 in g_object_new (object_type=25016448, first_property_name=0x7ffff739a900 "core-object") at gobject.c:1301
#10 0x00007ffff632da98 in WebKit::wrapDocument (coreObject=0x173cbd0) at DerivedSources/webkit/WebKitDOMDocument.cpp:1701
#11 0x00007ffff632737a in WebKit::kit (obj=0x173cbd0) at DerivedSources/webkit/WebKitDOMDocument.cpp:122
#12 0x00007ffff60831f1 in webkit_web_view_get_dom_document (webView=0x1648160) at ../../../WebKit/gtk/webkit/webkitwebview.cpp:4791
#13 0x00000000004876c5 in _ephy_web_view_hook_into_forms (web_view=0x1648160) at ephy-web-view.c:935
#14 0x0000000000489578 in load_status_cb (web_view=0x1648160, pspec=0x8046a0, user_data=0x0) at ephy-web-view.c:1969
#15 0x00007ffff1336380 in g_cclosure_marshal_VOID__PARAM (closure=0x16b1190, return_value=0x0, n_param_values=2, param_values=0x1788e30, invocation_hint=0x7fffffffbd50, marshal_data=0x0) at gmarshal.c:533
#16 0x00007ffff131a61f in g_closure_invoke (closure=0x16b1190, return_value=0x0, n_param_values=2, param_values=0x1788e30, invocation_hint=0x7fffffffbd50) at gclosure.c:766
#17 0x00007ffff133504c in signal_emit_unlocked_R (node=0x711650, detail=2153, instance=0x1648160, emission_return=0x0, instance_and_params=0x1788e30) at gsignal.c:3252
#18 0x00007ffff1333ee1 in g_signal_emit_valist (instance=0x1648160, signal_id=1, detail=2153, var_args=0x7fffffffbfd0) at gsignal.c:2983
#19 0x00007ffff133445f in g_signal_emit (instance=0x1648160, signal_id=1, detail=2153) at gsignal.c:3040
#20 0x00007ffff131d977 in g_object_dispatch_properties_changed (object=0x1648160, n_pspecs=1, pspecs=0x7fffffffc160) at gobject.c:919
#21 0x00007ffff131c4d4 in g_object_notify_dispatcher (object=0x1648160, n_pspecs=1, pspecs=0x7fffffffc160) at gobject.c:327
#22 0x00007ffff131bf7d in g_object_notify_queue_thaw (object=0x1648160, nqueue=0x1723f00) at gobjectnotifyqueue.c:132
#23 0x00007ffff131db8a in g_object_notify_by_spec_internal (object=0x1648160, pspec=0x8046a0) at gobject.c:977
#24 0x00007ffff131dced in g_object_notify (object=0x1648160, property_name=0x7ffff6db8361 "load-status") at gobject.c:1018
#25 0x00007ffff6055715 in WebKit::notifyStatus (frame=0x164a060, loadStatus=WEBKIT_LOAD_FINISHED) at ../../../WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:218
#26 0x00007ffff6055755 in WebKit::loadDone (frame=0x164a060, didSucceed=true) at ../../../WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:226
#27 0x00007ffff6057b87 in WebKit::FrameLoaderClient::dispatchDidFinishLoad (this=0x16872f0) at ../../../WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:716
#28 0x00007ffff5b64562 in WebCore::FrameLoader::checkLoadCompleteForThisFrame (this=0x1687498) at ../../../WebCore/loader/FrameLoader.cpp:2427
#29 0x00007ffff5b64c30 in WebCore::FrameLoader::recursiveCheckLoadComplete (this=0x1687498) at ../../../WebCore/loader/FrameLoader.cpp:2538
#30 0x00007ffff5b64ce2 in WebCore::FrameLoader::checkLoadComplete (this=0x1687498) at ../../../WebCore/loader/FrameLoader.cpp:2551
#31 0x00007ffff5b4f061 in WebCore::DocumentLoader::removeSubresourceLoader (this=0x16f4e00, loader=0x172b400) at ../../../WebCore/loader/DocumentLoader.cpp:720
#32 0x00007ffff5baa9c6 in WebCore::SubresourceLoader::didFinishLoading (this=0x172b400, finishTime=0) at ../../../WebCore/loader/SubresourceLoader.cpp:187
#33 0x00007ffff5ba1a09 in WebCore::ResourceLoader::didFinishLoading (this=0x172b400, finishTime=0) at ../../../WebCore/loader/ResourceLoader.cpp:437
#34 0x00007ffff602c8bb in WebCore::closeCallback (source=0x735cf0, res=0x17fd400) at ../../../WebCore/platform/network/soup/ResourceHandleSoup.cpp:779
#35 0x00007ffff15bd792 in async_ready_close_callback_wrapper (source_object=0x735cf0, res=0x17fd400, user_data=0x0) at ginputstream.c:484
#36 0x00007ffff15d3366 in g_simple_async_result_complete (simple=0x17fd400) at gsimpleasyncresult.c:692
#37 0x00007ffff15d33a2 in complete_in_idle_cb (data=0x17fd400) at gsimpleasyncresult.c:702
#38 0x00007ffff0c262ed in g_idle_dispatch (source=0x1881a90, callback=0x7ffff15d336f <complete_in_idle_cb>, user_data=0x17fd400) at gmain.c:4254
#39 0x00007ffff0c224b0 in g_main_dispatch (context=0x735490) at gmain.c:2149
#40 0x00007ffff0c239ba in g_main_context_dispatch (context=0x735490) at gmain.c:2702
#41 0x00007ffff0c23e80 in g_main_context_iterate (context=0x735490, block=1, dispatch=1, self=0x6f3890) at gmain.c:2780
#42 0x00007ffff0c24617 in g_main_loop_run (loop=0x763e90) at gmain.c:2988
#43 0x00007ffff430a380 in gtk_main () at gtkmain.c:1321
#44 0x000000000042fd59 in main (argc=1, argv=0x7fffffffda08) at ephy-main.c:732
Attachments
Proposed patch (4.14 KB, patch)
2010-11-10 04:52 PST, Alejandro G. Castro
mrobinson: review+
Alejandro G. Castro
Comment 1 2010-11-10 04:00:42 PST
(In reply to comment #0)
> The patch fixing bug 49136 is causing crashes, you can check it in the bots cores log or it can also be reproduced with epiphany opening the browser and loading a webpage:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff56658fb in WTF::RefCountedBase::ref (this=0x171c408) at ../../../JavaScriptCore/wtf/RefCounted.h:37
> 37	    ASSERT(!m_adoptionIsRequired);

It seems we are using the listener pointer in the constructor as a PassRefPtr before even adopting the reference; I guess the best option would be to move that code to the addEventListener in the .h. Trying the solution.
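The ownership mistake Comment 1 describes, as an added example rather than code from WebKit or from the attached patch: a cut-down model of WTF::RefCounted and WTF::PassRefPtr with the adoption check, a hypothetical Node and Listener, and the two call orderings side by side. Only ref(), deref(), adoptRef() and leakRef() follow WTF's names; Node, Listener, the register* functions and the exact shape of the fixed ordering are assumptions, not taken from the patch. Where WTF's ref() asserts (and, in a debug build, crashes as in the backtrace), this model only records a flag, so both orderings can run in one process.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

class RefCountedBase {
public:
    // WTF::RefCountedBase::ref() has ASSERT(!m_adoptionIsRequired) here (RefCounted.h:37 in the
    // backtrace); a failed ASSERT ends in CRASH() and the reported SIGSEGV. This model only
    // records the violation so the caller can inspect it.
    void ref() {
        if (m_adoptionIsRequired)
            m_refBeforeAdoption = true;
        ++m_refCount;
    }
    void relaxAdoptionRequirement() { m_adoptionIsRequired = false; }
    bool refBeforeAdoption() const { return m_refBeforeAdoption; }
    int refCount() const { return m_refCount; }

protected:
    // As in WTF, a new object starts with one reference that must be claimed via adoptRef().
    RefCountedBase() : m_refCount(1), m_adoptionIsRequired(true), m_refBeforeAdoption(false) {}
    ~RefCountedBase() {}
    bool derefBase() { return --m_refCount == 0; }

private:
    int m_refCount;
    bool m_adoptionIsRequired;
    bool m_refBeforeAdoption;
};

template<typename T> class RefCounted : public RefCountedBase {
public:
    void deref() { if (derefBase()) delete static_cast<T*>(this); }
};

enum AdoptTag { Adopt };

template<typename T> class PassRefPtr {
public:
    // Raw-pointer constructor ref()s the object: WTF::refIfNotNull, frame #1 of the backtrace.
    PassRefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    // adoptRef path: takes over the initial reference and clears the adoption requirement.
    PassRefPtr(T* ptr, AdoptTag) : m_ptr(ptr) { if (m_ptr) m_ptr->relaxAdoptionRequirement(); }
    PassRefPtr(PassRefPtr&& other) : m_ptr(other.m_ptr) { other.m_ptr = nullptr; }
    PassRefPtr(const PassRefPtr&) = delete;
    PassRefPtr& operator=(const PassRefPtr&) = delete;
    ~PassRefPtr() { if (m_ptr) m_ptr->deref(); }
    T* leakRef() { T* p = m_ptr; m_ptr = nullptr; return p; }

private:
    T* m_ptr;
};

template<typename T> PassRefPtr<T> adoptRef(T* p) { return PassRefPtr<T>(p, Adopt); }

class Listener;

// Hypothetical stand-in for the DOM node that owns its listeners.
struct Node {
    std::vector<Listener*> listeners;
    void addEventListener(PassRefPtr<Listener> listener);
    int listenerRefCount(std::size_t i) const;
    ~Node();
};

class Listener : public RefCounted<Listener> {
public:
    Listener() {}
    // The r71528 shape as Comment 1 describes it: the constructor passes `this` to a
    // PassRefPtr parameter, so refIfNotNull runs before anyone has called adoptRef().
    explicit Listener(Node& node) { node.addEventListener(this); }
};

void Node::addEventListener(PassRefPtr<Listener> listener) { listeners.push_back(listener.leakRef()); }
int Node::listenerRefCount(std::size_t i) const { return listeners[i]->refCount(); }
Node::~Node() { for (Listener* l : listeners) l->deref(); }

// Buggy ordering: returns true when ref() ran while adoption was still required.
bool registerListenerInConstructor(Node& node) {
    Listener* l = new Listener(node);   // ctor has already handed `this` to the node
    bool violated = l->refBeforeAdoption();
    adoptRef(l);                        // caller's adoption; the temporary drops its reference again
    return violated;
}

// Fixed ordering (the move Comment 1 proposes; exact shape assumed): create, adopt, then register.
bool registerListenerAfterAdoption(Node& node) {
    Listener* l = new Listener();
    node.addEventListener(adoptRef(l)); // adoption first; the PassRefPtr then hands the reference over
    return l->refBeforeAdoption();
}

bool buggyOrderingTripsCheck() { Node node; return registerListenerInConstructor(node); }
bool fixedOrderingTripsCheck() { Node node; return registerListenerAfterAdoption(node); }

// Either ordering leaves the node holding exactly one reference per listener; only the
// adoption check tells them apart, which is why this surfaced as an ASSERT rather than a leak.
bool bothOrderingsBalanced() {
    Node node;
    registerListenerInConstructor(node);
    registerListenerAfterAdoption(node);
    return node.listeners.size() == 2 && node.listenerRefCount(0) == 1 && node.listenerRefCount(1) == 1;
}

int main() {
    std::printf("ref before adoptRef, buggy ordering: %d\n", buggyOrderingTripsCheck());
    std::printf("ref before adoptRef, fixed ordering: %d\n", fixedOrderingTripsCheck());
    std::printf("refcounts balanced in both:          %d\n", bothOrderingsBalanced());
    return 0;
}
```

The point the refcounts make is that the buggy ordering is not a leak or a double free: the counts end up identical in both cases. What WTF's ASSERT catches is purely the ordering, ref() on an object whose initial reference nobody has adopted yet, which is why the crash appears only in debug builds and only in the constructor path.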
Alejandro G. Castro
Comment 2 2010-11-10 04:52:07 PST
Created attachment 73486 [details]
Proposed patch
Martin Robinson
Comment 3 2010-11-10 08:40:37 PST
Comment on attachment 73486 [details]
Proposed patch

Thanks!
Alejandro G. Castro
Comment 4 2010-11-10 10:05:40 PST