82605 – segfault in pathForRenderer (GestureTapHighlighter) when tapping on an iframe.

RESOLVED FIXED 82605

segfault in pathForRenderer (GestureTapHighlighter) when tapping on an iframe.

https://bugs.webkit.org/show_bug.cgi?id=82605

Summary segfault in pathForRenderer (GestureTapHighlighter) when tapping on an iframe.

zalan

Reported 2012-03-29 06:14:59 PDT

1 0x7f20118bc069 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN3WTF6VectorIN7WebCore7IntRectELm0EE2atEm+0x4b) [0x7f20118bc069] 2 0x7f2012139e35 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(+0x25bae35) [0x7f2012139e35] 3 0x7f201213a2b8 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7WebCore21GestureTapHighlighter20pathForNodeHighlightEPKNS_4NodeE+0x8e) [0x7f201213a2b8] 4 0x7f20118c009a /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit22TapHighlightController9highlightEPN7WebCore4NodeE+0x66) [0x7f20118c009a] 5 0x7f20118d561e /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit7WebPage28highlightPotentialActivationERKN7WebCore8IntPointERKNS1_7IntSizeE+0x178) [0x7f20118d561e] 6 0x7f2011919c9d /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7CoreIPC18callMemberFunctionIN6WebKit7WebPageEMS2_FvRKN7WebCore8IntPointERKNS3_7IntSizeEES4_S7_EEvRKNS_10Arguments2IT1_T2_EEPT_T0_+0x64) [0x7f2011919c9d] 7 0x7f2011917046 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7CoreIPC13handleMessageIN8Messages7WebPage28HighlightPotentialActivationEN6WebKit7WebPageEMS5_FvRKN7WebCore8IntPointERKNS6_7IntSizeEEEEvPNS_15ArgumentDecoderEPT0_T1_+0x59) [0x7f2011917046] 8 0x7f2011915362 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit7WebPage24didReceiveWebPageMessageEPN7CoreIPC10ConnectionENS1_9MessageIDEPNS1_15ArgumentDecoderE+0x374) [0x7f2011915362] 9 0x7f20118d933c /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit7WebPage17didReceiveMessageEPN7CoreIPC10ConnectionENS1_9MessageIDEPNS1_15ArgumentDecoderE+0x124) [0x7f20118d933c] 10 0x7f20118f1200 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit10WebProcess17didReceiveMessageEPN7CoreIPC10ConnectionENS1_9MessageIDEPNS1_15ArgumentDecoderE+0x2b0) [0x7f20118f1200] 11 0x7f20118eecd9 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN6WebKit24WebConnectionToUIProcess17didReceiveMessageEPN7CoreIPC10ConnectionENS1_9MessageIDEPNS1_15ArgumentDecoderE+0x11b) [0x7f20118eecd9] 12 0x7f20116c1ed1 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7CoreIPC10Connection15dispatchMessageERNS0_7MessageINS_15ArgumentDecoderEEE+0x14b) [0x7f20116c1ed1] 13 0x7f20116c20ab /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7CoreIPC10Connection16dispatchMessagesEv+0xaf) [0x7f20116c20ab] 14 0x7f20116cc056 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN3WTF15FunctionWrapperIMN7CoreIPC10ConnectionEFvvEEclEPS2_+0x58) [0x7f20116cc056] 15 0x7f20116cbe14 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN3WTF17BoundFunctionImplINS_15FunctionWrapperIMN7CoreIPC10ConnectionEFvvEEEFvPS3_EEclEv+0x32) [0x7f20116cbe14] 16 0x7f20117915fa /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZNK3WTF8FunctionIFvvEEclEv+0x72) [0x7f20117915fa] 17 0x7f201220d640 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7WebCore7RunLoop11performWorkEv+0x74) [0x7f201220d640] 18 0x7f20124aaf85 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(_ZN7WebCore7RunLoop11TimerObject11performWorkEv+0x3b) [0x7f20124aaf85] 19 0x7f20124abab3 /home/zbujtas/WebKit/WebKitBuild/Debug/lib/libQtWebKit.so.5(+0x292cab3) [0x7f20124abab3] 20 0x7f200f06b637 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN14QMetaCallEvent13placeMetaCallEP7QObject+0xc3) [0x7f200f06b637] 21 0x7f200f06c4b0 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN7QObject5eventEP6QEvent+0x124) [0x7f200f06c4b0] 22 0x7f200f48993c /home/zbujtas/qt5/qtbase/lib/libQtWidgets.so.5(_ZN19QApplicationPrivate13notify_helperEP7QObjectP6QEvent+0x17c) [0x7f200f48993c] 23 0x7f200f486fec /home/zbujtas/qt5/qtbase/lib/libQtWidgets.so.5(_ZN12QApplication6notifyEP7QObjectP6QEvent+0x3f8) [0x7f200f486fec] 24 0x7f200f039362 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN16QCoreApplication14notifyInternalEP7QObjectP6QEvent+0x9e) [0x7f200f039362] 25 0x7f200f03d0b3 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN16QCoreApplication9sendEventEP7QObjectP6QEvent+0x51) [0x7f200f03d0b3] 26 0x7f200f03a3f6 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN23QCoreApplicationPrivate16sendPostedEventsEP7QObjectiP11QThreadData+0x452) [0x7f200f03a3f6] 27 0x7f200f039fa1 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(_ZN16QCoreApplication16sendPostedEventsEP7QObjecti+0x2d) [0x7f200f039fa1] 28 0x7f200f0a0428 /home/zbujtas/qt5/qtbase/lib/libQtCore.so.5(+0x25f428) [0x7f200f0a0428] 29 0x7f200c352a5d /lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_dispatch+0x1dd) [0x7f200c352a5d] 30 0x7f200c353258 /lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x45258) [0x7f200c353258] 31 0x7f200c353429 /lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_iteration+0x69) [0x7f200c353429] WARNING: The web process experienced a crash on 'file:///home/zbujtas/Documents/in.html'.

Attachments
test case (441 bytes, text/html) 2012-03-29 06:17 PDT, zalan	no flags	Details
Patch (3.13 KB, patch) 2012-03-29 06:53 PDT, zalan	no flags	Details Formatted Diff Diff
Patch (3.42 KB, patch) 2012-03-29 14:20 PDT, zalan	no flags	Details Formatted Diff Diff
Patch (3.51 KB, patch) 2012-03-30 07:37 PDT, zalan	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

zalan

Comment 1 2012-03-29 06:17:18 PDT

Created attachment 134559 [details] test case

zalan

Comment 2 2012-03-29 06:53:27 PDT

Created attachment 134569 [details] Patch

zalan

Comment 3 2012-03-29 06:55:42 PDT

Comment on attachment 134569 [details] Patch Alternatively, we could 1, do ASSERT(!rects.empty()) instead of the early return, though the function at other place checks for rects.size(), so presumably the functions expects empty rects. 2, try to leave out the first and the last items of the vector differently. (do the for loop differently)

zalan

Comment 4 2012-03-29 09:16:23 PDT

Comment on attachment 134569 [details] Patch as per Kenneth's comment, i'll be using end = size(); instead of the explicit cast.

zalan

Comment 5 2012-03-29 14:20:37 PDT

Created attachment 134664 [details] Patch

Kenneth Rohde Christiansen

Comment 6 2012-03-30 02:13:50 PDT

Comment on attachment 134664 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=134664&action=review > ManualTests/tap-gesture-in-iframe-with-tap-highlight.html:1 > +<html> Maybe -crash in the name would be good (file name)

zalan

Comment 7 2012-03-30 07:37:52 PDT

Created attachment 134813 [details] Patch

WebKit Review Bot

Comment 8 2012-03-30 13:56:08 PDT

Comment on attachment 134813 [details] Patch Clearing flags on attachment: 134813 Committed r112723: <http://trac.webkit.org/changeset/112723>

WebKit Review Bot

Comment 9 2012-03-30 13:56:12 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component Layout and Rendering

Assignee

zalan

Reported

2012-03-29 06:14 PDT

Modified

2012-03-30 13:56 PDT History

CC List

2 users Show

URL

Keywords

Depends on

Blocks

82604

Dependencies

tree graph