RESOLVED FIXED 87744
[GTK] [WK2] Reproducible crash in performDragControllerAction
https://bugs.webkit.org/show_bug.cgi?id=87744
Sudarsana Nagineni (babu)
Reported 2012-05-29 07:05:14 PDT
Steps to reproduce:
1. Open ./MiniBrowser http://www.google.com
2. Drag and drop the image on the page.

#0  0x00007f5ebea95d71 in WTF::RefCountedBase::~RefCountedBase (this=0x2eaafb0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefCounted.h:122
122         ASSERT(m_deletionHasBegun);
(gdb) bt
#0  0x00007f5ebea95d71 in WTF::RefCountedBase::~RefCountedBase (this=0x2eaafb0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefCounted.h:122
#1  0x00007f5ebeac7834 in WTF::RefCounted<WebCore::DataObjectGtk>::~RefCounted (this=0x2eaafb0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefCounted.h:197
#2  0x00007f5ebeac8464 in WebCore::DataObjectGtk::~DataObjectGtk (this=0x2eaafb0, __in_chrg=<optimized out>) at ../../Source/WebCore/platform/gtk/DataObjectGtk.h:32
#3  0x00007f5ebecb0c8a in WebKit::WebPage::performDragControllerAction (this=0x23e9da0, action=0, dragData=...) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:2183
#4  0x00007f5ebeceedaf in CoreIPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long, WebCore::DragData), unsigned long, WebCore::DragData> (args=..., object=0x23e9da0, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long, WebCore::DragData)) 0x7f5ebecb0a26 <WebKit::WebPage::performDragControllerAction(unsigned long, WebCore::DragData)>) at ../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:25
#5  0x00007f5ebeced447 in CoreIPC::handleMessage<Messages::WebPage::PerformDragControllerAction, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long, WebCore::DragData)> (argumentDecoder=0x7f5ea4001e90, object=0x23e9da0, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long, WebCore::DragData)) 0x7f5ebecb0a26 <WebKit::WebPage::performDragControllerAction(unsigned long, WebCore::DragData)>) at ../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:302
#6  0x00007f5ebeceb210 in WebKit::WebPage::didReceiveWebPageMessage (this=0x23e9da0, messageID=..., arguments=0x7f5ea4001e90) at DerivedSources/WebKit2/WebPageMessageReceiver.cpp:324
#7  0x00007f5ebecb1b88 in WebKit::WebPage::didReceiveMessage (this=0x23e9da0, connection=0x20fc550, messageID=..., arguments=0x7f5ea4001e90) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:2581
#8  0x00007f5ebecc1a92 in WebKit::WebProcess::didReceiveMessage (this=0x20fc030, connection=0x20fc550, messageID=..., arguments=0x7f5ea4001e90) at ../../Source/WebKit2/WebProcess/WebProcess.cpp:683
#9  0x00007f5ebecbfb56 in WebKit::WebConnectionToUIProcess::didReceiveMessage (this=0x20fc500, connection=0x20fc550, messageID=..., arguments=0x7f5ea4001e90) at ../../Source/WebKit2/WebProcess/WebConnectionToUIProcess.cpp:87
#10 0x00007f5ebea9bdcb in CoreIPC::Connection::dispatchMessage (this=0x20fc550, message=...) at ../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:691
#11 0x00007f5ebea9bf69 in CoreIPC::Connection::dispatchOneMessage (this=0x20fc550) at ../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:717
#12 0x00007f5ebeaa6106 in WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>::operator() (this=0x7f5ea40011d0, c=0x20fc550) at ../../Source/WTF/wtf/Functional.h:173
#13 0x00007f5ebeaa5f0c in WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void (CoreIPC::Connection*)>::operator()() (this=0x7f5ea40011c0) at ../../Source/WTF/wtf/Functional.h:405
#14 0x00007f5ebeaaaf4e in WTF::Function<void ()>::operator()() const (this=0x7f5ea4001ef0) at ../../Source/WTF/wtf/Functional.h:613
#15 0x00007f5ebf591ec5 in WebCore::RunLoop::performWork (this=0x20fbef0) at ../../Source/WebCore/platform/RunLoop.cpp:67
#16 0x00007f5ebff943b6 in WebCore::RunLoop::queueWork (runLoop=0x20fbef0) at ../../Source/WebCore/platform/gtk/RunLoopGtk.cpp:102
#17 0x00007f5eb818ac9a in g_main_dispatch (context=0x1fed470) at /build/buildd/glib2.0-2.32.1/./glib/gmain.c:2515
#18 g_main_context_dispatch (context=0x1fed470) at /build/buildd/glib2.0-2.32.1/./glib/gmain.c:3052
#19 0x00007f5eb818b060 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x1fed470, self=<optimized out>) at /build/buildd/glib2.0-2.32.1/./glib/gmain.c:3123
#20 g_main_context_iterate (context=0x1fed470, block=<optimized out>, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.32.1/./glib/gmain.c:3060
#21 0x00007f5eb818b45a in g_main_loop_run (loop=0x20fbf80) at /build/buildd/glib2.0-2.32.1/./glib/gmain.c:3317
#22 0x00007f5ebff94120 in WebCore::RunLoop::run () at ../../Source/WebCore/platform/gtk/RunLoopGtk.cpp:59
#23 0x00007f5ebec0487e in WebKit::WebProcessMainGtk (argc=2, argv=0x7fff5b919088) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#24 0x0000000000400784 in main (argc=2, argv=0x7fff5b919088) at ../../Source/WebKit2/gtk/MainGtk.cpp:31
(gdb)
Attachments
patch (1.90 KB, patch)
2012-05-29 09:02 PDT, Sudarsana Nagineni (babu)
no flags
Sudarsana Nagineni (babu)
Comment 1 2012-05-29 08:02:04 PDT
I think we should use deref() instead of delete to destroy the platformData since the DataObjectGtk is inherited from RefCounted. http://trac.webkit.org/browser/trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp#L2183
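The following is an added illustration of the lifetime rule behind Comment 1; it is a constructed model, not WebKit's WTF::RefCounted, DataObjectGtk, or the patch attached to this bug. The names RefCounted, DataObject, create(), releaseWithDelete(), releaseWithDeref() and g_destroyedWithoutDeref are hypothetical. In the real WTF::RefCountedBase the destructor asserts m_deletionHasBegun (RefCounted.h:122 in the backtrace above); here that check is modelled as a counter so the program can report the misuse instead of aborting, which makes the difference between `delete` and `deref()` observable.

```cpp
#include <cstdio>

// Counts destructions that bypassed deref(). Stands in for the
// ASSERT(m_deletionHasBegun) that fired in the reported backtrace.
// (Constructed model, not WebKit's code.)
static int g_destroyedWithoutDeref = 0;

// Minimal intrusive ref-count base, hypothetical, modelled on the idea of
// WTF::RefCounted: the object starts with one reference owned by its creator,
// and the only sanctioned way to destroy it is dropping the last reference.
template<typename T>
class RefCounted {
public:
    void ref() { ++m_refCount; }

    void deref() {
        if (m_refCount == 1) {
            m_deletionHasBegun = true;          // mark the sanctioned teardown
            delete static_cast<T*>(this);       // the class deletes itself
            return;
        }
        --m_refCount;
    }

    unsigned refCount() const { return m_refCount; }

protected:
    RefCounted() : m_refCount(1), m_deletionHasBegun(false) {}

    // Destructor reached without deref(): a holder still thinks it owns a
    // reference, so any later deref()/use is a use-after-free.
    ~RefCounted() {
        if (!m_deletionHasBegun)
            ++g_destroyedWithoutDeref;
    }

private:
    unsigned m_refCount;
    bool m_deletionHasBegun;
};

// Hypothetical stand-in for a ref-counted platform data object.
class DataObject : public RefCounted<DataObject> {
public:
    static DataObject* create() { return new DataObject; }  // caller holds ref #1
private:
    DataObject() {}
};

// The buggy release path: 'delete' on a live ref-counted object.
// Returns how many destructions bypassed deref() (expected: 1).
int releaseWithDelete() {
    int before = g_destroyedWithoutDeref;
    DataObject* obj = DataObject::create();
    delete obj;   // skips deref(): destructor sees m_deletionHasBegun == false
    return g_destroyedWithoutDeref - before;
}

// The fixed release path: every holder drops its reference with deref(),
// and the object destroys itself only when the last one goes.
// Returns how many destructions bypassed deref() (expected: 0).
int releaseWithDeref() {
    int before = g_destroyedWithoutDeref;
    DataObject* obj = DataObject::create();
    obj->ref();     // a second holder (e.g. a DragData) takes a reference
    obj->deref();   // one holder releases; refCount() is back to 1, object alive
    obj->deref();   // last reference dropped; teardown goes through deref()
    return g_destroyedWithoutDeref - before;
}

int main() {
    std::printf("delete path: %d destruction(s) bypassed deref()\n", releaseWithDelete());
    std::printf("deref path:  %d destruction(s) bypassed deref()\n", releaseWithDeref());
    return 0;
}
```

The defender's point is that `delete` on an intrusively ref-counted object does not just trip a debug assertion: in a release build it silently leaves every other reference holder with a dangling pointer, so the assertion in WTF is the cheap place to catch what would otherwise surface later as a use-after-free. Replacing `delete` with `deref()` keeps ownership with the count, which is exactly what the attached patch does.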
Sudarsana Nagineni (babu)
Comment 2 2012-05-29 09:02:13 PDT
Created attachment 144569 [details]
patch

Use deref() instead of delete to release refcounted DataObjectGtk.
WebKit Review Bot
Comment 3 2012-05-29 09:49:09 PDT
Comment on attachment 144569 [details]
patch

Clearing flags on attachment: 144569

Committed r118796: <http://trac.webkit.org/changeset/118796>
WebKit Review Bot
Comment 4 2012-05-29 09:49:13 PDT
All reviewed patches have been landed. Closing bug.