[Webkit-unassigned] [Bug 135348] [GTK][2.4] WebkitWebProcess crashing navigating away from ogg video element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Aug 8 08:06:35 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=135348

--- Comment #7 from Víctor M. Jáquez L. <vjaquez at igalia.com>  2014-08-08 08:06:45 PST ---
More debugging info:

Program received signal SIGSEGV, Segmentation fault.
0xf6268293 in WebCore::TextureMapperLayer::paintSelf (this=this at entry=0xf0594000, options=...) at ../../../opt/webkit/WebKit/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:157
157         m_contentsLayer->paintToTextureMapper(options.textureMapper, m_state.contentsRect, transform, options.opacity);
(gdb) p m_contentsLayer
$1 = (WebCore::TextureMapperPlatformLayer *) 0xf0518184
(gdb) p *m_contentsLayer
$2 = {_vptr.TextureMapperPlatformLayer = 0xbadbeefb, m_client = 0x493b0b1}


 0xbadbeefb is set by tcmalloc when unrefing:

#define POISON_DEALLOCATION_EXPLICIT(allocation, allocationSize, startPoison, endPoison) do { \
    ASSERT((allocationSize) >= 2 * sizeof(uint32_t)); \
    reinterpret_cast_ptr<uint32_t*>(allocation)[0] = 0xbadbeef9; \
    reinterpret_cast_ptr<uint32_t*>(allocation)[1] = 0xbadbeefb; \
    if ((allocationSize) < 4 * sizeof(uint32_t)) \
        break; \
    reinterpret_cast_ptr<uint32_t*>(allocation)[2] = (startPoison) ^ PTR_TO_UINT32(allocation); \
    reinterpret_cast_ptr<uint32_t*>(allocation)[END_POISON_INDEX(allocationSize)] = (endPoison) ^ PTR_TO_UINT32(allocation); \
} while (false)

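As an added illustration (not code from the bug report or from WebKit) of what the poisoning scheme above makes a stale pointer read: a C model of POISON_DEALLOCATION_EXPLICIT, plus a helper that maps a suspicious word such as the 0xbadbeefb seen in _vptr above to the byte offset inside a freed block that would produce it. END_POISON_INDEX, PTR_TO_UINT32 and the start/end poison values are not given in the comment, so their definitions here are assumptions.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fixed words from the quoted macro. The end-word index and the 32-bit
 * pointer truncation are assumptions: END_POISON_INDEX and PTR_TO_UINT32
 * are not defined in the comment above. */
#define POISON_WORD0 0xbadbeef9u
#define POISON_WORD1 0xbadbeefbu
#define PTR_TO_UINT32(p) ((uint32_t)(uintptr_t)(p))
#define END_POISON_INDEX(sz) ((sz) / sizeof(uint32_t) - 1) /* assumed: last word */

/* Model of POISON_DEALLOCATION_EXPLICIT: stamp the freed block so that a
 * later dereference through a dangling pointer reads marker words. */
static void poison_dealloc(void *alloc, size_t size,
                           uint32_t start_poison, uint32_t end_poison)
{
    uint32_t *w = (uint32_t *)alloc;
    assert(size >= 2 * sizeof(uint32_t));
    w[0] = POISON_WORD0;
    w[1] = POISON_WORD1;
    if (size < 4 * sizeof(uint32_t))
        return;
    w[2] = start_poison ^ PTR_TO_UINT32(alloc);
    w[END_POISON_INDEX(size)] = end_poison ^ PTR_TO_UINT32(alloc);
}

/* Triage helper for a crash like the one above: if a word read through a
 * suspect pointer is one of the fixed poison words, return the byte offset
 * into a poisoned block that would yield it; -1 if it is not a poison word. */
static int poison_offset_for_word(uint32_t word)
{
    if (word == POISON_WORD0) return 0;
    if (word == POISON_WORD1) return 4;
    return -1;
}

/* Simulate the failure shape: an object is freed (poisoned), then a stale
 * pointer stale_offset bytes into it is dereferenced. Returns the word read. */
static uint32_t read_stale_first_word(size_t object_size, size_t stale_offset)
{
    unsigned char *obj = malloc(object_size);
    memset(obj, 0, object_size);
    poison_dealloc(obj, object_size, 0xbadbeef3u, 0xbadbeef5u); /* constructed values */
    uint32_t word;
    memcpy(&word, obj + stale_offset, sizeof word);
    free(obj);
    return word;
}
```

A stale pointer four bytes into a freed block reads 0xbadbeefb as its first word, the same value the trace reports for _vptr, while a pointer at the block start would read 0xbadbeef9.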