[Webkit-unassigned] [Bug 138468] New: Missing null-check in EventHandler::dragSourceEndedAt()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 6 10:24:07 PST 2014


            Bug ID: 138468
           Summary: Missing null-check in
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mario at webkit.org
                CC: mrobinson at webkit.org

We recently hit a crash in WebCore::Clipboard::setDestinationOperation() when trying to move around (dragging and dropping) links very quickly inside a WebKitGTK+ (2.4.6) based application using WebKit 1.

At a first glance I thought it might be an issue on how dragSourceEndedAt() is being called from the WebKitGTK+ API, perhaps it does not make sense to do it when the GdkDragAction returned by gdk_drag_context_get_selected_action() is GDK_ACTION_DEFAULT. However, looking at how the same function is being called from other ports I haven't found such an idiom anywhere, and looking at the implementation of EventHandler::dragSourceEndedAt() I see that dragState().clipboard is the only pointer being dereferenced there, which is the source of the crash in this case, as it's null in this specific scenario.

So, I wonder if a null-check is missing there, or whether it might be a deeper issue which we are only seeing the tip of the iceberg of.

See the backtrace below (replace Clipboard with DataTransfer to match the current code in WebCore, as this stack trace is from WebKitGTK+ 2.4.6):

#0  WebCore::Clipboard::setDestinationOperation (this=0x0, 
    operation=operation at entry=WebCore::DragOperationNone)
    at ../Source/WebCore/dom/Clipboard.cpp:382
#1  0xb2d7c797 in WebCore::EventHandler::dragSourceEndedAt (this=0x82ae030, 
    event=..., operation=WebCore::DragOperationNone)
    at ../Source/WebCore/page/EventHandler.cpp:3148
#2  0xb26851b9 in webkit_web_view_drag_end (widget=0x82851a0, 
    context=0x80c2de0) at ../Source/WebKit/gtk/webkit/webkitwebview.cpp:1545
#3  0xb7f75f7c in g_cclosure_marshal_VOID__OBJECTv ()
   from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#4  0xb7f71807 in ?? () from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#5  0xb7f73161 in ?? () from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#6  0xb7f8d4ab in g_signal_emit_valist ()
   from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#7  0xb7f8e4d5 in g_signal_emit_by_name ()
   from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#8  0xb799d64b in ?? () from /usr/lib/i386-linux-gnu/libgtk-3.so.0
#9  0xb799d8e1 in ?? () from /usr/lib/i386-linux-gnu/libgtk-3.so.0
#10 0xb6c3ed4d in ?? () from /usr/lib/i386-linux-gnu/libgdk-3.so.0
#11 0xb7e9fd4e in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#12 0xb7ea03ef in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#13 0xb7ea3192 in g_main_context_dispatch ()
   from /lib/i386-linux-gnu/libglib-2.0.so.0
#14 0xb7ea34b0 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#15 0xb7ea3591 in g_main_context_iteration ()
   from /lib/i386-linux-gnu/libglib-2.0.so.0
#16 0xb73ead64 in g_application_run ()
   from /usr/lib/i386-linux-gnu/libgio-2.0.so.0
#17 0xb7c1e48e in ffi_call_SYSV () from /usr/lib/i386-linux-gnu/libffi.so.6
#18 0xb7c1e1ef in ffi_call () from /usr/lib/i386-linux-gnu/libffi.so.6
#19 0xb7dfdce8 in ?? () from /usr/lib/libgjs.so.0
#20 0xb7dff5ff in ?? () from /usr/lib/libgjs.so.0
#21 0xb6e7a440 in ?? () from /usr/lib/i386-linux-gnu/libmozjs-24.so.0
#22 0xb6e869ea in ?? () from /usr/lib/i386-linux-gnu/libmozjs-24.so.0
#23 0xb6e876b6 in ?? () from /usr/lib/i386-linux-gnu/libmozjs-24.so.0
#24 0xb6e88865 in ?? () from /usr/lib/i386-linux-gnu/libmozjs-24.so.0
#25 0xb6f29d33 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned int, JS::Value*) ()
   from /usr/lib/i386-linux-gnu/libmozjs-24.so.0
#26 0xb6f2a348 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned int, JS::Value*) ()
   from /usr/lib/i386-linux-gnu/libmozjs-24.so.0
#27 0xb7def9eb in gjs_eval_with_scope () from /usr/lib/libgjs.so.0
#28 0xb7de91d2 in gjs_context_eval () from /usr/lib/libgjs.so.0
#29 0x08048d65 in main ()

For what is worth, I added the null check locally and re-run the layout tests, and I could not spot any regression after that.

PS: Martin, I'm adding you to CC as I believe you have experience in the drag'n'drop stuff (specifically in the GTK+ port), but please feel free to ignore (or add someone else) if my assumption is wrong. Thanks!

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141106/df802278/attachment-0002.html>

More information about the webkit-unassigned mailing list