[Webkit-unassigned] [Bug 201387] New: [GTK] Crash in WTF::Vector<Nicosia::CairoOperationRecorder::State, 32ul, WTF::CrashOnOverflow, 16ul>::expandCapacity

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Sep 1 05:21:06 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=201387

            Bug ID: 201387
           Summary: [GTK] Crash in
                    WTF::Vector<Nicosia::CairoOperationRecorder::State,
                    32ul, WTF::CrashOnOverflow, 16ul>::expandCapacity
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bugs-noreply at webkitgtk.org

For once, a 100% reproducible crash!

Sadly, the backtrace isn't great and I have no idea what to do with it. But reproducible is nice. This occurs in Tech Preview wiht 2.25.4.

(gdb) bt full
#0  0x00007f29cdd364f8 in WTF::Vector<Nicosia::CairoOperationRecorder::State, 32ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long) (this=0x55dc2b6f4cf0, newMinCapacity=<optimized out>)
    at DerivedSources/ForwardingHeaders/wtf/Vector.h:286
#1  0xcf0a1a0f11977054 in  ()
#2  0xcea349636cd37054 in  ()
#3  0x00007f2900000000 in  ()
#4  0x00007f29c9ade573 in JSC::Heap::collectAsync(JSC::GCRequest) (request=..., this=0x7f29bf642e10)
    at ../Source/JavaScriptCore/heap/Heap.cpp:1123
        previousRequest = <optimized out>
        __for_range = 
              @0x7f29bf643270: {m_start = 0, m_end = 0, m_buffer = {<WTF::VectorBufferBase<JSC::GCRequest>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}}
        locker = {<WTF::AbstractLocker> = {<No data fields>}, m_lockable = 0x7f29cb7b0cf0 <_int_malloc+2112>}
        alreadyRequested = false
#5  0x00007f29c9ade573 in JSC::Heap::collectAsync(JSC::GCRequest) (this=0x7f29bf642e10, request=...)
    at ../Source/JavaScriptCore/heap/Heap.cpp:1112
#6  0x0000000000000000 in  ()

To reproduce;

 * Visit https://www.ksdk.com/article/news/local/galleria-shots-fired/63-c17a629f-85b3-4348-b8a5-8a3f52e6deaa
 * Scroll down to the Google Maps widget
 * Click on "View larger map"
 * A new related view will be created. The web process backing both the original view and the related view crash.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190901/d6f2a934/attachment.html>

More information about the webkit-unassigned mailing list