<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - REGRESSION(r212239): Crash in DragImage::operator=(WebCore::DragImage&amp;&amp;) when DragImageRef is the same"
   href="https://bugs.webkit.org/show_bug.cgi?id=168292">168292</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>REGRESSION(r212239): Crash in DragImage::operator=(WebCore::DragImage&amp;&amp;) when DragImageRef is the same
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Local Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Keywords</th>
          <td>LayoutTestFailure, Regression
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Platform
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>cgarcia&#64;igalia.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>This happens at least in the GTK+ port where DragImageRef is a pointer (we should definitely change that). It caused several crashes in the bots:

Thread 1 (Thread 0x2b4ba8e96940 (LWP 11637)):
#0  0x00002b4ba28b3067 in __GI_raise (sig=sig&#64;entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00002b4ba28b4448 in __GI_abort () at abort.c:89
#2  0x00002b4ba28ac266 in __assert_fail_base (fmt=0x2b4ba29e5238 &quot;%s%s%s:%u: %s%sAssertion `%s' failed.\n%n&quot;, assertion=assertion&#64;entry=0x2b4b9ba8ce08 &quot;((*&amp;(&amp;surface-&gt;ref_count)-&gt;ref_count) &gt; 0)&quot;, file=file&#64;entry=0x2b4b9ba8cd38 &quot;/home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/cairo-1.14.2/src/cairo-surface.c&quot;, line=line&#64;entry=953, function=function&#64;entry=0x2b4b9ba9d9f0 &lt;__PRETTY_FUNCTION__.11168&gt; &quot;cairo_surface_destroy&quot;) at assert.c:92
#3  0x00002b4ba28ac312 in __GI___assert_fail (assertion=0x2b4b9ba8ce08 &quot;((*&amp;(&amp;surface-&gt;ref_count)-&gt;ref_count) &gt; 0)&quot;, file=0x2b4b9ba8cd38 &quot;/home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/cairo-1.14.2/src/cairo-surface.c&quot;, line=953, function=0x2b4b9ba9d9f0 &lt;__PRETTY_FUNCTION__.11168&gt; &quot;cairo_surface_destroy&quot;) at assert.c:101
#4  0x00002b4b9ba1a7c2 in cairo_surface_destroy () at /home/slave/webkitgtk/gtk-linux-64-release-tests/build/WebKitBuild/DependenciesGTK/Source/cairo-1.14.2/src/cairo-surface.c:953
#5  0x00002b4b9968b7f9 in WebCore::DragImage::operator=(WebCore::DragImage&amp;&amp;) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00002b4b995d7e8b in WebCore::DragController::doImageDrag(WebCore::Element&amp;, WebCore::IntPoint const&amp;, WebCore::IntRect const&amp;, WebCore::DataTransfer&amp;, WebCore::Frame&amp;, WebCore::IntPoint&amp;) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00002b4b995dbcc2 in WebCore::DragController::startDrag(WebCore::Frame&amp;, WebCore::DragState const&amp;, WebCore::DragOperation, WebCore::PlatformMouseEvent const&amp;, WebCore::IntPoint const&amp;) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00002b4b995e3994 in WebCore::EventHandler::handleDrag(WebCore::MouseEventWithHitTestResults const&amp;, WebCore::CheckDragHysteresis) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00002b4b995e3eb8 in WebCore::EventHandler::handleMouseDraggedEvent(WebCore::MouseEventWithHitTestResults const&amp;, WebCore::CheckDragHysteresis) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#10 0x00002b4b995eab67 in WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&amp;, WebCore::HitTestResult*, bool) () from /home/slave/webkitgtk/gtk-linux-64-release/build/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37

When m_dragImageRef is the same as other.m_dragImageRef we end up deleting twice.</pre>
        </div>
      </p>
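<p>The double release the report describes, reproduced as an added example (not WebKit's or the reporter's code): <code>Surface</code>, <code>surfaceDestroy</code> and <code>fitToMaxSize</code> are simplified stand-ins for cairo's surface, <code>cairo_surface_destroy</code> and a helper that can hand back the very pointer it was given, and the <code>kFixed</code> guard is one possible check against two <code>DragImage</code> objects wrapping the same raw ref, not the fix that landed in WebKit.</p>

```cpp
#include <cstddef>

// Toy stand-in for cairo_surface_t. Instead of aborting like cairo's
// "ref_count > 0" assertion, destroy() counts releases past zero.
struct Surface { int refCount = 1; };
static int g_overReleases = 0;

static void surfaceDestroy(Surface* s) {
    if (s->refCount <= 0) { ++g_overReleases; return; }  // cairo would assert here
    --s->refCount;                                       // storage kept so we can observe it
}

// Stand-in for a scaling helper that returns its input unchanged when
// no scaling is needed, so caller and callee now alias one raw pointer.
static Surface* fitToMaxSize(Surface* s) { return s; }

template <bool kFixed>
class DragImage {
public:
    explicit DragImage(Surface* ref = nullptr) : m_ref(ref) {}
    ~DragImage() { if (m_ref) surfaceDestroy(m_ref); }
    DragImage(DragImage&& o) : m_ref(o.m_ref) { o.m_ref = nullptr; }
    DragImage& operator=(DragImage&& o) {
        if (kFixed && m_ref == o.m_ref) {  // same ref on both sides: take over
            o.m_ref = nullptr;             // ownership without releasing anything
            return *this;
        }
        if (m_ref) surfaceDestroy(m_ref);  // buggy path: releases the only reference...
        m_ref = o.m_ref;                   // ...then adopts that same, now-dead pointer
        o.m_ref = nullptr;
        return *this;
    }
    Surface* get() const { return m_ref; }
private:
    Surface* m_ref;
};

// Runs the aliasing pattern from doImageDrag and returns how many times
// the surface was released past zero (0 = correct, 1 = double destroy).
template <bool kFixed>
static int runScenario() {
    g_overReleases = 0;
    Surface surface;  // refCount 1, owned by `image`
    {
        DragImage<kFixed> image(&surface);
        image = DragImage<kFixed>(fitToMaxSize(image.get()));  // both wrap &surface
    }  // image's destructor releases once more
    return g_overReleases;
}
static int runBuggy() { return runScenario<false>(); }
static int runFixed() { return runScenario<true>(); }
```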
    </body>
</html>