WebKit Bugzilla
Bug 16967: Reproducible crash when navigating back to a page using SVG fonts
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=16967
Reported by mitz, 2008-01-21 23:07:19 PST
Steps to reproduce:
1) Open svg/text/text-text-06-t.svg
2) Go to about:blank
3) Choose History > Back

Backtrace:
#0 0x95b666de in LLCStyleInfoClear ()
#1 0x95c6fc98 in ATSUDisposeStyleGroup ()
#2 0x003882fe in WKReleaseStyleGroup (group=0x46453541)
#3 0x01b9a476 in WebCore::SimpleFontData::platformDestroy (this=0x3dcac00) at WebCore/platform/graphics/mac/SimpleFontDataMac.mm:213
#4 0x01b99982 in WebCore::SimpleFontData::~SimpleFontData (this=0x3dcac00) at WebCore/platform/graphics/SimpleFontData.cpp:116
#5 0x01a4027d in WTF::deleteAllPairSeconds<WebCore::SimpleFontData*, WTF::HashMap<int, WebCore::SimpleFontData*, WTF::IntHash<unsigned int>, WTF::HashTraits<int>, WTF::HashTraits<WebCore::SimpleFontData*> > const> (collection=@0x17a8a550) at HashMap.h:371
#6 0x01a402c7 in WTF::deleteAllValues<int, WebCore::SimpleFontData*, WTF::IntHash<unsigned int>, WTF::HashTraits<int>, WTF::HashTraits<WebCore::SimpleFontData*> > (collection=@0x17a8a550) at HashMap.h:377
#7 0x01a3f4b6 in WebCore::CSSFontFaceSource::pruneTable (this=0x17a8a540) at WebCore/css/CSSFontFaceSource.cpp:65
#8 0x01a3f97b in WebCore::CSSFontFaceSource::~CSSFontFaceSource (this=0x17a8a540) at WebCore/css/CSSFontFaceSource.cpp:58
#9 0x01a3eccd in WTF::deleteAllValues<WebCore::CSSFontFaceSource*, 0ul> (collection=@0x1b1427b0) at Vector.h:799
#10 0x01a3e979 in WebCore::CSSFontFace::~CSSFontFace (this=0x1b1427a0) at WebCore/css/CSSFontFace.cpp:38
#11 0x01a4278b in WTF::RefCounted<WebCore::CSSFontFace>::deref (this=0x1b1427a4) at RefCounted.h:52
#12 0x0200f5ae in WTF::RefPtr<WebCore::CSSFontFace>::~RefPtr (this=0x17aa6708) at RefPtr.h:45
#13 0x0200f5c1 in WTF::RefPtr<WebCore::CSSFontFace>::~RefPtr (this=0x17aa6708) at RefPtr.h:45
#14 0x0200f62e in WebCore::FontFaceRange::~FontFaceRange (this=0x17aa6700) at CSSSegmentedFontFace.h:43
#15 0x0200f641 in WebCore::FontFaceRange::~FontFaceRange (this=0x17aa6700) at CSSSegmentedFontFace.h:43
#16 0x0201009d in WTF::VectorDestructor<true, WebCore::FontFaceRange>::destruct (begin=0x17aa6700, end=0x17aa670c) at Vector.h:53
#17 0x020100c6 in WTF::VectorTypeOperations<WebCore::FontFaceRange>::destruct (begin=0x17aa6700, end=0x17aa670c) at Vector.h:208
#18 0x0201014a in WTF::Vector<WebCore::FontFaceRange, 1ul>::shrink (this=0x17aa66f4, size=0) at Vector.h:634
#19 0x0201017c in WTF::Vector<WebCore::FontFaceRange, 1ul>::clear (this=0x17aa66f4) at Vector.h:458
#20 0x0201018f in WTF::Vector<WebCore::FontFaceRange, 1ul>::~Vector (this=0x17aa66f4) at Vector.h:411
#21 0x020101b1 in WTF::Vector<WebCore::FontFaceRange, 1ul>::~Vector (this=0x17aa66f4) at Vector.h:411
#22 0x0200eeb1 in WebCore::CSSSegmentedFontFace::~CSSSegmentedFontFace (this=0x17aa66d0) at WebCore/css/CSSSegmentedFontFace.cpp:45
#23 0x0200eedd in WebCore::CSSSegmentedFontFace::~CSSSegmentedFontFace (this=0x17aa66d0) at WebCore/css/CSSSegmentedFontFace.cpp:45
#24 0x01a436bf in WTF::RefCounted<WebCore::CSSSegmentedFontFace>::deref (this=0x17aa66d0) at RefCounted.h:52
#25 0x01a43777 in WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> >::deref (s=@0x38183f4) at HashTraits.h:158
#26 0x01a43b3b in WTF::RefCounterBase<true, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> >, WTF::HashTraits<int> >::deref (v=@0x38183f4) at HashTable.h:1145
#27 0x01a43b5d in WTF::RefCounter<WTF::PairBaseHashTraits<WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > >, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> > >::deref (v=@0x38183f0) at HashTable.h:1174
#28 0x01a43ba5 in WTF::HashTableRefCounterBase<true, WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WebCore::StringHash, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >, WTF::PairBaseHashTraits<WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > > >::derefAll (table=@0x195201d0) at HashTable.h:1209
#29 0x01a43bef in WTF::HashTableRefCounter<WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WebCore::StringHash, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >, WTF::PairBaseHashTraits<WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > > >::derefAll (table=@0x195201d0) at HashTable.h:1216
#30 0x01a43c03 in WTF::HashMap<WebCore::String, WTF::RefPtr<WebCore::CSSSegmentedFontFace>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > >::derefAll (this=0x195201d0) at HashMap.h:170
#31 0x01a43c17 in WTF::HashMap<WebCore::String, WTF::RefPtr<WebCore::CSSSegmentedFontFace>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > >::~HashMap (this=0x195201d0) at HashMap.h:202
#32 0x01a43c35 in WTF::HashMap<WebCore::String, WTF::RefPtr<WebCore::CSSSegmentedFontFace>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > >::~HashMap (this=0x195201d0) at HashMap.h:202
#33 0x01a42241 in WebCore::CSSFontSelector::~CSSFontSelector (this=0x195201c0) at WebCore/css/CSSFontSelector.cpp:67
#34 0x01a86139 in WTF::RefCounted<WebCore::FontSelector>::deref (this=0x195201c4) at RefCounted.h:52
#35 0x01b92c14 in WTF::RefPtr<WebCore::FontSelector>::~RefPtr (this=0x17aee7e4) at RefPtr.h:45
#36 0x01b92c27 in WTF::RefPtr<WebCore::FontSelector>::~RefPtr (this=0x17aee7e4) at RefPtr.h:45
#37 0x01b93d62 in WebCore::FontFallbackList::~FontFallbackList (this=0x17aee7c0) at FontFallbackList.h:42
#38 0x01b93d8f in WebCore::FontFallbackList::~FontFallbackList (this=0x17aee7c0) at FontFallbackList.h:42
#39 0x01b93e13 in WTF::RefCounted<WebCore::FontFallbackList>::deref (this=0x17aee7c0) at RefCounted.h:52
#40 0x01b93e87 in WTF::RefPtr<WebCore::FontFallbackList>::~RefPtr (this=0x1b2ef694) at RefPtr.h:45
#41 0x01b93e9b in WTF::RefPtr<WebCore::FontFallbackList>::~RefPtr (this=0x1b2ef694) at RefPtr.h:45
#42 0x01b91934 in WebCore::Font::~Font (this=0x1b2ef678) at WebCore/platform/graphics/Font.cpp:329
#43 0x01b91953 in WebCore::Font::~Font (this=0x1b2ef678) at WebCore/platform/graphics/Font.cpp:329
#44 0x01e391ec in WebCore::StyleInheritedData::~StyleInheritedData (this=0x1b2ef660) at WebCore/rendering/RenderStyle.cpp:836
#45 0x01e39219 in WebCore::StyleInheritedData::~StyleInheritedData (this=0x1b2ef660) at WebCore/rendering/RenderStyle.cpp:836
#46 0x01a14ca3 in WTF::RefCounted<WebCore::StyleInheritedData>::deref (this=0x1b2ef660) at RefCounted.h:52
#47 0x01e3ece8 in WebCore::DataRef<WebCore::StyleInheritedData>::~DataRef (this=0x17af5c18) at DataRef.h:48
#48 0x01e3ecfb in WebCore::DataRef<WebCore::StyleInheritedData>::~DataRef (this=0x17af5c18) at DataRef.h:48
#49 0x01e3a238 in WebCore::RenderStyle::~RenderStyle (this=0x17af5bf0) at WebCore/rendering/RenderStyle.cpp:1001
#50 0x01e3a29f in WebCore::RenderStyle::~RenderStyle (this=0x17af5bf0) at WebCore/rendering/RenderStyle.cpp:1001
#51 0x01a6ded7 in WebCore::CSSStyleSelector::~CSSStyleSelector (this=0x17a56a00) at WebCore/css/CSSStyleSelector.cpp:337
#52 0x01a6dfd5 in WebCore::CSSStyleSelector::~CSSStyleSelector (this=0x17a56a00) at WebCore/css/CSSStyleSelector.cpp:341
#53 0x01b44e06 in WebCore::Document::recalcStyleSelector (this=0x3d85200) at WebCore/dom/Document.cpp:2185
#54 0x01b450aa in WebCore::Document::updateStyleSelector (this=0x3d85200) at WebCore/dom/Document.cpp:2038
#55 0x01baacd7 in WebCore::Frame::reapplyStyles (this=0x3546820) at WebCore/page/Frame.cpp:797
#56 0x01f9dbca in -[WebCoreFrameBridge reapplyStylesForDeviceType:] (self=0x3543e70, _cmd=0x3b4948, deviceType=WebCoreDeviceScreen) at WebCore/page/mac/WebCoreFrameBridge.mm:397
#57 0x00322b5f in -[WebHTMLView reapplyStyles] (self=0x17aad3f0, _cmd=0x3b6928) at WebKit/mac/WebView/WebHTMLView.mm:2622
#58 0x00322b9b in -[WebHTMLView layoutToMinimumPageWidth:maximumPageWidth:adjustingViewSize:] (self=0x17aad3f0, _cmd=0x3b6938, minPageWidth=0, maxPageWidth=0, adjustViewSize=0 '\0') at WebKit/mac/WebView/WebHTMLView.mm:2636
#59 0x00322d6a in -[WebHTMLView layout] (self=0x17aad3f0, _cmd=0x900854f0) at WebKit/mac/WebView/WebHTMLView.mm:2665
#60 0x0030aa96 in WebFrameLoaderClient::forceLayout (this=0x35462c0) at WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm:169
#61 0x01bba5ae in WebCore::FrameLoader::opened (this=0x3855e00) at WebCore/loader/FrameLoader.cpp:3444
#62 0x01bbfee3 in WebCore::FrameLoader::commitProvisionalLoad (this=0x3855e00, prpCachedPage=@0xbfffe65c) at WebCore/loader/FrameLoader.cpp:2561
#63 0x01b54c70 in WebCore::DocumentLoader::loadFromCachedPage (this=0x3d81600, cachedPage=@0xbfffe69c) at WebCore/loader/DocumentLoader.cpp:558
#64 0x01bb1fbf in WebCore::FrameLoader::loadProvisionalItemFromCachedPage (this=0x3855e00) at WebCore/loader/FrameLoader.cpp:3774
#65 0x01bb77ff in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x3855e00, request=@0x3d818e4, formState=@0xbfffe748, shouldContinue=true) at WebCore/loader/FrameLoader.cpp:3616
#66 0x01bb78f6 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0x3855e00, request=@0x3d818e4, formState=@0xbfffe854, shouldContinue=true) at WebCore/loader/FrameLoader.cpp:3569
#67 0x01bb897a in WebCore::FrameLoader::checkNavigationPolicy (this=0x3855e00, request=@0x3d818e4, loader=0x3d81600, formState=@0xbfffe8a8, function=0x1bb78b0 <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x3855e00) at WebCore/loader/FrameLoader.cpp:3511
#68 0x01bb8d18 in WebCore::FrameLoader::load (this=0x3855e00, loader=0x3d81600, type=WebCore::FrameLoadTypeForward, formState=@0xbfffebb0) at WebCore/loader/FrameLoader.cpp:2135
#69 0x01bbd842 in WebCore::FrameLoader::loadItem (this=0x3855e00, item=0x1b2075e0, loadType=WebCore::FrameLoadTypeForward) at WebCore/loader/FrameLoader.cpp:4043
#70 0x01bbe0d0 in WebCore::FrameLoader::recursiveGoToItem (this=0x3855e00, item=0x1b2075e0, fromItem=0x1b1bde90, type=WebCore::FrameLoadTypeForward) at WebCore/loader/FrameLoader.cpp:4205
#71 0x01bbe1d9 in WebCore::FrameLoader::goToItem (this=0x3855e00, targetItem=0x1b2075e0, type=WebCore::FrameLoadTypeForward) at WebCore/loader/FrameLoader.cpp:4147
#72 0x01d9d22c in WebCore::Page::goToItem (this=0x3524d00, item=0x1b2075e0, type=WebCore::FrameLoadTypeForward) at WebCore/page/Page.cpp:159
#73 0x01d9d26d in WebCore::Page::goForward (this=0x3524d00) at WebCore/page/Page.cpp:149
#74 0x00371867 in -[WebView goForward] (self=0x352fc20, _cmd=0x9012f744) at WebKit/mac/WebView/WebView.mm:2199
#75 0x00373254 in -[WebView(WebIBActions) goForward:] (self=0x352fc20, _cmd=0x90116b40, sender=0x353c350) at WebKit/mac/WebView/WebView.mm:2701

In the debugger I saw that the SimpleFontData instance being destroyed contained invalid values, suggesting that it had already been deleted.
Attachments
Avoid calling platformDestroy() if platformInit() has not been called (4.14 KB, patch), 2008-01-22 00:08 PST, mitz; eric: review+
Oliver Hunt, Comment 1, 2008-01-21 23:12:31 PST
<rdar://problem/5699344>
mitz, Comment 2, 2008-01-21 23:21:20 PST
My diagnosis was wrong. The values that were invalid were simply never initialized due to the early return before platformInit() in SimpleFontData::SimpleFontData() in the SVG font case. It should probably be matched by not calling platformDestroy() under the same conditions.
Oliver Hunt, Comment 3, 2008-01-21 23:43:35 PST
Seems sane to at least zero those uninitialised values anyway -- thus preventing the insanity
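As an added illustration of the lifecycle discussed in Comments 2 and 3 (not the WebKit patch and not WebKit's code), a reduced model of SimpleFontData whose constructor returns early for SVG fonts before platformInit(). The platform API stand-in, the template flag and the tracking set are assumptions; the buggy variant fills the member with a fixed stand-in for stack garbage (the group pointer value from the backtrace) so the bad release is deterministic rather than undefined behaviour. The fixed variant applies both suggestions: zero the member and skip platformDestroy() when platformInit() never ran.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>

// Stand-in for the platform style-group API (WKReleaseStyleGroup/ATSU in the
// report). It tracks live handles so releasing a pointer it never handed out is
// counted instead of corrupting allocator state as in the reported crash.
static std::set<void*> g_liveGroups;
static int g_badReleases = 0;

static void* wkCreateStyleGroup() {
    void* g = new int(0);
    g_liveGroups.insert(g);
    return g;
}
static void wkReleaseStyleGroup(void* g) {
    if (g_liveGroups.erase(g) == 0) { ++g_badReleases; return; } // not ours: garbage pointer
    delete static_cast<int*>(g);
}

// Hypothetical reduced model; kFixed=false reproduces the pre-fix behaviour.
template <bool kFixed>
class SimpleFontData {
public:
    explicit SimpleFontData(bool isSVGFont) {
        if (kFixed) {                           // Comment 3: zero the members first
            m_styleGroup = nullptr;
            m_platformInitialized = false;
        } else {                                // pre-fix: member holds whatever was on the stack
            m_styleGroup = reinterpret_cast<void*>(static_cast<std::uintptr_t>(0x46453541u));
        }
        if (isSVGFont)
            return;                             // early return from the original constructor
        platformInit();
    }
    ~SimpleFontData() {
        if (!kFixed || m_platformInitialized)   // Comment 2: match the early return
            platformDestroy();
    }
private:
    void platformInit() { m_styleGroup = wkCreateStyleGroup(); m_platformInitialized = true; }
    void platformDestroy() { wkReleaseStyleGroup(m_styleGroup); m_styleGroup = nullptr; }
    void* m_styleGroup;
    bool m_platformInitialized;
};

// One construct/destroy cycle; returns how many bad releases it caused.
template <bool kFixed>
int badReleasesForLifetime(bool isSVGFont) {
    int before = g_badReleases;
    { SimpleFontData<kFixed> font(isSVGFont); }
    return g_badReleases - before;
}
std::size_t liveGroupCount() { return g_liveGroups.size(); }
```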
mitz, Comment 4, 2008-01-22 00:08:07 PST
Created attachment 18599 [details]: Avoid calling platformDestroy() if platformInit() has not been called
Eric Seidel (no email), Comment 5, 2008-01-22 01:17:49 PST
Comment on attachment 18599 [details] (Avoid calling platformDestroy() if platformInit() has not been called):
Looks fine. I'd prefer a message "PASSED if did not crash" or "SUCCESS" or something in addition to your "1" and the bug URL.
Nikolas Zimmermann, Comment 6, 2008-01-22 03:24:30 PST
Landed in r29717.