Bug 16967 - Reproducible crash when navigating back to a page using SVG fonts
Summary: Reproducible crash when navigating back to a page using SVG fonts
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: mitz
Keywords: InRadar, NeedsReduction
Reported: 2008-01-21 23:07 PST by mitz
Modified: 2008-01-22 03:24 PST
Attachments
Avoid calling platformDestroy() if platformInit() has not been called (4.14 KB, patch)
2008-01-22 00:08 PST, mitz
eric: review+

Description mitz 2008-01-21 23:07:19 PST
Steps to reproduce:
1) Open svg/text/text-text-06-t.svg
2) Go to about:blank
3) Choose History > Back

Backtrace:
#0  0x95b666de in LLCStyleInfoClear ()
#1  0x95c6fc98 in ATSUDisposeStyleGroup ()
#2  0x003882fe in WKReleaseStyleGroup (group=0x46453541)
#3  0x01b9a476 in WebCore::SimpleFontData::platformDestroy (this=0x3dcac00) at WebCore/platform/graphics/mac/SimpleFontDataMac.mm:213
#4  0x01b99982 in WebCore::SimpleFontData::~SimpleFontData (this=0x3dcac00) at WebCore/platform/graphics/SimpleFontData.cpp:116
#5  0x01a4027d in WTF::deleteAllPairSeconds<WebCore::SimpleFontData*, WTF::HashMap<int, WebCore::SimpleFontData*, WTF::IntHash<unsigned int>, WTF::HashTraits<int>, WTF::HashTraits<WebCore::SimpleFontData*> > const> (collection=@0x17a8a550) at HashMap.h:371
#6  0x01a402c7 in WTF::deleteAllValues<int, WebCore::SimpleFontData*, WTF::IntHash<unsigned int>, WTF::HashTraits<int>, WTF::HashTraits<WebCore::SimpleFontData*> > (collection=@0x17a8a550) at HashMap.h:377
#7  0x01a3f4b6 in WebCore::CSSFontFaceSource::pruneTable (this=0x17a8a540) at WebCore/css/CSSFontFaceSource.cpp:65
#8  0x01a3f97b in WebCore::CSSFontFaceSource::~CSSFontFaceSource (this=0x17a8a540) at WebCore/css/CSSFontFaceSource.cpp:58
#9  0x01a3eccd in WTF::deleteAllValues<WebCore::CSSFontFaceSource*, 0ul> (collection=@0x1b1427b0) at Vector.h:799
#10 0x01a3e979 in WebCore::CSSFontFace::~CSSFontFace (this=0x1b1427a0) at WebCore/css/CSSFontFace.cpp:38
#11 0x01a4278b in WTF::RefCounted<WebCore::CSSFontFace>::deref (this=0x1b1427a4) at RefCounted.h:52
#12 0x0200f5ae in WTF::RefPtr<WebCore::CSSFontFace>::~RefPtr (this=0x17aa6708) at RefPtr.h:45
#13 0x0200f5c1 in WTF::RefPtr<WebCore::CSSFontFace>::~RefPtr (this=0x17aa6708) at RefPtr.h:45
#14 0x0200f62e in WebCore::FontFaceRange::~FontFaceRange (this=0x17aa6700) at CSSSegmentedFontFace.h:43
#15 0x0200f641 in WebCore::FontFaceRange::~FontFaceRange (this=0x17aa6700) at CSSSegmentedFontFace.h:43
#16 0x0201009d in WTF::VectorDestructor<true, WebCore::FontFaceRange>::destruct (begin=0x17aa6700, end=0x17aa670c) at Vector.h:53
#17 0x020100c6 in WTF::VectorTypeOperations<WebCore::FontFaceRange>::destruct (begin=0x17aa6700, end=0x17aa670c) at Vector.h:208
#18 0x0201014a in WTF::Vector<WebCore::FontFaceRange, 1ul>::shrink (this=0x17aa66f4, size=0) at Vector.h:634
#19 0x0201017c in WTF::Vector<WebCore::FontFaceRange, 1ul>::clear (this=0x17aa66f4) at Vector.h:458
#20 0x0201018f in WTF::Vector<WebCore::FontFaceRange, 1ul>::~Vector (this=0x17aa66f4) at Vector.h:411
#21 0x020101b1 in WTF::Vector<WebCore::FontFaceRange, 1ul>::~Vector (this=0x17aa66f4) at Vector.h:411
#22 0x0200eeb1 in WebCore::CSSSegmentedFontFace::~CSSSegmentedFontFace (this=0x17aa66d0) at WebCore/css/CSSSegmentedFontFace.cpp:45
#23 0x0200eedd in WebCore::CSSSegmentedFontFace::~CSSSegmentedFontFace (this=0x17aa66d0) at WebCore/css/CSSSegmentedFontFace.cpp:45
#24 0x01a436bf in WTF::RefCounted<WebCore::CSSSegmentedFontFace>::deref (this=0x17aa66d0) at RefCounted.h:52
#25 0x01a43777 in WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> >::deref (s=@0x38183f4) at HashTraits.h:158
#26 0x01a43b3b in WTF::RefCounterBase<true, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> >, WTF::HashTraits<int> >::deref (v=@0x38183f4) at HashTable.h:1145
#27 0x01a43b5d in WTF::RefCounter<WTF::PairBaseHashTraits<WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > >, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> > >::deref (v=@0x38183f0) at HashTable.h:1174
#28 0x01a43ba5 in WTF::HashTableRefCounterBase<true, WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WebCore::StringHash, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >, WTF::PairBaseHashTraits<WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > > >::derefAll (table=@0x195201d0) at HashTable.h:1209
#29 0x01a43bef in WTF::HashTableRefCounter<WTF::HashTable<WebCore::StringImpl*, std::pair<WebCore::StringImpl*, int>, WTF::PairFirstExtractor<std::pair<WebCore::StringImpl*, int> >, WebCore::StringHash, WTF::PairHashTraits<WTF::HashTraits<WebCore::StringImpl*>, WTF::HashTraits<int> >, WTF::HashTraits<WebCore::StringImpl*> >, WTF::PairBaseHashTraits<WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > > >::derefAll (table=@0x195201d0) at HashTable.h:1216
#30 0x01a43c03 in WTF::HashMap<WebCore::String, WTF::RefPtr<WebCore::CSSSegmentedFontFace>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > >::derefAll (this=0x195201d0) at HashMap.h:170
#31 0x01a43c17 in WTF::HashMap<WebCore::String, WTF::RefPtr<WebCore::CSSSegmentedFontFace>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > >::~HashMap (this=0x195201d0) at HashMap.h:202
#32 0x01a43c35 in WTF::HashMap<WebCore::String, WTF::RefPtr<WebCore::CSSSegmentedFontFace>, WebCore::StringHash, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::RefPtr<WebCore::CSSSegmentedFontFace> > >::~HashMap (this=0x195201d0) at HashMap.h:202
#33 0x01a42241 in WebCore::CSSFontSelector::~CSSFontSelector (this=0x195201c0) at WebCore/css/CSSFontSelector.cpp:67
#34 0x01a86139 in WTF::RefCounted<WebCore::FontSelector>::deref (this=0x195201c4) at RefCounted.h:52
#35 0x01b92c14 in WTF::RefPtr<WebCore::FontSelector>::~RefPtr (this=0x17aee7e4) at RefPtr.h:45
#36 0x01b92c27 in WTF::RefPtr<WebCore::FontSelector>::~RefPtr (this=0x17aee7e4) at RefPtr.h:45
#37 0x01b93d62 in WebCore::FontFallbackList::~FontFallbackList (this=0x17aee7c0) at FontFallbackList.h:42
#38 0x01b93d8f in WebCore::FontFallbackList::~FontFallbackList (this=0x17aee7c0) at FontFallbackList.h:42
#39 0x01b93e13 in WTF::RefCounted<WebCore::FontFallbackList>::deref (this=0x17aee7c0) at RefCounted.h:52
#40 0x01b93e87 in WTF::RefPtr<WebCore::FontFallbackList>::~RefPtr (this=0x1b2ef694) at RefPtr.h:45
#41 0x01b93e9b in WTF::RefPtr<WebCore::FontFallbackList>::~RefPtr (this=0x1b2ef694) at RefPtr.h:45
#42 0x01b91934 in WebCore::Font::~Font (this=0x1b2ef678) at WebCore/platform/graphics/Font.cpp:329
#43 0x01b91953 in WebCore::Font::~Font (this=0x1b2ef678) at WebCore/platform/graphics/Font.cpp:329
#44 0x01e391ec in WebCore::StyleInheritedData::~StyleInheritedData (this=0x1b2ef660) at WebCore/rendering/RenderStyle.cpp:836
#45 0x01e39219 in WebCore::StyleInheritedData::~StyleInheritedData (this=0x1b2ef660) at WebCore/rendering/RenderStyle.cpp:836
#46 0x01a14ca3 in WTF::RefCounted<WebCore::StyleInheritedData>::deref (this=0x1b2ef660) at RefCounted.h:52
#47 0x01e3ece8 in WebCore::DataRef<WebCore::StyleInheritedData>::~DataRef (this=0x17af5c18) at DataRef.h:48
#48 0x01e3ecfb in WebCore::DataRef<WebCore::StyleInheritedData>::~DataRef (this=0x17af5c18) at DataRef.h:48
#49 0x01e3a238 in WebCore::RenderStyle::~RenderStyle (this=0x17af5bf0) at WebCore/rendering/RenderStyle.cpp:1001
#50 0x01e3a29f in WebCore::RenderStyle::~RenderStyle (this=0x17af5bf0) at WebCore/rendering/RenderStyle.cpp:1001
#51 0x01a6ded7 in WebCore::CSSStyleSelector::~CSSStyleSelector (this=0x17a56a00) at WebCore/css/CSSStyleSelector.cpp:337
#52 0x01a6dfd5 in WebCore::CSSStyleSelector::~CSSStyleSelector (this=0x17a56a00) at WebCore/css/CSSStyleSelector.cpp:341
#53 0x01b44e06 in WebCore::Document::recalcStyleSelector (this=0x3d85200) at WebCore/dom/Document.cpp:2185
#54 0x01b450aa in WebCore::Document::updateStyleSelector (this=0x3d85200) at WebCore/dom/Document.cpp:2038
#55 0x01baacd7 in WebCore::Frame::reapplyStyles (this=0x3546820) at WebCore/page/Frame.cpp:797
#56 0x01f9dbca in -[WebCoreFrameBridge reapplyStylesForDeviceType:] (self=0x3543e70, _cmd=0x3b4948, deviceType=WebCoreDeviceScreen) at WebCore/page/mac/WebCoreFrameBridge.mm:397
#57 0x00322b5f in -[WebHTMLView reapplyStyles] (self=0x17aad3f0, _cmd=0x3b6928) at WebKit/mac/WebView/WebHTMLView.mm:2622
#58 0x00322b9b in -[WebHTMLView layoutToMinimumPageWidth:maximumPageWidth:adjustingViewSize:] (self=0x17aad3f0, _cmd=0x3b6938, minPageWidth=0, maxPageWidth=0, adjustViewSize=0 '\0') at WebKit/mac/WebView/WebHTMLView.mm:2636
#59 0x00322d6a in -[WebHTMLView layout] (self=0x17aad3f0, _cmd=0x900854f0) at WebKit/mac/WebView/WebHTMLView.mm:2665
#60 0x0030aa96 in WebFrameLoaderClient::forceLayout (this=0x35462c0) at WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm:169
#61 0x01bba5ae in WebCore::FrameLoader::opened (this=0x3855e00) at WebCore/loader/FrameLoader.cpp:3444
#62 0x01bbfee3 in WebCore::FrameLoader::commitProvisionalLoad (this=0x3855e00, prpCachedPage=@0xbfffe65c) at WebCore/loader/FrameLoader.cpp:2561
#63 0x01b54c70 in WebCore::DocumentLoader::loadFromCachedPage (this=0x3d81600, cachedPage=@0xbfffe69c) at WebCore/loader/DocumentLoader.cpp:558
#64 0x01bb1fbf in WebCore::FrameLoader::loadProvisionalItemFromCachedPage (this=0x3855e00) at WebCore/loader/FrameLoader.cpp:3774
#65 0x01bb77ff in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x3855e00, request=@0x3d818e4, formState=@0xbfffe748, shouldContinue=true) at WebCore/loader/FrameLoader.cpp:3616
#66 0x01bb78f6 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0x3855e00, request=@0x3d818e4, formState=@0xbfffe854, shouldContinue=true) at WebCore/loader/FrameLoader.cpp:3569
#67 0x01bb897a in WebCore::FrameLoader::checkNavigationPolicy (this=0x3855e00, request=@0x3d818e4, loader=0x3d81600, formState=@0xbfffe8a8, function=0x1bb78b0 <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x3855e00) at WebCore/loader/FrameLoader.cpp:3511
#68 0x01bb8d18 in WebCore::FrameLoader::load (this=0x3855e00, loader=0x3d81600, type=WebCore::FrameLoadTypeForward, formState=@0xbfffebb0) at WebCore/loader/FrameLoader.cpp:2135
#69 0x01bbd842 in WebCore::FrameLoader::loadItem (this=0x3855e00, item=0x1b2075e0, loadType=WebCore::FrameLoadTypeForward) at WebCore/loader/FrameLoader.cpp:4043
#70 0x01bbe0d0 in WebCore::FrameLoader::recursiveGoToItem (this=0x3855e00, item=0x1b2075e0, fromItem=0x1b1bde90, type=WebCore::FrameLoadTypeForward) at WebCore/loader/FrameLoader.cpp:4205
#71 0x01bbe1d9 in WebCore::FrameLoader::goToItem (this=0x3855e00, targetItem=0x1b2075e0, type=WebCore::FrameLoadTypeForward) at WebCore/loader/FrameLoader.cpp:4147
#72 0x01d9d22c in WebCore::Page::goToItem (this=0x3524d00, item=0x1b2075e0, type=WebCore::FrameLoadTypeForward) at WebCore/page/Page.cpp:159
#73 0x01d9d26d in WebCore::Page::goForward (this=0x3524d00) at WebCore/page/Page.cpp:149
#74 0x00371867 in -[WebView goForward] (self=0x352fc20, _cmd=0x9012f744) at WebKit/mac/WebView/WebView.mm:2199
#75 0x00373254 in -[WebView(WebIBActions) goForward:] (self=0x352fc20, _cmd=0x90116b40, sender=0x353c350) at WebKit/mac/WebView/WebView.mm:2701

In the debugger I saw that the SimpleFontData instance being destroyed contained invalid values, suggesting that it had already been deleted.
Comment 1 Oliver Hunt 2008-01-21 23:12:31 PST
<rdar://problem/5699344>
Comment 2 mitz 2008-01-21 23:21:20 PST
My diagnosis was wrong. The values that were invalid were simply never initialized due to the early return before platformInit() in SimpleFontData::SimpleFontData() in the SVG font case. It should probably be matched by not calling platformDestroy() under the same conditions.
Comment 3 Oliver Hunt 2008-01-21 23:43:35 PST
Seems sane to at least zero those uninitialised values anyway -- thus preventing the insanity
Comment 4 mitz 2008-01-22 00:08:07 PST
Created attachment 18599
Avoid calling platformDestroy() if platformInit() has not been called
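The constructor/destructor asymmetry comment 2 describes and the guard the attachment title names, as an added illustration that is not WebKit's code: FontData, the fakeplatform namespace and the guardDestroy switch are hypothetical stand-ins, and a counter replaces the crash inside the platform font layer.

```cpp
#include <cstdint>
#include <set>

// Stand-in for the platform font layer (ATSU in the backtrace): tracks live style groups.
namespace fakeplatform {
static std::set<uintptr_t> liveGroups;
static int badReleases = 0;        // releases of a never-created handle; the real layer crashes here
static uintptr_t nextHandle = 0x1000;
inline uintptr_t createStyleGroup() { liveGroups.insert(nextHandle); return nextHandle++; }
inline void releaseStyleGroup(uintptr_t h) { if (liveGroups.erase(h) == 0) ++badReleases; }
}

// Constructed stand-in for whatever an uninitialised member happens to contain; the backtrace
// shows WKReleaseStyleGroup receiving group=0x46453541, so that value is reused here.
constexpr uintptr_t kGarbage = 0x46453541;

// Hypothetical class with the constructor/destructor shape comment 2 describes.
class FontData {
public:
    FontData(bool isSVGFont, bool guardDestroy)
        : m_styleGroup(kGarbage), m_platformInitialized(false), m_guardDestroy(guardDestroy)
    {
        if (isSVGFont)
            return;               // SVG fonts have no platform font: platformInit() is skipped
        platformInit();
    }
    ~FontData()
    {
        // Unguarded: platformDestroy() runs even when platformInit() never did (the bug).
        // Guarded: release only what was actually created (what the attachment title asks for).
        if (!m_guardDestroy || m_platformInitialized)
            platformDestroy();
    }
private:
    void platformInit() { m_styleGroup = fakeplatform::createStyleGroup(); m_platformInitialized = true; }
    void platformDestroy() { fakeplatform::releaseStyleGroup(m_styleGroup); }
    uintptr_t m_styleGroup;
    bool m_platformInitialized;
    bool m_guardDestroy;
};

// Construct and destroy one FontData; return how many bad releases that produced.
int badReleasesFor(bool isSVGFont, bool guardDestroy)
{
    int before = fakeplatform::badReleases;
    { FontData f(isSVGFont, guardDestroy); }
    return fakeplatform::badReleases - before;
}
```

Only the SVG-font case without the guard releases a handle that was never created; platform fonts pair init and destroy either way.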
Comment 5 Eric Seidel 2008-01-22 01:17:49 PST
Comment on attachment 18599
Avoid calling platformDestroy() if platformInit() has not been called

Looks fine.  I'd prefer a message "PASSED if did not crash" or "SUCCESS" or something in addition to your "1" and the bug URL.
Comment 6 Nikolas Zimmermann 2008-01-22 03:24:30 PST
Landed in r29717.