actually it's test 64 and 79 that can cause WebKitGtk to crash with segmentation fault

code that caused the segmentation fault in test 64: // non-existent attributes var test = document.createElement('p'); test.setAttribute('TWVvdywgbWV3Li4u', 'woof'); code that caused the segmentation fault in test 79: doc.documentElement.appendChild(e('font', { 'horiz-adv-x': '10000'}, [e('font-face', { 'font-family': 'HCl', 'units-per-em': '100', 'ascent': '1000', 'descent': '500'}), e('missing-glyph', null, [e('path', { 'd': 'M100,0 h800 v-100 h-800 z'})]), e('glyph', { 'unicode': 'A', 'd': 'M100,0 h100 v-100 h-100 z'}), e('glyph', { 'unicode': 'BC', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '200'}), e('glyph', { 'unicode': 'B', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '300'}), e('glyph', { 'unicode': 'C', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '500'}), e('glyph', { 'unicode': 'BD', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '700'}), e('glyph', { 'unicode': 'D', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '1100'}), e('glyph', { 'unicode': 'EE', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '1300', 'glyph-name': 'grapefruit'}), e('glyph', { 'unicode': 'U+0046', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '1700'}), e('glyph', { 'unicode': 'F', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '1900'}), e('glyph', { 'unicode': 'G', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '2300', 'glyph-name': 'gee'}), e('glyph', { 'unicode': '\uD800\uDC85', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '2900', 'id': 'astral'}), e('glyph', { 'unicode': 'H', 'horiz-adv-x': '3100'}, [e('path', { 'd': 'M100,0 h100 v-100 h-100 z'})]), e('glyph', { 'unicode': 'I', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '4100', 'lang': 'zh'}), e('glyph', { 'unicode': 'I', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '4300'}), e('glyph', { 'unicode': 'J', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '4700'}), e('glyph', { 'unicode': 'K', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '5300', 'orientation': 'v'}), e('glyph', { 'unicode': 'K', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '5900'}), e('glyph', { 'unicode': ' ', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '6100', 'glyph-name': 'L'}), e('glyph', { 'unicode': 'L', 'd': 'M100,0 h100 v-100 h-100 z', 'horiz-adv-x': '6700', 'glyph-name': 'space'}), e('hkern', { 'u1': 'A', 'u2': 'EE', 'k': '1000'}), e('hkern', { 'u1': 'A', 'g2': 'grapefruit', 'k': '-200'}), e('hkern', { 'u1': 'U+0046', 'u2': 'U+0046', 'k': '-200'}), e('hkern', { 'u1': 'U+0047-0047', 'g2': 'gee', 'k': '-200'}), e('hkern', { 'u1': 'J', 'u2': 'A', 'k': '4700'})])); doc.documentElement.appendChild(e('text', { 'y': '100', 'font-family': 'HCl', 'font-size': '100px', 'letter-spacing': '0px', 'word-spacing': '0px'}, ['ABCBDAEEU+0046U+0046GGHI', e('tspan', { 'xml:lang': 'zh'}, ['I']), 'JAK L', e('altGlyph', { 'xlink:href': '#astral'}, ['A']), '\uD800\uDC85A']));

Created attachment 20523 [details] modified acid3 test Acid3 test with the parts that cause the segmentation faults commented out, still WebKitGtk and WebKitQt can't reach 100/100 though.

Which revision of WebKit? What CPU architecture? What compiler version?

> Which revision of WebKit? What CPU architecture? What compiler version? all the latest revisions, from as far back as 314xx (can't remember exactly) to (currently tested) 31860. I do recall 312xx from the end of March didn't have this problem. x86 CPU, gcc 4.3.0

I've tried the latest 31896 revision, and it's still the same segmentation fault probelms. Interestingly, WebKitQt only crashes at test 64, while unaffected by test 79, but only scores 88/100 at the modified Acid3. WebKitGtk crashes at both test 64 and test 79, but scores 90/100 at the modified Acid3.

Created attachment 20550 [details] part of test 64 that makes WebKitGtk and WebKitQt crash

Created attachment 20551 [details] part of test 79 that makes WebKitGtk crash

Created attachment 20552 [details] the svg.xml that's needed for test 79

My backtrace for segfault at 64% on acid3... (without fast-malloc, it still bombs after adopt() at the same place) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb567a8e0 (LWP 25866)] 0xb7eb4e4f in WTF::fastMalloc () from /usr/lib/libwebkit-1.0.so.1 (gdb) backtrace #0 0xb7eb4e4f in WTF::fastMalloc () from /usr/lib/libwebkit-1.0.so.1 #1 0xb7bd90d6 in WebCore::StringImpl::adopt () from /usr/lib/libwebkit-1.0.so.1 #2 0xb7bd97ab in WebCore::StringImpl::lower () from /usr/lib/libwebkit-1.0.so.1 #3 0xb7bd3d33 in WebCore::String::lower () from /usr/lib/libwebkit-1.0.so.1 #4 0xb7a3b945 in WebCore::Element::removeAttribute () from /usr/lib/libwebkit-1.0.so.1 #5 0xb7df4929 in WebCore::jsElementPrototypeFunctionRemoveAttribute () from /usr/lib/libwebkit-1.0.so.1 #6 0xb7ea779e in KJS::PrototypeFunction::callAsFunction () from /usr/lib/libwebkit-1.0.so.1 #7 0xb7ed42c2 in KJS::JSObject::call () from /usr/lib/libwebkit-1.0.so.1 #8 0xb7eedbd0 in KJS::FunctionCallDotNode::evaluate () from /usr/lib/libwebkit-1.0.so.1 #9 0xb7ee497b in KJS::ExprStatementNode::execute () from /usr/lib/libwebkit-1.0.so.1 #10 0xb7ea9115 in KJS::BlockNode::execute () from /usr/lib/libwebkit-1.0.so.1 #11 0xb7ef868c in KJS::FunctionImp::callAsFunction () from /usr/lib/libwebkit-1.0.so.1 #12 0xb7ed42c2 in KJS::JSObject::call () from /usr/lib/libwebkit-1.0.so.1 #13 0xb79b787e in WebCore::ScheduledAction::execute () from /usr/lib/libwebkit-1.0.so.1 #14 0xb799bd29 in WebCore::JSDOMWindowBase::timerFired () from /usr/lib/libwebkit-1.0.so.1 #15 0xb799bf14 in WebCore::DOMWindowTimer::fired () from /usr/lib/libwebkit-1.0.so.1 #16 0xb7bdea7c in WebCore::TimerBase::fireTimers () from /usr/lib/libwebkit-1.0.so.1 #17 0xb7bdeb38 in WebCore::TimerBase::sharedTimerFired () from /usr/lib/libwebkit-1.0.so.1 #18 0xb797f285 in WebCore::timeout_cb () from /usr/lib/libwebkit-1.0.so.1 #19 0xb6db06b6 in g_timeout_dispatch () from /usr/lib/libglib-2.0.so.0 #20 0xb6daff88 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 #21 0xb6db34eb in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0 #22 0xb6db39ba in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 #23 0xb718cb19 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0 #24 0x0807bdb8 in main ()

using: WebKit-r34153.tar.bz2 ''' ./autogen.sh --prefix=/usr --enable-svg-experimental --with-http-backend=soup --with-font-backend=pango --with-target=x11 --enable-svg-animation --enable-fast-malloc --enable-video --enable-debug ''' I have "segmentation fault" msg too when i run acid3 test around 60.

Created attachment 21431 [details] log of debug message Linux negresco 2.6.25-ARCH #1 SMP PREEMPT Fri May 16 14:52:43 CEST 2008 i686 AMD Sempron(tm) Processor 2500+ AuthenticAMD GNU/Linux. gcc 4.3.0-1 In my last test i run nightly build WebKit-r34153.tar.bz2 With some build options (every crash on test): ---------------------------------------------------------- ./autogen.sh --prefix=/usr \ --enable-offline-web-applications=no \ --enable-dom-storage=no \ --enable-database=no \ --enable-icon-database=no \ --enable-video=no \ --enable-xpath=no \ --enable-xslt=no \ --enable-svg=no \ --enable-fast-malloc=no \ --enable-dashboard-support=no \ --with-gnu-ld=yes --enable-debug ---------------------------------------------------------- ./autogen.sh --prefix=/usr \ --disable-debug \ --enable-dashboard-support \ --enable-offline-web-applications \ --enable-dom-storage \ --enable-database \ --enable-icon-database \ --enable-video \ --enable-xpath \ --enable-xslt \ --enable-svg \ --enable-svg-animation \ --enable-svg-filters \ --enable-svg-fonts \ --enable-svg-foreign-object \ --enable-svg-as-image \ --enable-svg-use-element \ --disable-coverage \ --enable-fast-malloc \ --with-target=x11 \ --without-hildon \ --with-http-backend=curl \ --with-font-backend=pango -------------------------------------------------------------- ./autogen.sh --prefix=/usr \ --enable-debug \ --disable-dashboard-support \ --disable-offline-web-applications \ --disable-dom-storage \ --disable-database \ --disable-icon-database \ --disable-video \ --enable-xpath \ --enable-xslt \ --enable-svg \ --disable-svg-animation \ --disable-svg-filters \ --disable-svg-fonts \ --disable-svg-foreign-object \ --disable-svg-as-image \ --disable-svg-use-element \ --disable-coverage \ --enable-fast-malloc \ --with-target=x11 \ --without-hildon \ --with-http-backend=curl \ --with-font-backend=pango

webkit passing acid3 now. I think bug is already fixed.

(In reply to comment #13) > webkit passing acid3 now. I think bug is already fixed. > Yes, I believe too. Now I see 100/100 without crash!

It works for me too and I haven't heard of crashes for a long time now. Please reopen the bug if someone still see a crash.

*** Bug 18696 has been marked as a duplicate of this bug. ***