141432 2015-02-10 07:50:30 -0800 [Gtk][EFL][Fontconfig] Segmentation fault in WebCore::FontCache::lastResortFallbackFont 2016-08-04 17:22:20 -0700 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 116980 1 rhodovan.u-szeged mcatanzaro bfulgham bugs-noreply commit-queue darin ethansherriff hyungwook.lee kling koivisto mcatanzaro mmaxfield oldest_to_newest 1068058 0 246324 rhodovan.u-szeged 2015-02-10 07:50:30 -0800 Created attachment 246324 Test case Load this test with debug/release WK: <!DOCTYPE html> <style> * { word-spacing: -2664ex; font-family: "Arial", "Monospace" !important; font: 4096em monospace; } </style> In release, it results in a segfault: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff92ffd700 (LWP 32215)] 0x00007ffff6e0776f in WebCore::FontCache::lastResortFallbackFont(WebCore::FontDescription const&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 (gdb) bt #0 0x00007ffff6e0776f in WebCore::FontCache::lastResortFallbackFont(WebCore::FontDescription const&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #1 0x00007ffff6955064 in WebCore::FontGlyphs::realizeFallbackRangesAt(WebCore::FontDescription const&, unsigned int) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #2 0x00007ffff6bfbe56 in WebCore::RenderStyle::fontMetrics() const () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #3 0x00007ffff63fcbf1 in WebCore::CSSPrimitiveValue::computeLengthDouble(WebCore::CSSToLengthConversionData const&) const () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #4 0x00007ffff63fcd8f in WebCore::Length WebCore::CSSPrimitiveValue::computeLength<WebCore::Length>(WebCore::CSSToLengthConversionData const&) const () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #5 0x00007ffff6e87b51 in WebCore::StyleBuilderFunctions::applyValueWordSpacing(WebCore::StyleResolver&, WebCore::CSSValue&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #6 0x00007ffff6e6cc44 in WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #7 0x00007ffff645271f in WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #8 0x00007ffff6452832 in WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #9 0x00007ffff6458dc1 in WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #10 0x00007ffff645a1ed in WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #11 0x00007ffff6c57569 in WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #12 0x00007ffff6c57fa3 in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #13 0x00007ffff6c58bf9 in WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #14 0x00007ffff6c590c3 in WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #15 0x00007ffff64a17a7 in WebCore::Document::recalcStyle(WebCore::Style::Change) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #16 0x00007ffff64a1d85 in WebCore::Document::updateLayout() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #17 0x00007ffff64a2782 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #18 0x00007ffff62bda36 in WebCore::AccessibilityObject::updateBackingStore() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #19 0x00007ffff6dee24c in webkitAccessibleGetParent(_AtkObject*) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #20 0x00007ffff375de68 in atk_object_real_get_property (object=0x6971d0, prop_id=3, value=0x7fffffffc8b0, pspec=0x469680) at atkobject.c:1365 #21 0x00007ffff2a1440c in object_get_property (value=0x7fffffffc8b0, pspec=0x469680, object=0x6971d0) at gobject.c:1370 #22 g_object_get_property (object=object@entry=0x6971d0, property_name=<optimized out>, value=value@entry=0x7fffffffc8b0) at gobject.c:2438 #23 0x00007ffff375cedd in atk_object_notify (obj=0x6971d0, pspec=0x469680) at atkobject.c:1531 #24 0x00007ffff2a0bea8 in g_closure_invoke (closure=0x412300, return_value=0x0, n_param_values=2, param_values=0x7fffffffca90, invocation_hint=0x7fffffffca30) at gclosure.c:768 #25 0x00007ffff2a1d377 in signal_emit_unlocked_R (node=node@entry=0x412390, detail=detail@entry=413, instance=instance@entry=0x6971d0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffca90) at gsignal.c:3483 #26 0x00007ffff2a25b78 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffcc28) at gsignal.c:3309 #27 0x00007ffff2a25e32 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3365 #28 0x00007ffff2a102b5 in g_object_dispatch_properties_changed (object=0x6971d0, n_pspecs=4148481896, pspecs=0x0) at gobject.c:1056 #29 0x00007ffff2a12873 in g_object_notify_by_spec_internal (pspec=<optimized out>, object=0x6971d0) at gobject.c:1150 #30 g_object_notify (object=0x6971d0, property_name=<optimized out>) at gobject.c:1197 #31 0x00007ffff67ab71f in WebCore::FrameLoader::dispatchDidClearWindowObjectInWorld(WebCore::DOMWrapperWorld&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #32 0x00007ffff635bc2a in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #33 0x00007ffff635c16b in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #34 0x00007ffff635c223 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #35 0x00007ffff65081b2 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #36 0x00007ffff65084bf in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #37 0x00007ffff66ee54b in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #38 0x00007ffff66eee4f in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #39 0x00007ffff66d4d70 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #40 0x00007ffff66d4e12 in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #41 0x00007ffff66d7c7e in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #42 0x00007ffff66d9322 in WebCore::HTMLDocumentParser::append(WTF::PassRefPtr<WTF::StringImpl>) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #43 0x00007ffff6497caa in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #44 0x00007ffff67a070e in WebCore::DocumentWriter::end() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #45 0x00007ffff67962bf in WebCore::DocumentLoader::finishedLoading(double) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #46 0x00007ffff68150a9 in WebCore::CachedResource::checkNotify() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #47 0x00007ffff6810521 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #48 0x00007ffff67dd53e in WebCore::SubresourceLoader::didFinishLoading(double) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #49 0x00007ffff6e49068 in WebCore::readCallback(_GObject*, _GAsyncResult*, void*) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #50 0x00007ffff34307e6 in async_ready_callback_wrapper (source_object=0x7fff74004ee0, res=0x713ae0, user_data=user_data@entry=0x7ffff7e76ba0) at ginputstream.c:523 #51 0x00007ffff34560e5 in g_task_return_now (task=0x713ae0) at gtask.c:1077 #52 0x00007ffff3456109 in complete_in_idle_cb (task=0x713ae0) at gtask.c:1086 #53 0x00007ffff270ea1d in g_main_dispatch (context=0x478b50) at gmain.c:3064 #54 g_main_context_dispatch (context=context@entry=0x478b50) at gmain.c:3663 #55 0x00007ffff270ed88 in g_main_context_iterate (context=0x478b50, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734 #56 0x00007ffff270f04a in g_main_loop_run (loop=0x901d40) at gmain.c:3928 #57 0x00007ffff61e6442 in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37 #58 0x00007ffff4d4bec5 in __libc_start_main (main=0x4007b0 <main>, argc=2, argv=0x7fffffffd938, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd928) at libc-start.c:287 #59 0x0000000000400805 in _start () In debug, the issue is caught by an assertion check: ASSERTION FAILED: m_ptr ../../Source/WTF/wtf/RefPtr.h(69) : T& WTF::RefPtr<T>::operator*() const [with T = WebCore::Font] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff8affd700 (LWP 32620)] 0x00007fffed73b5ef in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 321 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007fffed73b5ef in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007ffff36612a4 in WTF::RefPtr<WebCore::Font>::operator* (this=0x7fffffff53e0) at ../../Source/WTF/wtf/RefPtr.h:69 #2 0x00007ffff3d44b69 in WebCore::FontCache::lastResortFallbackFont (this=0x7ffff7dce500 <WebCore::fontCache()::globalFontCache>, fontDescription=...) at ../../Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp:107 #3 0x00007ffff36829e9 in WebCore::FontGlyphs::realizeFallbackRangesAt (this=0x7ffff7f35480, description=..., index=0) at ../../Source/WebCore/platform/graphics/FontGlyphs.cpp:118 #4 0x00007ffff31eab3a in WebCore::FontGlyphs::primaryFont (this=0x7ffff7f35480, description=...) at ../../Source/WebCore/platform/graphics/FontGlyphs.h:112 #5 0x00007ffff31eac22 in WebCore::FontCascade::primaryFont (this=0x7ffff7ecbaf8) at ../../Source/WebCore/platform/graphics/FontCascade.h:357 #6 0x00007ffff31eabb4 in WebCore::FontCascade::fontMetrics (this=0x7ffff7ecbaf8) at ../../Source/WebCore/platform/graphics/FontCascade.h:174 #7 0x00007ffff3a356fe in WebCore::RenderStyle::fontMetrics (this=0x7ffff7f1f8a0) at ../../Source/WebCore/rendering/style/RenderStyle.cpp:1344 #8 0x00007ffff2db4051 in WebCore::CSSPrimitiveValue::computeLengthDouble (this=0x7ffff7e79660, conversionData=...) at ../../Source/WebCore/css/CSSPrimitiveValue.cpp:618 #9 0x00007ffff2db3d9b in WebCore::CSSPrimitiveValue::computeLength<WebCore::Length> (this=0x7ffff7e79660, conversionData=...) at ../../Source/WebCore/css/CSSPrimitiveValue.cpp:577 #10 0x00007ffff3dfe411 in WebCore::StyleBuilderConverter::convertWordSpacing (styleResolver=..., value=...) at ../../Source/WebCore/css/StyleBuilderConverter.h:974 #11 0x00007ffff3e14776 in WebCore::StyleBuilderFunctions::applyValueWordSpacing (styleResolver=..., value=...) at DerivedSources/WebCore/StyleBuilder.cpp:2689 #12 0x00007ffff3ded63d in WebCore::StyleBuilder::applyProperty (property=WebCore::CSSPropertyWordSpacing, styleResolver=..., value=..., isInitial=false, isInherit=false) at DerivedSources/WebCore/StyleBuilder.cpp:7046 #13 0x00007ffff2e2e0eb in WebCore::StyleResolver::applyProperty (this=0x7ffff7f1b800, id=WebCore::CSSPropertyWordSpacing, value=0x7ffff7e79660) at ../../Source/WebCore/css/StyleResolver.cpp:1949 #14 0x00007ffff2e31575 in WebCore::StyleResolver::CascadedProperties::Property::apply (this=0x7fffffffaab0, resolver=...) at ../../Source/WebCore/css/StyleResolver.cpp:2672 #15 0x00007ffff2e316ea in WebCore::StyleResolver::applyCascadedProperties (this=0x7ffff7f1b800, cascade=..., firstProperty=18, lastProperty=429) at ../../Source/WebCore/css/StyleResolver.cpp:2702 #16 0x00007ffff2e2db4c in WebCore::StyleResolver::applyMatchedProperties (this=0x7ffff7f1b800, matchResult=..., element=0x7ffff7f23bc8, shouldUseMatchedPropertiesCache=WebCore::StyleResolver::UseMatchedPropertiesCache) at ../../Source/WebCore/css/StyleResolver.cpp:1786 #17 0x00007ffff2e28e48 in WebCore::StyleResolver::styleForElement (this=0x7ffff7f1b800, element=0x7ffff7f23bc8, defaultParent=0x7ffff7f1fc00, sharingBehavior=WebCore::AllowStyleSharing, matchingBehavior=WebCore::MatchAllRules, regionForStyling=0x0) at ../../Source/WebCore/css/StyleResolver.cpp:798 #18 0x00007ffff3ac0fb0 in WebCore::Style::styleForElement (element=..., inheritedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:262 #19 0x00007ffff3ac1157 in WebCore::Style::createRendererIfNeeded (element=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:288 #20 0x00007ffff3ac2713 in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:615 #21 0x00007ffff3ac3006 in WebCore::Style::resolveLocal (current=..., inheritedStyle=..., renderTreePosition=..., inheritedChange=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:756 #22 0x00007ffff3ac379d in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:918 #23 0x00007ffff3ac3c82 in WebCore::Style::resolveTree (document=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:994 #24 0x00007ffff2ec680a in WebCore::Document::recalcStyle (this=0x7ffff7e91000, change=WebCore::Style::Force) at ../../Source/WebCore/dom/Document.cpp:1764 #25 0x00007ffff2ec6b01 in WebCore::Document::updateStyleIfNeeded (this=0x7ffff7e91000) at ../../Source/WebCore/dom/Document.cpp:1812 #26 0x00007ffff2ed1e3e in WebCore::Document::finishedParsing (this=0x7ffff7e91000) at ../../Source/WebCore/dom/Document.cpp:4627 #27 0x00007ffff3243961 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7ffff7f35800) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:404 #28 0x00007ffff328047a in WebCore::HTMLTreeBuilder::finished (this=0x7ffff7f357e0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2940 #29 0x00007ffff324c2fc in WebCore::HTMLDocumentParser::end (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:402 #30 0x00007ffff324c3ca in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:411 #31 0x00007ffff324b07a in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:132 #32 0x00007ffff324c401 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:423 #33 0x00007ffff324c4af in WebCore::HTMLDocumentParser::finish (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:451 #34 0x00007ffff33bbb29 in WebCore::DocumentWriter::end (this=0x7ffff7ebbaa0) at ../../Source/WebCore/loader/DocumentWriter.cpp:247 #35 0x00007ffff33a70f9 in WebCore::DocumentLoader::finishedLoading (this=0x7ffff7ebba00, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:440 #36 0x00007ffff33a6e62 in WebCore::DocumentLoader::notifyFinished (this=0x7ffff7ebba00, resource=0x7ffff7ec8680) at ../../Source/WebCore/loader/DocumentLoader.cpp:374 #37 0x00007ffff345b7e8 in WebCore::CachedResource::checkNotify (this=0x7ffff7ec8680) at ../../Source/WebCore/loader/cache/CachedResource.cpp:293 #38 0x00007ffff345b8e6 in WebCore::CachedResource::finishLoading (this=0x7ffff7ec8680) at ../../Source/WebCore/loader/cache/CachedResource.cpp:309 #39 0x00007ffff3457f1f in WebCore::CachedRawResource::finishLoading (this=0x7ffff7ec8680, data=0x7ffff7e89570) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:104 #40 0x00007ffff340a3f1 in WebCore::SubresourceLoader::didFinishLoading (this=0x7ffff7ec8200, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:364 #41 0x00007ffff3405d2b in WebCore::ResourceLoader::didFinishLoading (this=0x7ffff7ec8200, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:542 #42 0x00007ffff3db92b5 in WebCore::readCallback (asyncResult=0x7401f0, data=0x7ffff7e7eb40) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1295 #43 0x00007fffeb2777e6 in async_ready_callback_wrapper (source_object=0x7c72d0, res=0x7401f0, user_data=user_data@entry=0x7ffff7e7eb40) at ginputstream.c:523 #44 0x00007fffeb29d0e5 in g_task_return_now (task=0x7401f0) at gtask.c:1077 #45 0x00007fffeb29d109 in complete_in_idle_cb (task=0x7401f0) at gtask.c:1086 #46 0x00007fffea555a1d in g_main_dispatch (context=0x478b00) at gmain.c:3064 #47 g_main_context_dispatch (context=context@entry=0x478b00) at gmain.c:3663 #48 0x00007fffea555d88 in g_main_context_iterate (context=0x478b00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734 #49 0x00007fffea55604a in g_main_loop_run (loop=0x901d10) at gmain.c:3928 #50 0x00007ffff44b31e6 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59 #51 0x00007ffff29a1cfc in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd938) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61 #52 0x00007ffff29a1b61 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd938) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:77 #53 0x00000000004008d1 in main (argc=2, argv=0x7fffffffd938) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44 1069295 1 hyungwook.lee 2015-02-15 00:43:05 -0800 I've started look at this issue that can be reproduced in EFL port also. 1069526 2 ap 2015-02-16 12:28:28 -0800 I couldn't reproduce on Mac. 1074487 3 hyungwook.lee 2015-03-05 05:40:16 -0800 There is no fallback font in this case when we use FontCacheFreeType.cpp Ref<Font> FontCache::lastResortFallbackFont() return nullptr. 1074506 4 koivisto 2015-03-05 07:28:15 -0800 You should take care to always have a last resort fallback. 1074535 5 darin 2015-03-05 09:16:49 -0800 The fix is to make sure that function never tries to return nullptr. You can’t turn a nullptr into a Ref and you can’t have a WebKit port that will work properly with no last resort font. 1162725 6 mcatanzaro 2016-02-07 07:28:59 -0800 Dunno why the attached test case has anything to do with this bug (that's really weird), but in bug #153921 this was hit by someone who installed fontconfig improperly. 1162727 7 270817 mcatanzaro 2016-02-07 07:41:07 -0800 Created attachment 270817 Patch 1162728 8 mcatanzaro 2016-02-07 07:42:14 -0800 (Can't reproduce the crash in the test case, so just making this crash better.) 1162737 9 mcatanzaro 2016-02-07 09:08:24 -0800 *** Bug 153921 has been marked as a duplicate of this bug. *** 1193815 10 mcatanzaro 2016-05-17 08:17:11 -0700 Ping reviewers. 1193820 11 270817 mmaxfield 2016-05-17 08:43:45 -0700 Comment on attachment 270817 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=270817&action=review > Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp:141 > + RELEASE_ASSERT_NOT_REACHED(); How does this fix the problem? It looks like the patch substitutes one crash for another crash. 1193837 12 mcatanzaro 2016-05-17 09:12:07 -0700 (In reply to comment #11) > Comment on attachment 270817 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=270817&action=review > > > Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp:141 > > + RELEASE_ASSERT_NOT_REACHED(); > > How does this fix the problem? It looks like the patch substitutes one crash > for another crash. Exactly. We can't support this configuration, so we should crash nicely with SIGABRT rather than continuing and hoping to get SIGSEGV. 1193838 13 270817 commit-queue 2016-05-17 09:13:26 -0700 Comment on attachment 270817 Patch Rejecting attachment 270817 from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'apply-attachment', '--no-update', '--non-interactive', 270817, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit Last 500 characters of output: WS/WebKit Parsed 2 diffs from patch file(s). patching file Source/WebCore/ChangeLog Hunk #1 succeeded at 1 with fuzz 3. patching file Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp Hunk #1 FAILED at 134. 1 out of 1 hunk FAILED -- saving rejects to file Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp.rej Failed to run "[u'/Volumes/Data/EWS/WebKit/Tools/Scripts/svn-apply', '--force', '--reviewer', u'Myles C. Maxfield']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Full output: http://webkit-queues.webkit.org/results/1337080 1217678 14 mcatanzaro 2016-08-04 17:18:53 -0700 I left this bug open just because I didn't have time to reapply the patch...? 1217684 15 mcatanzaro 2016-08-04 17:22:20 -0700 Committed r204154: <http://trac.webkit.org/changeset/204154> 246324 2015-02-10 07:50:30 -0800 2015-02-10 07:50:30 -0800 Test case crash.html text/html 143 rhodovan.u-szeged PCFET0NUWVBFIGh0bWw+CjxzdHlsZT4KKiB7CiAgICB3b3JkLXNwYWNpbmc6IC0yNjY0ZXg7CiAg ICBmb250LWZhbWlseTogIkFyaWFsIiwgIk1vbm9zcGFjZSIgIWltcG9ydGFudDsKICAgIGZvbnQ6 IDQwOTZlbSBtb25vc3BhY2U7Cn0KPC9zdHlsZT4= 270817 2016-02-07 07:41:07 -0800 2016-05-17 09:13:26 -0700 Patch bug-141432-20160207094044.patch text/plain 1873 mcatanzaro U3VidmVyc2lvbiBSZXZpc2lvbjogMTk2MjM1CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggOGRkMTdlODBmNWE1ZGFj OWFmNmM0MTQzZTE0YzBmZmRkMjFkNzdhOC4uY2JlZmU1ODQwNWI5YjYzYjM0MDcwZDI1YzdhNGIx ZjFhYTQwNjE4OCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDE2LTAyLTA3ICBNaWNo YWVsIENhdGFuemFybyAgPG1jYXRhbnphcm9AaWdhbGlhLmNvbT4KKworICAgICAgICBbRm9udGNv bmZpZ10gU2VnbWVudGF0aW9uIGZhdWx0IGluIFdlYkNvcmU6OkZvbnRDYWNoZTo6bGFzdFJlc29y dEZhbGxiYWNrRm9udAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5j Z2k/aWQ9MTQxNDMyCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAg ICAgICAgQ3Jhc2ggbW9yZSBjbGVhbmx5IHdoZW4gd2UgY2FuJ3QgZmluZCBhbnkgbGFzdCByZXNv cnQgZmFsbGJhY2sgZm9udC4KKworICAgICAgICAqIHBsYXRmb3JtL2dyYXBoaWNzL2ZyZWV0eXBl L0ZvbnRDYWNoZUZyZWVUeXBlLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkZvbnRDYWNoZTo6bGFz dFJlc29ydEZhbGxiYWNrRm9udCk6CisKIDIwMTYtMDItMDYgIENocmlzIER1bWV6ICA8Y2R1bWV6 QGFwcGxlLmNvbT4KIAogICAgICAgICBQcmV2ZW50IGNyb3NzLW9yaWdpbiBhY2Nlc3MgdG8gd2lu ZG93Lmhpc3RvcnkKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNz L2ZyZWV0eXBlL0ZvbnRDYWNoZUZyZWVUeXBlLmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3Jt L2dyYXBoaWNzL2ZyZWV0eXBlL0ZvbnRDYWNoZUZyZWVUeXBlLmNwcAppbmRleCBhMjkwMjAyMzli YTg3OWE0ODUzY2Y3YmI4MzM3MmJiZTI2MjdkNjExLi5hNDNlMTYzNGI1ZDk4ODkzN2NkZTlkMTE3 OTkwMTg3NDRkMmZiMDg0IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9ncmFw aGljcy9mcmVldHlwZS9Gb250Q2FjaGVGcmVlVHlwZS5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUv cGxhdGZvcm0vZ3JhcGhpY3MvZnJlZXR5cGUvRm9udENhY2hlRnJlZVR5cGUuY3BwCkBAIC0xMzQs NyArMTM0LDExIEBAIFJlZjxGb250PiBGb250Q2FjaGU6Omxhc3RSZXNvcnRGYWxsYmFja0ZvbnQo Y29uc3QgRm9udERlc2NyaXB0aW9uJiBmb250RGVzY3JpcHRpCiAgICAgLy8gV2Ugd2FudCB0byBy ZXR1cm4gYSBmYWxsYmFjayBmb250IGhlcmUsIG90aGVyd2lzZSB0aGUgbG9naWMgcHJldmVudGlu ZyBGb250Q29uZmlnCiAgICAgLy8gbWF0Y2hlcyBmb3Igbm9uLWZhbGxiYWNrIGZvbnRzIG1pZ2h0 IHJldHVybiAwLiBTZWUgaXNGYWxsYmFja0ZvbnRBbGxvd2VkLgogICAgIHN0YXRpYyBBdG9taWNT dHJpbmcgdGltZXNTdHIoInNlcmlmIik7Ci0gICAgcmV0dXJuICpmb250Rm9yRmFtaWx5KGZvbnRE ZXNjcmlwdGlvbiwgdGltZXNTdHIsIGZhbHNlKTsKKyAgICBpZiAoUmVmUHRyPEZvbnQ+IGZvbnQg PSBmb250Rm9yRmFtaWx5KGZvbnREZXNjcmlwdGlvbiwgdGltZXNTdHIsIGZhbHNlKSkKKyAgICAg ICAgcmV0dXJuICpmb250OworCisgICAgLy8gVGhpcyBjb3VsZCBiZSByZWFjaGVkIGR1ZSB0byBp bXByb3Blcmx5LWluc3RhbGxlZCBvciBtaXNjb25maWd1cmVkIGZvbnRjb25maWcuCisgICAgUkVM RUFTRV9BU1NFUlRfTk9UX1JFQUNIRUQoKTsKIH0KIAogVmVjdG9yPEZvbnRUcmFpdHNNYXNrPiBG b250Q2FjaGU6OmdldFRyYWl0c0luRmFtaWx5KGNvbnN0IEF0b21pY1N0cmluZyYpCg==