Bug 113796

Summary: Crashes in Harfbuzz opening the Boston page
Product: WebKit Reporter: Bastien Nocera <bugzilla>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: bashi, behdad, berto, cgarcia, mrobinson
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Bastien Nocera
Reported 2013-04-02 09:28:01 PDT
harfbuzz-0.9.14-1.fc19.x86_64 pango-1.34.0-1.fc19.x86_64 webkitgtk3-1.11.92-1.fc19.x86_64 epiphany-3.8.0-1.fc19.x86_64 When opening http://en.wikipedia.org/wiki/Boston and skipping to the next page (not sure if that step is needed), the view process crashes. strchr() is being passed a NULL string. Core was generated by `/usr/libexec/WebKitWebProcess 16'. Program terminated with signal 11, Segmentation fault. #0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:136 136 ../sysdeps/x86_64/multiarch/strchr.S: No such file or directory. Thread 1 (Thread 0x7f10d7852a00 (LWP 2309)): #0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:136 No locals. #1 0x00000034bac3ef1d in strchr (__c=45, __s=0x0) at /usr/include/string.h:227 No locals. #2 _hb_graphite2_shape (shape_plan=<optimized out>, font=<optimized out>, buffer=0x2855740, features=0x0, num_features=0) at hb-graphite2.cc:229 ci = <optimized out> chars = <optimized out> gids = <optimized out> grfont = 0x2855940 lang = 0x0 ic = <optimized out> curradvx = <optimized out> scratch_size = 0 scratch = <optimized out> script_tag = {42194816, 0} glyph_count = <optimized out> is = <optimized out> curradvy = <optimized out> pPos = <optimized out> grface = 0x25bce10 lang_len = <optimized out> feats = <optimized out> clusters = <optimized out> face = <optimized out> seg = <optimized out> pg = <optimized out> #3 0x00000034bac151c6 in hb_shape_plan_execute (shape_plan=0x2843590, font=0x283d780, buffer=0x2855740, features=0x0, num_features=0) at hb-shaper-list.hh:35 __PRETTY_FUNCTION__ = "hb_bool_t hb_shape_plan_execute(hb_shape_plan_t*, hb_font_t*, hb_buffer_t*, const hb_feature_t*, unsigned int)" #4 0x00000034bac14351 in hb_shape_full (font=0x283d780, buffer=0x2855740, features=0x0, num_features=0, shaper_list=<optimized out>) at hb-shape.cc:260 __PRETTY_FUNCTION__ = "hb_bool_t hb_shape_full(hb_font_t*, hb_buffer_t*, const hb_feature_t*, unsigned int, const char* const*)" shape_plan = 0x2843590 res = <optimized out> #5 0x0000003e08b2278e in WebCore::HarfBuzzShaper::shapeHarfBuzzRuns () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #6 0x0000003e08b23c4f in WebCore::HarfBuzzShaper::shape () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #7 0x0000003e08b1db40 in WebCore::Font::drawComplexText () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #8 0x0000003e091a7967 in WebCore::GraphicsContext::drawText () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #9 0x0000003e08b66cf9 in paintTextWithShadows () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #10 0x0000003e08b6af7e in WebCore::InlineTextBox::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #11 0x0000003e08b64f6a in WebCore::InlineFlowBox::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #12 0x0000003e08cd0a7c in WebCore::RootInlineBox::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #13 0x0000003e08c40d90 in WebCore::RenderLineBoxList::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #14 0x0000003e08b713f5 in WebCore::RenderBlock::paintContents () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #15 0x0000003e08b84ea3 in WebCore::RenderBlock::paintObject () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #16 0x0000003e08b6e05f in WebCore::RenderBlock::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #17 0x0000003e08b71511 in WebCore::RenderBlock::paintChild () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #18 0x0000003e08b71680 in WebCore::RenderBlock::paintChildren () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #19 0x0000003e08b7139d in WebCore::RenderBlock::paintContents () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #20 0x0000003e08b84ea3 in WebCore::RenderBlock::paintObject () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #21 0x0000003e08b6e05f in WebCore::RenderBlock::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #22 0x0000003e08b71511 in WebCore::RenderBlock::paintChild () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #23 0x0000003e08b71680 in WebCore::RenderBlock::paintChildren () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #24 0x0000003e08b7139d in WebCore::RenderBlock::paintContents () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #25 0x0000003e08b84ea3 in WebCore::RenderBlock::paintObject () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #26 0x0000003e08b6e05f in WebCore::RenderBlock::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #27 0x0000003e08b71511 in WebCore::RenderBlock::paintChild () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #28 0x0000003e08b71680 in WebCore::RenderBlock::paintChildren () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #29 0x0000003e08b7139d in WebCore::RenderBlock::paintContents () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #30 0x0000003e08b84ea3 in WebCore::RenderBlock::paintObject () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #31 0x0000003e08b6e05f in WebCore::RenderBlock::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #32 0x0000003e08b71511 in WebCore::RenderBlock::paintChild () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #33 0x0000003e08b71680 in WebCore::RenderBlock::paintChildren () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #34 0x0000003e08b7139d in WebCore::RenderBlock::paintContents () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #35 0x0000003e08b84ea3 in WebCore::RenderBlock::paintObject () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #36 0x0000003e08b6e05f in WebCore::RenderBlock::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #37 0x0000003e08c24f96 in WebCore::RenderLayer::paintLayerContents () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #38 0x0000003e08c25691 in WebCore::RenderLayer::paintLayer () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #39 0x0000003e08c26536 in WebCore::RenderLayer::paintList () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #40 0x0000003e08c242f2 in WebCore::RenderLayer::paintLayerContents () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #41 0x0000003e08c25691 in WebCore::RenderLayer::paintLayer () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #42 0x0000003e08c26536 in WebCore::RenderLayer::paintList () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #43 0x0000003e08c242f2 in WebCore::RenderLayer::paintLayerContents () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #44 0x0000003e08c25691 in WebCore::RenderLayer::paintLayer () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #45 0x0000003e08c2578e in WebCore::RenderLayer::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #46 0x0000003e08aec730 in WebCore::FrameView::paintContents () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #47 0x0000003e09252e0c in WebCore::ScrollView::paint () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #48 0x0000003e083a708c in WebKit::WebPage::drawRect () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #49 0x0000003e08396585 in WebKit::DrawingAreaImpl::display () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #50 0x0000003e083979d2 in WebKit::DrawingAreaImpl::display () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #51 0x0000003e096ff59a in WebCore::RunLoop::TimerBase::timerFiredCallback () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #52 0x00000034b9048aa3 in g_timeout_dispatch (source=source@entry=0x24d24e0, callback=<optimized out>, user_data=<optimized out>) at gmain.c:4413 timeout_source = 0x24d24e0 again = <optimized out> #53 0x00000034b9047f46 in g_main_dispatch (context=0x16a5640) at gmain.c:3054 dispatch = 0x34b9048a90 <g_timeout_dispatch> was_in_call = 0 user_data = 0x22d0c38 callback = 0x3e096ff580 <WebCore::RunLoop::TimerBase::timerFiredCallback(WebCore::RunLoop::TimerBase*)> cb_funcs = 0x34b932a900 <g_source_callback_funcs> cb_data = 0x22bd9d0 need_destroy = <optimized out> current_source_link = {data = 0x24d24e0, next = 0x0} source = 0x24d24e0 current = 0x16d5100 i = 0 #54 g_main_context_dispatch (context=context@entry=0x16a5640) at gmain.c:3630 No locals. #55 0x00000034b9048298 in g_main_context_iterate (context=0x16a5640, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3701 max_priority = 0 timeout = 0 some_ready = 1 nfds = <optimized out> allocated_nfds = 27 fds = 0x2538cc0 #56 0x00000034b904869a in g_main_loop_run (loop=0x184eab0) at gmain.c:3895 __PRETTY_FUNCTION__ = "g_main_loop_run" #57 0x0000003e08338b0d in WebProcessMainGtk () from /lib64/libwebkit2gtk-3.0.so.22 No locals. #58 0x0000003fcf821b75 in __libc_start_main (main=0x400870 <main()>, argc=2, ubp_av=0x7fff1ec243d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff1ec243c8) at libc-start.c:258 result = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -2214406359183816603, 4196472, 140733709435856, 0, 0, 2214333553699424357, -2217101279134381979}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x3fcf40f4f3 <_dl_init+275>, 0x3fcf622208}, data = {prev = 0x0, cleanup = 0x0, canceltype = -817826573}}} not_first_call = <optimized out> #59 0x00000000004008a1 in _start ()
Attachments
Add attachment proposed patch, testcase, etc.
Behdad Esfahbod
Comment 1 2013-04-02 11:09:57 PDT
Ouch. Pushed a fix to harfbuzz: commit 7148dc1a978610af25b4f490691a62d709c8c463 Author: Behdad Esfahbod <behdad@behdad.org> Date: Tue Apr 2 14:08:53 2013 -0400 [graphite2] Don't crash if language is not set https://bugs.webkit.org/show_bug.cgi?id=113796
Alberto Garcia
Comment 2 2013-09-13 00:08:20 PDT
So this was a harfbuzz bug if I got it right. Closing then.
Note You need to log in before you can comment on or make changes to this bug.