Bug 119088

Summary: [Qt] Crash in SimpleFontData, related to @font-face with non-existing src url
Product: WebKit Reporter: Milian Wolff <milian.wolff>
Component: WebKit Qt    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: allan.jensen, michael.bruning
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Description Milian Wolff 2013-07-25 07:28:23 PDT
Using qtwebkit stable from gitorious, I see this crash now in an application of ours:

==11529== Invalid read of size 8
==11529==    at 0x87514B2: WTF::RefPtr<WebCore::FontPlatformDataPrivate>::RefPtr(WTF::RefPtr<WebCore::FontPlatformDataPrivate> const&) (RefPtr.h:43)
==11529==    by 0x874F848: WebCore::FontPlatformData::FontPlatformData(WebCore::FontPlatformData const&) (FontPlatformData.h:80)
==11529==    by 0x879B120: WebCore::SimpleFontData::SimpleFontData(WebCore::FontPlatformData const&, bool, bool, bool) (SimpleFontData.cpp:61)
==11529==    by 0x801FFFA: WebCore::SimpleFontData::create(WebCore::FontPlatformData const&, bool, bool, bool) (SimpleFontData.h:90)
==11529==    by 0x802077C: WebCore::CSSFontFaceSource::getFontData(WebCore::FontDescription const&, bool, bool, WebCore::CSSFontSelector*) (CSSFontFaceSource.cpp:185)
==11529==    by 0x800AAA7: WebCore::CSSFontFace::getFontData(WebCore::FontDescription const&, bool, bool) (CSSFontFace.cpp:105)
==11529==    by 0x80A0059: WebCore::CSSSegmentedFontFace::getFontData(WebCore::FontDescription const&) (CSSSegmentedFontFace.cpp:127)
==11529==    by 0x80132CE: WebCore::CSSFontSelector::getFontData(WebCore::FontDescription const&, WTF::AtomicString const&) (CSSFontSelector.cpp:539)
==11529==    by 0x8750992: WebCore::FontCache::getFontData(WebCore::Font const&, int&, WebCore::FontSelector*) (FontCache.cpp:475)
==11529==    by 0x874010E: WebCore::FontFallbackList::fontDataAt(WebCore::Font const*, unsigned int) const (FontFallbackList.cpp:108)
==11529==    by 0x8438477: WebCore::FontFallbackList::primaryFontData(WebCore::Font const*) const (FontFallbackList.h:96)
==11529==    by 0x8438428: WebCore::FontFallbackList::primarySimpleFontData(WebCore::Font const*) (FontFallbackList.h:92)
==11529==  Address 0x38 is not stack'd, malloc'd or (recently) free'd

I have not yet found a simple testcase which triggers this crash in a standalone WebView.
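Both valgrind reports in this thread end with "Address 0x38 is not stack'd, malloc'd or (recently) free'd": a read from a tiny absolute address is the classic shape of a NULL object pointer plus a member offset, which is why it shows up as a reproducible web-process crash (a denial of service triggerable by page content) rather than heap corruption. As an added triage example, not part of the bug report or of WebKit, here is a small Python parser for memcheck "Invalid read/write" blocks that extracts the frames and faulting address and flags near-null addresses. The sample log is constructed from the lines quoted above; the 0x1000 "first page is unmapped" threshold is an assumption about the target platform.

```python
"""Triage helper for Valgrind memcheck "Invalid read"/"Invalid write" blocks.

Parses the error header, the frame list and the "Address ... is ..." line,
and flags accesses to a tiny absolute address as a probable NULL-pointer
dereference (the address is then a struct member offset, not a heap pointer).
Added example; not code from the bug report or from WebKit.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the first three frames of the report's valgrind log.
SAMPLE_LOG = """\
==11529== Invalid read of size 8
==11529==    at 0x87514B2: WTF::RefPtr<WebCore::FontPlatformDataPrivate>::RefPtr(WTF::RefPtr<WebCore::FontPlatformDataPrivate> const&) (RefPtr.h:43)
==11529==    by 0x874F848: WebCore::FontPlatformData::FontPlatformData(WebCore::FontPlatformData const&) (FontPlatformData.h:80)
==11529==    by 0x879B120: WebCore::SimpleFontData::SimpleFontData(WebCore::FontPlatformData const&, bool, bool, bool) (SimpleFontData.cpp:61)
==11529==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
"""

HEADER_RE = re.compile(r"^==(\d+)== Invalid (read|write) of size (\d+)$")
# "at"/"by" frames: address, symbol (may itself contain parentheses), then
# a trailing "(file:line)" or "(in /path/to/lib.so)" group.
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x([0-9A-Fa-f]+): (.+?) \(([^()]+)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.+)$")

# Assumption: the lowest page is never mapped, so any access below this is a
# NULL (or near-NULL) dereference rather than a stale heap pointer.
NULL_PAGE_LIMIT = 0x1000


@dataclass
class MemcheckError:
    pid: int
    kind: str          # "read" or "write"
    size: int          # access width in bytes
    address: Optional[int] = None
    address_note: str = ""
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (symbol, location)

    @property
    def likely_null_deref(self) -> bool:
        return self.address is not None and self.address < NULL_PAGE_LIMIT


def parse_memcheck(log: str) -> List[MemcheckError]:
    """Return one MemcheckError per 'Invalid read/write' block in the log."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = MemcheckError(pid=int(m.group(1)), kind=m.group(2), size=int(m.group(3)))
            errors.append(current)
            continue
        if current is None:
            continue  # lines outside an error block are ignored
        m = FRAME_RE.match(line)
        if m:
            current.frames.append((m.group(2), m.group(3)))
            continue
        m = ADDR_RE.match(line)
        if m:
            current.address = int(m.group(1), 16)
            current.address_note = m.group(2)
            current = None  # the address line closes the block
    return errors


def summarize(err: MemcheckError) -> str:
    """One-line triage verdict for an error block."""
    top = err.frames[0][0].split("(")[0] if err.frames else "?"
    if err.address is None:
        verdict = "no address line"
    elif err.likely_null_deref:
        verdict = "probable NULL-pointer dereference (member offset 0x%x of a null object)" % err.address
    else:
        verdict = "address 0x%x, %s" % (err.address, err.address_note)
    return "%s of %d bytes in %s: %s" % (err.kind, err.size, top, verdict)


if __name__ == "__main__":
    for err in parse_memcheck(SAMPLE_LOG):
        print(summarize(err))
        for symbol, location in err.frames:
            print("    %s  [%s]" % (symbol.split("(")[0], location))
```

Run over the second valgrind log in this thread (where frames end in "(in /path/to/libQt5WebKit.so...)" rather than "(file:line)") the same regex applies, since the location group only requires a parenthesised tail without nested parentheses; the symbol group absorbs the argument list.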
Comment 1 Milian Wolff 2013-07-25 07:30:45 PDT
Indeed, the crash goes away if I remove the usage of @font-face from our application.
Comment 2 Milian Wolff 2013-07-25 07:35:40 PDT
This snippet reproduces the crash for me:

<!DOCTYPE html>
<html>
  <head>
    <title>bug 119088 test</title>
    <style type="text/css">
    @font-face {
      font-family: "test";
      src: url("file:///doesNotExist.ttf");
    }
    body {
      font-family: test;
    }
    </style>
  </head>
  <body> test </body>
</html>
Comment 3 Milian Wolff 2013-07-25 07:43:07 PDT
In our application it is probably due to using a custom scheme handler for fonts, which does not seem to be supported anymore:

test.qml:
import QtQuick 2.0
import QtWebKit 3.0
import QtWebKit.experimental 1.0

WebView {
  id: webView
  height: 500
  width: 500
  url: "test.html"
  experimental {
    preferences.developerExtrasEnabled: true

    urlSchemeDelegates: [
        UrlSchemeDelegate {
            scheme: "test"
            onReceivedRequest: {
                console.log("retrieve:", request.url);
                reply.send()
            }
        }
    ]
  }
}

test.html:
<!DOCTYPE html>
<html>
  <head>
    <title>bug 119088 test</title>
    <style type="text/css">
    @font-face {
      font-family: "test";
      src: url("test:///doesNotExist.ttf");
    }
    body {
      font-family: test;
    }
    </style>
  </head>
  <body> test </body>
</html>

run it via:
qmlscene test.qml

expected output:
"retrieve test:///doesNotExist.ttf"

actual output:
WARNING: The web process experienced a crash on 'file:///ssd/milian/projects/qt5/examples/qmlwebkit2/test.html'.
Comment 4 Allan Sandfeld Jensen 2013-07-31 09:43:05 PDT
The example doesn't crash for me, though I have only tried WebKit trunk. I need to test Qt 5.0 or 5.1
Comment 5 Allan Sandfeld Jensen 2013-07-31 10:10:33 PDT
What version are you using? There was one crash fix in the area, but it should have been fixed back at the end of January, so in Qt 5.0.2 and Qt 5.1.
Comment 6 Milian Wolff 2013-07-31 10:29:04 PDT
I tried it with v5.1.0-17-g779b1cf. Do I understand correctly that you cannot reproduce this issue with a recent build of QtWebKit 5.1 stable?
Comment 7 Milian Wolff 2013-08-05 08:26:39 PDT
I just updated everything from the stable branches and wiped the build folders and redid everything, like this:

cd $(dirname $0)
mkdir qtbase &>/dev/null
cd qtbase

../../qtbase/configure -prefix /home/milian/projects/compiled/qt5 \
  -opensource -confirm-license -debug
make -j40 && make install

# note: qmake-qt5 is a symlink to the qmake built above

for d in qtjsbackend qtxmlpatterns qtdeclarative qtconnectivity qtlocation qttools qtwebkit; do
  if [ ! -d "$d" ]; then mkdir $d; fi
  pushd $d
  qmake-qt5 CONFIG+=debug ../../$d/$d.pro -r
  (make -j40 && make install -j4) || exit
  popd
done

And it still crashes:

==32468== Thread 1:
==32468== Invalid read of size 8
==32468==    at 0x8DDF820: WebCore::SimpleFontData::SimpleFontData(WebCore::FontPlatformData const&, bool, bool, bool) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x89C5668: WebCore::CSSFontFaceSource::getFontData(WebCore::FontDescription const&, bool, bool, WebCore::CSSFontSelector*) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x89B570B: WebCore::CSSFontFace::getFontData(WebCore::FontDescription const&, bool, bool) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x8A27578: WebCore::CSSSegmentedFontFace::getFontData(WebCore::FontDescription const&) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x89C2C67: WebCore::CSSFontSelector::getFontData(WebCore::FontDescription const&, WTF::AtomicString const&) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x8DA3AE3: WebCore::FontCache::getFontData(WebCore::Font const&, int&, WebCore::FontSelector*) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x8D8D811: WebCore::FontFallbackList::fontDataAt(WebCore::Font const*, unsigned int) const (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x8D8DADD: WebCore::FontFallbackList::determinePitch(WebCore::Font const*) const (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x9D1B386: WebCore::RenderBlock::LineBreaker::nextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderBlock::RenderTextInfo&, WebCore::RenderBlock::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul>&) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x9D2090B: WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x9D330E7: WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==    by 0x9D337F3: WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (in /ssd/milian/projects/qt5/build-x86/qtwebkit/lib/libQt5WebKit.so.5.1.2)
==32468==  Address 0x38 is not stack'd, malloc'd or (recently) free'd

Considering that mibrunin also cannot reproduce this issue, I wonder what else could influence this? Any other stuff from the system which might be an issue? Any font library or such?
Comment 8 Allan Sandfeld Jensen 2013-08-05 08:43:50 PDT
I have tried both the HTML and QML example and neither of them crashes for me.

Perhaps you can get a better backtrace? I think the way to get that in official Qt versions is to edit the file qtwebkit/Tools/qmake/mkspecs/features/production_build.prf and comment out the part that disables debug info in the internals of WebKit.
Comment 9 Michael Brüning 2013-08-05 09:03:52 PDT
(In reply to comment #7)
> I just updated everything from the stable branches and wiped the build folders and redid everything, like this:
> 
> cd $(dirname $0)
> mkdir qtbase &>/dev/null
> cd qtbase
> 
> ../../qtbase/configure -prefix /home/milian/projects/compiled/qt5 \
>   -opensource -confirm-license -debug
> make -j40 && make install
> 
> // note: qmake-qt5 is a ln -s of the qmabe build above
> 
> for d in qtjsbackend qtxmlpatterns qtdeclarative qtconnectivity qtlocation qttools qtwebkit; do
>   if [ ! -d "$d" ]; then mkdir $d; fi
>   pushd $d
>   qmake-qt5 CONFIG+=debug ../../$d/$d.pro -r

This will not have any effect on the qtwebkit submodule, as qtwebkit/qtwebkit.pro simply does not exist. If you want to run qmake for qtwebkit, please use qtwebkit/WebKit.pro

>   (make -j40 && make install -j4) || exit
>   popd
> done
>
Comment 10 Milian Wolff 2013-08-05 09:59:12 PDT
Ok, here it is:

Program received signal SIGSEGV, Segmentation fault.
0x00007f8782536376 in WTF::RefPtr<WebCore::FontPlatformDataPrivate>::RefPtr (this=0x6c5c48, o=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WTF/wtf/RefPtr.h:43
43              ALWAYS_INLINE RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { refIfNotNull(m_ptr); }
(gdb) thread apply all bt

Thread 5 (Thread 0x7f87753a1700 (LWP 23989)):
#0  0x00007f877feeec61 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007f87837f110c in WTF::ThreadCondition::timedWait (this=0x659180, mutex=..., absoluteTime=1375721283.5345609)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WTF/wtf/ThreadingPthreads.cpp:400
#2  0x00007f87835015ae in JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock (this=0x659078, relative=1)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/JavaScriptCore/heap/BlockAllocator.cpp:89
#3  0x00007f87835015f4 in JSC::BlockAllocator::waitForRelativeTime (this=0x659078, relative=1)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/JavaScriptCore/heap/BlockAllocator.cpp:99
#4  0x00007f8783501642 in JSC::BlockAllocator::blockFreeingThreadMain (this=0x659078)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/JavaScriptCore/heap/BlockAllocator.cpp:113
#5  0x00007f878350161a in JSC::BlockAllocator::blockFreeingThreadStartFunc (blockAllocator=0x659078)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/JavaScriptCore/heap/BlockAllocator.cpp:104
#6  0x00007f87837d716d in WTF::threadEntryPoint (contextData=0x61de00)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WTF/wtf/Threading.cpp:69
#7  0x00007f87837f0705 in WTF::wtfThreadEntryPoint (param=0x645850)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WTF/wtf/ThreadingPthreads.cpp:196
#8  0x00007f877feeadd2 in start_thread () from /usr/lib/libpthread.so.0
#9  0x00007f877f403cdd in clone () from /usr/lib/libc.so.6

Thread 4 (Thread 0x7f8775c16700 (LWP 23988)):
#0  0x00007f877f3fb08d in poll () from /usr/lib/libc.so.6
#1  0x00007f8786087094 in ?? () from /usr/lib/libglib-2.0.so.0
#2  0x00007f878608719c in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#3  0x00007f878065eb0b in QEventDispatcherGlib::processEvents (this=0x7f87200008c0, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:426
#4  0x00007f87805eb686 in QEventLoop::processEvents (this=0x7f8775c15e20, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventloop.cpp:136
#5  0x00007f87805eb969 in QEventLoop::exec (this=0x7f8775c15e20, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventloop.cpp:212
#6  0x00007f87803f80fc in QThread::exec (this=0x638b00) at /ssd/milian/projects/qt5/qtbase/src/corelib/thread/qthread.cpp:507
#7  0x00007f87803f829a in QThread::run (this=0x638b00) at /ssd/milian/projects/qt5/qtbase/src/corelib/thread/qthread.cpp:574
#8  0x00007f87803feb98 in QThreadPrivate::start (arg=0x638b00) at /ssd/milian/projects/qt5/qtbase/src/corelib/thread/qthread_unix.cpp:345
#9  0x00007f877feeadd2 in start_thread () from /usr/lib/libpthread.so.0
#10 0x00007f877f403cdd in clone () from /usr/lib/libc.so.6

Thread 3 (Thread 0x7f87764f6700 (LWP 23987)):
#0  0x00007f877f3fb08d in poll () from /usr/lib/libc.so.6
#1  0x00007f8786087094 in ?? () from /usr/lib/libglib-2.0.so.0
#2  0x00007f878608719c in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#3  0x00007f878065eb0b in QEventDispatcherGlib::processEvents (this=0x7f87280008c0, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:426
#4  0x00007f87805eb686 in QEventLoop::processEvents (this=0x7f87764f5e20, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventloop.cpp:136
#5  0x00007f87805eb969 in QEventLoop::exec (this=0x7f87764f5e20, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventloop.cpp:212
#6  0x00007f87803f80fc in QThread::exec (this=0x5b3450) at /ssd/milian/projects/qt5/qtbase/src/corelib/thread/qthread.cpp:507
#7  0x00007f87803f829a in QThread::run (this=0x5b3450) at /ssd/milian/projects/qt5/qtbase/src/corelib/thread/qthread.cpp:574
#8  0x00007f87803feb98 in QThreadPrivate::start (arg=0x5b3450) at /ssd/milian/projects/qt5/qtbase/src/corelib/thread/qthread_unix.cpp:345
#9  0x00007f877feeadd2 in start_thread () from /usr/lib/libpthread.so.0
#10 0x00007f877f403cdd in clone () from /usr/lib/libc.so.6

Thread 2 (Thread 0x7f8776f02700 (LWP 23986)):
#0  0x00007f877f3fb08d in poll () from /usr/lib/libc.so.6
#1  0x00007f877eef76e2 in ?? () from /usr/lib/libxcb.so.1
#2  0x00007f877eef8d7f in xcb_wait_for_event () from /usr/lib/libxcb.so.1
#3  0x00007f87797fc6c9 in QXcbEventReader::run (this=0x5957a0)
    at /ssd/milian/projects/qt5/qtbase/src/plugins/platforms/xcb/qxcbconnection.cpp:983
#4  0x00007f87803feb98 in QThreadPrivate::start (arg=0x5957a0) at /ssd/milian/projects/qt5/qtbase/src/corelib/thread/qthread_unix.cpp:345
#5  0x00007f877feeadd2 in start_thread () from /usr/lib/libpthread.so.0
#6  0x00007f877f403cdd in clone () from /usr/lib/libc.so.6

Thread 1 (Thread 0x7f878844e740 (LWP 23869)):
#0  0x00007f8782536376 in WTF::RefPtr<WebCore::FontPlatformDataPrivate>::RefPtr (this=0x6c5c48, o=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WTF/wtf/RefPtr.h:43
#1  0x00007f8782534719 in WebCore::FontPlatformData::FontPlatformData (this=0x6c5c48)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/graphics/qt/FontPlatformData.h:80
#2  0x00007f878257b5dd in WebCore::SimpleFontData::SimpleFontData (this=0x6c5c10, platformData=..., isCustomFont=true, isLoading=true, 
    isTextOrientationFallback=false) at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/graphics/SimpleFontData.cpp:59
#3  0x00007f878214632e in WebCore::SimpleFontData::create (platformData=..., isCustomFont=true, isLoading=true, 
    isTextOrientationFallback=false) at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/graphics/SimpleFontData.h:90
#4  0x00007f8782146fbe in WebCore::CSSFontFaceSource::getFontData (this=0x69d370, fontDescription=..., syntheticBold=false, 
    syntheticItalic=false, fontSelector=0x676550)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/css/CSSFontFaceSource.cpp:185
#5  0x00007f8782130f4c in WebCore::CSSFontFace::getFontData (this=0x697560, fontDescription=..., syntheticBold=false, syntheticItalic=false)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/css/CSSFontFace.cpp:105
#6  0x00007f87821c5982 in WebCore::CSSSegmentedFontFace::getFontData (this=0x69dc70, fontDescription=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/css/CSSSegmentedFontFace.cpp:127
#7  0x00007f87821398b1 in WebCore::CSSFontSelector::getFontData (this=0x676550, fontDescription=..., familyName=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/css/CSSFontSelector.cpp:539
#8  0x00007f8782535857 in WebCore::FontCache::getFontData (this=0x6336e0, font=..., familyIndex=@0x6a0c0c: 1, fontSelector=0x676550)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/graphics/FontCache.cpp:475
#9  0x00007f8782525e65 in WebCore::FontFallbackList::fontDataAt (this=0x6a0b70, font=0x698488, realizedFontIndex=0)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/graphics/FontFallbackList.cpp:108
#10 0x00007f878234430a in WebCore::FontFallbackList::primaryFontData (this=0x6a0b70, f=0x698488)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/graphics/FontFallbackList.h:96
#11 0x00007f8782525c1d in WebCore::FontFallbackList::determinePitch (this=0x6a0b70, font=0x698488)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/graphics/FontFallbackList.cpp:79
#12 0x00007f8783103b73 in WebCore::FontFallbackList::isFixedPitch (this=0x6a0b70, f=0x698488)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/graphics/FontFallbackList.h:73
#13 0x00007f8783103d00 in WebCore::Font::isFixedPitch (this=0x698488)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/graphics/Font.h:333
#14 0x00007f878316cf3e in WebCore::RenderBlock::LineBreaker::nextLineBreak (this=0x7fff567f11d0, resolver=..., lineInfo=..., 
    renderTextInfo=..., lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0, wordMeasurements=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlockLineLayout.cpp:2544
#15 0x00007f8783166d24 in WebCore::RenderBlock::layoutRunsAndFloatsInRange (this=0x678988, layoutState=..., resolver=..., 
    cleanLineStart=..., cleanLineBidiStatus=..., consecutiveHyphenatedLines=0)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1438
#16 0x00007f87831666c9 in WebCore::RenderBlock::layoutRunsAndFloats (this=0x678988, layoutState=..., hasInlineChild=true)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1369
#17 0x00007f8783168b81 in WebCore::RenderBlock::layoutInlineChildren (this=0x678988, relayoutChildren=true, repaintLogicalTop=..., 
    repaintLogicalBottom=...) at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1717
#18 0x00007f878313b31c in WebCore::RenderBlock::layoutBlock (this=0x678988, relayoutChildren=true, pageLogicalHeight=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:1562
#19 0x00007f878313a886 in WebCore::RenderBlock::layout (this=0x678988)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:1390
#20 0x00007f87831404bf in WebCore::RenderBlock::layoutBlockChild (this=0x676cc8, child=0x678988, marginInfo=..., 
    previousFloatLogicalBottom=..., maxFloatLogicalBottom=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:2492
#21 0x00007f878314003f in WebCore::RenderBlock::layoutBlockChildren (this=0x676cc8, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:2428
#22 0x00007f878313b33d in WebCore::RenderBlock::layoutBlock (this=0x676cc8, relayoutChildren=true, pageLogicalHeight=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:1564
#23 0x00007f878313a886 in WebCore::RenderBlock::layout (this=0x676cc8)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:1390
#24 0x00007f87831404bf in WebCore::RenderBlock::layoutBlockChild (this=0x61dbf8, child=0x676cc8, marginInfo=..., 
    previousFloatLogicalBottom=..., maxFloatLogicalBottom=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:2492
#25 0x00007f878314003f in WebCore::RenderBlock::layoutBlockChildren (this=0x61dbf8, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:2428
#26 0x00007f878313b33d in WebCore::RenderBlock::layoutBlock (this=0x61dbf8, relayoutChildren=true, pageLogicalHeight=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:1564
#27 0x00007f878313a886 in WebCore::RenderBlock::layout (this=0x61dbf8)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderBlock.cpp:1390
#28 0x00007f878324a556 in WebCore::RenderView::layoutContent (this=0x61dbf8, state=...)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderView.cpp:140
#29 0x00007f878324ab53 in WebCore::RenderView::layout (this=0x61dbf8)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/rendering/RenderView.cpp:198
#30 0x00007f87824c90f0 in WebCore::FrameView::layout (this=0x61c150, allowSubtree=true)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/page/FrameView.cpp:1196
#31 0x00007f87832de668 in WebCore::Document::implicitClose (this=0x658540)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/dom/Document.cpp:2463
#32 0x00007f87823fd6ad in WebCore::FrameLoader::checkCallImplicitClose (this=0x60c8b8)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/loader/FrameLoader.cpp:830
#33 0x00007f87823fd418 in WebCore::FrameLoader::checkCompleted (this=0x60c8b8)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/loader/FrameLoader.cpp:773
#34 0x00007f87823fd156 in WebCore::FrameLoader::finishedParsing (this=0x60c8b8)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/loader/FrameLoader.cpp:706
#35 0x00007f87832e5663 in WebCore::Document::finishedParsing (this=0x658540)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/dom/Document.cpp:4415
#36 0x00007f878238aa2f in WebCore::HTMLTreeBuilder::finished (this=0x61cc60)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2703
#37 0x00007f878235d382 in WebCore::HTMLDocumentParser::end (this=0x674230)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/html/parser/HTMLDocumentParser.cpp:377
#38 0x00007f878235d48b in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x674230)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/html/parser/HTMLDocumentParser.cpp:386
#39 0x00007f878235c5b3 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x674230)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/html/parser/HTMLDocumentParser.cpp:154
#40 0x00007f878235d4ce in WebCore::HTMLDocumentParser::attemptToEnd (this=0x674230)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/html/parser/HTMLDocumentParser.cpp:398
#41 0x00007f878235d585 in WebCore::HTMLDocumentParser::finish (this=0x674230)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/html/parser/HTMLDocumentParser.cpp:425
#42 0x00007f87823f49cd in WebCore::DocumentWriter::end (this=0x647128)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/loader/DocumentWriter.cpp:244
#43 0x00007f87823e3dcd in WebCore::DocumentLoader::finishedLoading (this=0x647080)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/loader/DocumentLoader.cpp:301
#44 0x00007f878241ecaf in WebCore::MainResourceLoader::didFinishLoading (this=0x6478f0, finishTime=0)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/loader/MainResourceLoader.cpp:520
#45 0x00007f878242b2b3 in WebCore::ResourceLoader::didFinishLoading (this=0x6478f0, finishTime=0)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/loader/ResourceLoader.cpp:453
#46 0x00007f87826e0e91 in WebCore::QNetworkReplyHandler::finish (this=0x6492e0)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:515
#47 0x00007f87826dfa90 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x649318)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:249
#48 0x00007f87826df7b8 in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x649318, 
    method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7f87826e0cbc <WebCore::QNetworkReplyHandler::finish()>) at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:215
#49 0x00007f87826e07a6 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x63bc20)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:408
#50 0x00007f87826e31e2 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x63bc20, _c=QMetaObject::InvokeMetaMethod, _id=1, 
    _a=0x7fff567f47d0) at .moc/debug-shared/moc_QNetworkReplyHandler.cpp:175
#51 0x00007f878062e5b7 in QMetaObject::activate (sender=0x5ffc50, signalOffset=7, local_signal_index=1, argv=0x0)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qobject.cpp:3479
#52 0x00007f878062de08 in QMetaObject::activate (sender=0x5ffc50, m=0x7f8780fdd640 <QNetworkReply::staticMetaObject>, local_signal_index=1, 
    argv=0x0) at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qobject.cpp:3354
#53 0x00007f8780f6219f in QNetworkReply::finished (this=0x5ffc50) at .moc/debug-shared/moc_qnetworkreply.cpp:297
#54 0x00007f8780f61d44 in QNetworkReply::qt_static_metacall (_o=0x5ffc50, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x63b440)
    at .moc/debug-shared/moc_qnetworkreply.cpp:183
#55 0x00007f8780626da5 in QMetaCallEvent::placeMetaCall (this=0x63b960, object=0x5ffc50)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qobject.cpp:479
#56 0x00007f8780627c92 in QObject::event (this=0x5ffc50, e=0x63b960) at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qobject.cpp:1070
#57 0x00007f878119c328 in QApplicationPrivate::notify_helper (this=0x579d70, receiver=0x5ffc50, e=0x63b960)
    at /ssd/milian/projects/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3457
#58 0x00007f8781199ac4 in QApplication::notify (this=0x572db0, receiver=0x5ffc50, e=0x63b960)
    at /ssd/milian/projects/qt5/qtbase/src/widgets/kernel/qapplication.cpp:2878
#59 0x00007f87805ee926 in QCoreApplication::notifyInternal (this=0x572db0, receiver=0x5ffc50, event=0x63b960)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:867
#60 0x00007f87805f248b in QCoreApplication::sendEvent (receiver=0x5ffc50, event=0x63b960)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qcoreapplication.h:232
#61 0x00007f87805efc6f in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x579ee0)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1471
#62 0x00007f87805ef61f in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1329
#63 0x00007f878065e363 in postEventSourceDispatch (s=0x585980)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:279
#64 0x00007f8786086da6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#65 0x00007f87860870f8 in ?? () from /usr/lib/libglib-2.0.so.0
#66 0x00007f878608719c in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#67 0x00007f878065eb0b in QEventDispatcherGlib::processEvents (this=0x57c170, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:426
#68 0x00007f877982bc10 in QPAEventDispatcherGlib::processEvents (this=0x57c170, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/platformsupport/eventdispatchers/qeventdispatcher_glib.cpp:123
#69 0x00007f87805eb686 in QEventLoop::processEvents (this=0x7fff567f5630, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventloop.cpp:136
#70 0x00007f87805eb969 in QEventLoop::exec (this=0x7fff567f5630, flags=...)
    at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qeventloop.cpp:212
#71 0x00007f87805ef002 in QCoreApplication::exec () at /ssd/milian/projects/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1120
#72 0x00007f87826ed4fc in WebCore::RunLoop::run ()
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebCore/platform/qt/RunLoopQt.cpp:69
#73 0x00007f8781f6c750 in WebKit::WebProcessMainQt (app=0x572db0)
    at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebKit2/WebProcess/qt/WebProcessMainQt.cpp:195
#74 0x00000000004011c8 in main (argc=2, argv=0x7fff567f5a58) at /ssd/milian/projects/qt5/qtwebkit-gitorious/Source/WebKit2/qt/MainQt.cpp:100

For a valgrind log and a `bt full`, see http://paste.kde.org/p9b641be0/ (it was too long for the bugtracker).
Comment 11 Allan Sandfeld Jensen 2013-08-13 03:35:00 PDT
If you are seeing the crash on a 32bit machine then it could be the same as https://bugreports.qt-project.org/browse/QTBUG-32879, which would explain why we don't see it on our 64bit development machines.
Comment 12 Allan Sandfeld Jensen 2013-08-13 04:41:27 PDT
Most likely caused by the patch for bug #118532
Comment 13 Milian Wolff 2013-08-13 05:55:56 PDT
Nope, I'm on a 64bit machine:

Linux milian-kdab2 3.10.5-1-ARCH #1 SMP PREEMPT Mon Aug 5 08:04:22 CEST 2013 x86_64 GNU/Linux
Comment 14 Allan Sandfeld Jensen 2013-08-13 06:16:03 PDT
(In reply to comment #13)
> Nope, I'm on a 64bit machine:
> 
> Linux milian-kdab2 3.10.5-1-ARCH #1 SMP PREEMPT Mon Aug 5 08:04:22 CEST 2013 x86_64 GNU/Linux

Yes, the bug seems to hit more than 32bit, but is kind of random. Have you tried reverting the patch from bug 118532?
Comment 15 Milian Wolff 2013-08-13 08:39:01 PDT
https://codereview.qt-project.org/#change,62910 fixes the issue for me.
Comment 16 Allan Sandfeld Jensen 2013-08-14 04:29:36 PDT

*** This bug has been marked as a duplicate of bug 119740 ***
Comment 17 Allan Sandfeld Jensen 2013-08-14 04:30:15 PDT
(In reply to comment #15)
> https://codereview.qt-project.org/#change,62910 fixes the issue for me.

Can you test if the new patch in bug 118532 also works without crashing?