Bug 18443
| Summary: | Crash on CSS gradients testcase | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Mike Hommey <mh+webkit> |
| Component: | Platform | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | jchaffraix |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Mike Hommey
I get a crash on the following CSS gradients testcase with r31841:
https://bugs.webkit.org/attachment.cgi?id=20472
FWIW, this is happening on the Gtk Port, built with gcc 4.2.3 on x86_64; I haven't tested others. The build happened with -O2 and -g, but not with --enable-debug.
Backtrace follows:
$ gdb /usr/lib/webkit-1.0/GtkLauncher
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) set pagination off
(gdb) run https://bugs.webkit.org/attachment.cgi?id=20472
Starting program: /usr/lib/webkit-1.0/GtkLauncher https://bugs.webkit.org/attachment.cgi?id=20472
[Thread debugging using libthread_db enabled]
warning: Lowest section in /usr/lib/libicudata.so.38 is .hash at 0000000000000120
[New Thread 0x2b2077fb0520 (LWP 6916)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x2b2077fb0520 (LWP 6916)]
WebCore::GeneratedImage::drawPattern (this=<value optimized out>, context=0x7fff3cdd7720, srcRect=@0x7fff3cdd6950, patternTransform=@0x7fff3cdd6920, phase=@0x7fff3cdd6980, compositeOp=WebCore::CompositeSourceOver, destRect=@0x7fff3cdd6a10) at ../WebCore/platform/graphics/GeneratedImage.cpp:65
65 ../WebCore/platform/graphics/GeneratedImage.cpp: No such file or directory.
in ../WebCore/platform/graphics/GeneratedImage.cpp
Current language: auto; currently c++
(gdb) bt full
#0 WebCore::GeneratedImage::drawPattern (this=<value optimized out>, context=0x7fff3cdd7720, srcRect=@0x7fff3cdd6950, patternTransform=@0x7fff3cdd6920, phase=@0x7fff3cdd6980, compositeOp=WebCore::CompositeSourceOver, destRect=@0x7fff3cdd6a10) at ../WebCore/platform/graphics/GeneratedImage.cpp:65
graphicsContext = (WebCore::GraphicsContext *) 0x2b2079406c50
#1 0x00002b206e46b256 in WebCore::Image::drawTiled (this=0x2b207940f6e0, ctxt=0x7fff3cdd7720, destRect=@0x7fff3cdd6a10, srcPoint=@0x7fff3cdd6a30, scaledTileSize=@0x7fff3cdd6a20, op=WebCore::CompositeSourceOver) at ../WebCore/platform/graphics/Image.cpp:153
intrinsicTileSize = {m_width = 150, m_height = 150}
patternTransform = {m_transform = {xx = 1, yx = 0, xy = 0, yy = 1, x0 = 0, y0 = 0}}
oneTileRect = {m_location = {m_x = -140, m_y = -140}, m_size = {m_width = 150, m_height = 150}}
tileRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 150, m_height = 150}}
#2 0x00002b206e46807d in WebCore::GraphicsContext::drawTiledImage (this=0x7fff3cdd7720, image=0x2b207940f6e0, rect=@0x7fff3cdd6af0, srcPoint=@0x7fff3cdd6b80, tileSize=<value optimized out>, op=WebCore::CompositeSourceOver) at ../WebCore/platform/graphics/GraphicsContext.cpp:369
No locals.
#3 0x00002b206e4be3d3 in WebCore::RenderBox::paintBackgroundExtended (this=0x2b20793e1a38, paintInfo=@0x7fff3cdd6f90, c=@0x2b20793a57b0, bgLayer=0x2b2079435208, clipY=8, clipH=154, tx=8, ty=8, w=154, h=154, box=0x0) at ../WebCore/rendering/RenderBox.cpp:738
destRect = {m_location = {m_x = 8, m_y = 8}, m_size = {m_width = 154, m_height = 154}}
phase = {m_x = 148, m_y = 148}
tileSize = {m_width = 150, m_height = 150}
context = (class WebCore::GraphicsContext *) 0x7fff3cdd7720
includeLeftEdge = <value optimized out>
includeRightEdge = <value optimized out>
bLeft = 2
bRight = 2
pLeft = 0
pRight = 0
clippedToBorderRadius = false
bg = (class WebCore::StyleImage *) 0x2b20794330c0
shouldPaintBackgroundImage = <value optimized out>
bgColor = {static black = 4278190080, static white = 4294967295, static darkGray = <optimized out>, static gray = <optimized out>, static lightGray = <optimized out>, static transparent = <optimized out>, m_color = 0, m_valid = false}
isTransparent = <value optimized out>
#4 0x00002b206e4b9e86 in WebCore::RenderBox::paintBackground (this=0x2b20793a5730, paintInfo=@0x2b2079406c50, c=@0x7fff3cdd6850, bgLayer=0x3, clipY=1887884928, clipH=0, tx=8, ty=8, width=154, height=154) at ../WebCore/rendering/RenderBox.cpp:426
No locals.
#5 0x00002b206e4b9f0f in WebCore::RenderBox::paintBackgrounds (this=0x2b20793e1a38, paintInfo=@0x7fff3cdd6f90, c=@0x2b20793a57b0, bgLayer=0x2b2079435230, clipY=8, clipH=154, tx=8, ty=8, width=154, height=154) at ../WebCore/rendering/RenderBox.cpp:419
No locals.
#6 0x00002b206e4b9f0f in WebCore::RenderBox::paintBackgrounds (this=0x2b20793e1a38, paintInfo=@0x7fff3cdd6f90, c=@0x2b20793a57b0, bgLayer=0x2b2079435258, clipY=8, clipH=154, tx=8, ty=8, width=154, height=154) at ../WebCore/rendering/RenderBox.cpp:419
No locals.
#7 0x00002b206e4b9f0f in WebCore::RenderBox::paintBackgrounds (this=0x2b20793e1a38, paintInfo=@0x7fff3cdd6f90, c=@0x2b20793a57b0, bgLayer=0x2b20793a5788, clipY=8, clipH=154, tx=8, ty=8, width=154, height=154) at ../WebCore/rendering/RenderBox.cpp:419
No locals.
#8 0x00002b206e4bbd44 in WebCore::RenderBox::paintBoxDecorations (this=0x2b20793e1a38, paintInfo=@0x7fff3cdd6f90, tx=8, ty=8) at ../WebCore/rendering/RenderBox.cpp:403
w = 154
h = 154
my = 8
mh = 154
themePainted = <value optimized out>
#9 0x00002b206e4b6c4f in WebCore::RenderBlock::paintObject (this=0x2b20793e1a38, paintInfo=@0x7fff3cdd6f90, tx=8, ty=8) at ../WebCore/rendering/RenderBlock.cpp:1568
paintPhase = WebCore::PaintPhaseChildBlockBackground
inlineFlow = false
scrolledX = <value optimized out>
scrolledY = <value optimized out>
#10 0x00002b206e4adf3c in WebCore::RenderBlock::paint (this=0x2b20793e1a38, paintInfo=@0x7fff3cdd6f90, tx=8, ty=8) at ../WebCore/rendering/RenderBlock.cpp:1416
phase = WebCore::PaintPhaseChildBlockBackground
#11 0x00002b206e4abb30 in WebCore::RenderBlock::paintChildren (this=0x2b20793e1910, paintInfo=@0x7fff3cdd70f0, tx=8, ty=8) at ../WebCore/rendering/RenderBlock.cpp:1528
child = (class WebCore::RenderObject *) 0x2b20793e1a38
newPhase = <value optimized out>
info = {context = 0x7fff3cdd7720, rect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}, phase = WebCore::PaintPhaseChildBlockBackground, forceBlackText = false, paintingRoot = 0x0, outlineObjects = 0x0}
#12 0x00002b206e4b6bf3 in WebCore::RenderBlock::paintObject (this=0x2b20793e1910, paintInfo=@0x7fff3cdd70f0, tx=8, ty=8) at ../WebCore/rendering/RenderBlock.cpp:1586
paintPhase = WebCore::PaintPhaseChildBlockBackground
inlineFlow = false
scrolledX = 8
scrolledY = 8
#13 0x00002b206e4adf3c in WebCore::RenderBlock::paint (this=0x2b20793e1910, paintInfo=@0x7fff3cdd70f0, tx=8, ty=8) at ../WebCore/rendering/RenderBlock.cpp:1416
phase = WebCore::PaintPhaseChildBlockBackground
#14 0x00002b206e4abb30 in WebCore::RenderBlock::paintChildren (this=0x2b20793e1708, paintInfo=@0x7fff3cdd72e0, tx=0, ty=0) at ../WebCore/rendering/RenderBlock.cpp:1528
child = (class WebCore::RenderObject *) 0x2b20793e1910
newPhase = <value optimized out>
info = {context = 0x7fff3cdd7720, rect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}, phase = WebCore::PaintPhaseChildBlockBackground, forceBlackText = false, paintingRoot = 0x0, outlineObjects = 0x0}
#15 0x00002b206e4b6bf3 in WebCore::RenderBlock::paintObject (this=0x2b20793e1708, paintInfo=@0x7fff3cdd72e0, tx=0, ty=0) at ../WebCore/rendering/RenderBlock.cpp:1586
paintPhase = WebCore::PaintPhaseChildBlockBackgrounds
inlineFlow = false
scrolledX = 0
scrolledY = 0
#16 0x00002b206e4adf3c in WebCore::RenderBlock::paint (this=0x2b20793e1708, paintInfo=@0x7fff3cdd72e0, tx=0, ty=0) at ../WebCore/rendering/RenderBlock.cpp:1416
phase = WebCore::PaintPhaseChildBlockBackgrounds
#17 0x00002b206e4dec79 in WebCore::RenderLayer::paintLayer (this=0x2b20793e17d0, rootLayer=0x2b20793e1568, p=0x7fff3cdd7720, paintDirtyRect=@0x7fff3cdd76a0, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0, appliedTransform=false) at ../WebCore/rendering/RenderLayer.cpp:1596
paintInfo = {context = 0x7fff3cdd7720, rect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}, phase = WebCore::PaintPhaseChildBlockBackgrounds, forceBlackText = false, paintingRoot = 0x0, outlineObjects = 0x0}
layerBounds = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}
damageRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}
clipRectToApply = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}
outlineRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}
y = 539
tx = 0
ty = 0
forceBlackText = <value optimized out>
paintingRootForRenderer = (class WebCore::RenderObject *) 0x0
shouldPaint = true
#18 0x00002b206e4dea81 in WebCore::RenderLayer::paintLayer (this=0x2b20793e1568, rootLayer=0x2b20793e1568, p=0x7fff3cdd7720, paintDirtyRect=@0x7fff3cdd76a0, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0, appliedTransform=false) at ../WebCore/rendering/RenderLayer.cpp:1626
it = (class WebCore::RenderLayer **) 0x2b20793e3388
layerBounds = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}
damageRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}
clipRectToApply = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}
outlineRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}
y = <value optimized out>
tx = 0
ty = 0
forceBlackText = <value optimized out>
paintingRootForRenderer = (class WebCore::RenderObject *) 0x0
shouldPaint = true
#19 0x00002b206e4def44 in WebCore::RenderLayer::paint (this=0x2b20793a5730, p=0x7fff3cdd6850, damageRect=@0x3, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=<value optimized out>) at ../WebCore/rendering/RenderLayer.cpp:1451
No locals.
#20 0x00002b206e43d8e8 in WebCore::Frame::paint (this=0x2b20793a4228, p=0x7fff3cdd7720, rect=@0x7fff3cdd76a0) at ../WebCore/page/Frame.cpp:1346
eltRenderer = (class WebCore::RenderObject *) 0x0
#21 0x00002b206e14b601 in WebCore::ScrollView::paint (this=0x2b20793a6828, context=0x7fff3cdd7720, rect=@0x7fff3cdd7710) at ../WebCore/platform/gtk/ScrollViewGtk.cpp:733
documentDirtyRect = {m_location = {m_x = 0, m_y = 0}, m_size = {m_width = 800, m_height = 539}}
#22 0x00002b206e12b660 in webkit_web_view_expose_event (widget=<value optimized out>, event=<value optimized out>) at ../WebKit/gtk/webkit/webkitwebview.cpp:264
priv = <value optimized out>
frame = (class WebCore::Frame *) 0x2b20793a4228
clip = {x = 0, y = 0, width = 800, height = 539}
cr = (cairo_t *) 0xa88f50
ctx = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_common = 0x2b20793f2d20, m_data = 0x2b207940f730}
#23 0x00002b206f1a84df in _gtk_marshal_BOOLEAN__BOXED (closure=0x636810, return_value=0x7fff3cdd79e0, n_param_values=<value optimized out>, param_values=0x7fff3cdd7ac0, invocation_hint=<value optimized out>, marshal_data=0x2b206e12b590) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmarshalers.c:84
data1 = (gpointer) 0x66e3b0
data2 = (gpointer) 0x7fff3cdd6850
v_return = <value optimized out>
__PRETTY_FUNCTION__ = "_gtk_marshal_BOOLEAN__BOXED"
#24 0x00002b206f623b5f in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#25 0x00002b206f6379d8 in ?? () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#26 0x00002b206f638d16 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#27 0x00002b206f6393b3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#28 0x00002b206f2af925 in gtk_widget_event_internal (widget=0x66e3b0, event=0x7fff3cdd7ea0) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkwidget.c:4678
signal_num = <value optimized out>
return_val = 0
#29 0x00002b206f1a297e in IA__gtk_main_do_event (event=0x7fff3cdd7ea0) at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1514
event_widget = (GtkWidget *) 0x66e3b0
grab_widget = (GtkWidget *) 0x66e3b0
window_group = (GtkWindowGroup *) 0x6d9a80
rewritten_event = (GdkEvent *) 0x0
tmp_list = <value optimized out>
__PRETTY_FUNCTION__ = "IA__gtk_main_do_event"
#30 0x00002b206fd51b94 in gdk_window_process_updates_internal (window=0x8860a0) at /build/buildd/gtk+2.0-2.12.9/gdk/gdkwindow.c:2378
event = {type = GDK_EXPOSE, any = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0'}, expose = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', area = {x = 0, y = 0, width = 800, height = 539}, region = 0x66b790, count = 0}, no_expose = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0'}, visibility = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', state = GDK_VISIBILITY_UNOBSCURED}, motion = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', time = 0, x = 1.6975966327722179e-311, y = 2.6630138310843189e-321, axes = 0x66b790, state = 0, is_hint = 0, device = 0x2b206eb01220, x_root = 5.4298051629462999e-317, y_root = 3.2054821001173407e-317}, button = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', time = 0, x = 1.6975966327722179e-311, y = 2.6630138310843189e-321, axes = 0x66b790, state = 0, button = 0, device = 0x2b206eb01220, x_root = 5.4298051629462999e-317, y_root = 3.2054821001173407e-317}, scroll = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', time = 0, x = 1.6975966327722179e-311, y = 2.6630138310843189e-321, state = 6731664, direction = GDK_SCROLL_UP, device = 0x0, x_root = 2.3427751028334667e-310, y_root = 5.4298051629462999e-317}, key = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', time = 0, state = 0, keyval = 800, length = 539, string = 0x66b790 "\002", hardware_keycode = 0, group = 0 '\0', is_modifier = 0}, crossing = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', subwindow = 0x32000000000, time = 539, x = 3.3258839217462691e-317, y = 0, x_root = 2.3427751028334667e-310, y_root = 5.4298051629462999e-317, mode = 6487968, detail = GDK_NOTIFY_ANCESTOR, focus = 1, state = 0}, focus_change = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', in = 0}, configure = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', x = 0, y = 0, width = 800, height = 539}, property = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', atom = 
0x32000000000, time = 539, state = 0}, selection = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', selection = 0x32000000000, target = 0x21b, property = 0x66b790, time = 0, requestor = 0}, owner_change = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', owner = 0, reason = GDK_OWNER_CHANGE_NEW_OWNER, selection = 0x21b, time = 6731664, selection_time = 0}, proximity = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', time = 0, device = 0x32000000000}, client = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', message_type = 0x32000000000, data_format = 539, data = {b = "\220�f", '\0' <repeats 13 times>, " \022�n", s = {-18544, 102, 0, 0, 0, 0, 0, 0, 4640, 28336}, l = {6731664, 0, 47418295980576, 10990048, 6487968}}}, dnd = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', context = 0x32000000000, time = 539, x_root = 0, y_root = 0}, window_state = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', changed_mask = 0, new_window_state = 0}, setting = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', action = GDK_SETTING_ACTION_NEW, name = 0x32000000000 <Address 0x32000000000 out of bounds>}, grab_broken = {type = GDK_EXPOSE, window = 0x8860a0, send_event = 0 '\0', keyboard = 0, implicit = 0, grab_window = 0x21b}}
window_rect = {x = 0, y = 0, width = 800, height = 539}
expose_region = (GdkRegion *) 0x66b790
window_region = (GdkRegion *) 0x6d4460
width = 800
height = 539
save_region = 1
#31 0x00002b206fd521b7 in IA__gdk_window_process_all_updates () at /build/buildd/gtk+2.0-2.12.9/gdk/gdkwindow.c:2444
private = (GdkWindowObject *) 0x8860a0
old_update_windows = (GSList *) 0x783d10
tmp_list = (GSList *) 0x783a90
#32 0x00002b206fd521d9 in gdk_window_update_idle (data=0x2b20793a5730) at /build/buildd/gtk+2.0-2.12.9/gdk/gdkwindow.c:2288
No locals.
#33 0x00002b206fd3982e in gdk_threads_dispatch (data=0x6dac20) at /build/buildd/gtk+2.0-2.12.9/gdk/gdk.c:470
ret = 0
#34 0x00002b206f8920f2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#35 0x00002b206f895396 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#36 0x00002b206f895657 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#37 0x00002b206f1a2b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163
tmp_list = (GList *) 0x62b0b0
functions = (GList *) 0x0
init = (GtkInitFunction *) 0x662280
loop = (GMainLoop *) 0x883570
#38 0x0000000000401e9b in main (argc=2, argv=0x7fff3cdd8288) at ../WebKitTools/GtkLauncher/main.c:200
vbox = (GtkWidget *) 0x62b0b0
uri = <value optimized out>
Julien Chaffraix
Confirmed on ToT.
The lines involved in GeneratedImage::drawPattern:

```cpp
// Grab the final image from the image buffer.
Image* bitmap = imageBuffer->image();
// Now just call drawTiled on that image.
bitmap->drawPattern(context, srcRect, patternTransform, phase, compositeOp, destRect);
```

The crash is caused by bitmap being 0. It is because ImageBuffer::image() is only implemented on CG and returns 0 for all other platforms.
Dave Hyatt
Yes, see my mail to webkit-dev about all platforms needing to implement image().
Mike Hommey
This has apparently been fixed for the Gtk port in r32276.
Though, I wonder if it wouldn't be better if the "unimplemented" fallback wouldn't crash, too...
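As an added illustration of the null dereference Julien describes and of the non-crashing fallback Mike asks for (example code, not WebKit's own; the Image, ImageBuffer and drawPattern names below are simplified stand-ins for the real WebCore classes):

```cpp
#include <cstddef>

// Hypothetical stand-ins for the WebCore types; they only count draw calls.
struct Image {
    int drawCalls = 0;
    void drawPattern() { ++drawCalls; }
};

// Mimics ImageBuffer::image() on a port where it is still unimplemented:
// the backing pointer is null, so image() returns 0 as in the report.
struct ImageBuffer {
    Image* backing;
    explicit ImageBuffer(Image* img) : backing(img) {}
    Image* image() { return backing; }
};

// Unguarded form, mirroring the two quoted lines: whatever image() returns
// is dereferenced. With a null backing image this is the SIGSEGV at
// GeneratedImage.cpp:65, so it must only be called with a valid buffer.
void drawPatternUnguarded(ImageBuffer* imageBuffer) {
    Image* bitmap = imageBuffer->image();
    bitmap->drawPattern();
}

// Guarded form: a missing backing image means "nothing to draw". The tile
// is left blank and the caller is told, instead of the process crashing.
bool drawPatternGuarded(ImageBuffer* imageBuffer) {
    Image* bitmap = imageBuffer ? imageBuffer->image() : nullptr;
    if (!bitmap)
        return false; // unimplemented or failed backing store: skip drawing
    bitmap->drawPattern();
    return true;
}

int main() {
    Image img;
    ImageBuffer implemented(&img);   // port that implements image()
    ImageBuffer unimplemented(nullptr); // port that returns 0, as Gtk did
    drawPatternUnguarded(&implemented);   // fine: bitmap is non-null
    drawPatternGuarded(&unimplemented);   // returns false, no crash
    return 0;
}
```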
Mike Hommey
Confirmed, this has been fixed