Bug 48723

Summary: Possible Crash in SegmentedFontData::isLoading
Product: WebKit    Reporter: Ryuan Choi <ryuan.choi>
Component: CSS    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal    CC: j, misc, mitz, mrobinson, plaes, uzytkownik2, xan.lopez
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Attachments:
Description      Flags
Patch            none
traceback.log    none
Patch            none

Description Ryuan Choi 2010-10-30 22:40:07 PDT
It's hardly reproducible on desktop,
but I got the callstack below in my mobile browser (test site is http://samsung.com/us):

#0  WebCore::SegmentedFontData::isLoading (this=0x84e8ae8) at .././WebCore/platform/graphics/SegmentedFontData.cpp:77
#1  0x010bc230 in WebCore::FontFallbackList::fontDataAt (this=0x83fb5c8, font=0x84097d4, realizedFontIndex=0) at .././WebCore/platform/graphics/FontFallbackList.cpp:108
#2  0x010bc3b4 in WebCore::FontFallbackList::primaryFontData (this=0x83fb5c8, font=0x84097d4) at .././WebCore/platform/graphics/FontFallbackList.h:66
#3  WebCore::FontFallbackList::determinePitch (this=0x83fb5c8, font=0x84097d4) at .././WebCore/platform/graphics/FontFallbackList.cpp:76
#4  0x01139d85 in WebCore::FontFallbackList::isFixedPitch (this=0x83d7c74, resolver=..., firstLine=true, isLineEmpty=@0xbfffd42c, previousLineBrokeCleanly=@0xbfffd42d, hyphenated=@0xbfffd42b, clear=0xbfffd410)
    at .././WebCore/platform/graphics/FontFallbackList.h:47
#5  WebCore::Font::isFixedPitch (this=0x83d7c74, resolver=..., firstLine=true, isLineEmpty=@0xbfffd42c, previousLineBrokeCleanly=@0xbfffd42d, hyphenated=@0xbfffd42b, clear=0xbfffd410) at .././WebCore/platform/graphics/Font.h:251
#6  WebCore::RenderBlock::findNextLineBreak (this=0x83d7c74, resolver=..., firstLine=true, isLineEmpty=@0xbfffd42c, previousLineBrokeCleanly=@0xbfffd42d, hyphenated=@0xbfffd42b, clear=0xbfffd410)
    at .././WebCore/rendering/RenderBlockLineLayout.cpp:1567

From my (admittedly rough) tracing, it looks highly related to CSSFontFace::fontLoaded.
CSSFontFace calls CSSSegmentedFontFace::fontLoaded when the loaded source is the same as m_activeSource,
but m_activeSource can hold only one source, although CSSFontFace::getFontData is called more than once.
Comment 1 Ryuan Choi 2010-11-01 17:54:57 PDT
Created attachment 72609 [details]
Patch
Comment 2 mitz 2010-11-01 17:57:00 PDT
Comment on attachment 72609 [details]
Patch

How can there be multiple active sources simultaneously?
Comment 3 Ryuan Choi 2010-11-01 20:05:19 PDT
(In reply to comment #2)
> (From update of attachment 72609 [details])
> How can there be multiple active sources simultaneously?

I believe it's caused by the arguments.

I got the log below (SFD means SegmentedFontData, and the pointer in () is the this pointer).
As the messages below show, CSSFontFace(0x77c380) chooses two sources.


CSSFontFace(0x77c380)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x77be78 <-- first one
    returned result is 0x945678
SFD(0xcff8e8) fontData is 0x945678
CSSFontFace(0x55dce8)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x55dd70
    returned result is 0xd07000
SFD(0xd034f0) fontData is 0xd07000
CSSFontFace(0x77c380)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x77be78
    returned result is 0xd093a0
SFD(0xb32b78) fontData is 0xd093a0
SFD(0xb32b78) fontData is 0xd093a0
CSSFontFace(0x55dce8)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x55dd70
    returned result is 0xcec1c0
SFD(0xd33248) fontData is 0xcec1c0
CSSFontFace(0x77c380)::getFontData(fd, 1, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[0]->getFontData()=> 0x77c350 <-- second one
    returned result is 0xced468
SFD(0x8af130) fontData is 0xced468
SFD(0xb32b78) fontData is 0xd093a0
SFD(0xcff8e8) fontData is 0x945678
SFD(0xcff8e8) fontData is 0x945678
SFD(0xcff8e8) fontData is 0x945678
SFD(0xcff8e8) fontData is 0x945678
SFD(0xcff8e8) fontData is 0x945678
SFD(0xcff8e8) fontData is 0x945678
SFD(0xcff8e8) fontData is 0x945678
SFD(0xcff8e8) fontData is 0x945678
CSSFontFace(0x55dce8)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x55dd70
    returned result is 0xd12cc8
SFD(0xcff630) fontData is 0xd12cc8
SFD(0xb32b78) fontData is 0xd093a0
SFD(0xcff630) fontData is 0xd12cc8

[WebKit] ResourceHandle::create: network is active
[WebKit] ResourceHandle::create: status is: 2 (DNet Active)
CSSFontFace(0x7068e8)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x706970
    returned result is 0xc550c0
SFD(0xb65ed0) fontData is 0xc550c0
CSSFontFace(0x55dce8)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x55dd70
    returned result is 0xafecb8
SFD(0xbad360) fontData is 0xafecb8
SFD(0xb669f0) fontData is 0xcca2c8
CSSFontFace(0x55dce8)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x55dd70
    returned result is 0x968500
SFD(0xcccbb8) fontData is 0x968500
CSSFontFace(0x7068e8)::getFontData(fd, 1, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x706970
    returned result is 0xb2b2c8
SFD(0xcd75e0) fontData is 0xb2b2c8
CSSFontFace(0x7068e8)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x706970
    returned result is 0xb3cfa8
SFD(0xcff8c0) fontData is 0xb3cfa8
CSSFontFace(0x55dce8)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
    activeSource is m_sources[1]->getFontData()=> 0x55dd70
    returned result is 0xb254c0
SFD(0x937f68) fontData is 0xb254c0
SFD(0x8a3658) fontData is 0x938830
[sys_assert]START of sighandler 
[sys_assert]this thread is main thread. pid=2995
Comment 4 Priit Laes (IRC: plaes) 2010-11-16 03:17:24 PST
Created attachment 73977 [details]
traceback.log

I'm seeing a similar (also hardly reproducible, it just happens every once in a while) stack trace with Epiphany/WebKitGTK 1.3.6 on Linux:

#6  <signal handler called>
#7  0x00007f04d3d1b648 in WebCore::FontFallbackList::fontDataAt (this=0x7f042e585000, font=<value optimized out>, realizedFontIndex=<value optimized out>) at WebCore/platform/graphics/FontFallbackList.cpp:107
#8  0x00007f04d3d1b788 in primaryFontData (this=0x7f0431e33500, font=0x31a46529) at WebCore/platform/graphics/FontFallbackList.h:66
#9  WebCore::FontFallbackList::determinePitch (this=0x7f0431e33500, font=0x31a46529) at WebCore/platform/graphics/FontFallbackList.cpp:76
#10 0x00007f04d3dbd768 in isFixedPitch (this=<value optimized out>, resolver=<value optimized out>, firstLine=<value optimized out>, isLineEmpty=<value optimized out>, previousLineBrokeCleanly=<value optimized out>, hyphenated=@0x7fffcef50509, clear=0x7fffcef504f4, lastFloatFromPreviousLine=0x0) at ./WebCore/platform/graphics/FontFallbackList.h:47
#11 isFixedPitch (this=<value optimized out>, resolver=<value optimized out>, firstLine=<value optimized out>, isLineEmpty=<value optimized out>, previousLineBrokeCleanly=<value optimized out>, hyphenated=@0x7fffcef50509, clear=0x7fffcef504f4, lastFloatFromPreviousLine=0x0) at ./WebCore/platform/graphics/Font.h:251
#12 WebCore::RenderBlock::findNextLineBreak (this=<value optimized out>, resolver=<value optimized out>, firstLine=<value optimized out>, isLineEmpty=<value optimized out>, previousLineBrokeCleanly=<value optimized out>, hyphenated=@0x7fffcef50509, clear=0x7fffcef504f4, lastFloatFromPreviousLine=0x0) at WebCore/rendering/RenderBlockLineLayout.cpp:1623
#13 0x00007f04d3dbf502 in WebCore::RenderBlock::layoutInlineChildren (this=0x7f043161b560, relayoutChildren=<value optimized out>, repaintLogicalTop=@0x7fffcef5063c, repaintLogicalBottom=@0x7fffcef50638) at WebCore/rendering/RenderBlockLineLayout.cpp:665
#14 0x00007f04d3db36f2 in WebCore::RenderBlock::layoutBlock (this=0x7f043161b560, relayoutChildren=true, pageHeight=0) at WebCore/rendering/RenderBlock.cpp:1202
#15 0x00007f04d3d9cfdd in WebCore::RenderBlock::layout (this=0x7f043161b560) at WebCore/rendering/RenderBlock.cpp:1100
Comment 5 Eric Seidel (no email) 2011-04-10 16:30:38 PDT
Comment on attachment 72609 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=72609&action=review

Can you explain more about the crash and how it might be triggered in your ChangeLog?

> WebCore/css/CSSFontFace.cpp:82
> +    if (m_activeSources.find(source) == WTF::notFound)

Isn't there a contains() helper which does just this?
Comment 6 Ryuan Choi 2011-04-14 18:22:55 PDT
(In reply to comment #5)
> (From update of attachment 72609 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=72609&action=review
> 
> Can you explain more about the crash and how it might be triggered in your ChangeLog?
> 
> > WebCore/css/CSSFontFace.cpp:82
> > +    if (m_activeSources.find(source) == WTF::notFound)
> 
> Isn't there a contains() helper which does just this?

Right. I'll update patch like you mentioned.
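The following is an added illustration, not code from WebKit or from either patch: a toy model of the bookkeeping the reporter describes in comment 0 (a single m_activeSource slot being overwritten when CSSFontFace::getFontData is called more than once) and of the shape of the attached patch (a vector of active sources tested with find()/contains()). The yieldsPlain/yieldsBold flags on the stand-in source are an assumption used only to reproduce the comment 3 log, in which getFontData(fd, 0, 0) and getFontData(fd, 1, 0) on the same CSSFontFace selected different sources; the bug does not establish why that happened (see mitz's question in comment 8), and it was eventually closed WORKSFORME.

```cpp
// Added example: simplified stand-ins for CSSFontFaceSource / CSSFontFace.
// Everything here is constructed for illustration; names mirror WebKit's
// but the types are not WebKit's.
#include <algorithm>
#include <cstddef>
#include <vector>

namespace toy {

// Stand-in for CSSFontFaceSource. yieldsFor() is an ASSUMED predicate that
// makes a source answer one getFontData() argument combination but not the
// other, mimicking the comment 3 log; the real cause is not established.
struct FontFaceSource {
    bool yieldsPlain;
    bool yieldsBold;
    bool yieldsFor(bool syntheticBold) const {
        return syntheticBold ? yieldsBold : yieldsPlain;
    }
};

// Stand-in for CSSFontFace, carrying both the original single slot and the
// patch's vector so the two behaviours can be compared on one sequence.
struct FontFace {
    std::vector<FontFaceSource*> sources;
    FontFaceSource* activeSource = nullptr;       // original: one slot
    std::vector<FontFaceSource*> activeSources;   // patch: every source handed out

    // Mirrors the loop in CSSFontFace::getFontData(): the first source that
    // yields data for these arguments is recorded as the active one.
    FontFaceSource* getFontData(bool syntheticBold) {
        for (FontFaceSource* s : sources) {
            if (!s->yieldsFor(syntheticBold))
                continue;
            activeSource = s;  // overwrites whatever was active before
            if (std::find(activeSources.begin(), activeSources.end(), s) == activeSources.end())
                activeSources.push_back(s);
            return s;
        }
        return nullptr;
    }

    // Original CSSFontFace::fontLoaded(): forward to the
    // CSSSegmentedFontFaces only if the finished source is the active one.
    bool fontLoadedOriginal(const FontFaceSource* source) const {
        return source == activeSource;
    }

    // Patched version: forward if the source is any of the active ones
    // (the find() == notFound test Eric suggested replacing with contains()).
    bool fontLoadedPatched(const FontFaceSource* source) const {
        return std::find(activeSources.begin(), activeSources.end(), source) != activeSources.end();
    }
};

struct Outcome {
    bool original;             // would the original code forward the notification?
    bool patched;              // would the patched code forward it?
    std::size_t activeCount;   // how many sources the patch remembers as active
};

// Replays the comment 3 sequence on one face: getFontData(fd, 0, 0) selects
// one source, then getFontData(fd, 1, 0) selects another. Returns whether the
// load completion of the FIRST source would still be forwarded.
Outcome replay() {
    FontFaceSource first  = { true,  false };  // constructed: m_sources[1] in the log
    FontFaceSource second = { false, true  };  // constructed: m_sources[0] in the log
    FontFace face;
    face.sources = { &first, &second };
    FontFaceSource* a = face.getFontData(false);  // "first one"
    face.getFontData(true);                       // "second one" overwrites activeSource
    return { face.fontLoadedOriginal(a), face.fontLoadedPatched(a), face.activeSources.size() };
}

} // namespace toy
```

Under this model the SegmentedFontData built from the first source is never told that its source finished loading, because by the time fontLoaded() fires the single slot already points at the second source; the vector keeps both and the notification goes through. Whether that is what produced the crash in SegmentedFontData::isLoading is exactly what the reviewers asked the reporter to establish.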
Comment 7 Ryuan Choi 2011-04-14 21:26:09 PDT
Created attachment 89731 [details]
Patch
Comment 8 mitz 2011-04-14 21:58:32 PDT
(In reply to comment #3)
> (In reply to comment #2)
> > (From update of attachment 72609 [details])
> > How can there be multiple active sources simultaneously?
> 
> I believe that It's caused by arguments.
> 
> I got below log (SFD means SegmentedFontData and pointer in () is this pointer).
> As following below message, CSSFontFace(0x77c380) choose two sources.
> 
> 
> CSSFontFace(0x77c380)::getFontData(fd, 0, 0), fontSelector(0x7a6ad8)
>     activeSource is m_sources[1]->getFontData()=> 0x77be78 <-- first one
>     returned result is 0x945678

> CSSFontFace(0x77c380)::getFontData(fd, 1, 0), fontSelector(0x7a6ad8)
>     activeSource is m_sources[0]->getFontData()=> 0x77c350 <-- second one
>     returned result is 0xced468

Can you explain how m_sources[0] became active here whereas it wasn’t active the first time around? I can’t identify a code path in CSSFontFaceSource::getFontData() which would explain returning 0 at first and later returning a non-0 value.
Comment 9 Adele Peterson 2011-04-26 16:54:55 PDT
Comment on attachment 89731 [details]
Patch

r- until mitz's question is answered.
Comment 10 Martin Robinson 2011-04-27 13:06:32 PDT
*** Bug 59621 has been marked as a duplicate of this bug. ***
Comment 11 Martin Robinson 2011-05-01 00:31:55 PDT
*** Bug 59871 has been marked as a duplicate of this bug. ***
Comment 12 Martin Robinson 2011-08-29 14:31:59 PDT
I haven't seen this crash for some months. Ryuan, are you still experiencing it?
Comment 13 Ryuan Choi 2011-08-29 16:24:36 PDT
(In reply to comment #12)
> I haven't seen this crash for some months. Ryuan, are you still experiencing it?

I'm not sure, because we are using it locally.

Anyway, I want to close this and reopen it when I see the same issue.
Thanks.