RESOLVED FIXED 119747
svg/text/text-overflow-ellipsis-svgfont-kerning-ligatures.html and svg/css/font-face-crash.html frequently assert in ComplexTextController::offsetForPosition 
https://bugs.webkit.org/show_bug.cgi?id=119747
Summary svg/text/text-overflow-ellipsis-svgfont-kerning-ligatures.html and svg/css/fo...
Antti Koivisto
Reported 2013-08-13 07:52:55 PDT
Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r153990%20(11617)/results.html Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef VM Regions Near 0xbbadbeef: --> __TEXT 000000010fc9d000-000000010fc9e000 [ 4K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess Application Specific Information: CRASHING TEST: svg/text/text-overflow-ellipsis-svgfont-kerning-ligatures.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000011195c55a WTFCrash + 42 (Assertions.cpp:342) 1 com.apple.WebCore 0x000000011287d5ef WebCore::ComplexTextController::offsetForPosition(float, bool) + 2623 (ComplexTextController.cpp:258) 2 com.apple.WebCore 0x0000000112d5ee00 WebCore::Font::offsetForPositionForComplexText(WebCore::TextRun const&, float, bool) const + 144 (FontComplexTextMac.cpp:124) 3 com.apple.WebCore 0x0000000112d41dc6 WebCore::Font::offsetForPosition(WebCore::TextRun const&, float, bool) const + 150 (Font.cpp:380) 4 com.apple.WebCore 0x000000011307c768 WebCore::InlineTextBox::offsetForPosition(float, bool) const + 504 (InlineTextBox.cpp:1555) 5 com.apple.WebCore 0x000000011307452a WebCore::InlineTextBox::placeEllipsisBox(bool, float, float, float, float&, bool&) + 938 (InlineTextBox.cpp:294) 6 com.apple.WebCore 0x0000000113069179 WebCore::InlineFlowBox::placeEllipsisBox(bool, float, float, float, float&, bool&) + 233 (InlineFlowBox.cpp:1485) 7 com.apple.WebCore 0x0000000113c83d2e WebCore::RootInlineBox::placeEllipsisBox(bool, float, float, float, float&, bool&) + 94 (RootInlineBox.cpp:163) 8 com.apple.WebCore 0x0000000113c83c9c WebCore::RootInlineBox::placeEllipsis(WTF::AtomicString const&, bool, float, float, float, WebCore::InlineBox*) + 844 (RootInlineBox.cpp:156) 9 com.apple.WebCore 0x00000001139e0889 WebCore::RenderBlock::checkLinesForTextOverflow() + 1545 (RenderBlockLineLayout.cpp:3615) 10 com.apple.WebCore 0x00000001139dfe89 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 2729 (RenderBlockLineLayout.cpp:2212) 11 com.apple.WebCore 0x000000011397d715 WebCore::RenderBlock::layoutBlock(bool, WebCore::LayoutUnit) + 1205 (RenderBlock.cpp:1645) 12 com.apple.WebCore 0x000000011397ca2d WebCore::RenderBlock::layout() + 125 (RenderBlock.cpp:1432) 13 com.apple.WebCore 0x000000011398a242 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1266 (RenderBlock.cpp:2664) 14 com.apple.WebCore 0x000000011397feb6 WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 614 (RenderBlock.cpp:2596) 15 com.apple.WebCore 0x000000011397d738 WebCore::RenderBlock::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlock.cpp:1650) 16 com.apple.WebCore 0x000000011397ca2d WebCore::RenderBlock::layout() + 125 (RenderBlock.cpp:1432) 17 com.apple.WebCore 0x000000011398a242 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1266 (RenderBlock.cpp:2664) 18 com.apple.WebCore 0x000000011397feb6 WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 614 (RenderBlock.cpp:2596) 19 com.apple.WebCore 0x000000011397d738 WebCore::RenderBlock::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlock.cpp:1650) 20 com.apple.WebCore 0x000000011397ca2d WebCore::RenderBlock::layout() + 125 (RenderBlock.cpp:1432) 21 com.apple.WebCore 0x000000011398a242 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1266 (RenderBlock.cpp:2664) 22 com.apple.WebCore 0x000000011397feb6 WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 614 (RenderBlock.cpp:2596) 23 com.apple.WebCore 0x000000011397d738 WebCore::RenderBlock::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlock.cpp:1650) 24 com.apple.WebCore 0x000000011397ca2d WebCore::RenderBlock::layout() + 125 (RenderBlock.cpp:1432) 25 com.apple.WebCore 0x0000000113c3c0ed WebCore::RenderView::layoutContent(WebCore::LayoutState const&) + 93 (RenderView.cpp:143) 26 com.apple.WebCore 0x0000000113c3cfd5 WebCore::RenderView::layout() + 1349 (RenderView.cpp:327) 27 com.apple.WebCore 0x0000000112dcdea2 WebCore::FrameView::layout(bool) + 3218 (FrameView.cpp:1333) 28 com.apple.WebCore 0x0000000112b2dd8f WebCore::Document::implicitClose() + 991 (Document.cpp:2419) 29 com.apple.WebCore 0x0000000112da461b WebCore::FrameLoader::checkCallImplicitClose() + 155 (FrameLoader.cpp:851) 30 com.apple.WebCore 0x0000000112da4296 WebCore::FrameLoader::checkCompleted() + 358 (FrameLoader.cpp:795) 31 com.apple.WebCore 0x0000000112da2e28 WebCore::FrameLoader::finishedParsing() + 184 (FrameLoader.cpp:728) 32 com.apple.WebCore 0x0000000112b38a0b WebCore::Document::finishedParsing() + 475 (Document.cpp:4393) 33 com.apple.WebCore 0x0000000112ef6378 WebCore::HTMLConstructionSite::finishedParsing() + 24 (HTMLConstructionSite.cpp:349) 34 com.apple.WebCore 0x0000000112fe9b24 WebCore::HTMLTreeBuilder::finished() + 116 (HTMLTreeBuilder.cpp:2927) 35 com.apple.WebCore 0x0000000112f160fe WebCore::HTMLDocumentParser::end() + 174 (HTMLDocumentParser.cpp:764) 36 com.apple.WebCore 0x0000000112f14b52 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 242 (HTMLDocumentParser.cpp:775) 37 com.apple.WebCore 0x0000000112f1497f WebCore::HTMLDocumentParser::prepareToStopParsing() + 271 (HTMLDocumentParser.cpp:212) 38 com.apple.WebCore 0x0000000112f16153 WebCore::HTMLDocumentParser::attemptToEnd() + 67 (HTMLDocumentParser.cpp:787) 39 com.apple.WebCore 0x0000000112f161a8 WebCore::HTMLDocumentParser::finish() + 72 (HTMLDocumentParser.cpp:836) 40 com.apple.WebCore 0x0000000112ba17ba WebCore::DocumentWriter::end() + 346 (DocumentWriter.cpp:249) 41 com.apple.WebCore 0x0000000112b70693 WebCore::DocumentLoader::finishedLoading(double) + 595 (DocumentLoader.cpp:403) 42 com.apple.WebCore 0x0000000112b703ae WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) + 270 (DocumentLoader.cpp:345) 43 com.apple.WebCore 0x000000011281a11d WebCore::CachedResource::checkNotify() + 109 (CachedResource.cpp:369) 44 com.apple.WebCore 0x000000011281a234 WebCore::CachedResource::finishLoading(WebCore::ResourceBuffer*) + 52 (CachedResource.cpp:386) 45 com.apple.WebCore 0x000000011281447b WebCore::CachedRawResource::finishLoading(WebCore::ResourceBuffer*) + 187 (CachedRawResource.cpp:95) 46 com.apple.WebCore 0x0000000113e3d12b WebCore::SubresourceLoader::didFinishLoading(double) + 459 (SubresourceLoader.cpp:284) 47 com.apple.WebCore 0x0000000113c6b935 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 53 (ResourceLoader.cpp:489) 48 com.apple.WebCore 0x000000011404d5fa -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 186 (WebCoreResourceHandleAsDelegate.mm:234)
Attachments
Patch (6.67 KB, patch)
2014-03-03 19:34 PST, Myles C. Maxfield 		no flags
DetailsFormatted DiffDiff
Patch (7.45 KB, patch)
2014-03-10 15:43 PDT, Myles C. Maxfield 		no flags
DetailsFormatted DiffDiff
Patch (10.99 KB, patch)
2014-04-01 12:14 PDT, Myles C. Maxfield 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2014-02-10 14:47:26 PST
*** Bug 128541 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 2 2014-02-10 14:53:58 PST
This was fixed by <http://trac.webkit.org/r154384> and <http://trac.webkit.org/r154674>, but after many months, the fixes were rolled out in <http://trac.webkit.org/r163655>. So the test is asserting again. Skipped the test in debug builds in <http://trac.webkit.org/r163824>.
Alexey Proskuryakov
Comment 3 2014-02-10 22:13:15 PST
svg/css/font-face-crash.html is another test that started to hit this assertion.
Alexey Proskuryakov
Comment 4 2014-02-10 22:14:21 PST
*** Bug 111626 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 5 2014-02-10 22:16:16 PST
Skipped svg/css/font-face-crash.html in debug builds in <http://trac.webkit.org/r163861>.
Myles C. Maxfield
Comment 6 2014-03-03 19:34:12 PST
Created attachment 225729 [details] Patch
Myles C. Maxfield
Comment 7 2014-03-03 21:24:06 PST
Comment on attachment 225729 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=225729&action=review > LayoutTests/svg/text/svg-font-hittest.html:29 > + }), 100); This is likely flakey. Does anyone have any ideas about how to make this more robust?
Alexey Proskuryakov
Comment 8 2014-03-03 22:59:00 PST
Comment on attachment 225729 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=225729&action=review > LayoutTests/ChangeLog:3 > + svg/text/text-overflow-ellipsis-svgfont-kerning-ligatures.html and svg/css/font-face-crash.html frequently assert in ComplexTextController::offsetForPosition Shouldn't these tests be unskilled now? Both are skipped in LayoutTests/platform/mac/TestExpectations. >> LayoutTests/svg/text/svg-font-hittest.html:29 >> + }), 100); > > This is likely flakey. Does anyone have any ideas about how to make this more robust? I think that fast/css/font-face-download-error.html is an example of how to make such tests non-flaky.
Myles C. Maxfield
Comment 9 2014-03-10 15:43:00 PDT
Created attachment 226344 [details] Patch
Alexey Proskuryakov
Comment 10 2014-04-01 09:46:43 PDT
Who are the qualified reviewers for this patch?
Simon Fraser (smfr)
Comment 11 2014-04-01 10:49:08 PDT
Comment on attachment 226344 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=226344&action=review > Source/WebCore/platform/graphics/Font.cpp:447 > + if (codePath(run) != Complex && (!typesettingFeatures() || run.renderingContext())) What is the significance of having a rendering context? It's obscure enough to warrant a comment.
Myles C. Maxfield
Comment 12 2014-04-01 10:58:27 PDT
Comment on attachment 226344 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=226344&action=review >> Source/WebCore/platform/graphics/Font.cpp:447 >> + if (codePath(run) != Complex && (!typesettingFeatures() || run.renderingContext())) > > What is the significance of having a rendering context? It's obscure enough to warrant a comment. Okay, i'll add one. However, This pattern appears in this file many times.
Myles C. Maxfield
Comment 13 2014-04-01 12:14:13 PDT
Created attachment 228305 [details] Patch
WebKit Commit Bot
Comment 14 2014-04-01 13:05:34 PDT
Comment on attachment 228305 [details] Patch Clearing flags on attachment: 228305 Committed r166603: <http://trac.webkit.org/changeset/166603>
WebKit Commit Bot
Comment 15 2014-04-01 13:05:41 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.