Bug 141432 - [Gtk][EFL][Fontconfig] Segmentation fault in WebCore::FontCache::lastResortFallbackFont
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Catanzaro
URL:
Keywords:
Duplicates: 153921
Depends on:
Blocks: 116980
Reported: 2015-02-10 07:50 PST by Renata Hodovan
Modified: 2016-08-04 17:22 PDT (History)

See Also:


Attachments
Test case (143 bytes, text/html)
2015-02-10 07:50 PST, Renata Hodovan
no flags
Patch (1.83 KB, patch)
2016-02-07 07:41 PST, Michael Catanzaro
mmaxfield: review+
commit-queue: commit-queue-

Description Renata Hodovan 2015-02-10 07:50:30 PST
Created attachment 246324 [details]
Test case

Load this test with debug/release WK:

<!DOCTYPE html>
<style>
* {
    word-spacing: -2664ex;
    font-family: "Arial", "Monospace" !important;
    font: 4096em monospace;
}
</style>


In release, it results in a segfault:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff92ffd700 (LWP 32215)]
0x00007ffff6e0776f in WebCore::FontCache::lastResortFallbackFont(WebCore::FontDescription const&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
(gdb) bt
#0  0x00007ffff6e0776f in WebCore::FontCache::lastResortFallbackFont(WebCore::FontDescription const&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#1  0x00007ffff6955064 in WebCore::FontGlyphs::realizeFallbackRangesAt(WebCore::FontDescription const&, unsigned int) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#2  0x00007ffff6bfbe56 in WebCore::RenderStyle::fontMetrics() const ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#3  0x00007ffff63fcbf1 in WebCore::CSSPrimitiveValue::computeLengthDouble(WebCore::CSSToLengthConversionData const&) const ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#4  0x00007ffff63fcd8f in WebCore::Length WebCore::CSSPrimitiveValue::computeLength<WebCore::Length>(WebCore::CSSToLengthConversionData const&) const
    () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#5  0x00007ffff6e87b51 in WebCore::StyleBuilderFunctions::applyValueWordSpacing(WebCore::StyleResolver&, WebCore::CSSValue&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#6  0x00007ffff6e6cc44 in WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#7  0x00007ffff645271f in WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007ffff6452832 in WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007ffff6458dc1 in WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#10 0x00007ffff645a1ed in WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#11 0x00007ffff6c57569 in WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#12 0x00007ffff6c57fa3 in WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#13 0x00007ffff6c58bf9 in WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#14 0x00007ffff6c590c3 in WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#15 0x00007ffff64a17a7 in WebCore::Document::recalcStyle(WebCore::Style::Change) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#16 0x00007ffff64a1d85 in WebCore::Document::updateLayout() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#17 0x00007ffff64a2782 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#18 0x00007ffff62bda36 in WebCore::AccessibilityObject::updateBackingStore() ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#19 0x00007ffff6dee24c in webkitAccessibleGetParent(_AtkObject*) () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#20 0x00007ffff375de68 in atk_object_real_get_property (object=0x6971d0, prop_id=3, value=0x7fffffffc8b0, pspec=0x469680) at atkobject.c:1365
#21 0x00007ffff2a1440c in object_get_property (value=0x7fffffffc8b0, pspec=0x469680, object=0x6971d0) at gobject.c:1370
#22 g_object_get_property (object=object@entry=0x6971d0, property_name=<optimized out>, value=value@entry=0x7fffffffc8b0) at gobject.c:2438
#23 0x00007ffff375cedd in atk_object_notify (obj=0x6971d0, pspec=0x469680) at atkobject.c:1531
#24 0x00007ffff2a0bea8 in g_closure_invoke (closure=0x412300, return_value=0x0, n_param_values=2, param_values=0x7fffffffca90, 
    invocation_hint=0x7fffffffca30) at gclosure.c:768
#25 0x00007ffff2a1d377 in signal_emit_unlocked_R (node=node@entry=0x412390, detail=detail@entry=413, instance=instance@entry=0x6971d0, 
    emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffca90) at gsignal.c:3483
#26 0x00007ffff2a25b78 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, 
    var_args=var_args@entry=0x7fffffffcc28) at gsignal.c:3309
#27 0x00007ffff2a25e32 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3365
#28 0x00007ffff2a102b5 in g_object_dispatch_properties_changed (object=0x6971d0, n_pspecs=4148481896, pspecs=0x0) at gobject.c:1056
#29 0x00007ffff2a12873 in g_object_notify_by_spec_internal (pspec=<optimized out>, object=0x6971d0) at gobject.c:1150
#30 g_object_notify (object=0x6971d0, property_name=<optimized out>) at gobject.c:1197
#31 0x00007ffff67ab71f in WebCore::FrameLoader::dispatchDidClearWindowObjectInWorld(WebCore::DOMWrapperWorld&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#32 0x00007ffff635bc2a in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#33 0x00007ffff635c16b in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#34 0x00007ffff635c223 in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#35 0x00007ffff65081b2 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#36 0x00007ffff65084bf in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#37 0x00007ffff66ee54b in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#38 0x00007ffff66eee4f in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#39 0x00007ffff66d4d70 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#40 0x00007ffff66d4e12 in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#41 0x00007ffff66d7c7e in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#42 0x00007ffff66d9322 in WebCore::HTMLDocumentParser::append(WTF::PassRefPtr<WTF::StringImpl>) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#43 0x00007ffff6497caa in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#44 0x00007ffff67a070e in WebCore::DocumentWriter::end() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#45 0x00007ffff67962bf in WebCore::DocumentLoader::finishedLoading(double) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#46 0x00007ffff68150a9 in WebCore::CachedResource::checkNotify() () from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#47 0x00007ffff6810521 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#48 0x00007ffff67dd53e in WebCore::SubresourceLoader::didFinishLoading(double) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#49 0x00007ffff6e49068 in WebCore::readCallback(_GObject*, _GAsyncResult*, void*) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#50 0x00007ffff34307e6 in async_ready_callback_wrapper (source_object=0x7fff74004ee0, res=0x713ae0, user_data=user_data@entry=0x7ffff7e76ba0)
    at ginputstream.c:523
#51 0x00007ffff34560e5 in g_task_return_now (task=0x713ae0) at gtask.c:1077
#52 0x00007ffff3456109 in complete_in_idle_cb (task=0x713ae0) at gtask.c:1086
#53 0x00007ffff270ea1d in g_main_dispatch (context=0x478b50) at gmain.c:3064
#54 g_main_context_dispatch (context=context@entry=0x478b50) at gmain.c:3663
#55 0x00007ffff270ed88 in g_main_context_iterate (context=0x478b50, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3734
#56 0x00007ffff270f04a in g_main_loop_run (loop=0x901d40) at gmain.c:3928
#57 0x00007ffff61e6442 in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) ()
   from /home/reni/data/REPOS/webkit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#58 0x00007ffff4d4bec5 in __libc_start_main (main=0x4007b0 <main>, argc=2, argv=0x7fffffffd938, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffd928) at libc-start.c:287
#59 0x0000000000400805 in _start ()


In debug, the issue is caught by an assertion check:

ASSERTION FAILED: m_ptr
../../Source/WTF/wtf/RefPtr.h(69) : T& WTF::RefPtr<T>::operator*() const [with T = WebCore::Font]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff8affd700 (LWP 32620)]
0x00007fffed73b5ef in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007fffed73b5ef in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff36612a4 in WTF::RefPtr<WebCore::Font>::operator* (this=0x7fffffff53e0) at ../../Source/WTF/wtf/RefPtr.h:69
#2  0x00007ffff3d44b69 in WebCore::FontCache::lastResortFallbackFont (this=0x7ffff7dce500 <WebCore::fontCache()::globalFontCache>, 
    fontDescription=...) at ../../Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp:107
#3  0x00007ffff36829e9 in WebCore::FontGlyphs::realizeFallbackRangesAt (this=0x7ffff7f35480, description=..., index=0)
    at ../../Source/WebCore/platform/graphics/FontGlyphs.cpp:118
#4  0x00007ffff31eab3a in WebCore::FontGlyphs::primaryFont (this=0x7ffff7f35480, description=...)
    at ../../Source/WebCore/platform/graphics/FontGlyphs.h:112
#5  0x00007ffff31eac22 in WebCore::FontCascade::primaryFont (this=0x7ffff7ecbaf8) at ../../Source/WebCore/platform/graphics/FontCascade.h:357
#6  0x00007ffff31eabb4 in WebCore::FontCascade::fontMetrics (this=0x7ffff7ecbaf8) at ../../Source/WebCore/platform/graphics/FontCascade.h:174
#7  0x00007ffff3a356fe in WebCore::RenderStyle::fontMetrics (this=0x7ffff7f1f8a0) at ../../Source/WebCore/rendering/style/RenderStyle.cpp:1344
#8  0x00007ffff2db4051 in WebCore::CSSPrimitiveValue::computeLengthDouble (this=0x7ffff7e79660, conversionData=...)
    at ../../Source/WebCore/css/CSSPrimitiveValue.cpp:618
#9  0x00007ffff2db3d9b in WebCore::CSSPrimitiveValue::computeLength<WebCore::Length> (this=0x7ffff7e79660, conversionData=...)
    at ../../Source/WebCore/css/CSSPrimitiveValue.cpp:577
#10 0x00007ffff3dfe411 in WebCore::StyleBuilderConverter::convertWordSpacing (styleResolver=..., value=...)
    at ../../Source/WebCore/css/StyleBuilderConverter.h:974
#11 0x00007ffff3e14776 in WebCore::StyleBuilderFunctions::applyValueWordSpacing (styleResolver=..., value=...)
    at DerivedSources/WebCore/StyleBuilder.cpp:2689
#12 0x00007ffff3ded63d in WebCore::StyleBuilder::applyProperty (property=WebCore::CSSPropertyWordSpacing, styleResolver=..., value=..., 
    isInitial=false, isInherit=false) at DerivedSources/WebCore/StyleBuilder.cpp:7046
#13 0x00007ffff2e2e0eb in WebCore::StyleResolver::applyProperty (this=0x7ffff7f1b800, id=WebCore::CSSPropertyWordSpacing, value=0x7ffff7e79660)
    at ../../Source/WebCore/css/StyleResolver.cpp:1949
#14 0x00007ffff2e31575 in WebCore::StyleResolver::CascadedProperties::Property::apply (this=0x7fffffffaab0, resolver=...)
    at ../../Source/WebCore/css/StyleResolver.cpp:2672
#15 0x00007ffff2e316ea in WebCore::StyleResolver::applyCascadedProperties (this=0x7ffff7f1b800, cascade=..., firstProperty=18, lastProperty=429)
    at ../../Source/WebCore/css/StyleResolver.cpp:2702
#16 0x00007ffff2e2db4c in WebCore::StyleResolver::applyMatchedProperties (this=0x7ffff7f1b800, matchResult=..., element=0x7ffff7f23bc8, 
    shouldUseMatchedPropertiesCache=WebCore::StyleResolver::UseMatchedPropertiesCache) at ../../Source/WebCore/css/StyleResolver.cpp:1786
#17 0x00007ffff2e28e48 in WebCore::StyleResolver::styleForElement (this=0x7ffff7f1b800, element=0x7ffff7f23bc8, defaultParent=0x7ffff7f1fc00, 
    sharingBehavior=WebCore::AllowStyleSharing, matchingBehavior=WebCore::MatchAllRules, regionForStyling=0x0)
    at ../../Source/WebCore/css/StyleResolver.cpp:798
#18 0x00007ffff3ac0fb0 in WebCore::Style::styleForElement (element=..., inheritedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:262
#19 0x00007ffff3ac1157 in WebCore::Style::createRendererIfNeeded (element=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...)
    at ../../Source/WebCore/style/StyleResolveTree.cpp:288
#20 0x00007ffff3ac2713 in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...)
    at ../../Source/WebCore/style/StyleResolveTree.cpp:615
#21 0x00007ffff3ac3006 in WebCore::Style::resolveLocal (current=..., inheritedStyle=..., renderTreePosition=..., 
    inheritedChange=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:756
#22 0x00007ffff3ac379d in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., change=WebCore::Style::Force)
    at ../../Source/WebCore/style/StyleResolveTree.cpp:918
#23 0x00007ffff3ac3c82 in WebCore::Style::resolveTree (document=..., change=WebCore::Style::Force)
    at ../../Source/WebCore/style/StyleResolveTree.cpp:994
#24 0x00007ffff2ec680a in WebCore::Document::recalcStyle (this=0x7ffff7e91000, change=WebCore::Style::Force)
    at ../../Source/WebCore/dom/Document.cpp:1764
#25 0x00007ffff2ec6b01 in WebCore::Document::updateStyleIfNeeded (this=0x7ffff7e91000) at ../../Source/WebCore/dom/Document.cpp:1812
#26 0x00007ffff2ed1e3e in WebCore::Document::finishedParsing (this=0x7ffff7e91000) at ../../Source/WebCore/dom/Document.cpp:4627
#27 0x00007ffff3243961 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7ffff7f35800)
    at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:404
#28 0x00007ffff328047a in WebCore::HTMLTreeBuilder::finished (this=0x7ffff7f357e0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2940
#29 0x00007ffff324c2fc in WebCore::HTMLDocumentParser::end (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:402
#30 0x00007ffff324c3ca in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7ffff7ed0100)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:411
#31 0x00007ffff324b07a in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7ffff7ed0100)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:132
#32 0x00007ffff324c401 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7ffff7ed0100)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:423
#33 0x00007ffff324c4af in WebCore::HTMLDocumentParser::finish (this=0x7ffff7ed0100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:451
#34 0x00007ffff33bbb29 in WebCore::DocumentWriter::end (this=0x7ffff7ebbaa0) at ../../Source/WebCore/loader/DocumentWriter.cpp:247
#35 0x00007ffff33a70f9 in WebCore::DocumentLoader::finishedLoading (this=0x7ffff7ebba00, finishTime=0)
    at ../../Source/WebCore/loader/DocumentLoader.cpp:440
#36 0x00007ffff33a6e62 in WebCore::DocumentLoader::notifyFinished (this=0x7ffff7ebba00, resource=0x7ffff7ec8680)
    at ../../Source/WebCore/loader/DocumentLoader.cpp:374
#37 0x00007ffff345b7e8 in WebCore::CachedResource::checkNotify (this=0x7ffff7ec8680) at ../../Source/WebCore/loader/cache/CachedResource.cpp:293
#38 0x00007ffff345b8e6 in WebCore::CachedResource::finishLoading (this=0x7ffff7ec8680) at ../../Source/WebCore/loader/cache/CachedResource.cpp:309
#39 0x00007ffff3457f1f in WebCore::CachedRawResource::finishLoading (this=0x7ffff7ec8680, data=0x7ffff7e89570)
    at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:104
#40 0x00007ffff340a3f1 in WebCore::SubresourceLoader::didFinishLoading (this=0x7ffff7ec8200, finishTime=0)
    at ../../Source/WebCore/loader/SubresourceLoader.cpp:364
#41 0x00007ffff3405d2b in WebCore::ResourceLoader::didFinishLoading (this=0x7ffff7ec8200, finishTime=0)
    at ../../Source/WebCore/loader/ResourceLoader.cpp:542
#42 0x00007ffff3db92b5 in WebCore::readCallback (asyncResult=0x7401f0, data=0x7ffff7e7eb40)
    at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1295
#43 0x00007fffeb2777e6 in async_ready_callback_wrapper (source_object=0x7c72d0, res=0x7401f0, user_data=user_data@entry=0x7ffff7e7eb40)
    at ginputstream.c:523
#44 0x00007fffeb29d0e5 in g_task_return_now (task=0x7401f0) at gtask.c:1077
#45 0x00007fffeb29d109 in complete_in_idle_cb (task=0x7401f0) at gtask.c:1086
#46 0x00007fffea555a1d in g_main_dispatch (context=0x478b00) at gmain.c:3064
#47 g_main_context_dispatch (context=context@entry=0x478b00) at gmain.c:3663
#48 0x00007fffea555d88 in g_main_context_iterate (context=0x478b00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3734
#49 0x00007fffea55604a in g_main_loop_run (loop=0x901d10) at gmain.c:3928
#50 0x00007ffff44b31e6 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#51 0x00007ffff29a1cfc in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd938)
    at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#52 0x00007ffff29a1b61 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd938) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:77
#53 0x00000000004008d1 in main (argc=2, argv=0x7fffffffd938) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44
Comment 1 Hyungwook Lee 2015-02-15 00:43:05 PST
I've started looking at this issue, which can be reproduced in the EFL port also.
Comment 2 Alexey Proskuryakov 2015-02-16 12:28:28 PST
I couldn't reproduce on Mac.
Comment 3 Hyungwook Lee 2015-03-05 05:40:16 PST
There is no fallback font in this case when we use FontCacheFreeType.cpp;
Ref<Font> FontCache::lastResortFallbackFont() returns nullptr.
Comment 4 Antti Koivisto 2015-03-05 07:28:15 PST
You should take care to always have a last resort fallback.
Comment 5 Darin Adler 2015-03-05 09:16:49 PST
The fix is to make sure that function never tries to return nullptr. You can’t turn a nullptr into a Ref and you can’t have a WebKit port that will work properly with no last resort font.
Comment 6 Michael Catanzaro 2016-02-07 07:28:59 PST
Dunno why the attached test case has anything to do with this bug (that's really weird), but in bug #153921 this was hit by someone who installed fontconfig improperly.
Comment 7 Michael Catanzaro 2016-02-07 07:41:07 PST
Created attachment 270817 [details]
Patch
Comment 8 Michael Catanzaro 2016-02-07 07:42:14 PST
(Can't reproduce the crash in the test case, so just making this crash better.)
Comment 9 Michael Catanzaro 2016-02-07 09:08:24 PST
*** Bug 153921 has been marked as a duplicate of this bug. ***
Comment 10 Michael Catanzaro 2016-05-17 08:17:11 PDT
Ping reviewers.
Comment 11 Myles C. Maxfield 2016-05-17 08:43:45 PDT
Comment on attachment 270817 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=270817&action=review

> Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp:141
> +    RELEASE_ASSERT_NOT_REACHED();

How does this fix the problem? It looks like the patch substitutes one crash for another crash.
Comment 12 Michael Catanzaro 2016-05-17 09:12:07 PDT
(In reply to comment #11)
> Comment on attachment 270817 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=270817&action=review
> 
> > Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp:141
> > +    RELEASE_ASSERT_NOT_REACHED();
> 
> How does this fix the problem? It looks like the patch substitutes one crash
> for another crash.

Exactly. We can't support this configuration, so we should crash nicely with SIGABRT rather than continuing and hoping to get SIGSEGV.
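As an added illustration of the point made in comments 3, 5 and 12 (this is example code written for this page, not WebKit's own; Font, FontSource, findLastResortFont, lastResortFamilyUnchecked and the crash hook are all invented stand-ins, and std::shared_ptr stands in for WTF::RefPtr/Ref), the following contrasts a nullable lookup, the unchecked dereference of the kind that produced the SIGSEGV in the report, and a fail-fast version whose behaviour matches the contract of a Ref-returning function: either a font comes back, or the process stops immediately with a diagnostic.

```cpp
// Added illustration (not WebKit code): a "last resort" font lookup must
// either return a font or fail fast; it must never hand back null.
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <string>
#include <vector>

// Stand-in for WebCore::Font; only the family name matters here.
struct Font {
    std::string family;
};

// Stand-in for a Fontconfig query. The "installed" set is constructed
// inline so the example runs offline; an empty set models the broken
// fontconfig installation mentioned in comment 6.
struct FontSource {
    std::vector<std::string> installedFamilies;

    // Returns null when nothing matches, like the Fontconfig match path
    // behind the original lastResortFallbackFont().
    std::shared_ptr<Font> match(const std::string& family) const {
        for (const auto& installed : installedFamilies) {
            if (installed == family)
                return std::make_shared<Font>(Font{family});
        }
        return nullptr;
    }
};

// Crash hook standing in for WTFCrash(). It is a function pointer so the
// fail-fast path can be exercised without terminating the process.
using CrashHandler = void (*)(const char* reason);
static void defaultCrash(const char* reason) {
    std::fprintf(stderr, "RELEASE_ASSERT failed: %s\n", reason);
    std::abort();  // SIGABRT with a clear message, not a SIGSEGV somewhere later
}
static CrashHandler g_crashHandler = defaultCrash;

// Recording handler: counts fail-fast hits instead of aborting.
static int g_crashesRecorded = 0;
static void recordingCrash(const char*) { ++g_crashesRecorded; }

// Nullable lookup: tries each generic family in order and reports honestly
// when none is installed.
static std::shared_ptr<Font> findLastResortFont(const FontSource& source) {
    static const char* const candidates[] = {"serif", "sans-serif", "monospace"};
    for (const char* family : candidates) {
        if (auto font = source.match(family))
            return font;
    }
    return nullptr;
}

// Before: the pattern behind the bug. The caller trusts a nullable result
// and dereferences it unconditionally; with no usable font installed this
// is a null dereference whose crash surfaces far from the cause.
static std::string lastResortFamilyUnchecked(const FontSource& source) {
    std::shared_ptr<Font> font = findLastResortFont(source);
    return font->family;  // undefined behaviour when font is null
}

// After: the contract is "always returns a font". If the platform cannot
// honour that, stop right here with a diagnostic rather than continue.
static std::shared_ptr<Font> lastResortFallbackFont(const FontSource& source) {
    if (auto font = findLastResortFont(source))
        return font;
    g_crashHandler("no last resort font installed; fontconfig is misconfigured");
    return nullptr;  // not reached with the default handler
}

int main() {
    FontSource healthy{{"DejaVu Sans", "monospace"}};
    std::printf("last resort family: %s\n",
                lastResortFallbackFont(healthy)->family.c_str());
    FontSource broken{};
    lastResortFallbackFont(broken);  // aborts with a message instead of a later null dereference
    return 0;
}
```

The recording handler exists only so the fail-fast branch can be tested; in production the handler is the one that aborts, which is exactly the trade the patch makes: a deterministic SIGABRT at the point where the invariant is known to be broken, instead of continuing into a null dereference.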
Comment 13 WebKit Commit Bot 2016-05-17 09:13:26 PDT
Comment on attachment 270817 [details]
Patch

Rejecting attachment 270817 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'apply-attachment', '--no-update', '--non-interactive', 270817, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Last 500 characters of output:
WS/WebKit

Parsed 2 diffs from patch file(s).
patching file Source/WebCore/ChangeLog
Hunk #1 succeeded at 1 with fuzz 3.
patching file Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp
Hunk #1 FAILED at 134.
1 out of 1 hunk FAILED -- saving rejects to file Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp.rej

Failed to run "[u'/Volumes/Data/EWS/WebKit/Tools/Scripts/svn-apply', '--force', '--reviewer', u'Myles C. Maxfield']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

Full output: http://webkit-queues.webkit.org/results/1337080
Comment 14 Michael Catanzaro 2016-08-04 17:18:53 PDT
I left this bug open just because I didn't have time to reapply the patch...?
Comment 15 Michael Catanzaro 2016-08-04 17:22:20 PDT
Committed r204154: <http://trac.webkit.org/changeset/204154>