RESOLVED WORKSFORME 17672
Reproducible SVG Crash when acid3-test-77.html timing dependency is fixed
https://bugs.webkit.org/show_bug.cgi?id=17672
Summary Reproducible SVG Crash when acid3-test-77.html timing dependency is fixed
Nikolas Zimmermann
Reported 2008-03-04 15:27:34 PST
acid3-test-77.html loads 'resources/Acid3Font-loader.svg' through HTMLIFrameElement. This file defines a <font> element which references 'resources/Acid3Font.svg', named 'ACID3svgfont'. Furthermore it contains a <text font-family="ACID3svgfont">X</text> element which is supposed to force us to load the font and delay sending the onload event. As the onload event is immediately fired now (as the load hasn't been kicked off before the first layout happens), we're using a window.setTimeout("executeTest()", 150) hack instead of calling the function directly.

David's idea was to add <script>document.documentElement.offsetWidth;</script> to that document and see whether it fixes the onload send delay. Though it currently crashes us deep in SVGRootInlineBox. Fix both issues.
Attachments
patch which shows the crash (code change is not required, only test change) (2.03 KB, patch)
2008-03-25 14:09 PDT, Eric Seidel (no email)
no flags
Eric Seidel (no email)
Comment 1 2008-03-17 10:02:32 PDT
Since this is a repro crash, it should be a P1, no? Now we just need to create an example crashing test case.
Eric Seidel (no email)
Comment 2 2008-03-17 16:01:49 PDT
http://paste.lisp.org/display/57519 is supposedly a crashlog for this crash.
Eric Seidel (no email)
Comment 3 2008-03-25 13:07:02 PDT
ahha! This could be a test case for bug 17902! *** This bug has been marked as a duplicate of 17902 ***
Eric Seidel (no email)
Comment 4 2008-03-25 14:07:36 PDT
I was wrong, this is not a dupe.
Eric Seidel (no email)
Comment 5 2008-03-25 14:09:10 PDT
Created attachment 20040 [details] patch which shows the crash (code change is not required, only test change)
Darin Adler
Comment 6 2008-03-25 16:19:19 PDT
Does this affect the real Acid3 or only the modified copy we have in our LayoutTests directory?
Eric Seidel (no email)
Comment 7 2008-03-25 16:27:50 PDT
bug 17902 affects the real acid3, but this crash does not (to my knowledge). This crash is reproducible in TOT however (if you modify the test case as described above).
Darin Adler
Comment 8 2008-03-26 19:59:28 PDT
Removing this from the list blocking bug 17064, since it's not an Acid3 bug.
Eric Seidel (no email)
Comment 9 2008-03-30 13:30:59 PDT
CCing hyatt, since he had to leave #webkit before I could actually send him the bug link.
David Kilzer (:ddkilzer)
Comment 10 2008-06-22 12:41:51 PDT
Running svg/custom/acid3-test-77.html with a debug build of WebKit r34722 causes an assertion failure as well:

ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key)
(/path/to/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/HashTable.h:444 void WTF::HashTable<Key, Value, Extractor, HashFunctions, Traits, KeyTraits>::checkKey(const T&) [with T = UChar, HashTranslator = WTF::IdentityHashTranslator<UChar, std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> >, Key = UChar, Value = std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, Extractor = WTF::PairFirstExtractor<std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> > >, HashFunctions = WTF::IntHash<unsigned int>, Traits = WTF::PairHashTraits<WTF::HashTraits<UChar>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, KeyTraits = WTF::HashTraits<UChar>])

Back trace:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0 com.apple.WebCore 0x01fd2490 void WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::checkKey<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned> > >(unsigned short const&) + 116 (HashTable.h:444)
1 com.apple.WebCore 0x01fd2584 std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >* WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned> > >(unsigned short const&) + 40 (HashTable.h:460)
2 com.apple.WebCore 0x01fd26c4 WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup(unsigned short const&) + 40 (HashTable.h:331)
3 com.apple.WebCore 0x01fd2710 WTF::HashMap<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode>, WTF::IntHash<unsigned>, WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >::get(unsigned short const&) const + 48 (HashMap.h:208)
4 com.apple.WebCore 0x01fd27cc WebCore::SVGGlyphMap::get(WebCore::String const&, WTF::Vector<WebCore::SVGGlyphIdentifier, (unsigned long)0>&) + 104 (SVGGlyphMap.h:85)
5 com.apple.WebCore 0x0183df4c WebCore::SVGFontElement::getGlyphIdentifiersForString(WebCore::String const&, WTF::Vector<WebCore::SVGGlyphIdentifier, (unsigned long)0>&) const + 64 (SVGFontElement.cpp:238)
6 com.apple.WebCore 0x01fd605c WebCore::SVGTextRunWalker<WebCore::SVGTextRunWalkerMeasuredLengthData>::walk(WebCore::TextRun const&, bool, WebCore::String const&, int, int) + 716 (SVGFont.cpp:280)
7 com.apple.WebCore 0x018400b4 WebCore::floatWidthOfSubStringUsingSVGFont(WebCore::Font const*, WebCore::TextRun const&, int, int, int, int&, WebCore::String&) + 680 (SVGFont.cpp:416)
8 com.apple.WebCore 0x01840340 WebCore::Font::floatWidthUsingSVGFont(WebCore::TextRun const&, int, int&, WebCore::String&) const + 84 (SVGFont.cpp:433)
9 com.apple.WebCore 0x013f5f48 WebCore::Font::floatWidth(WebCore::TextRun const&, int, int&, WebCore::String&) const + 104 (Font.cpp:718)
10 com.apple.WebCore 0x01728af4 WebCore::SVGInlineTextBox::calculateGlyphWidth(WebCore::RenderStyle*, int, int, int&, WebCore::String&) const + 268 (SVGInlineTextBox.cpp:80)
11 com.apple.WebCore 0x01f4ed1c WebCore::SVGInlineTextBoxQueryWalker::chunkPortionCallback(WebCore::SVGInlineTextBox*, int, WebCore::AffineTransform const&, WebCore::SVGChar* const&, WebCore::SVGChar* const&) + 1288 (SVGTextContentElement.cpp:202)
12 com.apple.WebCore 0x01f4e168 WebCore::SVGTextChunkWalker<WebCore::SVGInlineTextBoxQueryWalker>::operator()(WebCore::SVGInlineTextBox*, int, WebCore::AffineTransform const&, WebCore::SVGChar* const&, WebCore::SVGChar* const&) + 188 (SVGCharacterLayoutInfo.h:342)
13 com.apple.WebCore 0x0177755c WebCore::SVGRootInlineBox::walkTextChunks(WebCore::SVGTextChunkWalkerBase*, WebCore::SVGInlineTextBox const*) + 900 (SVGRootInlineBox.cpp:1686)
14 com.apple.WebCore 0x0178b2e4 WebCore::executeTextQuery(WebCore::SVGTextContentElement const*, WebCore::SVGInlineTextBoxQueryWalker::QueryMode, long, long, WebCore::FloatPoint) + 468 (SVGTextContentElement.cpp:363)
15 com.apple.WebCore 0x0178bb58 WebCore::SVGTextContentElement::getEndPositionOfChar(long, int&) const + 196 (SVGTextContentElement.cpp:429)
16 com.apple.WebCore 0x0159e4f4 WebCore::jsSVGTextContentElementPrototypeFunctionGetEndPositionOfChar(KJS::ExecState*, KJS::JSObject*, KJS::ArgList const&) + 200 (JSSVGTextContentElement.cpp:315)
17 com.apple.JavaScriptCore 0x0100c3f0 KJS::PrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::ArgList const&) + 68 (JSFunction.cpp:731)
18 com.apple.JavaScriptCore 0x01078ae4 KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 23892 (Machine.cpp:2122)
19 com.apple.JavaScriptCore 0x0107a3a4 KJS::Machine::execute(KJS::EvalNode*, KJS::ExecState*, KJS::JSObject*, KJS::RegisterFile*, int, KJS::ScopeChainNode*, KJS::JSValue**) + 1108 (Machine.cpp:799)
20 com.apple.JavaScriptCore 0x0107a750 KJS::callEval(KJS::ExecState*, KJS::JSObject*, KJS::ScopeChainNode*, KJS::RegisterFile*, KJS::Register*, int, int, KJS::JSValue*&) + 740 (Machine.cpp:461)
21 com.apple.JavaScriptCore 0x010785ec KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 22620 (Machine.cpp:2004)
22 com.apple.JavaScriptCore 0x0107ae90 KJS::Machine::execute(KJS::ProgramNode*, KJS::ExecState*, KJS::ScopeChainNode*, KJS::JSObject*, KJS::RegisterFileStack*, KJS::JSValue**) + 580 (Machine.cpp:669)
23 com.apple.JavaScriptCore 0x01064de8 KJS::Interpreter::evaluate(KJS::ExecState*, KJS::ScopeChain&, KJS::UString const&, int, WTF::PassRefPtr<KJS::SourceProvider>, KJS::JSValue*) + 476 (interpreter.cpp:82)
24 com.apple.WebCore 0x0182cd08 WebCore::ScriptController::evaluate(WebCore::String const&, int, WebCore::String const&) + 340 (ScriptController.cpp:90)
25 com.apple.WebCore 0x01421fa8 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 228 (FrameLoader.cpp:783)
26 com.apple.WebCore 0x01422068 WebCore::FrameLoader::executeScript(WebCore::String const&, bool) + 108 (FrameLoader.cpp:772)
27 com.apple.WebCore 0x017a2cb8 WebCore::ScheduledAction::execute(WebCore::JSDOMWindowShell*) + 1036 (ScheduledAction.cpp:92)
28 com.apple.WebCore 0x0186acbc WebCore::JSDOMWindowBase::timerFired(WebCore::DOMWindowTimer*) + 528 (JSDOMWindowBase.cpp:1280)
29 com.apple.WebCore 0x0186ad60 WebCore::DOMWindowTimer::fired() + 72 (JSDOMWindowBase.cpp:1313)
30 com.apple.WebCore 0x017e0780 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 240 (Timer.cpp:350)
31 com.apple.WebCore 0x017e0860 WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:370)
32 com.apple.WebCore 0x017b82f0 WebCore::timerFired(__CFRunLoopTimer*, void*) + 140 (SharedTimerMac.mm:85)
33 com.apple.CoreFoundation 0x907f2370 __CFRunLoopDoTimer + 184
34 com.apple.CoreFoundation 0x907dece8 __CFRunLoopRun + 1680
35 com.apple.CoreFoundation 0x907de29c CFRunLoopRunSpecific + 268
36 com.apple.HIToolbox 0x9329fb20 RunCurrentEventLoopInMode + 264
37 com.apple.HIToolbox 0x9329f1b4 ReceiveNextEventCommon + 380
38 com.apple.HIToolbox 0x9329f020 BlockUntilNextEventMatchingListInMode + 96
39 com.apple.AppKit 0x937a5874 _DPSNextEvent + 384
40 com.apple.AppKit 0x937a5538 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
41 com.apple.Safari 0x000095e0 0x1000 + 34272
42 com.apple.AppKit 0x937a1a7c -[NSApplication run] + 472
43 com.apple.AppKit 0x93892598 NSApplicationMain + 452
44 com.apple.Safari 0x0009bad4 0x1000 + 633556
45 com.apple.Safari 0x000022fc 0x1000 + 4860
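Editor's note on the backtrace above: the assertion in frame 0 fires when the key handed to HashTable::lookup() equals the table's empty-bucket sentinel, which for WTF's integer key traits (here, a UChar) is 0; the EXC_BAD_ACCESS at 0xbbadbeef is WTF's CRASH() macro reporting that assertion, not an independent wild read. In other words, the text-run walk in frames 5 and 6 asked SVGGlyphMap::get() for a glyph for a code unit the hash map can never store. The following is an added illustration, not WebKit code and not the attached test patch: a small open-addressing map keyed by a 16-bit code unit that reserves the same two sentinel values WTF does, with an unguarded lookup that fails the way checkKey() does and a guarded lookup that turns the sentinel into "not found". The class, function names and probing scheme are this example's own assumptions.

```cpp
// Added example, not WebKit code. A minimal open-addressing map keyed by a
// 16-bit code unit, following the convention of WTF::HashMap<UChar, ...>:
// the integral key traits reserve 0 as the "empty bucket" value and
// static_cast<UChar>(-1) as the "deleted bucket" value. Looking up a reserved
// key is a caller bug, and WTF's checkKey() asserts on it; the guarded get()
// below returns "not found" instead, so a text run containing U+0000 cannot
// reach that assertion. Names and the probing scheme are this example's own.
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

using UChar = uint16_t;

class GlyphMap {
public:
    enum : UChar { emptyKey = 0, deletedKey = 0xFFFF };  // same values as WTF's integer HashTraits

    explicit GlyphMap(size_t capacity = 64)
        : keys_(capacity, UChar(emptyKey)), values_(capacity) {}

    static bool isReservedKey(UChar c) { return c == emptyKey || c == deletedKey; }

    // Insert or update; a sentinel can never be a real key.
    void set(UChar c, const std::string& glyphId) {
        if (isReservedKey(c))
            throw std::invalid_argument("cannot map a sentinel key");
        size_t firstFree = keys_.size();
        for (size_t i = 0; i < keys_.size(); ++i) {
            size_t slot = (c + i) % keys_.size();
            if (keys_[slot] == c) { values_[slot] = glyphId; return; }
            if (keys_[slot] == deletedKey && firstFree == keys_.size()) firstFree = slot;
            if (keys_[slot] == emptyKey) {
                if (firstFree == keys_.size()) firstFree = slot;
                break;
            }
        }
        if (firstFree == keys_.size())
            throw std::length_error("glyph map full");
        keys_[firstFree] = c;
        values_[firstFree] = glyphId;
    }

    // Tombstone the entry so later probe chains still pass through the slot.
    void remove(UChar c) {
        for (size_t i = 0; i < keys_.size(); ++i) {
            size_t slot = (c + i) % keys_.size();
            if (keys_[slot] == emptyKey) return;
            if (keys_[slot] == c) { keys_[slot] = deletedKey; values_[slot].clear(); return; }
        }
    }

    // Unguarded lookup in the style of WTF::HashTable::lookup(): the caller
    // promises c is not a sentinel. The throw stands in for WTF's ASSERT/CRASH()
    // (WTF itself does not throw; it writes to 0xbbadbeef, as in the log above).
    const std::string* lookupUnchecked(UChar c) const {
        if (isReservedKey(c))
            throw std::logic_error("ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key)");
        for (size_t i = 0; i < keys_.size(); ++i) {
            size_t slot = (c + i) % keys_.size();
            if (keys_[slot] == emptyKey) return nullptr;   // end of the probe chain
            if (keys_[slot] == c) return &values_[slot];
        }
        return nullptr;
    }

    // Guarded lookup: the check a caller such as SVGGlyphMap::get() needs in
    // front of HashMap::get() when its input is arbitrary text.
    const std::string* get(UChar c) const {
        return isReservedKey(c) ? nullptr : lookupUnchecked(c);
    }

private:
    std::vector<UChar> keys_;
    std::vector<std::string> values_;
};

// Resolve a text run one code unit at a time through the guarded lookup, in
// the spirit of the getGlyphIdentifiersForString frame in the backtrace but
// without the crash path: anything unmapped, U+0000 included, becomes
// "missing-glyph" (a constructed placeholder name for the font's fallback).
std::vector<std::string> glyphsForString(const GlyphMap& map, const std::u16string& run) {
    std::vector<std::string> ids;
    for (char16_t unit : run) {
        const std::string* id = map.get(static_cast<UChar>(unit));
        ids.push_back(id ? *id : std::string("missing-glyph"));
    }
    return ids;
}
```

The practical check this encodes: any HashMap whose key type reserves sentinel values (WTF's integer, pointer and string traits all do) must never be queried with untrusted input until the caller has filtered those values, because the lookup path asserts rather than returning "not found". A text run built from document content can contain U+0000, so the filter belongs in the glyph-map caller, not in the test case.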
David Kilzer (:ddkilzer)
Comment 11 2008-06-22 12:42:50 PDT
Oliver Hunt
Comment 12 2008-07-20 17:02:31 PDT
Can anyone still repro this? i've tried to no avail for 15 minutes now...
David Kilzer (:ddkilzer)
Comment 13 2008-07-20 17:07:48 PDT
(In reply to comment #12)
> Can anyone still repro this? i've tried to no avail for 15 minutes now...

I'll try at work again tomorrow.
David Kilzer (:ddkilzer)
Comment 14 2008-07-20 22:00:58 PDT
(In reply to comment #12)
> Can anyone still repro this? i've tried to no avail for 15 minutes now...

The buildbot still sees it: http://build.webkit.org/results/trunk-mac-intel-debug/4608/results.html
Stephen Chenney
Comment 15 2012-07-20 08:43:10 PDT
Closing this bug because the acid3-test-77 file does not appear in any TestExpectations and is only Skipped for qt-4.8.