acid3-test-77.html loads 'resources/Acid3Font-loader.svg' through HTMLIFrameElement. This file defines a <font> element which references 'resources/Acid3Font.svg', named as 'ACID3svgfont'. Furthermore it contains a <text font-family="ACID3svgfont">X</text> element which is supposed to force us loading the font and delay sending the onload event. As the onload event is immediately fired now (as the load hasn't been kicked before the first layout happens), we're using a window.setTimeout("executeTest()", 150) hack instead of calling the function directly. David's idea was to add <script>document.documentElement.offsetWidth;</script> to that document, and see whether it fixes the onload send delay. Though it currently crashes us deep in SVGRootInlineBox. Fix both issues.
Since this is a repro crash, it should be a P1, no? Now we just need to create an example crashing test case.
http://paste.lisp.org/display/57519 is supposedly a crashlog for this crash.
ahha! This could be a test case for bug 17902! *** This bug has been marked as a duplicate of 17902 ***
I was wrong, this is not a dupe.
Created attachment 20040: patch which shows the crash (code change is not required, only test change)
Does this affect the real Acid3 or only the modified copy we have in our LayoutTests directory?
bug 17902 affects the real acid3, but this crash does not (to my knowledge). This crash is reproducible in TOT however (if you modify the test case as described above).
Removing this from the list blocking bug 17064, since it's not an Acid3 bug.
CCing hyatt, since he had to leave #webkit before I could actually send him the bug link.
Running svg/custom/acid3-test-77.html with a debug build of WebKit r34722 causes an assertion failure as well:

ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key)
(/path/to/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/HashTable.h:444 void WTF::HashTable<Key, Value, Extractor, HashFunctions, Traits, KeyTraits>::checkKey(const T&) [with T = UChar, HashTranslator = WTF::IdentityHashTranslator<UChar, std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned int> >, Key = UChar, Value = std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> >, Extractor = WTF::PairFirstExtractor<std::pair<UChar, WTF::RefPtr<WebCore::GlyphMapNode> > >, HashFunctions = WTF::IntHash<unsigned int>, Traits = WTF::PairHashTraits<WTF::HashTraits<UChar>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, KeyTraits = WTF::HashTraits<UChar>])

Back trace:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0 com.apple.WebCore 0x01fd2490 void WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::checkKey<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned> > >(unsigned short const&) + 116 (HashTable.h:444)
1 com.apple.WebCore 0x01fd2584 std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >* WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup<unsigned short, WTF::IdentityHashTranslator<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::IntHash<unsigned> > >(unsigned short const&) + 40 (HashTable.h:460)
2 com.apple.WebCore 0x01fd26c4 WTF::HashTable<unsigned short, std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> >, WTF::PairFirstExtractor<std::pair<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::IntHash<unsigned>, WTF::PairHashTraits<WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >, WTF::HashTraits<unsigned short> >::lookup(unsigned short const&) + 40 (HashTable.h:331)
3 com.apple.WebCore 0x01fd2710 WTF::HashMap<unsigned short, WTF::RefPtr<WebCore::GlyphMapNode>, WTF::IntHash<unsigned>, WTF::HashTraits<unsigned short>, WTF::HashTraits<WTF::RefPtr<WebCore::GlyphMapNode> > >::get(unsigned short const&) const + 48 (HashMap.h:208)
4 com.apple.WebCore 0x01fd27cc WebCore::SVGGlyphMap::get(WebCore::String const&, WTF::Vector<WebCore::SVGGlyphIdentifier, (unsigned long)0>&) + 104 (SVGGlyphMap.h:85)
5 com.apple.WebCore 0x0183df4c WebCore::SVGFontElement::getGlyphIdentifiersForString(WebCore::String const&, WTF::Vector<WebCore::SVGGlyphIdentifier, (unsigned long)0>&) const + 64 (SVGFontElement.cpp:238)
6 com.apple.WebCore 0x01fd605c WebCore::SVGTextRunWalker<WebCore::SVGTextRunWalkerMeasuredLengthData>::walk(WebCore::TextRun const&, bool, WebCore::String const&, int, int) + 716 (SVGFont.cpp:280)
7 com.apple.WebCore 0x018400b4 WebCore::floatWidthOfSubStringUsingSVGFont(WebCore::Font const*, WebCore::TextRun const&, int, int, int, int&, WebCore::String&) + 680 (SVGFont.cpp:416)
8 com.apple.WebCore 0x01840340 WebCore::Font::floatWidthUsingSVGFont(WebCore::TextRun const&, int, int&, WebCore::String&) const + 84 (SVGFont.cpp:433)
9 com.apple.WebCore 0x013f5f48 WebCore::Font::floatWidth(WebCore::TextRun const&, int, int&, WebCore::String&) const + 104 (Font.cpp:718)
10 com.apple.WebCore 0x01728af4 WebCore::SVGInlineTextBox::calculateGlyphWidth(WebCore::RenderStyle*, int, int, int&, WebCore::String&) const + 268 (SVGInlineTextBox.cpp:80)
11 com.apple.WebCore 0x01f4ed1c WebCore::SVGInlineTextBoxQueryWalker::chunkPortionCallback(WebCore::SVGInlineTextBox*, int, WebCore::AffineTransform const&, WebCore::SVGChar* const&, WebCore::SVGChar* const&) + 1288 (SVGTextContentElement.cpp:202)
12 com.apple.WebCore 0x01f4e168 WebCore::SVGTextChunkWalker<WebCore::SVGInlineTextBoxQueryWalker>::operator()(WebCore::SVGInlineTextBox*, int, WebCore::AffineTransform const&, WebCore::SVGChar* const&, WebCore::SVGChar* const&) + 188 (SVGCharacterLayoutInfo.h:342)
13 com.apple.WebCore 0x0177755c WebCore::SVGRootInlineBox::walkTextChunks(WebCore::SVGTextChunkWalkerBase*, WebCore::SVGInlineTextBox const*) + 900 (SVGRootInlineBox.cpp:1686)
14 com.apple.WebCore 0x0178b2e4 WebCore::executeTextQuery(WebCore::SVGTextContentElement const*, WebCore::SVGInlineTextBoxQueryWalker::QueryMode, long, long, WebCore::FloatPoint) + 468 (SVGTextContentElement.cpp:363)
15 com.apple.WebCore 0x0178bb58 WebCore::SVGTextContentElement::getEndPositionOfChar(long, int&) const + 196 (SVGTextContentElement.cpp:429)
16 com.apple.WebCore 0x0159e4f4 WebCore::jsSVGTextContentElementPrototypeFunctionGetEndPositionOfChar(KJS::ExecState*, KJS::JSObject*, KJS::ArgList const&) + 200 (JSSVGTextContentElement.cpp:315)
17 com.apple.JavaScriptCore 0x0100c3f0 KJS::PrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::ArgList const&) + 68 (JSFunction.cpp:731)
18 com.apple.JavaScriptCore 0x01078ae4 KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 23892 (Machine.cpp:2122)
19 com.apple.JavaScriptCore 0x0107a3a4 KJS::Machine::execute(KJS::EvalNode*, KJS::ExecState*, KJS::JSObject*, KJS::RegisterFile*, int, KJS::ScopeChainNode*, KJS::JSValue**) + 1108 (Machine.cpp:799)
20 com.apple.JavaScriptCore 0x0107a750 KJS::callEval(KJS::ExecState*, KJS::JSObject*, KJS::ScopeChainNode*, KJS::RegisterFile*, KJS::Register*, int, int, KJS::JSValue*&) + 740 (Machine.cpp:461)
21 com.apple.JavaScriptCore 0x010785ec KJS::Machine::privateExecute(KJS::Machine::ExecutionFlag, KJS::ExecState*, KJS::RegisterFile*, KJS::Register*, KJS::ScopeChainNode*, KJS::CodeBlock*, KJS::JSValue**) + 22620 (Machine.cpp:2004)
22 com.apple.JavaScriptCore 0x0107ae90 KJS::Machine::execute(KJS::ProgramNode*, KJS::ExecState*, KJS::ScopeChainNode*, KJS::JSObject*, KJS::RegisterFileStack*, KJS::JSValue**) + 580 (Machine.cpp:669)
23 com.apple.JavaScriptCore 0x01064de8 KJS::Interpreter::evaluate(KJS::ExecState*, KJS::ScopeChain&, KJS::UString const&, int, WTF::PassRefPtr<KJS::SourceProvider>, KJS::JSValue*) + 476 (interpreter.cpp:82)
24 com.apple.WebCore 0x0182cd08 WebCore::ScriptController::evaluate(WebCore::String const&, int, WebCore::String const&) + 340 (ScriptController.cpp:90)
25 com.apple.WebCore 0x01421fa8 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 228 (FrameLoader.cpp:783)
26 com.apple.WebCore 0x01422068 WebCore::FrameLoader::executeScript(WebCore::String const&, bool) + 108 (FrameLoader.cpp:772)
27 com.apple.WebCore 0x017a2cb8 WebCore::ScheduledAction::execute(WebCore::JSDOMWindowShell*) + 1036 (ScheduledAction.cpp:92)
28 com.apple.WebCore 0x0186acbc WebCore::JSDOMWindowBase::timerFired(WebCore::DOMWindowTimer*) + 528 (JSDOMWindowBase.cpp:1280)
29 com.apple.WebCore 0x0186ad60 WebCore::DOMWindowTimer::fired() + 72 (JSDOMWindowBase.cpp:1313)
30 com.apple.WebCore 0x017e0780 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 240 (Timer.cpp:350)
31 com.apple.WebCore 0x017e0860 WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:370)
32 com.apple.WebCore 0x017b82f0 WebCore::timerFired(__CFRunLoopTimer*, void*) + 140 (SharedTimerMac.mm:85)
33 com.apple.CoreFoundation 0x907f2370 __CFRunLoopDoTimer + 184
34 com.apple.CoreFoundation 0x907dece8 __CFRunLoopRun + 1680
35 com.apple.CoreFoundation 0x907de29c CFRunLoopRunSpecific + 268
36 com.apple.HIToolbox 0x9329fb20 RunCurrentEventLoopInMode + 264
37 com.apple.HIToolbox 0x9329f1b4 ReceiveNextEventCommon + 380
38 com.apple.HIToolbox 0x9329f020 BlockUntilNextEventMatchingListInMode + 96
39 com.apple.AppKit 0x937a5874 _DPSNextEvent + 384
40 com.apple.AppKit 0x937a5538 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
41 com.apple.Safari 0x000095e0 0x1000 + 34272
42 com.apple.AppKit 0x937a1a7c -[NSApplication run] + 472
43 com.apple.AppKit 0x93892598 NSApplicationMain + 452
44 com.apple.Safari 0x0009bad4 0x1000 + 633556
45 com.apple.Safari 0x000022fc 0x1000 + 4860
<rdar://problem/6026695>
Can anyone still repro this? I've tried to no avail for 15 minutes now...
(In reply to comment #12)
> Can anyone still repro this? I've tried to no avail for 15 minutes now...

I'll try at work again tomorrow.
(In reply to comment #12)
> Can anyone still repro this? I've tried to no avail for 15 minutes now...

The buildbot still sees it: http://build.webkit.org/results/trunk-mac-intel-debug/4608/results.html
Closing this bug because the acid3-test-77 file does not appear in any TestExpectations and is only Skipped for qt-4.8.