Please post a backtrace

Closing since no backtrace was provided

I can reproduce the issue in Debian Sid, webkit2gtk 2.20.0 (gdb) bt #0 0x00007f2acc0e40fc in WTFCrash() () at ./Source/WTF/wtf/Assertions.cpp:271 #1 0x00007f2ad134f0bd in WTF::VectorBufferBase<WebCore::InlineTextBox::StyledMarkedText, WTF::FastMalloc>::allocateBuffer(unsigned long) (newCapacity=<optimized out>, this=<optimized out>) at ./obj-x86_64-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Vector.h:267 #2 0x00007f2ad134f0bd in WTF::Vector<WebCore::InlineTextBox::StyledMarkedText, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveInitialCapacity(unsigned long) (initialCapacity=<optimized out>, this=<optimized out>) at ./obj-x86_64-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Vector.h:1216 #3 0x00007f2ad134f0bd in WebCore::InlineTextBox::subdivideAndResolveStyle(WTF::Vector<WebCore::MarkedText, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::InlineTextBox::MarkedTextStyle const&, WebCore::PaintInfo const&) (this=this@entry=0x7f2a03e009a0, textsToSubdivide=..., baseStyle=..., paintInfo=...) at ./Source/WebCore/rendering/InlineTextBox.cpp:790 #4 0x00007f2ad1356bf5 in WebCore::InlineTextBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (this=0x7f2a03e009a0, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/InlineTextBox.cpp:519 #5 0x00007f2ad1355959 in WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (this=this@entry=0x7f2a03003678, paintInfo=..., paintOffset=..., lineTop=..., lineBottom=...) at ./Source/WebCore/rendering/InlineFlowBox.cpp:1208 #6 0x00007f2ad150a2fc in WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (this=0x7f2a03003678, paintInfo=..., paintOffset=..., lineTop=..., lineBottom=...) at ./Source/WebCore/rendering/RootInlineBox.cpp:170 #7 0x00007f2ad1476431 in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const (this=0x7f2a30a001f8, renderer=0x7f2a30a00108, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderLineBoxList.cpp:260 #8 0x00007f2ad1366bd7 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1111 #9 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a30a00108, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #10 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a30a00108, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #11 0x00007f2ad1366cc5 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (this=this@entry=0x7f2a38300738, child=..., paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=usePrintRect@entry=false, paintType=WebCore::RenderBlock::PaintAsBlock) at ./Source/WebCore/rendering/RenderBlock.cpp:1167 #12 0x00007f2ad1367086 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (this=0x7f2a38300738, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at ./Source/WebCore/rendering/RenderBlock.cpp:1131 #13 0x00007f2ad1366bb5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1124 #14 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300738, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #15 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300738, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #16 0x00007f2ad1366cc5 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (this=this@entry=0x7f2a38300528, child=..., paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=usePrintRect@entry=false, paintType=WebCore::RenderBlock::PaintAsBlock) at ./Source/WebCore/rendering/RenderBlock.cpp:1167 #17 0x00007f2ad1367086 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (this=0x7f2a38300528, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at ./Source/WebCore/rendering/RenderBlock.cpp:1131 #18 0x00007f2ad1366bb5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1124 #19 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300528, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #20 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300528, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #21 0x00007f2ad1366cc5 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (this=this@entry=0x7f2a38300420, child=..., paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=usePrintRect@entry=false, paintType=WebCore::RenderBlock::PaintAsBlock) at ./Source/WebCore/rendering/RenderBlock.cpp:1167 #22 0x00007f2ad1367086 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (this=0x7f2a38300420, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at ./Source/WebCore/rendering/RenderBlock.cpp:1131 #23 0x00007f2ad1366bb5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) ---Type <return> to continue, or q <return> to quit--- at ./Source/WebCore/rendering/RenderBlock.cpp:1124 #24 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300420, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #25 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300420, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #26 0x00007f2ad1366cc5 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (this=this@entry=0x7f2a38300210, child=..., paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=usePrintRect@entry=false, paintType=WebCore::RenderBlock::PaintAsBlock) at ./Source/WebCore/rendering/RenderBlock.cpp:1167 #27 0x00007f2ad1367086 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (this=0x7f2a38300210, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at ./Source/WebCore/rendering/RenderBlock.cpp:1131 #28 0x00007f2ad1366bb5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=<optimized out>, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1124 #29 0x00007f2ad13832af in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300210, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1247 #30 0x00007f2ad1362b77 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (this=0x7f2a38300210, paintInfo=..., paintOffset=...) at ./Source/WebCore/rendering/RenderBlock.cpp:1090 #31 0x00007f2ad143440b in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) (this=this@entry= 0x7f2a590a0480, phase=phase@entry=WebCore::PaintPhaseForeground, layerFragments=..., context=..., localPaintingInfo=..., paintBehavior=paintBehavior@entry=2048, subtreePaintRootForRenderer=0x0) at ./Source/WebCore/rendering/RenderLayer.cpp:4847 #32 0x00007f2ad14436e2 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) (this=this@entry=0x7f2a590a0480, layerFragments=..., context=..., contextForTransparencyLayer=..., transparencyPaintDirtyRect=..., haveTransparency=haveTransparency@entry=false, localPaintingInfo=..., paintBehavior=2048, subtreePaintRootForRenderer=0x0) at ./Source/WebCore/rendering/RenderLayer.cpp:4824 #33 0x00007f2ad145b96e in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (this=<optimized out>, context=..., paintingInfo=..., paintFlags=paintFlags@entry=96) at ./Source/WebCore/rendering/RenderLayer.cpp:4431 #34 0x00007f2ad145d029 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, unsigned int, unsigned int) (this=0x7f2a333772c0, graphicsLayer=0x7f2a6857f200, context=..., paintDirtyRect=..., paintBehavior=2048, paintingPhase=<optimized out>) at ./Source/WebCore/rendering/RenderLayerBacking.cpp:2525 #35 0x00007f2ad145d2fe in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&, unsigned int) (this=0x7f2a333772c0, graphicsLayer=0x7f2a6857f200, context=..., paintingPhase=3, clip=..., layerPaintBehavior=2) at ./Source/WebCore/rendering/RenderLayerBacking.cpp:2572 #36 0x00007f2ad1253a3e in WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (this=this@entry=0x7f2a6857f200, context=..., clip=..., layerPaintBehavior=layerPaintBehavior@entry=0) at ./Source/WebCore/platform/graphics/GraphicsLayer.cpp:434 #37 0x00007f2ad05694bf in Nicosia::PaintingEngineBasic::<lambda(WebCore::GraphicsContext&)>::operator() (context=..., __closure=0x7ffcf32ee460) at ./Source/WebCore/platform/graphics/nicosia/NicosiaPaintingEngineBasic.cpp:64 #38 0x00007f2ad05694bf in Nicosia::PaintingContext::paint<Nicosia::PaintingEngineBasic::paint(WebCore::GraphicsLayer&, WTF::Ref<Nicosia::Buffer>&&, const WebCore::IntRect&, const WebCore::IntRect&, const WebCore::IntRect&, float)::<lambda(WebCore::GraphicsContext&)> > (paintFunctor=..., buffer=...) at ./Source/WebCore/platform/graphics/nicosia/NicosiaPaintingContext.h:48 #39 0x00007f2ad05694bf in Nicosia::PaintingEngineBasic::paint(WebCore::GraphicsLayer&, WTF::Ref<Nicosia::Buffer, WTF::DumbPtrTraits<Nicosia::Buffer> >&&, WebCore::IntRect const&, WebCore::IntRect const&, WebCore::IntRect const&, float) (this=this@entry=0x7f2a53290b08, layer= ..., buffer=buffer@entry=<unknown type in /usr/lib/debug/.build-id/8f/da266c836ca74e8c2affb15bf7b4081fac83fe.debug, CU 0xfda9219, DIE 0xfe09132>, sourceRect=..., mappedSourceRect=..., targetRect=..., contentsScale=contentsScale@entry=2) at ./Source/WebCore/platform/graphics/nicosia/NicosiaPaintingEngineBasic.cpp:47 #40 0x00007f2ad0564fd3 in WebCore::CoordinatedGraphicsLayer::updateContentBuffers() (this=0x7f2a6857f200) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:977 #41 0x00007f2ad0565183 in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=0x7f2a6857f200) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:927 #42 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #43 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) ---Type <return> to continue, or q <return> to quit--- at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #44 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #45 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #46 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=<optimized out>) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #47 0x00007f2ad05651ac in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() (this=this@entry=0x7f2a685c8400) at ./Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:930 #48 0x00007f2ad0542e10 in WebKit::CompositingCoordinator::flushPendingLayerChanges() (this=this@entry=0x7f2ab84e53b8) at ./Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:124 #49 0x00007f2ad05430cc in WebKit::CoordinatedLayerTreeHost::layerFlushTimerFired() (this=0x7f2ab84e5380) at ./Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CoordinatedLayerTreeHost.cpp:199 #50 0x00007f2ad05434b8 in WebKit::CoordinatedLayerTreeHost::renderNextFrame() (this=0x7f2ab84e5380) at ./Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CoordinatedLayerTreeHost.cpp:172 #51 0x00007f2ad03efee4 in WebKit::ThreadedCompositor::handleDisplayRefreshMonitorUpdate(bool) (this=0x7f2a52edaa80, hasBeenRescheduled=<optimized out>) at ./Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:354 #52 0x00007f2acc128493 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator() (__closure=0x0, userData=0x7f2ab8eb7ae0) at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:170 #53 0x00007f2acc128493 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:176 #54 0x00007f2accf180f5 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #55 0x00007f2accf184c0 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #56 0x00007f2accf187d2 in g_main_loop_run () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #57 0x00007f2acc1288a0 in WTF::RunLoop::run() () at ./Source/WTF/wtf/glib/RunLoopGLib.cpp:96 #58 0x00007f2ad054d0e8 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) (argc=<optimized out>, argv=0x7ffcf32eea98) at ./Source/WebKit/Shared/unix/ChildProcessMain.h:61 #59 0x00007f2acf443a87 in __libc_start_main (main= 0x55dcfc1ca8d0 <main(int, char**)>, argc=3, argv=0x7ffcf32eea98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffcf32eea88) at ../csu/libc-start.c:310 #60 0x000055dcfc1ca95a in _start () (gdb)

I have been tracking this one too. Bisection reveals it was introduced in [226138]. Don't understand the code well enough to offer a correction though.

Daniel, apparently this is related to a patch of yours. Could you take a look?

The stack-trace in comment 3 mens that subdivide() at <https://trac.webkit.org/browser/trunk/Source/WebCore/rendering/InlineTextBox.cpp?rev=235148#L794> is returning an empty Vector. I have not had success reproducing this issue using find-in-page in Safari :( Though I do know of a test case that can trigger the same issue and will post shortly.

Created attachment 348337 [details] Test case - will cause crash

<rdar://problem/41804994>

Created attachment 348349 [details] Patch and layout test

Thank you Daniel! Nice test.

(In reply to Beau Adkins from comment #4) > I have been tracking this one too. Bisection reveals it was introduced in > [226138]. Don't understand the code well enough to offer a correction though. Also: good bisection, thanks.

Committed r235485: <https://trac.webkit.org/changeset/235485>

Comment on attachment 348349 [details] Patch and layout test View in context: https://bugs.webkit.org/attachment.cgi?id=348349&action=review > Source/WebCore/ChangeLog:3 > + REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany "an empty" is repeated twice. > LayoutTests/ChangeLog:3 > + REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany Ditto.

(In reply to Said Abou-Hallawa from comment #13) > Comment on attachment 348349 [details] > Patch and layout test > > View in context: > https://bugs.webkit.org/attachment.cgi?id=348349&action=review > > > Source/WebCore/ChangeLog:3 > > + REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany > > "an empty" is repeated twice. > > > LayoutTests/ChangeLog:3 > > + REGRESSION (r226138): WebCore::subdivide() may return an empty an empty vector; Web process can crash when performing find in Epiphany > > Ditto. I fixed this before landing.