Bug 191805 - Segfaults on https://terminalizer.com/
Summary: Segfaults on https://terminalizer.com/
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Zan Dobersek
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-17 04:09 PST by Cédric Bellegarde
Modified: 2018-11-20 11:42 PST
CC: 5 users

See Also:


Attachments
disassembly (9.76 KB, text/plain) - 2018-11-19 13:54 PST, Michael Catanzaro - no flags
registers (1.07 KB, text/plain) - 2018-11-19 13:54 PST, Michael Catanzaro - no flags
Patch (2.63 KB, patch) - 2018-11-20 10:59 PST, Zan Dobersek - no flags

Description Cédric Bellegarde 2018-11-17 04:09:53 PST
When using the latest WebKitGTK release on ArchLinux and Fedora 29. I guess you should be able to reproduce.

#0  0x00007f29fb3bece9 in  () at /lib64/libwebkit2gtk-4.0.so.37
#1  0x00007f29f5fa25df in _ZN9hb_font_t17get_nominal_glyphEjPj (glyph=0x7ffd2579a6c8, unicode=0, this=<optimized out>) at hb-font-private.hh:211
#2  0x00007f29f5fa25df in decompose_current_character (shortest=true, c=0x7ffd2579a6d0) at hb-ot-shape-normalize.cc:169
#3  0x00007f29f5fa25df in decompose_cluster (always_short_circuit=<optimized out>, might_short_circuit=true, end=<optimized out>, c=0x7ffd2579a6d0) at hb-ot-shape-normalize.cc:271
#4  0x00007f29f5fa25df in _Z22_hb_ot_shape_normalizePK18hb_ot_shape_plan_tP11hb_buffer_tP9hb_font_t (plan=plan@entry=0x560db2f332f0, buffer=buffer@entry=0x560db2d81c00, font=font@entry=0x560db379cd70) at hb-ot-shape-normalize.cc:330
#5  0x00007f29f5f907d6 in hb_ot_substitute_default (c=<synthetic pointer>) at hb-ot-shape.cc:604
#6  0x00007f29f5f907d6 in hb_ot_substitute (c=<synthetic pointer>) at hb-ot-shape.cc:636
#7  0x00007f29f5f907d6 in hb_ot_shape_internal (c=<synthetic pointer>) at hb-ot-shape.cc:870
#8  0x00007f29f5f907d6 in _hb_ot_shape(hb_shape_plan_t*, hb_font_t*, hb_buffer_t*, hb_feature_t const*, unsigned int) (shape_plan=shape_plan@entry=0x560db36f3250, font=font@entry=0x560db379cd70, buffer=buffer@entry=0x560db2d81c00, features=features@entry=0x7ffd2579a990, num_features=num_features@entry=1) at hb-ot-shape.cc:898
#9  0x00007f29f5f551ff in hb_shape_plan_execute(hb_shape_plan_t*, hb_font_t*, hb_buffer_t*, hb_feature_t const*, unsigned int) (shape_plan=shape_plan@entry=0x560db36f3250, font=font@entry=0x560db379cd70, buffer=buffer@entry=0x560db2d81c00, features=features@entry=0x7ffd2579a990, num_features=num_features@entry=1) at hb-shaper-list.hh:43
#10 0x00007f29f5f5478a in hb_shape_full(hb_font_t*, hb_buffer_t*, hb_feature_t const*, unsigned int, char const* const*) (font=0x560db379cd70, buffer=0x560db2d81c00, features=0x7ffd2579a990, num_features=1, shaper_list=<optimized out>) at hb-shape.cc:137
#11 0x00007f29fb3bca0d in  () at /lib64/libwebkit2gtk-4.0.so.37
#12 0x00007f29fae2b338 in  () at /lib64/libwebkit2gtk-4.0.so.37
#13 0x00007f29fae2d269 in  () at /lib64/libwebkit2gtk-4.0.so.37
#14 0x00007f29fae438a8 in  () at /lib64/libwebkit2gtk-4.0.so.37
#15 0x00007f29fae43f45 in  () at /lib64/libwebkit2gtk-4.0.so.37
#16 0x00007f29fae63065 in  () at /lib64/libwebkit2gtk-4.0.so.37
#17 0x00007f29fab249e9 in  () at /lib64/libwebkit2gtk-4.0.so.37
#18 0x00007f29fab24da2 in  () at /lib64/libwebkit2gtk-4.0.so.37
#19 0x00007f29fb485012 in  () at /lib64/libwebkit2gtk-4.0.so.37
#20 0x00007f2997fff177 in  ()
#21 0x00007ffd257ae6a0 in  ()
#22 0x00007f29f8c33172 in  () at /lib64/libjavascriptcoregtk-4.0.so.18
#23 0x0000000000000000 in  ()
Comment 1 Michael Catanzaro 2018-11-17 09:01:38 PST
The crash is deep inside harfbuzz, so you need to report it to harfbuzz: https://github.com/harfbuzz/harfbuzz/issues/

And you've been reporting good bugs for a long time now, so you should know better than to report a crash without debug symbols for WebKit....
Comment 2 Cédric Bellegarde 2018-11-17 09:13:34 PST
I know, I rebooted on Fedora 29 to get symbols but gdb was unable to load them:
- gdb told me to install them with dnf install
- dnf install was saying the package was installed
Comment 3 Cédric Bellegarde 2018-11-17 09:19:02 PST
I know, I rebooted on Fedora 29 to get symbols but gdb was unable to load them:
- gdb told me to install them with dnf install
- dnf install was saying the package is installed
Comment 4 Ebrahim Byagowi 2018-11-18 14:11:28 PST
Hey there, per this comment, https://github.com/harfbuzz/harfbuzz/issues/1390#issuecomment-439682578, the stack trace refers back to libwebkit2gtk itself; maybe you could see why the WebKit callback is acting faulty in this case? We couldn't reproduce the issue here, but I guess you can help more in finding out what is happening on the WebKit side. Any help on the case will be nice. Thanks
Comment 5 Cédric Bellegarde 2018-11-18 15:18:49 PST
Here is the full backtrace (dnf update does not update debug symbols :-/)

#0  0x00007eff0d1a1ce9 in WebCore::harfBuzzGetGlyph(hb_font_t*, void*, hb_codepoint_t, hb_codepoint_t, hb_codepoint_t*, void*) (fontData=<optimized out>, unicode=<optimized out>, glyph=0x7fffd9067d08) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/Source/WebCore/platform/graphics/harfbuzz/HarfBuzzFaceCairo.cpp:107
#1  0x00007eff07d855df in _ZN9hb_font_t17get_nominal_glyphEjPj (glyph=0x7fffd9067d08, unicode=0, this=<optimized out>) at hb-font-private.hh:211
#2  0x00007eff07d855df in decompose_current_character (shortest=true, c=0x7fffd9067d10) at hb-ot-shape-normalize.cc:169
#3  0x00007eff07d855df in decompose_cluster (always_short_circuit=<optimized out>, might_short_circuit=true, end=<optimized out>, c=0x7fffd9067d10) at hb-ot-shape-normalize.cc:271
#4  0x00007eff07d855df in _Z22_hb_ot_shape_normalizePK18hb_ot_shape_plan_tP11hb_buffer_tP9hb_font_t (plan=plan@entry=0x55b1e7556160, buffer=buffer@entry=0x55b1e75b4f70, font=font@entry=0x55b1e75b5060) at hb-ot-shape-normalize.cc:330
#5  0x00007eff07d737d6 in hb_ot_substitute_default (c=<synthetic pointer>) at hb-ot-shape.cc:604
#6  0x00007eff07d737d6 in hb_ot_substitute (c=<synthetic pointer>) at hb-ot-shape.cc:636
#7  0x00007eff07d737d6 in hb_ot_shape_internal (c=<synthetic pointer>) at hb-ot-shape.cc:870
#8  0x00007eff07d737d6 in _hb_ot_shape(hb_shape_plan_t*, hb_font_t*, hb_buffer_t*, hb_feature_t const*, unsigned int) (shape_plan=shape_plan@entry=0x55b1e7548920, font=font@entry=0x55b1e75b5060, buffer=buffer@entry=0x55b1e75b4f70, features=features@entry=0x7fffd9067fd0, num_features=num_features@entry=1) at hb-ot-shape.cc:898
#9  0x00007eff07d381ff in hb_shape_plan_execute(hb_shape_plan_t*, hb_font_t*, hb_buffer_t*, hb_feature_t const*, unsigned int) (shape_plan=shape_plan@entry=0x55b1e7548920, font=font@entry=0x55b1e75b5060, buffer=buffer@entry=0x55b1e75b4f70, features=features@entry=0x7fffd9067fd0, num_features=num_features@entry=1) at hb-shaper-list.hh:43
#10 0x00007eff07d3778a in hb_shape_full(hb_font_t*, hb_buffer_t*, hb_feature_t const*, unsigned int, char const* const*) (font=0x55b1e75b5060, buffer=0x55b1e75b4f70, features=0x7fffd9067fd0, num_features=1, shaper_list=<optimized out>) at hb-shape.cc:137
#11 0x00007eff0d19fa0d in _ZN7WebCore21ComplexTextController35collectComplexTextRunsForCharactersEPKDsjjPKNS_4FontE (this=0x7fffd9068150, characters=0x7efe8f49a68c u"", length=1, stringLocation=0, font=0x7efe63cc4b58) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Vector.h:724
#12 0x00007eff0cc0e338 in _ZN7WebCore21ComplexTextController22collectComplexTextRunsEv (this=this@entry=0x7fffd9068150) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/Source/WebCore/platform/graphics/ComplexTextController.cpp:468
#13 0x00007eff0cc10269 in _ZN7WebCore21ComplexTextControllerC2ERKNS_11FontCascadeERKNS_7TextRunEbPN3WTF7HashSetIPKNS_4FontENS7_7PtrHashISB_EENS7_10HashTraitsISB_EEEEb (this=0x7fffd9068150, font=..., run=..., mayUseNaturalWritingDirection=<optimized out>, fallbackFonts=<optimized out>, forTextEmphasis=<optimized out>) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/Source/WebCore/platform/graphics/ComplexTextController.cpp:155
#14 0x00007eff0cc268a8 in _ZNK7WebCore11FontCascade34getGlyphsAndAdvancesForComplexTextERKNS_7TextRunEjjRNS_11GlyphBufferENS0_20ForTextEmphasisOrNotE (this=<optimized out>, run=..., from=0, to=1, glyphBuffer=..., forTextEmphasis=<optimized out>) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/Source/WebCore/platform/graphics/FontCascade.cpp:1391
#15 0x00007eff0cc26f45 in _ZNK7WebCore11FontCascade8drawTextERNS_15GraphicsContextERKNS_7TextRunERKNS_10FloatPointEjSt8optionalIjENS0_24CustomFontNotReadyActionE (this=this@entry=0x7efea5c73be8, context=..., run=..., point=..., from=from@entry=0, to=Python Exception <class 'gdb.error'> There is no member or method named _M_payload.: 
..., customFontNotReadyAction=WebCore::FontCascade::UseFallbackIfFontNotReady) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Optional.h:312
#16 0x00007eff0cc46065 in _ZN7WebCore15GraphicsContext12drawBidiTextERKNS_11FontCascadeERKNS_7TextRunERKNS_10FloatPointENS1_24CustomFontNotReadyActionE (this=this@entry=0x7efe63cc4948, font=..., run=..., point=..., customFontNotReadyAction=customFontNotReadyAction@entry=WebCore::FontCascade::UseFallbackIfFontNotReady) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/ForwardingHeaders/wtf/Optional.h:418
#17 0x00007eff0c9079e9 in _ZNK7WebCore28CanvasRenderingContext2DBase9FontProxy12drawBidiTextERNS_15GraphicsContextERKNS_7TextRunERKNS_10FloatPointENS_11FontCascade24CustomFontNotReadyActionE (action=WebCore::FontCascade::UseFallbackIfFontNotReady, point=..., run=..., context=..., this=0x7efea5c73be0) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:348
#18 0x00007eff0c9079e9 in _ZN7WebCore24CanvasRenderingContext2D16drawTextInternalERKN3WTF6StringEffbSt8optionalIfE (this=0x7efe63c84000, text=..., x=<optimized out>, y=<optimized out>, fill=fill@entry=true, maxWidth=Python Exception <class 'gdb.error'> There is no member or method named _M_payload.: 
...) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp:586
#19 0x00007eff0c907da2 in _ZN7WebCore24CanvasRenderingContext2D8fillTextERKN3WTF6StringEffSt8optionalIfE (this=this@entry=0x7efe63c84000, text=..., x=<optimized out>, y=<optimized out>, maxWidth=Python Exception <class 'gdb.error'> There is no member or method named _M_payload.: 
...) at /usr/include/c++/8/new:169
#20 0x00007eff0d268012 in WebCore::jsCanvasRenderingContext2DPrototypeFunctionFillTextBody (throwScope=..., castedThis=<optimized out>, state=<optimized out>) at /usr/include/c++/8/new:169
#21 0x00007eff0d268012 in WebCore::IDLOperation<WebCore::JSCanvasRenderingContext2D>::call<WebCore::jsCanvasRenderingContext2DPrototypeFunctionFillTextBody> (operationName=0x7eff0d42c208 "fillText", state=...) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/Source/WebCore/bindings/js/JSDOMOperation.h:53
#22 0x00007eff0d268012 in _ZN7WebCore51jsCanvasRenderingContext2DPrototypeFunctionFillTextEPN3JSC9ExecStateE (state=<optimized out>) at /usr/src/debug/webkit2gtk3-2.22.3-1.fc29.x86_64/x86_64-redhat-linux-gnu/DerivedSources/WebCore/JSCanvasRenderingContext2D.cpp:3142
#23 0x00007efea7fff177 in  ()
#24 0x00007fffd907bce0 in  ()
#25 0x00007eff0aa16172 in llint_entry () at /lib64/libjavascriptcoregtk-4.0.so.18
Comment 6 Michael Catanzaro 2018-11-19 07:57:11 PST
My guess is bug #191825. Zan would know for sure.
Comment 7 Michael Catanzaro 2018-11-19 08:13:53 PST
(In reply to Michael Catanzaro from comment #6)
> My guess is bug #191825. Zan would know for sure.

Well, it was a good guess, since that patch fixed a serious bug with the glyph cache, and this function is crashing while modifying the glyph cache. But no, it's still broken even with that patch.
Comment 8 Zan Dobersek 2018-11-19 12:30:07 PST
Can you post output of the `disassemble` operation in gdb, along with output of `info registers`?
Comment 9 Michael Catanzaro 2018-11-19 13:54:18 PST
Note it's 100% reproducible with the master runtime.

I assumed it was a use after free, but actually the cache entries are NEVER freed (not even when quitting the UI process!), neither the face cache nor the glyph cache, so this is a tough one.
Comment 10 Michael Catanzaro 2018-11-19 13:54:33 PST
Created attachment 355291 [details]
disassembly
Comment 11 Michael Catanzaro 2018-11-19 13:54:47 PST
Created attachment 355292 [details]
registers
Comment 12 Michael Catanzaro 2018-11-19 14:02:03 PST
First two frames with an -Og build:

#0  0x00007fc93ea70d61 in WebCore::harfBuzzGetGlyph (fontData=<optimized out>, unicode=<optimized out>, 
    glyph=0x7ffccfbdf288)
    at /home/mcatanzaro/Projects/WebKit/Source/WebCore/platform/graphics/harfbuzz/HarfBuzzFaceCairo.cpp:107
        glyphs = 0x7416370
        numGlyphs = 1
        buffer = "​"
        bufferLength = <optimized out>
        hbFontData = <optimized out>
        scaledFont = 0x73b3590
        result = {
          iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<unsigned int, unsigned int>, long, WTF::KeyValuePair<unsigned int, unsigned int>*, WTF::KeyValuePair<unsigned int, unsigned int>&>> = {<No data fields>}, 
            m_iterator = {<std::iterator<std::forward_iterator_tag, WTF::KeyValuePair<unsigned int, unsigned int>, long, WTF::KeyValuePair<unsigned int, unsigned int> const*, WTF::KeyValuePair<unsigned int, unsigned int> const&>> = {<No data fields>}, m_position = 0x0, m_endPosition = <optimized out>}}, 
          isNewEntry = <optimized out>}
#1  0x00007fc9397645df in hb_font_t::get_nominal_glyph (glyph=0x7ffccfbdf288, unicode=0, 
    this=<optimized out>) at hb-font-private.hh:211
No locals.


m_position = 0x0 looks suspicious to me.
Comment 13 Zan Dobersek 2018-11-20 10:59:23 PST
Created attachment 355352 [details]
Patch
Comment 14 Michael Catanzaro 2018-11-20 11:04:12 PST
Comment on attachment 355352 [details]
Patch

Ah, amazing! I would never have guessed that zero was not a valid key. I wonder how many similar bugs exist due to this.
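An added illustration of the failure mode discussed in comments 12 and 14 (example code written for this page, not WebKit's HashMap, not the attached patch): a toy map that, like WTF::HashMap<unsigned, unsigned>, reserves key 0 as the empty-bucket sentinel, so a glyph lookup for codepoint 0 has no bucket to land in. The names GlyphCache, lookupGlyphUncached and harfBuzzGetGlyphChecked, the 64-bucket table and the glyph values are all constructed; the isValidKey check is one way to make the callback reject such keys before touching the cache.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Toy open-addressing map in the spirit of WTF::HashMap<unsigned, unsigned>:
// key 0 is the "empty bucket" sentinel, so 0 is not a representable key.
// (Constructed for illustration; not WebKit's HashMap.)
struct GlyphCache {
    static constexpr uint32_t emptyKey = 0;
    std::vector<std::pair<uint32_t, uint32_t>> buckets;
    GlyphCache() : buckets(64, {0u, 0u}) {}   // all buckets start empty

    static bool isValidKey(uint32_t key) { return key != emptyKey; }

    // Like HashMap::add(): returns the bucket for `key`, inserting it if absent.
    // An invalid key has no bucket at all, so the result is null; compare the
    // null m_position iterator seen in comment 12.
    std::pair<uint32_t, uint32_t>* add(uint32_t key, uint32_t value, bool& isNewEntry) {
        isNewEntry = false;
        if (!isValidKey(key))
            return nullptr;
        const std::size_t n = buckets.size();
        for (std::size_t probe = 0, i = key % n; probe < n; ++probe, i = (i + 1) % n) {
            if (buckets[i].first == key)
                return &buckets[i];
            if (buckets[i].first == emptyKey) {
                buckets[i] = {key, value};
                isNewEntry = true;
                return &buckets[i];
            }
        }
        return nullptr;   // table full; the toy does not rehash
    }
};

// Stand-in for the real cairo/HarfBuzz glyph lookup (constructed values).
static uint32_t lookupGlyphUncached(uint32_t codepoint) { return codepoint + 1000; }

// Hardened callback: a version that does `cache.add(...)->second` unconditionally
// dereferences null for codepoint 0, which is the crash in comment 5. Reject first.
static bool harfBuzzGetGlyphChecked(GlyphCache& cache, uint32_t codepoint, uint32_t* glyph) {
    if (!GlyphCache::isValidKey(codepoint))
        return false;   // no cached glyph for a key the cache cannot represent
    bool isNew;
    auto* entry = cache.add(codepoint, 0, isNew);
    if (isNew)
        entry->second = lookupGlyphUncached(codepoint);
    *glyph = entry->second;
    return true;
}
```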
Comment 15 WebKit Commit Bot 2018-11-20 11:42:27 PST
Comment on attachment 355352 [details]
Patch

Clearing flags on attachment: 355352

Committed r238405: <https://trac.webkit.org/changeset/238405>
Comment 16 WebKit Commit Bot 2018-11-20 11:42:29 PST
All reviewed patches have been landed.  Closing bug.