Just had this again, and it's crashing when trying to access the first pattern element in here:

FcChar32
FcPatternHash (const FcPattern *p)
{
    int		i;
    FcChar32	h = 0;
    FcPatternElt    *pe = FcPatternElts(p);

    for (i = 0; i < p->num; i++)
    {
	h = (((h << 1) | (h >> 31)) ^ 
	     pe[i].object ^ // <--- crash
	     FcValueListHash (FcPatternEltValues(&pe[i])));
    }

so it seems we are passing an already deleted pattern to the function.

(gdb) bt
#0  IA__FcPatternHash (p=0x95c3468) at fcpat.c:432
#1  0xb6ad668e in WebCore::FontPlatformData::hash (this=0x931f188) at ../../WebCore/platform/graphics/gtk/FontPlatformData.h:91
#2  0xb6ad66d3 in WebCore::FontDataCacheKeyHash::hash (platformData=@0x931f188) at ../../WebCore/platform/graphics/FontCache.cpp:223
#3  0xb6ad66e6 in WTF::IdentityHashTranslator<WebCore::FontPlatformData, std::pair<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int> >, WebCore::FontDataCacheKeyHash>::hash (key=@0x931f188) at ../../JavaScriptCore/wtf/HashTable.h:277
#4  0xb6ad6a1d in WTF::HashTable<WebCore::FontPlatformData, std::pair<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int> >, WTF::PairFirstExtractor<std::pair<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int> > >, WebCore::FontDataCacheKeyHash, WTF::PairHashTraits<WebCore::FontDataCacheKeyTraits, WTF::HashTraits<std::pair<WebCore::SimpleFontData*, unsigned int> > >, WebCore::FontDataCacheKeyTraits>::lookup<WebCore::FontPlatformData, WTF::IdentityHashTranslator<WebCore::FontPlatformData, std::pair<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int> >, WebCore::FontDataCacheKeyHash> > (this=0x8eea850, key=@0x931f188)
    at ../../JavaScriptCore/wtf/HashTable.h:474
#5  0xb6ad6bf1 in WTF::HashTable<WebCore::FontPlatformData, std::pair<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int> >, WTF::PairFirstExtractor<std::pair<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int> > >, WebCore::FontDataCacheKeyHash, WTF::PairHashTraits<WebCore::FontDataCacheKeyTraits, WTF::HashTraits<std::pair<WebCore::SimpleFontData*, unsigned int> > >, WebCore::FontDataCacheKeyTraits>::contains<WebCore::FontPlatformData, WTF::IdentityHashTranslator<WebCore::FontPlatformData, std::pair<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int> >, WebCore::FontDataCacheKeyHash> > (this=0x8eea850, key=@0x931f188)
    at ../../JavaScriptCore/wtf/HashTable.h:794
#6  0xb6ad6c22 in WTF::HashTable<WebCore::FontPlatformData, std::pair<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int> >, WTF::PairFirstExtractor<std::pair<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int> > >, WebCore::FontDataCacheKeyHash, WTF::PairHashTraits<WebCore::FontDataCacheKeyTraits, WTF::HashTraits<std::pair<WebCore::SimpleFontData*, unsigned int> > >, WebCore::FontDataCacheKeyTraits>::contains (this=0x8eea850, key=@0x931f188) at ../../JavaScriptCore/wtf/HashTable.h:325
#7  0xb6ad6c40 in WTF::HashMap<WebCore::FontPlatformData, std::pair<WebCore::SimpleFontData*, unsigned int>, WebCore::FontDataCacheKeyHash, WebCore::FontDataCacheKeyTraits, WTF::HashTraits<std::pair<WebCore::SimpleFontData*, unsigned int> > >::contains (this=0x8eea850, key=@0x931f188)
    at ../../JavaScriptCore/wtf/HashMap.h:173
#8  0xb6ace352 in WebCore::FontCache::purgeInactiveFontData (this=0x8d7c2f0, count=21) at ../../WebCore/platform/graphics/FontCache.cpp:330
#9  0xb6ace865 in WebCore::FontCache::releaseFontData (this=0x8d7c2f0, fontData=0xab93518) at ../../WebCore/platform/graphics/FontCache.cpp:295
#10 0xb6ad8e17 in WebCore::FontFallbackList::releaseFontData (this=0xb3c2270) at ../../WebCore/platform/graphics/FontFallbackList.cpp:64
#11 0xb6acc793 in ~FontFallbackList (this=0xb3c2270) at ../../WebCore/platform/graphics/FontFallbackList.h:46
#12 0xb6acc7f3 in WTF::RefCounted<WebCore::FontFallbackList>::deref (this=0xb3c2270) at ../../JavaScriptCore/wtf/RefCounted.h:94
#13 0xb6acc87b in ~RefPtr (this=0xc1f4e94) at ../../JavaScriptCore/wtf/RefPtr.h:50
#14 0xb6acb404 in ~Font (this=0xc1f4e80) at ../../WebCore/platform/graphics/Font.cpp:118
#15 0xb6c2b898 in ~StyleInheritedData (this=0xc1f4e68) at ../../WebCore/rendering/style/StyleInheritedData.cpp:46
#16 0xb67e4ed1 in WTF::RefCounted<WebCore::StyleInheritedData>::deref (this=0xc1f4e68) at ../../JavaScriptCore/wtf/RefCounted.h:94
#17 0xb6c2798d in ~RefPtr (this=0xad165b8) at ../../JavaScriptCore/wtf/RefPtr.h:50
#18 0xb6c279a1 in ~DataRef (this=0xad165b8) at ../../WebCore/rendering/style/DataRef.h:31
#19 0xb6c25984 in ~RenderStyle (this=0xad16588) at ../../WebCore/rendering/style/RenderStyle.cpp:163
#20 0xb6759af5 in WTF::RefCounted<WebCore::RenderStyle>::deref (this=0xad16588) at ../../JavaScriptCore/wtf/RefCounted.h:94
---Type <return> to continue, or q <return> to quit---
#21 0xb6759bbb in ~RefPtr (this=0xb194610) at ../../JavaScriptCore/wtf/RefPtr.h:50
#22 0xb6bccb74 in ~RenderObject (this=0xb19460c) at ../../WebCore/rendering/RenderObject.cpp:215
#23 0xb6b8a686 in ~RenderBoxModelObject (this=0xb19460c) at ../../WebCore/rendering/RenderBoxModelObject.cpp:56
#24 0xb6ba4a73 in ~RenderInline (this=0xb19460c) at ../../WebCore/rendering/RenderInline.cpp:56
#25 0xb6bc5d9e in WebCore::RenderObject::arenaDelete (this=0xb19460c, arena=0xc0155c8, base=0xb19460c)
    at ../../WebCore/rendering/RenderObject.cpp:1861
#26 0xb6bc5f5e in WebCore::RenderObject::destroy (this=0xb19460c) at ../../WebCore/rendering/RenderObject.cpp:1834
#27 0xb6b8a31f in WebCore::RenderBoxModelObject::destroy (this=0xb19460c) at ../../WebCore/rendering/RenderBoxModelObject.cpp:74
#28 0xb6ba4a33 in WebCore::RenderInline::destroy (this=0xb19460c) at ../../WebCore/rendering/RenderInline.cpp:93
#29 0xb68695e6 in WebCore::Node::detach (this=0xb1d00e48) at ../../WebCore/dom/Node.cpp:1103
#30 0xb680c413 in WebCore::ContainerNode::detach (this=0xb1d00e48) at ../../WebCore/dom/ContainerNode.cpp:599
#31 0xb684cd20 in WebCore::Element::detach (this=0xb1d00e48) at ../../WebCore/dom/Element.cpp:720
#32 0xb680c3e1 in WebCore::ContainerNode::detach (this=0xb1d009c0) at ../../WebCore/dom/ContainerNode.cpp:597
#33 0xb684cd20 in WebCore::Element::detach (this=0xb1d009c0) at ../../WebCore/dom/Element.cpp:720
#34 0xb680c3e1 in WebCore::ContainerNode::detach (this=0xb1308008) at ../../WebCore/dom/ContainerNode.cpp:597
#35 0xb684cd20 in WebCore::Element::detach (this=0xb1308008) at ../../WebCore/dom/Element.cpp:720
#36 0xb680c3e1 in WebCore::ContainerNode::detach (this=0xb13647e8) at ../../WebCore/dom/ContainerNode.cpp:597
#37 0xb684cd20 in WebCore::Element::detach (this=0xb13647e8) at ../../WebCore/dom/Element.cpp:720
#38 0xb680c3e1 in WebCore::ContainerNode::detach (this=0xb136c298) at ../../WebCore/dom/ContainerNode.cpp:597
#39 0xb684cd20 in WebCore::Element::detach (this=0xb136c298) at ../../WebCore/dom/Element.cpp:720
#40 0xb680c3e1 in WebCore::ContainerNode::detach (this=0xab22478) at ../../WebCore/dom/ContainerNode.cpp:597
#41 0xb684cd20 in WebCore::Element::detach (this=0xab22478) at ../../WebCore/dom/Element.cpp:720
#42 0xb680c3e1 in WebCore::ContainerNode::detach (this=0xbdfd540) at ../../WebCore/dom/ContainerNode.cpp:597
#43 0xb684cd20 in WebCore::Element::detach (this=0xbdfd540) at ../../WebCore/dom/Element.cpp:720
#44 0xb680c3e1 in WebCore::ContainerNode::detach (this=0xb13be98) at ../../WebCore/dom/ContainerNode.cpp:597
#45 0xb684cd20 in WebCore::Element::detach (this=0xb13be98) at ../../WebCore/dom/Element.cpp:720
#46 0xb680c3e1 in WebCore::ContainerNode::detach (this=0xc812448) at ../../WebCore/dom/ContainerNode.cpp:597
#47 0xb681b946 in WebCore::Document::detach (this=0xc812448) at ../../WebCore/dom/Document.cpp:1310
#48 0xb6a6bf9e in WebCore::Frame::setView (this=0x9299900, view=0x0) at ../../WebCore/page/Frame.cpp:232
#49 0xb6a6c133 in WebCore::Frame::createView (this=0x9299900, viewportSize=@0xbfeb02a4, backgroundColor=@0xbfeb029c, transparent=false, 
    fixedLayoutSize=@0xbfeb0294, useFixedLayout=false, horizontalScrollbarMode=WebCore::ScrollbarAuto, 
    verticalScrollbarMode=WebCore::ScrollbarAuto) at ../../WebCore/page/Frame.cpp:1737
#50 0xb66ae11d in WebKit::FrameLoaderClient::transitionToCommittedForNewPage (this=0x9e79870)
    at ../../WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:918
#51 0xb6a062c9 in WebCore::FrameLoader::transitionToCommitted (this=0x929992c, cachedPage={m_ptr = 0xbfeb0394})
    at ../../WebCore/loader/FrameLoader.cpp:2901
#52 0xb6a06e19 in WebCore::FrameLoader::commitProvisionalLoad (this=0x929992c, prpCachedPage={m_ptr = 0xbfeb0490})
---Type <return> to continue, or q <return> to quit---
    at ../../WebCore/loader/FrameLoader.cpp:2772
#53 0xb69df644 in WebCore::DocumentLoader::commitIfReady (this=0xc5b51c8) at ../../WebCore/loader/DocumentLoader.cpp:339
#54 0xb69e1181 in WebCore::DocumentLoader::commitLoad (this=0xc5b51c8, 
    data=0xbfeb09b0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmln"..., length=1418) at ../../WebCore/loader/DocumentLoader.cpp:359
#55 0xb69e121e in WebCore::DocumentLoader::receivedData (this=0xc5b51c8, 
    data=0xbfeb09b0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmln"..., length=1418) at ../../WebCore/loader/DocumentLoader.cpp:373
#56 0xb69f9b59 in WebCore::FrameLoader::receivedData (this=0x929992c, 
    data=0xbfeb09b0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmln"..., length=1418) at ../../WebCore/loader/FrameLoader.cpp:2423
#57 0xb6a0fa9e in WebCore::MainResourceLoader::addData (this=0xc2cc4c8, 
    data=0xbfeb09b0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmln"..., length=1418, allAtOnce=false)
    at ../../WebCore/loader/MainResourceLoader.cpp:146
#58 0xb6a15ea7 in WebCore::ResourceLoader::didReceiveData (this=0xc2cc4c8, 
    data=0xbfeb09b0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmln"..., length=1418, lengthReceived=0, allAtOnce=false)
    at ../../WebCore/loader/ResourceLoader.cpp:257
#59 0xb6a0eb4e in WebCore::MainResourceLoader::didReceiveData (this=0xc2cc4c8, 
    data=0xbfeb09b0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmln"..., length=1418, lengthReceived=0, allAtOnce=false)
    at ../../WebCore/loader/MainResourceLoader.cpp:347
#60 0xb6a1512a in WebCore::ResourceLoader::didReceiveData (this=0xc2cc4c8, 
    data=0xbfeb09b0 "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n<html xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmln"..., length=1418, lengthReceived=0)
    at ../../WebCore/loader/ResourceLoader.cpp:411
#61 0xb6c3a0f9 in gotChunkCallback (msg=0xbd61988, chunk=0xbb85898, data=0xa8686f0)
    at ../../WebCore/platform/network/soup/ResourceHandleSoup.cpp:252
#62 0xb4daf52a in IA__g_cclosure_marshal_VOID__BOXED (closure=0xbc822a0, return_value=0x0, n_param_values=2, param_values=0xc64a200, 
    invocation_hint=0xbfeb07dc, marshal_data=0xb6c39f43) at gmarshal.c:566
#63 0xb4da0fdb in IA__g_closure_invoke (closure=0xbc822a0, return_value=0x0, n_param_values=2, param_values=0xc64a200, invocation_hint=0xbfeb07dc)
    at gclosure.c:767
#64 0xb4db86e7 in signal_emit_unlocked_R (node=0x8e7d620, detail=0, instance=0xbd61988, emission_return=0x0, instance_and_params=0xc64a200)
    at gsignal.c:3244
#65 0xb4db9d5b in IA__g_signal_emit_valist (instance=0xbd61988, signal_id=374, detail=0, 
    var_args=0xbfeb0980 "�B5�\034\0218��)��%\2235�\210\031�\v\230X�\v") at gsignal.c:2977
---Type <return> to continue, or q <return> to quit---
#66 0xb4dba206 in IA__g_signal_emit (instance=0xbd61988, signal_id=374, detail=0) at gsignal.c:3034
#67 0xb5354316 in soup_message_got_chunk (msg=0xbd61988, chunk=0xbb85898) at soup-message.c:830
#68 0xb5359325 in read_body_chunk (msg=0xbd61988) at soup-message-io.c:313
#69 0xb53599ad in io_read (sock=0x9462e48, msg=0xbd61988) at soup-message-io.c:758
#70 0xb4daee84 in IA__g_cclosure_marshal_VOID__VOID (closure=0x973fd20, return_value=0x0, n_param_values=1, param_values=0x8a87dc0, 
    invocation_hint=0xbfeb2bec, marshal_data=0xb53596e0) at gmarshal.c:77
#71 0xb4da0fdb in IA__g_closure_invoke (closure=0x973fd20, return_value=0x0, n_param_values=1, param_values=0x8a87dc0, invocation_hint=0xbfeb2bec)
    at gclosure.c:767
#72 0xb4db86e7 in signal_emit_unlocked_R (node=0x8e2b278, detail=0, instance=0x9462e48, emission_return=0x0, instance_and_params=0x8a87dc0)
    at gsignal.c:3244
#73 0xb4db9d5b in IA__g_signal_emit_valist (instance=0x9462e48, signal_id=382, detail=0, 
    var_args=0xbfeb2d8c "��ִ��ִ`�\177\v�-뿽\022ϴ\030\2073\f\001") at gsignal.c:2977
#74 0xb4dba206 in IA__g_signal_emit (instance=0x9462e48, signal_id=382, detail=0) at gsignal.c:3034
#75 0xb5364402 in socket_read_watch (chan=0xc338718, cond=<value optimized out>, user_data=0x9462e48) at soup-socket.c:1116
#76 0xb4cf12bd in g_io_unix_dispatch (source=0xb7fa560, callback=0xb53643b0 <socket_read_watch>, user_data=0x9462e48) at giounix.c:162
#77 0xb4cba0c8 in IA__g_main_context_dispatch (context=0x8768880) at gmain.c:1814
#78 0xb4cbd62b in g_main_context_iterate (context=0x8768880, block=1, dispatch=1, self=0x87404b8) at gmain.c:2448
#79 0xb4cbdafa in IA__g_main_loop_run (loop=0x87959c8) at gmain.c:2656
#80 0xb545bf29 in IA__gtk_main () at gtkmain.c:1205
#81 0x08048c86 in main (argc=Cannot access memory at address 0x157b6e68
) at ../../../src/ephy-main.c:781
Current language:  auto; currently c

Created attachment 28653 [details]
gtkfonts.patch

This patch makes FontPlatformDataGtk free the memory it allocates in its own destructor, instead of having SimpleFontDataGtk free it in platformDestroy. Also, since the class has reference counted members we need a copy constructor and '=' operator to properly track those references when assigning and copying objects. With these two changes I can't reproduce the crash anymore.

Holger said he was concerned this might be a performance regression, but: other ports have objects that they also have to copy in their FontPlatformData* classes, so I don't see how this is that different. Besides, what this does is to add two extra refcounts per copy, it does not do actual copies of the fc pattern or the cairo fonts. That being said, there might be better ways to handle this, so I'm totally open to comments :)

I'm convinced this is the proper change. You are absolutely right in terms of information hiding that FontPlatformData should own these things.

Comment on attachment 28653 [details]
gtkfonts.patch

>         * platform/graphics/gtk/FontPlatformData.h:
>         * platform/graphics/gtk/FontPlatformDataGtk.cpp:


FontPlatformDataPango.cpp needs some love too?


> +FontPlatformData& FontPlatformData::operator=(const FontPlatformData& other)
> +{
> +    m_size = other.m_size;
> +    m_syntheticBold = other.m_syntheticBold;
> +    m_syntheticOblique = other.m_syntheticOblique;
> +    if (other.m_scaledFont)
> +        m_scaledFont = cairo_scaled_font_reference (other.m_scaledFont);
> +    else
> +        m_scaledFont = 0;
> +
> +    if (other.m_pattern)
> +        FcPatternReference(other.m_pattern);
> +    m_pattern = other.m_pattern;
> +
> +    // This will be re-created on demand.
> +    m_fallbacks = 0;

This is not correct. FontPlatformData might already have a properly initialized m_scaledFont and m_pattern. This means the normal flow of things are. Ref the new stuff, unref the old stuff, copy over the pointers. This makes sure you don't lead and guards you against self assignment (fontData = fontData). And in case of the self assignment you reset m_fallbacks without freeing it...

A incomplete pointer: http://www.codingstandard.com/HICPPCM/High_Integrity_CPP_Rule_3.1.5.html


> +FontPlatformData::FontPlatformData(const FontPlatformData& other)
> +{
       *this = other;

to avoid the code duplication.

Created attachment 28682 [details]
gtkfontsv2.patch

Address Holger review.

I think I've fixed all your comments (thanks, great review), save for the Pango thing. I think Alp has said that the FC backend does everything the Pango one did, and that it's pointless to use it/maintain it now. If he can confirm this I think we should remove it (?), otherwise I'll make another patch to apply the same fix.

+    if (other.m_scaledFont)
+        cairo_scaled_font_reference (other.m_scaledFont);

Meh, bad space. I'll fix that when landing if the patch is OK :)

Comment on attachment 28682 [details]
gtkfontsv2.patch


> +    // Do this first, since we need to catch self assignment.
> +    if (m_fallbacks && !(*this == other)) {

okay, we don't want to go through the operator== of this class but really compare the pointers of this and &other. You might want to consider having if (this == &other)\ return *this; at the top but this would optimize for the unlikely case... at least change it to compare the pointers as discussed on irc.


> -    if (m_font.m_pattern && ((FcPattern*)-1 != m_font.m_pattern)) {

we don't do the -1 check in the assignment operator and it seems fine. So let us schedule this bit for removal too (later patch or might be proven wrong if the assignment is crashing).



regarding the pango backend. we should update it too, it is needed for users on OSX (native/framework) and win32...

Created attachment 28690 [details]
pangofonts.patch

Same fix for the pango backend.

Created attachment 28691 [details]
style.patch

Style fix which I forgot to apply in the first patch.

Comment on attachment 28690 [details]
pangofonts.patch


> -  PangoFontMap* FontPlatformData::m_fontMap = 0;
> -  GHashTable* FontPlatformData::m_hashTable = 0;
> +PangoFontMap* FontPlatformData::m_fontMap = 0;
> +GHashTable* FontPlatformData::m_hashTable = 0;

maybe move this to the style patch?


>  
>  FontPlatformData::FontPlatformData(const FontDescription& fontDescription, const AtomicString& familyName)
>      : m_context(0)
> @@ -193,7 +194,20 @@ bool FontPlatformData::init()
>  
>  FontPlatformData::~FontPlatformData()
>  {
> -    // Destroy takes place in FontData::platformDestroy().
> +    if (m_font && m_font != reinterpret_cast<PangoFont*>(-1)) {

probably the same as with the previous patch. (-1)

Comment on attachment 28691 [details]
style.patch


>      if (other.m_scaledFont)
> -        cairo_scaled_font_reference (other.m_scaledFont);
> +        cairo_scaled_font_reference(other.m_scaledFont);

damn, you tricked me. Sorry for not noticing. :)

All patches landed (r41762, r41767 and r41768), closing as FIXED.