RESOLVED CONFIGURATION CHANGED Bug 64364
crash in WebCore::FontFallbackList::determinePitch ()
https://bugs.webkit.org/show_bug.cgi?id=64364
Summary crash in WebCore::FontFallbackList::determinePitch ()
Marco Peereboom
Reported 2011-07-12 09:11:54 PDT
WebCore/platform/graphics/FontFallbackList.cpp

void FontFallbackList::determinePitch(const Font* font) const

font can be NULL causing the following crash:

#0  0x00000002110c8d7b in WebCore::FontFallbackList::determinePitch () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#1  0x00000002111804be in WebCore::RenderBlock::findNextLineBreak () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#2  0x0000000211181c4c in WebCore::RenderBlock::layoutInlineChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#3  0x0000000211170bf8 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#4  0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#5  0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#6  0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#7  0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#8  0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#9  0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#10 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#11 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#12 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#13 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#14 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#15 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#16 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#17 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#18 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#19 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#20 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#21 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#22 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#23 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#24 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#25 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#26 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#27 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#28 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#29 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#30 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#31 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#32 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#33 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#34 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#35 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#36 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#37 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#38 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#39 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#40 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#41 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#42 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#43 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#44 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#45 0x0000000211225d6f in WebCore::RenderView::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#46 0x000000021108eeff in WebCore::FrameView::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#47 0x000000021112420a in WebCore::ThreadTimers::sharedTimerFiredInternal () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#48 0x0000000210b04772 in WebCore::timeout_cb () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#49 0x00000002042e2b7b in g_source_get_time () from /usr/local/lib/libglib-2.0.so.2800.0
#50 0x00000002042e2173 in g_main_context_dispatch () from /usr/local/lib/libglib-2.0.so.2800.0
#51 0x00000002042e6152 in g_main_context_prepare () from /usr/local/lib/libglib-2.0.so.2800.0
#52 0x00000002042e6545 in g_main_loop_run () from /usr/local/lib/libglib-2.0.so.2800.0
#53 0x00000002122efa83 in gtk_main () from /usr/local/lib/libgtk-x11-2.0.so.2400.0
#54 0x0000000000417dc6 in main (argc=0, argv=0x7f7fffff2608) at /home/marco/xxxterm/xxxterm.c:8388

This seems to coincide with file descriptor starvation although I am not 100% sure of that. Patch to follow.
Attachments
patch1 (1.31 KB, patch)
2011-07-12 09:21 PDT, Marco Peereboom
no flags
patch2 (1.31 KB, patch)
2011-07-12 09:43 PDT, Marco Peereboom
no flags
Marco Peereboom
Comment 1 2011-07-12 09:21:21 PDT
Created attachment 100496 [details]
patch1

Verify that font and fontData are not NULL.
WebKit Review Bot
Comment 2 2011-07-12 09:24:01 PDT
Attachment 100496 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebCore/ChangeLog', u'Source/WebCor..." exit_code: 1
Source/WebCore/platform/graphics/FontFallbackList.cpp:76: Tests for true/false, null/non-null, and zero/non-zero should all be done without equality comparisons. [readability/comparison_to_zero] [5]
Source/WebCore/platform/graphics/FontFallbackList.cpp:76: Use 0 instead of NULL. [readability/null] [5]
Source/WebCore/platform/graphics/FontFallbackList.cpp:77: Tab found; better to use spaces [whitespace/tab] [1]
Source/WebCore/platform/graphics/FontFallbackList.cpp:81: Tests for true/false, null/non-null, and zero/non-zero should all be done without equality comparisons. [readability/comparison_to_zero] [5]
Source/WebCore/platform/graphics/FontFallbackList.cpp:81: Use 0 instead of NULL. [readability/null] [5]
Source/WebCore/platform/graphics/FontFallbackList.cpp:82: Tab found; better to use spaces [whitespace/tab] [1]
Total errors found: 6 in 2 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Martin Robinson
Comment 3 2011-07-12 09:29:40 PDT
What version of WebKit do you see this with? I recently fixed a FontCache bug that might have been causing this issue.
Marco Peereboom
Comment 4 2011-07-12 09:37:38 PDT
Whatever is bundled in webkit-gtk 1.4.2 as found here: http://webkitgtk.org/webkit-1.4.2.tar.gz
Marco Peereboom
Comment 5 2011-07-12 09:43:34 PDT
Created attachment 100501 [details]
patch2

Fix style
mitz
Comment 6 2011-07-12 21:48:32 PDT
Is this crash reproducible? As far as I can tell, bailing out of determinePitch() would merely delay the crash.
Marco Peereboom
Comment 7 2011-07-13 11:55:22 PDT
(In reply to comment #6)
> Is this crash reproducible? As far as I can tell, bailing out of determinePitch() would merely delay the crash.

This is trivial to reproduce on OpenBSD with a small number of file descriptors available. In my browser I set the ulimit -n to like 60 and open up a ton of tabs and it'll bomb. I agree though that this patch only makes it a little better and in other cases it'll bomb elsewhere in the font code. Even though this helps, it isn't a fix, so it should be disregarded. What seems to be the root cause is file descriptor starvation, but I have not been able to locate where this cascades into this (and many other similar crashes).
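The reproduction in comment 7 hinges on the process running out of file descriptors, so that whatever opens font files fails and hands a NULL further down the layout path. The following C program, added here as an illustration and not code from this bug, from WebKit or from xxxterm, drives a process into that state: it lowers RLIMIT_NOFILE to 60 (the value from comment 7), then keeps opening a file the way a loader that holds one descriptor per resource would, until open() fails with EMFILE. The file opened (/dev/null), the function names lower_fd_limit and starve_fds and the starve_result struct are assumptions for this example. The point it makes is the one mitz raised: the failure is detectable at the open() call, and a NULL check in determinePitch() is far downstream of where the error actually occurs.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Outcome of the simulated "open one file per resource" loop under a low
 * RLIMIT_NOFILE. (Hypothetical type, not from WebKit.) */
struct starve_result {
    int opened;        /* descriptors successfully opened before the first failure */
    int failed_errno;  /* errno from the first failed open(); EMFILE when starved */
};

/* Lower this process's soft limit on open files to `limit` (clamped to the
 * hard limit). Returns 0 on success, -1 with errno set on failure. */
int lower_fd_limit(rlim_t limit)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (limit > rl.rlim_max)
        limit = rl.rlim_max;
    rl.rlim_cur = limit;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Open `path` up to `max_tries` times, keeping every descriptor, until open()
 * fails. This is the shape of a loader that acquires a file per font or tab
 * and only notices exhaustion when the table is full. All descriptors are
 * closed before returning so the process remains usable afterwards. */
struct starve_result starve_fds(const char *path, int max_tries)
{
    struct starve_result r = { 0, 0 };
    int *fds = calloc((size_t)max_tries, sizeof *fds);
    if (!fds) {
        r.failed_errno = errno;
        return r;
    }

    for (int i = 0; i < max_tries; i++) {
        int fd = open(path, O_RDONLY);
        if (fd < 0) {
            /* This is the point where a loader would start returning NULL
             * (or an empty font) to its callers; the error is visible here. */
            r.failed_errno = errno;
            break;
        }
        fds[r.opened++] = fd;
    }

    for (int i = 0; i < r.opened; i++)
        close(fds[i]);
    free(fds);
    return r;
}

int main(void)
{
    if (lower_fd_limit(60) != 0) {
        perror("setrlimit");
        return 1;
    }
    struct starve_result r = starve_fds("/dev/null", 1000);
    printf("opened %d descriptors, then open() failed: %s\n",
           r.opened,
           r.failed_errno ? strerror(r.failed_errno) : "(no failure)");
    return 0;
}
```

Run as a normal user the program reports something under 60 successful opens (stdin, stdout and stderr already occupy three slots) and then EMFILE. A loader that checks this return value can fail the single resource cleanly; one that ignores it produces exactly the kind of NULL that later surfaces as an unrelated-looking crash in layout code.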
Adrian Perez
Comment 8 2022-04-08 00:23:36 PDT
This bug refers to code that has changed drastically since, and the changes from the patch no longer seem relevant. Let's close this for now =)