Summary: | Crash with @font-face embedded fonts [FT_Get_Sfnt_Table, QFreetypeFace::fsType, QFontEngineXLFD::faceId] | ||
---|---|---|---|
Product: | [Applications] konqueror | Reporter: | Rafał Rzepecki <divided.mind> |
Component: | khtml | Assignee: | Konqueror Developers <konq-bugs> |
Status: | RESOLVED UPSTREAM | ||
Severity: | crash | CC: | 924312, adawit, aiacovitti, andresbajotierra, ansla80, arne_bab, cbruner, christiandehne, diazona, fischer, gatoso, groszdanielpub, guido-kdebugs, jjm, kavol, kde, luke-jr+kdebugs, mail, mg, null, wonko |
Priority: | NOR | ||
Version: | 4.4.0 | ||
Target Milestone: | --- | ||
Platform: | Compiled Sources | ||
OS: | Linux | ||
Latest Commit: | | Version Fixed In: | |
Sentry Crash Report: | | | |
Attachments: | New crash information added by DrKonqi; New crash information added by DrKonqi; New crash information added by DrKonqi; Bash script that generates HTML page with @font-face CSS code based on locally installed TrueType fonts; Minor corrections | | |
Description
Rafał Rzepecki
2009-11-19 11:39:33 UTC
The crash seems to be related to FreeType and the Qt library. If you could identify which typography caused the crash, download it and test it on some other font viewer application to see if it also crashes, that would be useful. Thanks

Any news on this? Have you tried what I mentioned? Thanks

*** Bug 229142 has been marked as a duplicate of this bug. ***

Which Qt version are you using? One harfbuzz bug was fixed in Qt 4.6.1, see http://bugreports.qt.nokia.com/browse/QTBUG-6436

https://bugs.kde.org/show_bug.cgi?id=217472

As reported in Bug 229142, it still crashes with Qt 4.6.2.

*** Bug 240753 has been marked as a duplicate of this bug. ***
*** Bug 244990 has been marked as a duplicate of this bug. ***
*** Bug 245818 has been marked as a duplicate of this bug. ***
*** Bug 231588 has been marked as a duplicate of this bug. ***
*** Bug 231583 has been marked as a duplicate of this bug. ***
*** Bug 246658 has been marked as a duplicate of this bug. ***
*** Bug 247091 has been marked as a duplicate of this bug. ***
*** Bug 247893 has been marked as a duplicate of this bug. ***

Valgrind log from rakuco:

```
==12090== Invalid read of size 4
==12090==    at 0x4514EC3: QBasicAtomicInt::ref() (qatomic_i386.h:120)
==12090==    by 0x5773E57: QFreetypeFace::getFace(QFontEngine::FaceId const&) (qfontengine_ft.cpp:210)
==12090==    by 0x576FCC2: fontFile(QByteArray const&, QFreetypeFace**, int*) (qfontengine_x11.cpp:289)
==12090==    by 0x5771B66: QFontEngineXLFD::faceId() const (qfontengine_x11.cpp:693)
==12090==    by 0x57720AF: QFontEngineXLFD::getSfntTableData(unsigned int, unsigned char*, unsigned int*) const (qfontengine_x11.cpp:772)
==12090==    by 0x5690E65: hb_getSFntTable(void*, unsigned int, unsigned char*, unsigned int*) (qfontengine.cpp:164)
==12090==    by 0x4F9EED7: getTableStream(void*, HB_Error (*)(void*, unsigned int, unsigned char*, unsigned int*), unsigned int) (harfbuzz-shaper.cpp:935)
==12090==    by 0x4F9F04F: HB_NewFace (harfbuzz-shaper.cpp:979)
==12090==    by 0x4FA622E: qHBNewFace(void*, HB_Error (*)(void*, unsigned int, unsigned char*, unsigned int*)) (qharfbuzz.cpp:125)
==12090==    by 0x56913B2: QFontEngine::harfbuzzFace() const (qfontengine.cpp:229)
==12090==    by 0x56C89D1: QTextEngine::shapeTextWithHarfbuzz(int) const (qtextengine.cpp:1227)
==12090==    by 0x56C7D18: QTextEngine::shapeText(int) const (qtextengine.cpp:874)
==12090==    by 0x56C9568: QTextEngine::shape(int) const (qtextengine.cpp:1358)
==12090==    by 0x56C7B8F: QTextEngine::shapeLine(QScriptLine const&) (qtextengine.cpp:844)
==12090==    by 0x55A2625: QPainter::drawText(QPointF const&, QString const&, int, int) (qpainter.cpp:5975)
==12090==    by 0x55A1A76: QPainter::drawText(QPointF const&, QString const&) (qpainter.cpp:5811)
==12090==    by 0xD77AEC1: QPainter::drawText(int, int, QString const&) (qpainter.h:957)
==12090==    by 0xD778871: khtml::drawDirectedText(QPainter*, Qt::LayoutDirection, int, int, QString const&) (font.cpp:95)
==12090==    by 0xD778A76: khtml::Font::drawText(QPainter*, int, int, QChar*, int, int, int, int, Qt::LayoutDirection, int, int, QColor, int, int, int) const (font.cpp:148)
==12090==    by 0xD7308B5: khtml::InlineTextBox::paintShadow(QPainter*, khtml::Font const*, int, int, khtml::ShadowData const*) (render_text.cpp:317)
==12090==    by 0xD72FC5D: khtml::InlineTextBox::paint(khtml::RenderObject::PaintInfo&, int, int) (render_text.cpp:178)
==12090==    by 0xD77F0A5: khtml::InlineFlowBox::paint(khtml::RenderObject::PaintInfo&, int, int) (render_line.cpp:874)
==12090==    by 0xD77F0A5: khtml::InlineFlowBox::paint(khtml::RenderObject::PaintInfo&, int, int) (render_line.cpp:874)
==12090==    by 0xD7808FD: khtml::RootInlineBox::paint(khtml::RenderObject::PaintInfo&, int, int) (render_line.cpp:1182)
==12090==    by 0xD72DFE1: khtml::RenderFlow::paintLines(khtml::RenderObject::PaintInfo&, int, int) (render_flow.cpp:389)
==12090==    by 0xD6F8287: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1797)
==12090==    by 0xD6F8123: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1767)
==12090==    by 0xD6F8D72: khtml::RenderBlock::paintFloats(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1901)
==12090==    by 0xD6F8371: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1806)
==12090==    by 0xD6F8123: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1767)
==12090==    by 0xD6F8304: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1801)
==12090==    by 0xD6F8123: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1767)
==12090==    by 0xD6F8304: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1801)
==12090==    by 0xD6F8123: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1767)
==12090==    by 0xD6F8304: khtml::RenderBlock::paintObject(khtml::RenderObject::PaintInfo&, int, int, bool) (render_block.cpp:1801)
==12090==    by 0xD6F8123: khtml::RenderBlock::paint(khtml::RenderObject::PaintInfo&, int, int) (render_block.cpp:1767)
==12090==    by 0xD73A42B: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1107)
==12090==    by 0xD73A68B: khtml::RenderLayer::paintLayer(khtml::RenderLayer*, QPainter*, QRect const&, bool) (render_layer.cpp:1134)
==12090==    by 0xD739BB1: khtml::RenderLayer::paint(QPainter*, QRect const&, bool) (render_layer.cpp:1001)
==12090==    by 0xD5971D9: KHTMLView::paintEvent(QPaintEvent*) (khtmlview.cpp:929)
==12090==    by 0x54810E5: QWidget::event(QEvent*) (qwidget.cpp:8306)
==12090==    by 0x58E08AF: QFrame::event(QEvent*) (qframe.cpp:557)
==12090==    by 0xD59E529: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2362)
==12090==    by 0xD59DEEE: KHTMLView::eventFilter(QObject*, QEvent*) (khtmlview.cpp:2207)
==12090==    by 0x5029092: QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (qcoreapplication.cpp:847)
==12090==    by 0x5420AB7: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4395)
==12090==    by 0x5420811: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4364)
==12090==    by 0x49DD891: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:310)
==12090==    by 0x5028DBA: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:732)
==12090==    by 0x542397C: QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) (in /home/rakuco/kde4/qt4/lib/libQtGui.so.4.7.0)
==12090==  Address 0x3c9198ac is 2,092 bytes inside a block of size 2,104 free'd
==12090==    at 0x40237AC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==12090==    by 0x577466B: QFreetypeFace::release(QFontEngine::FaceId const&) (qfontengine_ft.cpp:320)
==12090==    by 0x577018C: QFontEngineXLFD::~QFontEngineXLFD() (qfontengine_x11.cpp:346)
==12090==    by 0x577022C: QFontEngineXLFD::~QFontEngineXLFD() (qfontengine_x11.cpp:348)
==12090==    by 0x5695952: QFontEngineMulti::~QFontEngineMulti() (qfontengine.cpp:1282)
==12090==    by 0x576E580: QFontEngineMultiXLFD::~QFontEngineMultiXLFD() (qfontengine_x11.cpp:115)
==12090==    by 0x576E5E6: QFontEngineMultiXLFD::~QFontEngineMultiXLFD() (qfontengine_x11.cpp:116)
==12090==    by 0x568C838: QFontCache::clear() (qfont.cpp:2704)
==12090==    by 0x56A6D66: QFontDatabasePrivate::invalidate() (qfontdatabase.cpp:689)
==12090==    by 0x56B1B31: QFontDatabasePrivate::addAppFont(QByteArray const&, QString const&) (qfontdatabase.cpp:2516)
==12090==    by 0x56B1E00: QFontDatabase::addApplicationFontFromData(QByteArray const&) (qfontdatabase.cpp:2579)
==12090==    by 0xD7DE25B: DOM::CSSFontFaceSource::notifyFinished(khtml::CachedObject*) (css_webfont.cpp:92)
==12090==    by 0xD7E3BB7: khtml::CachedFont::checkNotify() (loader.cpp:877)
==12090==    by 0xD7E3AC6: khtml::CachedFont::data(QBuffer&, bool) (loader.cpp:869)
==12090==    by 0xD7E5F1C: khtml::Loader::slotFinished(KJob*) (loader.cpp:1244)
==12090==    by 0xD7E85B9: khtml::Loader::qt_metacall(QMetaObject::Call, int, void**) (loader.moc:141)
==12090==    by 0x503044D: QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) (qmetaobject.cpp:237)
==12090==    by 0x504337C: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3272)
==12090==    by 0x4D55D7D: KJob::result(KJob*) (kjob.moc:194)
==12090==    by 0x4D5538C: KJob::emitResult() (kjob.cpp:312)
==12090==    by 0x4342D7A: KIO::SimpleJob::slotFinished() (job.cpp:522)
==12090==    by 0x4345DDA: KIO::TransferJob::slotFinished() (job.cpp:1111)
==12090==    by 0x434CFE7: KIO::TransferJob::qt_metacall(QMetaObject::Call, int, void**) (jobclasses.moc:367)
==12090==    by 0x503044D: QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) (qmetaobject.cpp:237)
==12090==    by 0x504337C: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3272)
==12090==    by 0x43EB988: KIO::SlaveInterface::finished() (slaveinterface.moc:171)
==12090==    by 0x43E90DB: KIO::SlaveInterface::dispatch(int, QByteArray const&) (slaveinterface.cpp:175)
==12090==    by 0x43E8D7D: KIO::SlaveInterface::dispatch() (slaveinterface.cpp:91)
==12090==    by 0x43DF099: KIO::Slave::gotInput() (slave.cpp:344)
==12090==    by 0x43E0165: KIO::Slave::qt_metacall(QMetaObject::Call, int, void**) (slave.moc:82)
==12090==    by 0x503044D: QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) (qmetaobject.cpp:237)
==12090==    by 0x504337C: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (qobject.cpp:3272)
==12090==    by 0x4314EE6: KIO::Connection::readyRead() (connection.moc:92)
==12090==    by 0x4311C87: KIO::ConnectionPrivate::dequeue() (connection.cpp:82)
==12090==    by 0x4314E73: KIO::Connection::qt_metacall(QMetaObject::Call, int, void**) (connection.moc:79)
==12090==    by 0x503044D: QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) (qmetaobject.cpp:237)
==12090==    by 0x503E48C: QMetaCallEvent::placeMetaCall(QObject*) (qobject.cpp:534)
==12090==    by 0x503F510: QObject::event(QEvent*) (qobject.cpp:1211)
==12090==    by 0x5420ADB: QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4399)
==12090==    by 0x541E387: QApplication::notify(QObject*, QEvent*) (qapplication.cpp:3801)
==12090==    by 0x49DD891: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:310)
==12090==    by 0x5028DBA: QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:732)
==12090==    by 0x502C6A8: QCoreApplication::sendEvent(QObject*, QEvent*) (in /home/rakuco/kde4/qt4/lib/libQtCore.so.4.7.0)
==12090==    by 0x5029E53: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1373)
==12090==    by 0x5029B10: QCoreApplication::sendPostedEvents(QObject*, int) (qcoreapplication.cpp:1266)
==12090==    by 0x505DA81: QCoreApplication::sendPostedEvents() (qcoreapplication.h:220)
==12090==    by 0x505CB95: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:277)
==12090==    by 0x66C0F71: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.2400.1)
==12090==    by 0x66C174F: g_main_context_iterate (in /usr/lib/libglib-2.0.so.0.2400.1)
==12090==    by 0x66C1A03: g_main_context_iteration (in /usr/lib/libglib-2.0.so.0.2400.1)
```

*** Bug 250209 has been marked as a duplicate of this bug. ***

I'm getting the same backtrace (up to FT_Get_Sfnt_Table) in akregator. KDE 4.5.1 (gentoo portage build), freetype 2.4.2, Qt 4.6.3

*** Bug 257034 has been marked as a duplicate of this bug. ***
*** Bug 257735 has been marked as a duplicate of this bug. ***
*** Bug 257299 has been marked as a duplicate of this bug. ***

Created attachment 54093 [details]
New crash information added by DrKonqi
konqueror (4.5.4 (KDE 4.5.4)) on KDE Platform 4.5.4 (KDE 4.5.4) using Qt 4.7.0
- What I was doing when the application crashed:
Had just clicked a link to a site in the same domain. This particular website has a problem with rendering fonts: none of the fonts there are smoothed at all.
This seems to be a random segfault, as I had browsed this website for days without crashes.
Using Arch-based Chakra Jaz.
-- Backtrace (Reduced):

```
#6 0x00007f53a4bb98ad in QFreetypeFace::getSfntTable (this=<value optimized out>, tag=1195656518, buffer=0x0, length=0x7fff9320c5dc) at text/qfontengine_ft.cpp:412
#7 0x00007f53a4bb3531 in QFontEngineXLFD::getSfntTableData (this=0x8488780, tag=1195656518, buffer=<value optimized out>, length=<value optimized out>) at text/qfontengine_x11.cpp:775
#8 0x00007f53a4adcd1a in hb_getSFntTable (font=<value optimized out>, tableTag=<value optimized out>, buffer=<value optimized out>, length=<value optimized out>) at text/qfontengine.cpp:164
#9 0x00007f53a57107b0 in getTableStream (font=0x8488780, tableFunc=0x7f53a4adcd10 <hb_getSFntTable>, tag=1195656518) at ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:935
#10 0x00007f53a5711d88 in HB_NewFace (font=0x8488780, tableFunc=0x7f53a4adcd10 <hb_getSFntTable>) at ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:979
```
Created attachment 54162 [details]
New crash information added by DrKonqi
konqueror (4.5.4 (KDE 4.5.4)) on KDE Platform 4.5.4 (KDE 4.5.4) using Qt 4.7.0
- What I was doing when the application crashed:
I opened 5 tabs in a row from my RSS reader. Nothing special about my setup.
Using Arch-based Chakra
-- Backtrace (Reduced):

```
#6 0x00007f3898c87cd0 in FT_Get_Sfnt_Table () from /usr/lib/libfreetype.so.6
#7 0x00007f389cb2a251 in QFreetypeFace::fsType (this=<value optimized out>) at text/qfontengine_ft.cpp:170
#8 0x00007f389cb26ff7 in QFontEngineXLFD::faceId (this=0x9ac0750) at text/qfontengine_x11.cpp:697
#9 0x00007f389cb24557 in QFontEngineXLFD::getSfntTableData (this=0x9ac0750, tag=1195656518, buffer=<value optimized out>, length=<value optimized out>) at text/qfontengine_x11.cpp:772
#10 0x00007f389ca4dd1a in hb_getSFntTable (font=<value optimized out>, tableTag=<value optimized out>, buffer=<value optimized out>, length=<value optimized out>) at text/qfontengine.cpp:164
```
*** Bug 259240 has been marked as a duplicate of this bug. ***
*** Bug 264311 has been marked as a duplicate of this bug. ***
*** Bug 270341 has been marked as a duplicate of this bug. ***
*** Bug 273089 has been marked as a duplicate of this bug. ***

Created attachment 60554 [details]
New crash information added by DrKonqi
konqueror (4.6.2 (4.6.2)) on KDE Platform 4.6.2 (4.6.2) using Qt 4.7.2
- What I was doing when the application crashed:
konqueror crashed on closing a tab with this page: http://www.fontonic.com/download.asp?id=6010 (not replicable; however, since it deals with fonts, it may give some clue ...)
-- Backtrace (Reduced):

```
#6 FT_Get_Sfnt_Table (face=0x1, tag=ft_sfnt_os2) at /var/tmp/portage/media-libs/freetype-2.4.4/work/freetype-2.4.4/src/base/ftobjs.c:3553
#7 0x00007fdb26dbd171 in QFreetypeFace::fsType (this=<value optimized out>) at text/qfontengine_ft.cpp:169
#8 0x00007fdb26dbad62 in QFontEngineXLFD::faceId (this=0x22eb9c0) at text/qfontengine_x11.cpp:697
#9 0x00007fdb26dbae77 in QFontEngineXLFD::getSfntTableData (this=0x22eb9c0, tag=1195656518, buffer=<value optimized out>, length=<value optimized out>) at text/qfontengine_x11.cpp:772
#10 0x00007fdb26cf00ba in hb_getSFntTable (font=0x1, tableTag=2, buffer=0x1 <Address 0x1 out of bounds>, length=0x5) at text/qfontengine.cpp:163
```

*** Bug 276654 has been marked as a duplicate of this bug. ***
*** Bug 277426 has been marked as a duplicate of this bug. ***

The following site appears to trigger this crash every single time: http://www.bimmerpost.com/ (Just tested with KDE 4.7.0 and Qt 4.7.3.)

(In reply to comment #29)
> The following site appears to trigger this crash every single time:
> http://www.bimmerpost.com/
>
> (Just tested with KDE 4.7.0 and Qt 4.7.3.)

Can't reproduce here on a similar setup.

(In reply to comment #30)
> (In reply to comment #29)
> > The following site appears to trigger this crash every single time:
> > http://www.bimmerpost.com/
> >
> > (Just tested with KDE 4.7.0 and Qt 4.7.3.)
>
> Can't reproduce here on similar setup.

I can, with KDE SC 4.7.0, Qt 4.7.3 and freetype 2.4.6 on amd64. Running with valgrind --track-origin=yes I get the following right before the crash; looks like a double free:

```
==10309== Invalid read of size 4
==10309==    at 0x82084B8: QFreetypeFace::release(QFontEngine::FaceId const&) (qatomic_x86_64.h:133)
==10309==    by 0x82012CD: QFontEngineXLFD::~QFontEngineXLFD() (qfontengine_x11.cpp:346)
==10309==    by 0x8201368: QFontEngineXLFD::~QFontEngineXLFD() (qfontengine_x11.cpp:348)
==10309==    by 0x813E7B8: QFontEngineMulti::~QFontEngineMulti() (qfontengine.cpp:1306)
==10309==    by 0x82023C8: QFontEngineMultiXLFD::~QFontEngineMultiXLFD() (qfontengine_x11.cpp:116)
==10309==    by 0x8136C50: QFontCache::clear() (qfont.cpp:2704)
==10309==    by 0x814D07B: QFontDatabasePrivate::invalidate() (qfontdatabase.cpp:691)
==10309==    by 0x8157339: QFontDatabasePrivate::addAppFont(QByteArray const&, QString const&) (qfontdatabase.cpp:2518)
==10309==    by 0x815750A: QFontDatabase::addApplicationFontFromData(QByteArray const&) (qfontdatabase.cpp:2585)
==10309==    by 0x1AF6A69F: DOM::CSSFontFaceSource::notifyFinished(khtml::CachedObject*) (css_webfont.cpp:92)
==10309==    by 0x1AF6F14E: khtml::CachedFont::checkNotify() (loader.cpp:877)
==10309==    by 0x1AF6F331: khtml::CachedFont::data(QBuffer&, bool) (loader.cpp:869)
==10309==  Address 0x12cb11b0 is 2,304 bytes inside a block of size 2,331 free'd
==10309==    at 0x4C27F6C: free (vg_replace_malloc.c:366)
==10309==    by 0x1BA539CC: WTF::Vector<unsigned char, 0ul>::resize(unsigned long) (Vector.h:635)
==10309==    by 0x1BA531CA: KJS::CodeGen::emitOp(KJS::CompileState*, KJS::OpName, KJS::OpValue*, KJS::OpValue*, KJS::OpValue*, KJS::OpValue*, KJS::OpValue*) (opcodes.cpp.in:331)
==10309==    by 0x1BA60BA1: KJS::FuncExprNode::generateEvalCode(KJS::CompileState*) (nodes2bytecode.cpp:980)
==10309==    by 0x1BA5FC2D: KJS::AssignExprNode::generateEvalCode(KJS::CompileState*) (nodes2bytecode.cpp:1078)
==10309==    by 0x1BA6AF00: KJS::VarDeclNode::generateCode(KJS::CompileState*) (nodes2bytecode.cpp:1099)
==10309==    by 0x1BA6BFCB: KJS::VarDeclListNode::generateEvalCode(KJS::CompileState*) (nodes2bytecode.cpp:1116)
==10309==    by 0x1BA64EFF: KJS::VarStatementNode::generateExecCode(KJS::CompileState*) (nodes2bytecode.cpp:1124)
==10309==    by 0x1BA5F78C: KJS::SourceElementsNode::generateExecCode(KJS::CompileState*) (nodes2bytecode.cpp:993)
==10309==    by 0x1BA67C9B: KJS::FunctionBodyNode::generateExecCode(KJS::CompileState*) (nodes2bytecode.cpp:1581)
==10309==    by 0x1BA1567D: KJS::FunctionBodyNode::compile(KJS::CodeType, KJS::CompileType) (nodes.cpp:947)
==10309==    by 0x1BA3D44A: KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) (function.cpp:150)
```

Have not seen the FT_Get_Sfnt_Table crash here yet, after a rebuild of current trunk with:
Qt 4.8 (git://anongit.kde.org/qt branch "4.8")
Freetype 2.4.6

Have tried all of the links quoted here and in duplicate bugs; the only one that fails is the "200 lines kernel patch" one, which seems to be a different crash.

*** Bug 281350 has been marked as a duplicate of this bug. ***
*** Bug 281912 has been marked as a duplicate of this bug. ***

I just want to contribute my backtrace. It differs from the previous ones in that it contains source code filenames and lines like #26, but uses a more recent FreeType version (2.4.6). My crash happened in Konqueror/KDE 4.6.5 using Qt 4.7.3 on Gentoo Linux.

```
Thread 1 (Thread 0xb58b3710 (LWP 4145)):
[KCrash Handler]
#7 FT_Get_Sfnt_Table (face=0x6, tag=ft_sfnt_os2) at /var/tmp/portage/media-libs/freetype-2.4.6/work/freetype-2.4.6/src/base/ftobjs.c:3565
#8 0xb6662d7a in QFreetypeFace::fsType (this=0xbf669b8) at text/qfontengine_ft.cpp:169
#9 0xb6660c1f in QFontEngineXLFD::faceId (this=0xc65ad28) at text/qfontengine_x11.cpp:697
#10 0xb665ddfe in QFontEngineXLFD::getSfntTableData (this=0xc65ad28, tag=1195656518, buffer=0x0, length=0xbfc5ffcc) at text/qfontengine_x11.cpp:772
#11 0xb65758ad in hb_getSFntTable (font=0xc65ad28, tableTag=1195656518, buffer=0x0, length=0xbfc5ffcc) at text/qfontengine.cpp:163
#12 0xb6dd6e3c in getTableStream (font=0xc65ad28, tableFunc=<value optimized out>, tag=1195656518) at ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:935
#13 0xb6dd6f3b in HB_NewFace (font=0xc65ad28, tableFunc=0xb6575887 <hb_getSFntTable(void*, HB_Tag, HB_Byte*, HB_UInt*)>) at ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:979
#14 0xb6ddcfbd in qHBNewFace (font=0xc65ad28, tableFunc=0xb6575887 <hb_getSFntTable(void*, HB_Tag, HB_Byte*, HB_UInt*)>) at tools/qharfbuzz.cpp:125
#15 0xb657759f in QFontEngine::harfbuzzFace (this=0xc65ad28) at text/qfontengine.cpp:228
#16 0xb65b0fcd in QTextEngine::shapeTextWithHarfbuzz (this=0xbfc60a88, item=0) at text/qtextengine.cpp:1246
#17 0xb65b1c78 in QTextEngine::shapeText (this=0xbfc60a88, item=0) at text/qtextengine.cpp:874
#18 0xb65b2189 in QTextEngine::shape (this=0xbfc60a88, item=0) at text/qtextengine.cpp:1381
#19 0xb65b5f34 in QTextEngine::shapeLine (this=0xbfc60a88, line=...) at text/qtextengine.cpp:844
#20 0xb647eec6 in QPainter::drawText (this=0xbfc6462c, p=..., str=..., tf=0, justificationPadding=0) at painting/qpainter.cpp:5992
#21 0xb647f752 in QPainter::drawText (this=0xbfc6462c, p=..., str=...) at painting/qpainter.cpp:5820
#22 0xae25e3e3 in QPainter::drawText(int, int, QString const&) () from /usr/lib/libkhtml.so.5
#23 0xae25c92b in khtml::drawDirectedText (p=0xbfc6462c, d=<value optimized out>, x=368, y=405, str=...) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/font.cpp:95
#24 0xae25d247 in khtml::Font::drawText (this=0xc48c640, p=0xbfc6462c, x=368, y=405, str=0xc1efeb8, slen=29, pos=0, len=29, toAdd=0, d=Qt::LeftToRight, from=-1, to=-1, bg=..., uy=-1, h=-1, deco=0) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/font.cpp:148
#25 0xae21efea in khtml::InlineTextBox::paint (this=0xb2986d4, i=..., tx=368, ty=372) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_text.cpp:181
#26 0xae260521 in khtml::InlineFlowBox::paint (this=0xb298714, i=..., tx=368, ty=372) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_line.cpp:874
#27 0xae260656 in khtml::RootInlineBox::paint (this=0xb298714, i=..., tx=368, ty=372) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_line.cpp:1182
#28 0xae219148 in khtml::RenderFlow::paintLines (this=0xaed5aa4, i=..., _tx=368, _ty=372) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_flow.cpp:389
#29 0xae1ebe55 in khtml::RenderBlock::paintObject (this=0xaed5aa4, pI=..., _tx=368, _ty=372, shouldPaintOutline=true) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_block.cpp:1797
#30 0xae1ec176 in khtml::RenderBlock::paint (this=0xaed5aa4, pI=..., _tx=368, _ty=372) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_block.cpp:1767
#31 0xae1e6791 in khtml::RenderBlock::paintFloats (this=0xaed59b0, pI=..., _tx=368, _ty=366, paintSelection=false) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_block.cpp:1901
#32 0xae1ec0aa in khtml::RenderBlock::paintObject (this=0xaed59b0, pI=..., _tx=368, _ty=366, shouldPaintOutline=true) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_block.cpp:1806
#33 0xae1ec176 in khtml::RenderBlock::paint (this=0xaed59b0, pI=..., _tx=368, _ty=366) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_block.cpp:1767
#34 0xae224636 in khtml::RenderLayer::paintLayer (this=0xaed5a34, rootLayer=0xaece018, p=0xbfc6462c, paintDirtyRect=..., selectionOnly=false) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_layer.cpp:1124
#35 0xae22435b in khtml::RenderLayer::paintLayer (this=0xaece10c, rootLayer=0xaece018, p=0xbfc6462c, paintDirtyRect=..., selectionOnly=false) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_layer.cpp:1145
#36 0xae2243c8 in khtml::RenderLayer::paintLayer (this=0xaece018, rootLayer=0xaece018, p=0xbfc6462c, paintDirtyRect=..., selectionOnly=false) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_layer.cpp:1151
#37 0xae2249a0 in khtml::RenderLayer::paint (this=0xaece018, p=0xbfc6462c, damageRect=..., selectionOnly=<value optimized out>) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/rendering/render_layer.cpp:1018
#38 0xae0b2c61 in KHTMLView::paintEvent (this=0xb3cbf68, e=0xbfc64d34) at /var/tmp/portage/kde-base/kdelibs-4.6.5-r1/work/kdelibs-4.6.5/khtml/khtmlview.cpp:917
#39 0xb635b9a1 in QWidget::event (this=0xb3cbf68, event=0xbfc64d34) at kernel/qwidget.cpp:8405
#40 0xb679fafa in QFrame::event (this=0xb3cbf68, e=0xbfc64d34) at widgets/qframe.cpp:557
```

Created attachment 63697 [details]
Bash script that generates HTML page with @font-face CSS code based on locally installed TrueType fonts
To gather more information on this bug, I wrote a small shell script that, based on the TTF files you have installed on your system (/usr/local/share/fonts and /usr/share/fonts), creates an HTML page with CSS code using @font-face.
It does not crash my Konqueror reliably, but slows it down considerably (having 50+ fonts), so it may be used for profiling. Maybe it can be developed further to generate HTML/CSS code that makes Konqueror crash in a reproducible way.
Created attachment 63698 [details]
Minor corrections
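One way to build such a page, as an added example in the spirit of the attached script (this is not the attachment itself, and the function names are mine): it lists the .ttf files under the directories given on its command line, emits one @font-face rule per font pointing at a file:// URL, and renders a sample paragraph in each face so every declared font is actually loaded and shaped.

```shell
#!/bin/sh
# Reproduction/profiling aid modelled on the attachment described in the bug
# comment (added example, not the script attached to the report): build an HTML
# page with one @font-face rule per TrueType font found under the given
# directories and render a sample line in each face.

# Percent-encode the characters that could terminate a CSS url('...') string or
# the enclosing <style> element when a font path contains them.
url_escape() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e "s/'/%27/g" -e 's/"/%22/g' \
        -e 's/</%3C/g' -e 's/>/%3E/g' -e 's/ /%20/g' -e 's/\\/%5C/g'
}

# Escape a string for use inside an HTML text node.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Derive a CSS family name from a font path: the basename without its .ttf
# extension, with anything outside [A-Za-z0-9_] replaced by '_' so the name
# needs no further quoting or escaping in either CSS or HTML.
family_from_path() {
    base=$(basename "$1")
    base=${base%.[Tt][Tt][Ff]}
    printf '%s' "$base" | tr -c 'A-Za-z0-9_' '_'
}

# List the .ttf/.TTF files under the given directories, one per line, sorted.
# Directories that do not exist are skipped rather than aborting the run.
list_ttf_fonts() {
    for dir in "$@"; do
        [ -d "$dir" ] && find "$dir" -type f \( -name '*.ttf' -o -name '*.TTF' \)
    done | sort
}

# Number of fonts the page would reference; useful for sizing a profiling run.
count_ttf_fonts() {
    fonts=$(list_ttf_fonts "$@")
    [ -n "$fonts" ] || { echo 0; return; }
    printf '%s\n' "$fonts" | wc -l | tr -d ' '
}

# Write the complete page to stdout. Arguments: one or more font directories.
generate_fontface_page() {
    fonts=$(list_ttf_fonts "$@")
    printf '<!DOCTYPE html>\n<html><head><meta charset="utf-8">\n'
    printf '<title>@font-face stress page</title>\n<style>\n'
    printf '%s\n' "$fonts" | while IFS= read -r font; do
        [ -n "$font" ] || continue
        fam=$(family_from_path "$font")
        printf "@font-face { font-family: '%s'; src: url('file://%s') format('truetype'); }\n" \
            "$fam" "$(url_escape "$font")"
    done
    printf '</style></head><body>\n'
    printf '<p>%s TrueType fonts declared via @font-face.</p>\n' "$(count_ttf_fonts "$@")"
    # One paragraph per face forces the engine to load and shape every font.
    printf '%s\n' "$fonts" | while IFS= read -r font; do
        [ -n "$font" ] || continue
        fam=$(family_from_path "$font")
        printf "<p style=\"font-family: '%s'; font-size: 18px\">%s: The quick brown fox jumps over the lazy dog 0123456789 (%s)</p>\n" \
            "$fam" "$fam" "$(html_escape "$font")"
    done
    printf '</body></html>\n'
}

# Stand-alone use: pass the font trees to scan, e.g.
#   sh fontface-page.sh /usr/share/fonts /usr/local/share/fonts > page.html
if [ "$#" -gt 0 ]; then
    generate_fontface_page "$@"
fi
```

Open the resulting page in the browser under test (or under valgrind) to profile @font-face handling with as many local faces as the system provides.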
(In reply to comment #37)
> Created an attachment (id=63697) [details]
> Bash script that generates HTML page with @font-face CSS code based on locally
> installed TrueType fonts
>
> To gather more information on this bug, I wrote a small shell script that, based
> on the TTF files you have installed on your system (/usr/local/share/fonts and
> /usr/share/fonts), creates an HTML page with CSS code using @font-face.
> It does not crash my Konqueror reliably, but slows it down considerably (having
> 50+ fonts), so it may be used for profiling. Maybe it can be developed further
> to generate HTML/CSS code that makes Konqueror crash in a reproducible way.

I can confirm this for the webkit browser engine too. It is very, very slow in rendering the generated page compared to both Firefox and Chromium.

*** Bug 282699 has been marked as a duplicate of this bug. ***
*** Bug 282442 has been marked as a duplicate of this bug. ***
*** Bug 287225 has been marked as a duplicate of this bug. ***

This to me entirely seems to be an upstream issue, both the crash and the issue reported in comment #37. The crash no longer seems to be reproducible in Qt 4.8, as reported in comment #33. And I can confirm the very slow rendering of the HTML generated using the script from comment #37 with Qt 4.8, though it is much better than it was with Qt 4.7.4. Can anyone else confirm whether or not the original crash reported is gone in Qt 4.8 and KDE 4.8?

With Qt 4.8 and KDE 4.8.1, I haven't been able to reproduce this crash yet, and I would have expected to hit it by now. However, I did run into another crash on phoronix.com (different backtrace), which is where (IIRC) I could most reliably reproduce this crash. I filed #295572 for this.

(In reply to comment #44)
> With Qt 4.8 and KDE 4.8.1, I haven't been able to reproduce this crash yet,
> and I would have expected to hit it by now. However, I did run into another
> crash on phoronix.com (different backtrace), which is where (IIRC) I could
> most reliably reproduce this crash. I filed #295572 for this.

Then reassigning this back to khtml. Let's close this as fixed upstream.