Crash in CoreIPC::Connection::sendOutgoingMessage

[renatahodovan]

The failing test:

<html style="-webkit-transform: rotateX(25deg);"> 
    <head>
        <style type="text/css">
            body {font-size: 778px;padding: 160%;}
        </style>
    </head>
    <body>  
        <textarea cols="50%,25%,25%"></textarea>
        <p>Block in inline</p>
        <p>&#x4e00;&#x4e8c;&#x4e09;&#x56db;&#x3041;</p> 

The backtrace:

SHOULD NEVER BE REACHED
/home/reni/Data/REPOS/webkitnix/Source/WebKit2/Platform/CoreIPC/unix/ConnectionUnix.cpp(460) : bool CoreIPC::Connection::sendOutgoingMessage(WTF::PassOwnPtr<CoreIPC::MessageEncoder>)
1   0x7ffff4704f33
2   0x7ffff46a4219
3   0x7ffff44d093b
4   0x7ffff44e1295
5   0x7ffff44e0e26
6   0x7ffff353a9bf
7   0x7ffff469f84c
8   0x7ffff469f891
9   0x7ffff06e9cd5 g_main_context_dispatch
10  0x7ffff06ea018
11  0x7ffff06ea48a g_main_loop_run
12  0x7ffff469ef2e
13  0x7ffff469ef08
14  0x7ffff4717b79
15  0x7ffff473d9b0
16  0x7fffef85ef6e
17  0x7ffff2430e2d clone

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffa3fff700 (LWP 3794)]
0x00007ffff4704f38 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:342
342     *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff4704f38 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff46a4219 in CoreIPC::Connection::sendOutgoingMessage (this=0x849130, encoder=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/Platform/CoreIPC/unix/ConnectionUnix.cpp:460
#2  0x00007ffff44d093b in CoreIPC::Connection::sendOutgoingMessages (this=0x849130)
    at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/Platform/CoreIPC/Connection.cpp:735
#3  0x00007ffff44e1295 in WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>::operator() (this=0x7d1180, c=0x849130)
    at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Functional.h:218
#4  0x00007ffff44e0e26 in WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void (CoreIPC::Connection*)>::operator()() (
    this=0x7d1170) at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Functional.h:496
#5  0x00007ffff353a9bf in WTF::Function<void ()>::operator()() const (this=0x69cb48) at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Functional.h:704
#6  0x00007ffff469f84c in WorkQueue::EventSource::performWork (this=0x69cb40)
    at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/Platform/gtk/WorkQueueGtk.cpp:49
#7  0x00007ffff469f891 in WorkQueue::EventSource::performWorkOnce (eventSource=0x69cb40)
    at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/Platform/gtk/WorkQueueGtk.cpp:55
#8  0x00007ffff06e9cd5 in g_main_dispatch (context=0x9030b0) at gmain.c:3054
#9  g_main_context_dispatch (context=context@entry=0x9030b0) at gmain.c:3630
#10 0x00007ffff06ea018 in g_main_context_iterate (context=0x9030b0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3701
#11 0x00007ffff06ea48a in g_main_loop_run (loop=0x8f8fd0) at gmain.c:3895
#12 0x00007ffff469ef2e in WorkQueue::workQueueThreadBody (this=0x901e50) at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/Platform/gtk/WorkQueueGtk.cpp:173
#13 0x00007ffff469ef08 in WorkQueue::startWorkQueueThread (workQueue=0x901e50)
    at /home/reni/Data/REPOS/webkitnix/Source/WebKit2/Platform/gtk/WorkQueueGtk.cpp:168
#14 0x00007ffff4717b79 in WTF::threadEntryPoint (contextData=0x8fb520) at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Threading.cpp:69
#15 0x00007ffff473d9b0 in WTF::wtfThreadEntryPoint (param=0x8fb3f0) at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/ThreadingPthreads.cpp:195
#16 0x00007fffef85ef6e in start_thread (arg=0x7fffa3fff700) at pthread_create.c:311
#17 0x00007ffff2430e2d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

[lauromoura]

Backtrace for sendMessage() with the problematic message (too much attachments):

(gdb) bt
#0  0x00007ffff235f425 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff2362b8b in __GI_abort () at abort.c:91
#2  0x00007ffff44db946 in CoreIPC::Connection::sendMessage (this=0x858800, encoder=<incomplete type>, messageSendFlags=0) at /home/lauro/dev/nix/nix2/Source/WebKit2/Platform/CoreIPC/Connection.cpp:364
#3  0x00007ffff44f315d in CoreIPC::MessageSender::sendMessage (this=0xbe11b8, encoder=<incomplete type>) at /home/lauro/dev/nix/nix2/Source/WebKit2/Platform/CoreIPC/MessageSender.cpp:39
#4  0x00007ffff46aa0ff in CoreIPC::MessageSender::send<Messages::CoordinatedLayerTreeHostProxy::CommitCoordinatedGraphicsState> (this=0xbe11b8, message=..., destinationID=1) at /home/lauro/dev/nix/nix2/Source/WebKit2/Platform/CoreIPC/MessageSender.h:49
#5  0x00007ffff46a9545 in CoreIPC::MessageSender::send<Messages::CoordinatedLayerTreeHostProxy::CommitCoordinatedGraphicsState> (this=0xbe11b8, message=...) at /home/lauro/dev/nix/nix2/Source/WebKit2/Platform/CoreIPC/MessageSender.h:40
#6  0x00007ffff46a84ea in WebKit::CoordinatedLayerTreeHost::commitSceneState (this=0xbfd260, state=...) at /home/lauro/dev/nix/nix2/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedLayerTreeHost.cpp:366
#7  0x00007ffff361a884 in WebCore::CompositingCoordinator::flushPendingLayerChanges (this=0xbfd370) at /home/lauro/dev/nix/nix2/Source/WebCore/platform/graphics/texmap/coordinated/CompositingCoordinator.cpp:119
#8  0x00007ffff46a8147 in WebKit::CoordinatedLayerTreeHost::performScheduledLayerFlush (this=0xbfd260) at /home/lauro/dev/nix/nix2/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedLayerTreeHost.cpp:314
#9  0x00007ffff46a81f4 in WebKit::CoordinatedLayerTreeHost::layerFlushTimerFired (this=0xbfd260) at /home/lauro/dev/nix/nix2/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedLayerTreeHost.cpp:329
#10 0x00007ffff46ab981 in WebCore::Timer<WebKit::CoordinatedLayerTreeHost>::fired (this=0xbfd2d8) at /home/lauro/dev/nix/nix2/Source/WebCore/platform/Timer.h:114
#11 0x00007ffff3553a2a in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0xbf6050) at /home/lauro/dev/nix/nix2/Source/WebCore/platform/ThreadTimers.cpp:129
#12 0x00007ffff3553917 in WebCore::ThreadTimers::sharedTimerFired () at /home/lauro/dev/nix/nix2/Source/WebCore/platform/ThreadTimers.cpp:105
#13 0x00007ffff3fb136e in WebCore::timeoutCallback () at /home/lauro/dev/nix/nix2/Source/WebCore/platform/nix/SharedTimerNix.cpp:49
#14 0x00007ffff06ebb6b in g_timeout_dispatch (source=source@entry=0xc82a40, callback=<optimized out>, user_data=<optimized out>) at gmain.c:4413
#15 0x00007ffff06eaf55 in g_main_dispatch (context=0x6106f0) at gmain.c:3054
#16 g_main_context_dispatch (context=context@entry=0x6106f0) at gmain.c:3630
#17 0x00007ffff06eb298 in g_main_context_iterate (context=0x6106f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3701
#18 0x00007ffff06eb70a in g_main_loop_run (loop=0x610850) at gmain.c:3895
#19 0x00007ffff3fafc1e in WebCore::RunLoop::run () at /home/lauro/dev/nix/nix2/Source/WebCore/platform/nix/RunLoopNix.cpp:60
#20 0x00007ffff46be920 in WebKit::WebProcessMainNix (argc=2, argv=0x7fffffffd648) at /home/lauro/dev/nix/nix2/Source/WebKit2/WebProcess/nix/WebProcessMainNix.cpp:84
#21 0x000000000040082c in main (argc=2, argv=0x7fffffffd648) at /home/lauro/dev/nix/nix2/Source/WebKit2/nix/MainNix.cpp:30