300412 2025-10-08 14:53:43 -0700 [Win] Regression - crashing while drawing text blob 2025-10-10 11:53:11 -0700 1 1 1 Unclassified WebKit New Bugs WebKit Nightly Build PC Windows 11 RESOLVED FIXED InRadar P2 Normal --- 1 ian.grunert cgarcia cgarcia webkit-bug-importer oldest_to_newest 2149563 0 ian.grunert 2025-10-08 14:53:43 -0700 Crashing on main https://commits.webkit.org/301218@main Bisected the issue to this commit: https://commits.webkit.org/300818@main Exception thrown at 0x00007FF8B4131C1C (WebCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF. Stack trace: > WebCore.dll!SkCanvas::drawTextBlob(const SkTextBlob * blob, float x, float y, const SkPaint & paint) Line 2565 C++ [Inline Frame] WebCore.dll!SkCanvas::drawTextBlob(const sk_sp<SkTextBlob> & blob, float x, float y, const SkPaint & paint) Line 2029 C++ WebCore.dll!WebCore::GraphicsContextSkia::drawSkiaText(const sk_sp<SkTextBlob> & blob, float x, float y, bool enableAntialias, bool isVertical) Line 1127 C++ [Inline Frame] WebCore.dll!WebCore::DisplayList::DrawGlyphs::apply(WebCore::GraphicsContext & context) Line 285 C++ [Inline Frame] WebCore.dll!WebCore::DisplayList::applyItem::<lambda_1>::operator()(const WebCore::DisplayList::DrawGlyphs & item) Line 43 C++ [Inline Frame] WebCore.dll!mpark::lib::cpp17::detail::invoke(WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'> && args, const WebCore::DisplayList::DrawGlyphs &) Line 696 C++ [Inline Frame] WebCore.dll!mpark::lib::cpp17::invoke(WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'> && args, const WebCore::DisplayList::DrawGlyphs &) Line 704 C++ [Inline Frame] WebCore.dll!mpark::detail::visitation::variant::visit_exhaustiveness_check<WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'>,const WebCore::DisplayList::DrawGlyphs &>::invoke(WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'> && values, const WebCore::DisplayList::DrawGlyphs &) Line 1597 C++ [Inline Frame] WebCore.dll!mpark::detail::visitation::variant::value_visitor<WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'>>::operator()(const mpark::detail::alt<18,WebCore::DisplayList::DrawGlyphs> & alts) Line 1607 C++ [Inline Frame] WebCore.dll!mpark::lib::cpp17::detail::invoke(mpark::detail::visitation::variant::value_visitor<WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'>> && args, const mpark::detail::alt<18,WebCore::DisplayList::DrawGlyphs> &) Line 696 C++ [Inline Frame] WebCore.dll!mpark::lib::cpp17::invoke(mpark::detail::visitation::variant::value_visitor<WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'>> && args, const mpark::detail::alt<18,WebCore::DisplayList::DrawGlyphs> &) Line 704 C++ [Inline Frame] WebCore.dll!mpark::detail::visitation::base::visit_return_type_check<void,void>::invoke(mpark::detail::visitation::variant::value_visitor<WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'>> && alts, const mpark::detail::alt<18,WebCore::DisplayList::DrawGlyphs> &) Line 1212 C++ WebCore.dll!mpark::detail::visitation::base::make_fmatrix_impl<mpark::detail::visitation::variant::value_visitor<WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'>> &&,const mpark::detail::base<1,WebCore::DisplayList::ApplyDeviceScaleFactor,WebCore::DisplayList::BeginTransparencyLayer,WebCore::DisplayList::BeginTransparencyLayerWithCompositeMode,WebCore::DisplayList::ClearRect,WebCore::DisplayList::Clip,WebCore::DisplayList::ClipRoundedRect,WebCore::DisplayList::ClipOut,WebCore::DisplayList::ClipOutRoundedRect,WebCore::DisplayList::ClipOutToPath,WebCore::DisplayList::ClipPath,WebCore::DisplayList::ClipToImageBuffer,WebCore::DisplayList::ConcatenateCTM,WebCore::DisplayList::DrawControlPart,WebCore::DisplayList::DrawDotsForDocumentMarker,WebCore::DisplayList::DrawEllipse,WebCore::DisplayList::DrawFilteredImageBuffer,WebCore::DisplayList::DrawFocusRingPath,WebCore::DisplayList::DrawFocusRingRects,WebCore::DisplayList::DrawGlyphs,WebCore::DisplayList::DrawDisplayList,WebCore::DisplayList::DrawPlaceholder,WebCore::DisplayList::DrawImageBuffer,WebCore::DisplayList::DrawLine,WebCore::DisplayList::DrawLinesForText,WebCore::DisplayList::DrawNativeImage,WebCore::DisplayList::DrawPath,WebCore::DisplayList::DrawPatternNativeImage,WebCore::DisplayList::DrawPatternImageBuffer,WebCore::DisplayList::DrawRect,WebCore::DisplayList::DrawSystemImage,WebCore::DisplayList::EndTransparencyLayer,WebCore::DisplayList::FillCompositedRect,WebCore::DisplayList::FillEllipse,WebCore::DisplayList::FillPath,WebCore::DisplayList::FillRect,WebCore::DisplayList::FillRectWithColor,WebCore::DisplayList::FillRectWithGradient,WebCore::DisplayList::FillRectWithGradientAndSpaceTransform,WebCore::DisplayList::FillRectWithRoundedHole,WebCore::DisplayList::FillRoundedRect,WebCore::DisplayList::ResetClip,WebCore::DisplayList::Restore,WebCore::DisplayList::Rotate,WebCore::DisplayList::Save,WebCore::DisplayList::Scale,WebCore::DisplayList::SetCTM,WebCore::DisplayList::SetInlineFillColor,WebCore::DisplayList::SetInlineStroke,WebCore::DisplayList::SetLineCap,WebCore::DisplayList::SetLineDash,WebCore::DisplayList::SetLineJoin,WebCore::DisplayList::SetMiterLimit,WebCore::DisplayList::SetState,WebCore::DisplayList::StrokeEllipse,WebCore::DisplayList::StrokePath,WebCore::DisplayList::StrokeRect,WebCore::DisplayList::Translate,WebCore::DisplayList::BeginPage,WebCore::DisplayList::EndPage,WebCore::DisplayList::SetURLForRect> &>::dispatch<18>(mpark::detail::visitation::variant::value_visitor<WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'>> && f, const mpark::detail::base<1,WebCore::DisplayList::ApplyDeviceScaleFactor,WebCore::DisplayList::BeginTransparencyLayer,WebCore::DisplayList::BeginTransparencyLayerWithCompositeMode,WebCore::DisplayList::ClearRect,WebCore::DisplayList::Clip,WebCore::DisplayList::ClipRoundedRect,WebCore::DisplayList::ClipOut,WebCore::DisplayList::ClipOutRoundedRect,WebCore::DisplayList::ClipOutToPath,WebCore::DisplayList::ClipPath,WebCore::DisplayList::ClipToImageBuffer,WebCore::DisplayList::ConcatenateCTM,WebCore::DisplayList::DrawControlPart,WebCore::DisplayList::DrawDotsForDocumentMarker,WebCore::DisplayList::DrawEllipse,WebCore::DisplayList::DrawFilteredImageBuffer,WebCore::DisplayList::DrawFocusRingPath,WebCore::DisplayList::DrawFocusRingRects,WebCore::DisplayList::DrawGlyphs,WebCore::DisplayList::DrawDisplayList,WebCore::DisplayList::DrawPlaceholder,WebCore::DisplayList::DrawImageBuffer,WebCore::DisplayList::DrawLine,WebCore::DisplayList::DrawLinesForText,WebCore::DisplayList::DrawNativeImage,WebCore::DisplayList::DrawPath,WebCore::DisplayList::DrawPatternNativeImage,WebCore::DisplayList::DrawPatternImageBuffer,WebCore::DisplayList::DrawRect,WebCore::DisplayList::DrawSystemImage,WebCore::DisplayList::EndTransparencyLayer,WebCore::DisplayList::FillCompositedRect,WebCore::DisplayList::FillEllipse,WebCore::DisplayList::FillPath,WebCore::DisplayList::FillRect,WebCore::DisplayList::FillRectWithColor,WebCore::DisplayList::FillRectWithGradient,WebCore::DisplayList::FillRectWithGradientAndSpaceTransform,WebCore::DisplayList::FillRectWithRoundedHole,WebCore::DisplayList::FillRoundedRect,WebCore::DisplayList::ResetClip,WebCore::DisplayList::Restore,WebCore::DisplayList::Rotate,WebCore::DisplayList::Save,WebCore::DisplayList::Scale,WebCore::DisplayList::SetCTM,WebCore::DisplayList::SetInlineFillColor,WebCore::DisplayList::SetInlineStroke,WebCore::DisplayList::SetLineCap,WebCore::DisplayList::SetLineDash,WebCore::DisplayList::SetLineJoin,WebCore::DisplayList::SetMiterLimit,WebCore::DisplayList::SetState,WebCore::DisplayList::StrokeEllipse,WebCore::DisplayList::StrokePath,WebCore::DisplayList::StrokeRect,WebCore::DisplayList::Translate,WebCore::DisplayList::BeginPage,WebCore::DisplayList::EndPage,WebCore::DisplayList::SetURLForRect> & vs) Line 1413 C++ [Inline Frame] WebCore.dll!mpark::detail::visitation::alt::visit_alt(mpark::detail::visitation::variant::value_visitor<WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'>> && visitor, const mpark::detail::impl<WebCore::DisplayList::ApplyDeviceScaleFactor,WebCore::DisplayList::BeginTransparencyLayer,WebCore::DisplayList::BeginTransparencyLayerWithCompositeMode,WebCore::DisplayList::ClearRect,WebCore::DisplayList::Clip,WebCore::DisplayList::ClipRoundedRect,WebCore::DisplayList::ClipOut,WebCore::DisplayList::ClipOutRoundedRect,WebCore::DisplayList::ClipOutToPath,WebCore::DisplayList::ClipPath,WebCore::DisplayList::ClipToImageBuffer,WebCore::DisplayList::ConcatenateCTM,WebCore::DisplayList::DrawControlPart,WebCore::DisplayList::DrawDotsForDocumentMarker,WebCore::DisplayList::DrawEllipse,WebCore::DisplayList::DrawFilteredImageBuffer,WebCore::DisplayList::DrawFocusRingPath,WebCore::DisplayList::DrawFocusRingRects,WebCore::DisplayList::DrawGlyphs,WebCore::DisplayList::DrawDisplayList,WebCore::DisplayList::DrawPlaceholder,WebCore::DisplayList::DrawImageBuffer,WebCore::DisplayList::DrawLine,WebCore::DisplayList::DrawLinesForText,WebCore::DisplayList::DrawNativeImage,WebCore::DisplayList::DrawPath,WebCore::DisplayList::DrawPatternNativeImage,WebCore::DisplayList::DrawPatternImageBuffer,WebCore::DisplayList::DrawRect,WebCore::DisplayList::DrawSystemImage,WebCore::DisplayList::EndTransparencyLayer,WebCore::DisplayList::FillCompositedRect,WebCore::DisplayList::FillEllipse,WebCore::DisplayList::FillPath,WebCore::DisplayList::FillRect,WebCore::DisplayList::FillRectWithColor,WebCore::DisplayList::FillRectWithGradient,WebCore::DisplayList::FillRectWithGradientAndSpaceTransform,WebCore::DisplayList::FillRectWithRoundedHole,WebCore::DisplayList::FillRoundedRect,WebCore::DisplayList::ResetClip,WebCore::DisplayList::Restore,WebCore::DisplayList::Rotate,WebCore::DisplayList::Save,WebCore::DisplayList::Scale,WebCore::DisplayList::SetCTM,WebCore::DisplayList::SetInlineFillColor,WebCore::DisplayList::SetInlineStroke,WebCore::DisplayList::SetLineCap,WebCore::DisplayList::SetLineDash,WebCore::DisplayList::SetLineJoin,WebCore::DisplayList::SetMiterLimit,WebCore::DisplayList::SetState,WebCore::DisplayList::StrokeEllipse,WebCore::DisplayList::StrokePath,WebCore::DisplayList::StrokeRect,WebCore::DisplayList::Translate,WebCore::DisplayList::BeginPage,WebCore::DisplayList::EndPage,WebCore::DisplayList::SetURLForRect> & vs) Line 1538 C++ [Inline Frame] WebCore.dll!mpark::detail::visitation::variant::visit_alt(mpark::detail::visitation::variant::value_visitor<WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'>> && visitor, const mpark::variant<WebCore::DisplayList::ApplyDeviceScaleFactor,WebCore::DisplayList::BeginTransparencyLayer,WebCore::DisplayList::BeginTransparencyLayerWithCompositeMode,WebCore::DisplayList::ClearRect,WebCore::DisplayList::Clip,WebCore::DisplayList::ClipRoundedRect,WebCore::DisplayList::ClipOut,WebCore::DisplayList::ClipOutRoundedRect,WebCore::DisplayList::ClipOutToPath,WebCore::DisplayList::ClipPath,WebCore::DisplayList::ClipToImageBuffer,WebCore::DisplayList::ConcatenateCTM,WebCore::DisplayList::DrawControlPart,WebCore::DisplayList::DrawDotsForDocumentMarker,WebCore::DisplayList::DrawEllipse,WebCore::DisplayList::DrawFilteredImageBuffer,WebCore::DisplayList::DrawFocusRingPath,WebCore::DisplayList::DrawFocusRingRects,WebCore::DisplayList::DrawGlyphs,WebCore::DisplayList::DrawDisplayList,WebCore::DisplayList::DrawPlaceholder,WebCore::DisplayList::DrawImageBuffer,WebCore::DisplayList::DrawLine,WebCore::DisplayList::DrawLinesForText,WebCore::DisplayList::DrawNativeImage,WebCore::DisplayList::DrawPath,WebCore::DisplayList::DrawPatternNativeImage,WebCore::DisplayList::DrawPatternImageBuffer,WebCore::DisplayList::DrawRect,WebCore::DisplayList::DrawSystemImage,WebCore::DisplayList::EndTransparencyLayer,WebCore::DisplayList::FillCompositedRect,WebCore::DisplayList::FillEllipse,WebCore::DisplayList::FillPath,WebCore::DisplayList::FillRect,WebCore::DisplayList::FillRectWithColor,WebCore::DisplayList::FillRectWithGradient,WebCore::DisplayList::FillRectWithGradientAndSpaceTransform,WebCore::DisplayList::FillRectWithRoundedHole,WebCore::DisplayList::FillRoundedRect,WebCore::DisplayList::ResetClip,WebCore::DisplayList::Restore,WebCore::DisplayList::Rotate,WebCore::DisplayList::Save,WebCore::DisplayList::Scale,WebCore::DisplayList::SetCTM,WebCore::DisplayList::SetInlineFillColor,WebCore::DisplayList::SetInlineStroke,WebCore::DisplayList::SetLineCap,WebCore::DisplayList::SetLineDash,WebCore::DisplayList::SetLineJoin,WebCore::DisplayList::SetMiterLimit,WebCore::DisplayList::SetState,WebCore::DisplayList::StrokeEllipse,WebCore::DisplayList::StrokePath,WebCore::DisplayList::StrokeRect,WebCore::DisplayList::Translate,WebCore::DisplayList::BeginPage,WebCore::DisplayList::EndPage,WebCore::DisplayList::SetURLForRect> & vs) Line 1623 C++ [Inline Frame] WebCore.dll!mpark::detail::visitation::variant::visit_value(WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'> && visitor, const mpark::variant<WebCore::DisplayList::ApplyDeviceScaleFactor,WebCore::DisplayList::BeginTransparencyLayer,WebCore::DisplayList::BeginTransparencyLayerWithCompositeMode,WebCore::DisplayList::ClearRect,WebCore::DisplayList::Clip,WebCore::DisplayList::ClipRoundedRect,WebCore::DisplayList::ClipOut,WebCore::DisplayList::ClipOutRoundedRect,WebCore::DisplayList::ClipOutToPath,WebCore::DisplayList::ClipPath,WebCore::DisplayList::ClipToImageBuffer,WebCore::DisplayList::ConcatenateCTM,WebCore::DisplayList::DrawControlPart,WebCore::DisplayList::DrawDotsForDocumentMarker,WebCore::DisplayList::DrawEllipse,WebCore::DisplayList::DrawFilteredImageBuffer,WebCore::DisplayList::DrawFocusRingPath,WebCore::DisplayList::DrawFocusRingRects,WebCore::DisplayList::DrawGlyphs,WebCore::DisplayList::DrawDisplayList,WebCore::DisplayList::DrawPlaceholder,WebCore::DisplayList::DrawImageBuffer,WebCore::DisplayList::DrawLine,WebCore::DisplayList::DrawLinesForText,WebCore::DisplayList::DrawNativeImage,WebCore::DisplayList::DrawPath,WebCore::DisplayList::DrawPatternNativeImage,WebCore::DisplayList::DrawPatternImageBuffer,WebCore::DisplayList::DrawRect,WebCore::DisplayList::DrawSystemImage,WebCore::DisplayList::EndTransparencyLayer,WebCore::DisplayList::FillCompositedRect,WebCore::DisplayList::FillEllipse,WebCore::DisplayList::FillPath,WebCore::DisplayList::FillRect,WebCore::DisplayList::FillRectWithColor,WebCore::DisplayList::FillRectWithGradient,WebCore::DisplayList::FillRectWithGradientAndSpaceTransform,WebCore::DisplayList::FillRectWithRoundedHole,WebCore::DisplayList::FillRoundedRect,WebCore::DisplayList::ResetClip,WebCore::DisplayList::Restore,WebCore::DisplayList::Rotate,WebCore::DisplayList::Save,WebCore::DisplayList::Scale,WebCore::DisplayList::SetCTM,WebCore::DisplayList::SetInlineFillColor,WebCore::DisplayList::SetInlineStroke,WebCore::DisplayList::SetLineCap,WebCore::DisplayList::SetLineDash,WebCore::DisplayList::SetLineJoin,WebCore::DisplayList::SetMiterLimit,WebCore::DisplayList::SetState,WebCore::DisplayList::StrokeEllipse,WebCore::DisplayList::StrokePath,WebCore::DisplayList::StrokeRect,WebCore::DisplayList::Translate,WebCore::DisplayList::BeginPage,WebCore::DisplayList::EndPage,WebCore::DisplayList::SetURLForRect> & vs) Line 1638 C++ [Inline Frame] WebCore.dll!mpark::visit(WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'> && visitor, const mpark::variant<WebCore::DisplayList::ApplyDeviceScaleFactor,WebCore::DisplayList::BeginTransparencyLayer,WebCore::DisplayList::BeginTransparencyLayerWithCompositeMode,WebCore::DisplayList::ClearRect,WebCore::DisplayList::Clip,WebCore::DisplayList::ClipRoundedRect,WebCore::DisplayList::ClipOut,WebCore::DisplayList::ClipOutRoundedRect,WebCore::DisplayList::ClipOutToPath,WebCore::DisplayList::ClipPath,WebCore::DisplayList::ClipToImageBuffer,WebCore::DisplayList::ConcatenateCTM,WebCore::DisplayList::DrawControlPart,WebCore::DisplayList::DrawDotsForDocumentMarker,WebCore::DisplayList::DrawEllipse,WebCore::DisplayList::DrawFilteredImageBuffer,WebCore::DisplayList::DrawFocusRingPath,WebCore::DisplayList::DrawFocusRingRects,WebCore::DisplayList::DrawGlyphs,WebCore::DisplayList::DrawDisplayList,WebCore::DisplayList::DrawPlaceholder,WebCore::DisplayList::DrawImageBuffer,WebCore::DisplayList::DrawLine,WebCore::DisplayList::DrawLinesForText,WebCore::DisplayList::DrawNativeImage,WebCore::DisplayList::DrawPath,WebCore::DisplayList::DrawPatternNativeImage,WebCore::DisplayList::DrawPatternImageBuffer,WebCore::DisplayList::DrawRect,WebCore::DisplayList::DrawSystemImage,WebCore::DisplayList::EndTransparencyLayer,WebCore::DisplayList::FillCompositedRect,WebCore::DisplayList::FillEllipse,WebCore::DisplayList::FillPath,WebCore::DisplayList::FillRect,WebCore::DisplayList::FillRectWithColor,WebCore::DisplayList::FillRectWithGradient,WebCore::DisplayList::FillRectWithGradientAndSpaceTransform,WebCore::DisplayList::FillRectWithRoundedHole,WebCore::DisplayList::FillRoundedRect,WebCore::DisplayList::ResetClip,WebCore::DisplayList::Restore,WebCore::DisplayList::Rotate,WebCore::DisplayList::Save,WebCore::DisplayList::Scale,WebCore::DisplayList::SetCTM,WebCore::DisplayList::SetInlineFillColor,WebCore::DisplayList::SetInlineStroke,WebCore::DisplayList::SetLineCap,WebCore::DisplayList::SetLineDash,WebCore::DisplayList::SetLineJoin,WebCore::DisplayList::SetMiterLimit,WebCore::DisplayList::SetState,WebCore::DisplayList::StrokeEllipse,WebCore::DisplayList::StrokePath,WebCore::DisplayList::StrokeRect,WebCore::DisplayList::Translate,WebCore::DisplayList::BeginPage,WebCore::DisplayList::EndPage,WebCore::DisplayList::SetURLForRect> & vs) Line 2749 C++ [Inline Frame] WebCore.dll!WTF::visit(WTF::Visitor<`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:40:9',`lambda at S:\WebKit\Source\WebCore\platform\graphics\displaylists\DisplayListItem.cpp:42:12'> && v, const mpark::variant<WebCore::DisplayList::ApplyDeviceScaleFactor,WebCore::DisplayList::BeginTransparencyLayer,WebCore::DisplayList::BeginTransparencyLayerWithCompositeMode,WebCore::DisplayList::ClearRect,WebCore::DisplayList::Clip,WebCore::DisplayList::ClipRoundedRect,WebCore::DisplayList::ClipOut,WebCore::DisplayList::ClipOutRoundedRect,WebCore::DisplayList::ClipOutToPath,WebCore::DisplayList::ClipPath,WebCore::DisplayList::ClipToImageBuffer,WebCore::DisplayList::ConcatenateCTM,WebCore::DisplayList::DrawControlPart,WebCore::DisplayList::DrawDotsForDocumentMarker,WebCore::DisplayList::DrawEllipse,WebCore::DisplayList::DrawFilteredImageBuffer,WebCore::DisplayList::DrawFocusRingPath,WebCore::DisplayList::DrawFocusRingRects,WebCore::DisplayList::DrawGlyphs,WebCore::DisplayList::DrawDisplayList,WebCore::DisplayList::DrawPlaceholder,WebCore::DisplayList::DrawImageBuffer,WebCore::DisplayList::DrawLine,WebCore::DisplayList::DrawLinesForText,WebCore::DisplayList::DrawNativeImage,WebCore::DisplayList::DrawPath,WebCore::DisplayList::DrawPatternNativeImage,WebCore::DisplayList::DrawPatternImageBuffer,WebCore::DisplayList::DrawRect,WebCore::DisplayList::DrawSystemImage,WebCore::DisplayList::EndTransparencyLayer,WebCore::DisplayList::FillCompositedRect,WebCore::DisplayList::FillEllipse,WebCore::DisplayList::FillPath,WebCore::DisplayList::FillRect,WebCore::DisplayList::FillRectWithColor,WebCore::DisplayList::FillRectWithGradient,WebCore::DisplayList::FillRectWithGradientAndSpaceTransform,WebCore::DisplayList::FillRectWithRoundedHole,WebCore::DisplayList::FillRoundedRect,WebCore::DisplayList::ResetClip,WebCore::DisplayList::Restore,WebCore::DisplayList::Rotate,WebCore::DisplayList::Save,WebCore::DisplayList::Scale,WebCore::DisplayList::SetCTM,WebCore::DisplayList::SetInlineFillColor,WebCore::DisplayList::SetInlineStroke,WebCore::DisplayList::SetLineCap,WebCore::DisplayList::SetLineDash,WebCore::DisplayList::SetLineJoin,WebCore::DisplayList::SetMiterLimit,WebCore::DisplayList::SetState,WebCore::DisplayList::StrokeEllipse,WebCore::DisplayList::StrokePath,WebCore::DisplayList::StrokeRect,WebCore::DisplayList::Translate,WebCore::DisplayList::BeginPage,WebCore::DisplayList::EndPage,WebCore::DisplayList::SetURLForRect> & values) Line 2927 C++ [Inline Frame] WebCore.dll!WTF::switchOn(const mpark::variant<WebCore::DisplayList::ApplyDeviceScaleFactor,WebCore::DisplayList::BeginTransparencyLayer,WebCore::DisplayList::BeginTransparencyLayerWithCompositeMode,WebCore::DisplayList::ClearRect,WebCore::DisplayList::Clip,WebCore::DisplayList::ClipRoundedRect,WebCore::DisplayList::ClipOut,WebCore::DisplayList::ClipOutRoundedRect,WebCore::DisplayList::ClipOutToPath,WebCore::DisplayList::ClipPath,WebCore::DisplayList::ClipToImageBuffer,WebCore::DisplayList::ConcatenateCTM,WebCore::DisplayList::DrawControlPart,WebCore::DisplayList::DrawDotsForDocumentMarker,WebCore::DisplayList::DrawEllipse,WebCore::DisplayList::DrawFilteredImageBuffer,WebCore::DisplayList::DrawFocusRingPath,WebCore::DisplayList::DrawFocusRingRects,WebCore::DisplayList::DrawGlyphs,WebCore::DisplayList::DrawDisplayList,WebCore::DisplayList::DrawPlaceholder,WebCore::DisplayList::DrawImageBuffer,WebCore::DisplayList::DrawLine,WebCore::DisplayList::DrawLinesForText,WebCore::DisplayList::DrawNativeImage,WebCore::DisplayList::DrawPath,WebCore::DisplayList::DrawPatternNativeImage,WebCore::DisplayList::DrawPatternImageBuffer,WebCore::DisplayList::DrawRect,WebCore::DisplayList::DrawSystemImage,WebCore::DisplayList::EndTransparencyLayer,WebCore::DisplayList::FillCompositedRect,WebCore::DisplayList::FillEllipse,WebCore::DisplayList::FillPath,WebCore::DisplayList::FillRect,WebCore::DisplayList::FillRectWithColor,WebCore::DisplayList::FillRectWithGradient,WebCore::DisplayList::FillRectWithGradientAndSpaceTransform,WebCore::DisplayList::FillRectWithRoundedHole,WebCore::DisplayList::FillRoundedRect,WebCore::DisplayList::ResetClip,WebCore::DisplayList::Restore,WebCore::DisplayList::Rotate,WebCore::DisplayList::Save,WebCore::DisplayList::Scale,WebCore::DisplayList::SetCTM,WebCore::DisplayList::SetInlineFillColor,WebCore::DisplayList::SetInlineStroke,WebCore::DisplayList::SetLineCap,WebCore::DisplayList::SetLineDash,WebCore::DisplayList::SetLineJoin,WebCore::DisplayList::SetMiterLimit,WebCore::DisplayList::SetState,WebCore::DisplayList::StrokeEllipse,WebCore::DisplayList::StrokePath,WebCore::DisplayList::StrokeRect,WebCore::DisplayList::Translate,WebCore::DisplayList::BeginPage,WebCore::DisplayList::EndPage,WebCore::DisplayList::SetURLForRect> & v, WebCore::DisplayList::applyItem::<lambda_0> &&) Line 567 C++ WebCore.dll!WebCore::DisplayList::applyItem(WebCore::GraphicsContext & context, WebCore::ControlFactory & controlFactory, const mpark::variant<WebCore::DisplayList::ApplyDeviceScaleFactor,WebCore::DisplayList::BeginTransparencyLayer,WebCore::DisplayList::BeginTransparencyLayerWithCompositeMode,WebCore::DisplayList::ClearRect,WebCore::DisplayList::Clip,WebCore::DisplayList::ClipRoundedRect,WebCore::DisplayList::ClipOut,WebCore::DisplayList::ClipOutRoundedRect,WebCore::DisplayList::ClipOutToPath,WebCore::DisplayList::ClipPath,WebCore::DisplayList::ClipToImageBuffer,WebCore::DisplayList::ConcatenateCTM,WebCore::DisplayList::DrawControlPart,WebCore::DisplayList::DrawDotsForDocumentMarker,WebCore::DisplayList::DrawEllipse,WebCore::DisplayList::DrawFilteredImageBuffer,WebCore::DisplayList::DrawFocusRingPath,WebCore::DisplayList::DrawFocusRingRects,WebCore::DisplayList::DrawGlyphs,WebCore::DisplayList::DrawDisplayList,WebCore::DisplayList::DrawPlaceholder,WebCore::DisplayList::DrawImageBuffer,WebCore::DisplayList::DrawLine,WebCore::DisplayList::DrawLinesForText,WebCore::DisplayList::DrawNativeImage,WebCore::DisplayList::DrawPath,WebCore::DisplayList::DrawPatternNativeImage,WebCore::DisplayList::DrawPatternImageBuffer,WebCore::DisplayList::DrawRect,WebCore::DisplayList::DrawSystemImage,WebCore::DisplayList::EndTransparencyLayer,WebCore::DisplayList::FillCompositedRect,WebCore::DisplayList::FillEllipse,WebCore::DisplayList::FillPath,WebCore::DisplayList::FillRect,WebCore::DisplayList::FillRectWithColor,WebCore::DisplayList::FillRectWithGradient,WebCore::DisplayList::FillRectWithGradientAndSpaceTransform,WebCore::DisplayList::FillRectWithRoundedHole,WebCore::DisplayList::FillRoundedRect,WebCore::DisplayList::ResetClip,WebCore::DisplayList::Restore,WebCore::DisplayList::Rotate,WebCore::DisplayList::Save,WebCore::DisplayList::Scale,WebCore::DisplayList::SetCTM,WebCore::DisplayList::SetInlineFillColor,WebCore::DisplayList::SetInlineStroke,WebCore::DisplayList::SetLineCap,WebCore::DisplayList::SetLineDash,WebCore::DisplayList::SetLineJoin,WebCore::DisplayList::SetMiterLimit,WebCore::DisplayList::SetState,WebCore::DisplayList::StrokeEllipse,WebCore::DisplayList::StrokePath,WebCore::DisplayList::StrokeRect,WebCore::DisplayList::Translate,WebCore::DisplayList::BeginPage,WebCore::DisplayList::EndPage,WebCore::DisplayList::SetURLForRect> & item) Line 39 C++ WebCore.dll!WebCore::GraphicsContext::drawDisplayList(const WebCore::DisplayList::DisplayList & displayList, WebCore::ControlFactory & controlFactory) Line 563 C++ WebCore.dll!WebCore::DisplayList::Recorder::appendDisplayList(const WebCore::DisplayList::DisplayList & displayList) Line 71 C++ WebKit2.dll!WebKit::RemoteRenderingBackendProxy::cacheDisplayList(WTF::ObjectIdentifierGeneric<WebKit::RemoteDisplayListIdentifierType,WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>,unsigned long long> identifier, const WebCore::DisplayList::DisplayList & displayList) Line 477 C++ WebKit2.dll!WebKit::RemoteResourceCacheProxy::recordDisplayListUse(const WebCore::DisplayList::DisplayList & displayList) Line 213 C++ [Inline Frame] WebKit2.dll!WebKit::RemoteGraphicsContextProxy::recordResourceUse(const WebCore::DisplayList::DisplayList & displayList) Line 727 C++ WebKit2.dll!WebKit::RemoteGraphicsContextProxy::drawDisplayList(const WebCore::DisplayList::DisplayList & displayList, WebCore::ControlFactory &) Line 283 C++ WebCore.dll!WebCore::GraphicsContext::drawDisplayList(const WebCore::DisplayList::DisplayList & displayList) Line 557 C++ WebCore.dll!WebCore::TextPainter::paintTextOrEmphasisMarks(const WebCore::FontCascade & font, const WebCore::TextRun & textRun, const WTF::AtomString & emphasisMark, float emphasisMarkOffset, const WebCore::FloatPoint & textOrigin, unsigned int startOffset, unsigned int endOffset) Line 134 C++ WebCore.dll!WebCore::TextPainter::paintTextWithShadows(const WebCore::Style::Shadows<WebCore::Style::TextShadow> * shadows, const WebCore::Style::AppleColorFilter & colorFilter, const WebCore::FontCascade & font, const WebCore::TextRun & textRun, const WebCore::FloatRect & boxRect, const WebCore::FloatPoint & textOrigin, unsigned int startOffset, unsigned int endOffset, const WTF::AtomString & emphasisMark, float emphasisMarkOffset, bool stroked) Line 141 C++ WebCore.dll!WebCore::TextPainter::paintTextAndEmphasisMarksIfNeeded(const WebCore::TextRun & textRun, const WebCore::FloatRect & boxRect, const WebCore::FloatPoint & textOrigin, unsigned int startOffset, unsigned int endOffset, const WebCore::TextPaintStyle & paintStyle, const WebCore::Style::Shadows<WebCore::Style::TextShadow> & shadow, const WebCore::Style::AppleColorFilter & shadowColorFilter) Line 200 C++ WebCore.dll!WebCore::TextPainter::paintRange(const WebCore::TextRun & textRun, const WebCore::FloatRect & boxRect, const WebCore::FloatPoint & textOrigin, unsigned int start, unsigned int end) Line 224 C++ WebCore.dll!WebCore::TextBoxPainter::paintForeground(const WebCore::StyledMarkedText & markedText) Line 657 C++ WebCore.dll!WebCore::TextBoxPainter::paintForegroundAndDecorations() Line 408 C++ WebCore.dll!WebCore::TextBoxPainter::paint() Line 268 C++ WebCore.dll!WebCore::LayoutIntegration::InlineContentPainter::paintDisplayBox(const WebCore::InlineDisplay::Box & box) Line 119 C++ WebCore.dll!WebCore::LayoutIntegration::InlineContentPainter::paint() Line 174 C++ WebCore.dll!WebCore::LayoutIntegration::LineLayout::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, const WebCore::RenderInline * layerRenderer) Line 1151 C++ WebCore.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1216 C++ WebCore.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 954 C++ WebCore.dll!WebCore::RenderBlock::paintChild(WebCore::RenderBox & child, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect, WebCore::RenderBlock::PaintBlockType paintType) Line 1046 C++ WebCore.dll!WebCore::RenderBlock::paintChildren(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect) Line 999 C++ WebCore.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 990 C++ WebCore.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1216 C++ WebCore.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 954 C++ WebCore.dll!WebCore::RenderBlock::paintChild(WebCore::RenderBox & child, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect, WebCore::RenderBlock::PaintBlockType paintType) Line 1046 C++ WebCore.dll!WebCore::RenderBlock::paintChildren(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect) Line 999 C++ WebCore.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 990 C++ WebCore.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1216 C++ WebCore.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 954 C++ WebCore.dll!WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase phase, const WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16,WTF::FastMalloc> & layerFragments, WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & localPaintingInfo, WTF::OptionSet<WebCore::PaintBehavior,0> paintBehavior, WebCore::RenderObject * subtreePaintRootForRenderer) Line 4393 C++ WebCore.dll!WebCore::RenderLayer::paintForegroundForFragments(const WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16,WTF::FastMalloc> & layerFragments, WebCore::GraphicsContext & context, WebCore::GraphicsContext & contextForTransparencyLayer, const WebCore::LayoutRect & transparencyPaintDirtyRect, bool haveTransparency, const WebCore::RenderLayer::LayerPaintingInfo & localPaintingInfo, WTF::OptionSet<WebCore::PaintBehavior,0> paintBehavior, WebCore::RenderObject * subtreePaintRootForRenderer) Line 4369 C++ WebCore.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag,0> paintFlags) Line 3688 C++ WebCore.dll!WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList layerIterator, WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag,0> paintFlags) Line 4063 C++ WebCore.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag,0> paintFlags) Line 3684 C++ WebCore.dll!WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList layerIterator, WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag,0> paintFlags) Line 4063 C++ WebCore.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag,0> paintFlags) Line 3684 C++ WebCore.dll!WebCore::RenderLayer::paint(WebCore::GraphicsContext & context, const WebCore::LayoutRect & damageRect, const WebCore::LayoutSize & subpixelOffset, WTF::OptionSet<WebCore::PaintBehavior,0> paintBehavior, WebCore::RenderObject * subtreePaintRoot, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag,0> paintFlags, WebCore::RenderLayer::SecurityOriginPaintPolicy paintPolicy, WebCore::RegionContext * regionContext) Line 3227 C++ WebCore.dll!WebCore::LocalFrameView::paintContents(WebCore::GraphicsContext & context, const WebCore::IntRect & dirtyRect, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy, WebCore::RegionContext * regionContext) Line 5560 C++ WebCore.dll!WebCore::ScrollView::paint(WebCore::GraphicsContext & context, const WebCore::IntRect & rect, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy, WebCore::RegionContext * regionContext) Line 1433 C++ WebKit2.dll!WebKit::WebPage::drawRect(WebCore::GraphicsContext & graphicsContext, const WebCore::IntRect & rect) Line 2443 C++ WebKit2.dll!WebKit::DrawingAreaWC::sendUpdateNonAC() Line 366 C++ WebKit2.dll!WebKit::DrawingAreaWC::updateRendering() Line 253 C++ [Inline Frame] WebKit2.dll!WebCore::Timer::Timer<WebKit::DrawingAreaWC,WebKit::DrawingAreaWC>::<lambda_1>::operator()() Line 175 C++ WebKit2.dll!WTF::Detail::CallableWrapper<`lambda at S:\WebKit\WebKitBuild\Release\WebCore\PrivateHeaders\WebCore\Timer.h:173:22',void>::call() Line 53 C++ WebCore.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 142 C++ WebCore.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 89 C++ [External Code] JavaScriptCore.dll!WTF::RunLoop::run() Line 88 C++ [Inline Frame] WebKit2.dll!WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess,1>::run(int argc, char * * argv) Line 77 C++ [Inline Frame] WebKit2.dll!WebKit::AuxiliaryProcessMain(int argc, char * * argv) Line 103 C++ WebKit2.dll!WebKit::WebProcessMain(int argc, char * * argv) Line 44 C++ WebKitWebProcess.exe!main(int argc, char * * argv) Line 35 C++ 2149579 1 ian.grunert 2025-10-08 15:51:55 -0700 Can't read the __vfptr table of `this`, crashes on the `call` instruction for `this->onDrawTextBlob(blob, x, y, paint);`. 2149636 2 cgarcia 2025-10-08 22:02:17 -0700 You are rendering in the GPU process, right? So, your graphics context is the display list one, not a GraphicsContextSkia. We are assuming it's the only possible graphics context when replaying the glyphs cache display list. 2149692 3 cgarcia 2025-10-09 03:51:55 -0700 Pull request: https://github.com/WebKit/WebKit/pull/52061 2149693 4 cgarcia 2025-10-09 03:52:19 -0700 Could you try the PR, please? 2149737 5 ian.grunert 2025-10-09 11:11:40 -0700 I can confirm this fixes the crash, thanks! 2150029 6 ews-feeder 2025-10-10 11:52:51 -0700 Committed 301321@main (a1fe0eb97823): <https://commits.webkit.org/301321@main> Reviewed commits have been landed. Closing PR #52061 and removing active labels. 2150030 7 webkit-bug-importer 2025-10-10 11:53:11 -0700 <rdar://problem/162384119> 2150031 8 webkit-bug-importer 2025-10-10 11:53:11 -0700 <rdar://problem/162384066>