136948 – Crash in WebCore::FontGlyphs::primarySimpleFontData

Bug 136948 - Crash in WebCore::FontGlyphs::primarySimpleFontData

Summary: Crash in WebCore::FontGlyphs::primarySimpleFontData

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	116980
	Show dependency tree / graph

Reported:	2014-09-19 03:23 PDT by Renata Hodovan
Modified:	2016-08-03 17:12 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Test case (93 bytes, text/html) 2014-09-19 03:23 PDT, Renata Hodovan	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Renata Hodovan 2014-09-19 03:23:34 PDT

Created attachment 238367 [details]
Test case

The crashing test case (if you put more line breaks into it then the crash disappears):

<!DOCTYPE html>
<font>a<style> * {
    font:small-caps normal 800% Minion;
}
</style><source>


Backtrace:

Program received signal SIGSEGV, Segmentation fault.

0x00007ffff33729a2 in WebCore::FontGlyphs::primarySimpleFontData (this=0x8343b0, description=...) at ../../Source/WebCore/platform/graphics/FontGlyphs.h:127
127	        m_cachedPrimarySimpleFontData = primaryFontData(description)->fontDataForCharacter(' ');
#0  0x00007ffff33729a2 in WebCore::FontGlyphs::primarySimpleFontData (this=0x8343b0, description=...) at ../../Source/WebCore/platform/graphics/FontGlyphs.h:127
#1  0x00007ffff3372a5c in WebCore::Font::primaryFont (this=0x99ea88) at ../../Source/WebCore/platform/graphics/Font.h:362
#2  0x00007ffff33729ee in WebCore::Font::fontMetrics (this=0x99ea88) at ../../Source/WebCore/platform/graphics/Font.h:175
#3  0x00007ffff397270f in WebCore::requiresLineBoxForContent (flow=..., lineInfo=...) at ../../Source/WebCore/rendering/line/LineInlineHeaders.h:59
#4  0x00007ffff3b4cabd in WebCore::BreakingContext::handleEmptyInline (this=0x7fffffffa910) at ../../Source/WebCore/rendering/line/BreakingContextInlineHeaders.h:386
#5  0x00007ffff3b4a9f0 in WebCore::LineBreaker::nextSegmentBreak (this=0x7fffffffac70, resolver=..., lineInfo=..., renderTextInfo=..., lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0x0, wordMeasurements=...) at ../../Source/WebCore/rendering/line/LineBreaker.cpp:111
#6  0x00007ffff3b4a6ff in WebCore::LineBreaker::nextLineBreak (this=0x7fffffffac70, resolver=..., lineInfo=..., renderTextInfo=..., lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0x0, wordMeasurements=...) at ../../Source/WebCore/rendering/line/LineBreaker.cpp:82
#7  0x00007ffff396b130 in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange (this=0xaa6ae0, layoutState=..., resolver=..., cleanLineStart=..., cleanLineBidiStatus=..., consecutiveHyphenatedLines=0x0) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1087
#8  0x00007ffff396aca3 in WebCore::RenderBlockFlow::layoutRunsAndFloats (this=0xaa6ae0, layoutState=..., hasInlineChild=0x1) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1031
#9  0x00007ffff396d520 in WebCore::RenderBlockFlow::layoutLineBoxes (this=0xaa6ae0, relayoutChildren=0x1, repaintLogicalTop=..., repaintLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1448
#10 0x00007ffff394e2d4 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0xaa6ae0, relayoutChildren=0x1, repaintLogicalTop=..., repaintLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:653
#11 0x00007ffff394d5ca in WebCore::RenderBlockFlow::layoutBlock (this=0xaa6ae0, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:484
#12 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0xaa6ae0) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#13 0x00007ffff394e6b0 in WebCore::RenderBlockFlow::layoutBlockChild (this=0xaa6380, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:712
#14 0x00007ffff394e1d1 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0xaa6380, relayoutChildren=0x1, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:633
#15 0x00007ffff394d5ee in WebCore::RenderBlockFlow::layoutBlock (this=0xaa6380, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:486
#16 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0xaa6380) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#17 0x00007ffff394e6b0 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x8a7d20, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:712
#18 0x00007ffff394e1d1 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x8a7d20, relayoutChildren=0x1, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:633
#19 0x00007ffff394d5ee in WebCore::RenderBlockFlow::layoutBlock (this=0x8a7d20, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:486
#20 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0x8a7d20) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#21 0x00007ffff3b1aaa9 in WebCore::RenderView::layoutContent (this=0x8a7d20, state=...) at ../../Source/WebCore/rendering/RenderView.cpp:230
#22 0x00007ffff3b1b179 in WebCore::RenderView::layout (this=0x8a7d20) at ../../Source/WebCore/rendering/RenderView.cpp:355
#23 0x00007ffff369240f in WebCore::FrameView::layout (this=0xa390f0, allowSubtree=0x1) at ../../Source/WebCore/page/FrameView.cpp:1301
#24 0x00007ffff30613d5 in WebCore::Document::implicitClose (this=0xabf430) at ../../Source/WebCore/dom/Document.cpp:2441
#25 0x00007ffff3540b63 in WebCore::FrameLoader::checkCallImplicitClose (this=0xa83bc8) at ../../Source/WebCore/loader/FrameLoader.cpp:898
#26 0x00007ffff35408cb in WebCore::FrameLoader::checkCompleted (this=0xa83bc8) at ../../Source/WebCore/loader/FrameLoader.cpp:844
#27 0x00007ffff3540634 in WebCore::FrameLoader::finishedParsing (this=0xa83bc8) at ../../Source/WebCore/loader/FrameLoader.cpp:764
#28 0x00007ffff3069e57 in WebCore::Document::finishedParsing (this=0xabf430) at ../../Source/WebCore/dom/Document.cpp:4524
#29 0x00007ffff33bd667 in WebCore::HTMLConstructionSite::finishedParsing (this=0x85a618) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:395
#30 0x00007ffff33fb1dd in WebCore::HTMLTreeBuilder::finished (this=0x85a600) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2997
#31 0x00007ffff33c60d0 in WebCore::HTMLDocumentParser::end (this=0x85a760) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
#32 0x00007ffff33c61bb in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x85a760) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
#33 0x00007ffff33c4c69 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x85a760) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
#34 0x00007ffff33c61fe in WebCore::HTMLDocumentParser::attemptToEnd (this=0x85a760) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
#35 0x00007ffff33c62b5 in WebCore::HTMLDocumentParser::finish (this=0x85a760) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:490
#36 0x00007ffff35322d1 in WebCore::DocumentWriter::end (this=0xabac90) at ../../Source/WebCore/loader/DocumentWriter.cpp:246
#37 0x00007ffff351d9ad in WebCore::DocumentLoader::finishedLoading (this=0xababf0, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441
#38 0x00007ffff351d716 in WebCore::DocumentLoader::notifyFinished (this=0xababf0, resource=0x882ab0) at ../../Source/WebCore/loader/DocumentLoader.cpp:375
#39 0x00007ffff35d47c4 in WebCore::CachedResource::checkNotify (this=0x882ab0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:347
#40 0x00007ffff35d48ce in WebCore::CachedResource::finishLoading (this=0x882ab0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:363
#41 0x00007ffff35d11f4 in WebCore::CachedRawResource::finishLoading (this=0x882ab0, data=0xa840c0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:101
#42 0x00007ffff3580a50 in WebCore::SubresourceLoader::didFinishLoading (this=0x883020, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.c

Comment 1 Brent Fulgham 2016-08-03 17:12:52 PDT

This problem does not reproduce under GuardMalloc or ASAN under r204037. If you believe there is still a problem, please reopen this bug and provide an updated test case.