Bug 18378 - CRASH at http://warrock.nexon.com
Status: RESOLVED WORKSFORME
https://bugs.webkit.org/show_bug.cgi?id=18378

Reported by Eric Roman, 2008-04-08 23:27:37 PDT

Navigate to the URL -- crashes on me
Attachments
Crash dump (69.88 KB, application/octet-stream), 2008-04-08 23:28 PDT, Eric Roman
Crash for bad font-face (287 bytes, text/html), 2008-04-21 12:40 PDT, Eric Roman
Object interaction causing crash (62.34 KB, image/png), 2008-04-27 21:11 PDT, Eric Roman
Comment 1 - Eric Roman - 2008-04-08 23:28:26 PDT
Created attachment 20420: Crash dump
Comment 2 - Eric Roman - 2008-04-21 12:40:13 PDT
Created attachment 20736: Crash for bad font-face

Crashes when the font-family: value has more than 1 comma separated entry. Reduced from http://warrock.nexon.com/. Reproducible crash on Safari Windows.
Comment 3 - Eric Roman - 2008-04-27 21:11:19 PDT
Created attachment 20860: Object interaction causing crash

The problem is a free memory read when laying out the page after the custom font has finished loading. The architecture of CSSFontFace doesn't allow it to be (safely) shared by more than one CSSSegmentedFontFace, which is what happens in this case. Once the CSSFontFaceSource destroys its temporary SimpleFontData, one of the CSSSegmentedFontFaces sharing it is left with a bad pointer. (See attached diagram for the precise interaction.)

It is not clear to me from the spec what the correct behavior should be. Scenario:

@font-face { font-family: x1, x2; src: url(...); }

Should you be able to:
(a) reference the custom font as "x1" only
(b) reference the custom font as either "x1" or "x2"
(c) not reference the custom font at all, invalid format

It looks to me that IE is doing (a). I've got some tentative patches, but I need someone to point me down which outcome is the desired one.
Comment 4 - Eric Seidel (no email) - 2008-04-28 11:26:15 PDT
I agree with IE's behavior. The spec is unclear: http://www.w3.org/TR/css3-webfonts/#font-family

Hyatt would be best to ask here, but his response will probably be that "Web Fonts are in the middle of being re-thought for CSS3".
Comment 5 - Dave Hyatt - 2008-04-28 11:37:28 PDT
If you list multiple fonts in the font-family list, then any one of them should be usable (not just the first one). It is not a "fallback" list in that case.... it's a specified list of family names that can all be used to reference the font.

See http://www.w3.org/TR/2002/WD-css3-webfonts-20020802/#select Specifically the following text:

"The values within that list are, except as explicitly noted, the same as those for the corresponding CSS3 property. If there is a single value, that is the value that must be matched. If there is a list, any list item constitutes a match."
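The following is an added illustration, not WebKit source or any code from the thread: a small C++ model of the ownership problem Eric describes in comment 3 (one loaded font referenced by several per-family objects, with the reference-holder not keeping the data alive) next to the "any list item constitutes a match" rule Dave quotes in comment 5. All class and function names (FontData, SegmentedFace, FontRegistry, familyMatches, and so on) are hypothetical stand-ins for the WebKit classes named in the thread, and the replay of the crash sequence is a simplification of what the attached diagram presumably shows. A weak_ptr stands in for the non-owning pointer so that the freed state can be observed without undefined behaviour; shared_ptr stands in for the shared-ownership fix.

```cpp
// Added illustration (not WebKit code). Names are hypothetical stand-ins for
// the classes mentioned in the bug thread.
#include <iostream>
#include <map>
#include <memory>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Stand-in for SimpleFontData: the data that exists once a custom font has loaded.
struct FontData {
    explicit FontData(std::string n) : name(std::move(n)) {}
    std::string name;
};

// Split a font-family value such as "x1, x2" into trimmed family names.
std::vector<std::string> parseFamilyList(const std::string& value) {
    std::vector<std::string> families;
    std::stringstream in(value);
    std::string item;
    while (std::getline(in, item, ',')) {
        const size_t begin = item.find_first_not_of(" \t");
        if (begin == std::string::npos) continue;  // skip empty entries such as "x1,,x2"
        const size_t end = item.find_last_not_of(" \t");
        families.push_back(item.substr(begin, end - begin + 1));
    }
    return families;
}

// Comment 5's rule: when the @font-face family value is a list, any list item
// is a match for the requested family. Exact string comparison, for simplicity.
bool familyMatches(const std::string& fontFaceFamilyValue, const std::string& requested) {
    for (const auto& family : parseFamilyList(fontFaceFamilyValue))
        if (family == requested) return true;
    return false;
}

// Stand-in for CSSSegmentedFontFace, one per family name. The weak_ptr models
// the non-owning pointer from the report: it lets us observe, safely, that the
// data it refers to has already been freed.
struct SegmentedFace {
    std::weak_ptr<FontData> observed;  // non-owning reference (the bug)
    std::shared_ptr<FontData> owned;   // shared ownership (the fix)
};

class FontRegistry {
public:
    explicit FontRegistry(bool shareOwnership) : shareOwnership_(shareOwnership) {}

    // Registers one @font-face rule: every family in the list refers to the
    // same loaded data, which is where the sharing described in comment 3 arises.
    void registerFontFace(const std::string& familyValue, const std::shared_ptr<FontData>& data) {
        for (const auto& family : parseFamilyList(familyValue)) {
            SegmentedFace face;
            if (shareOwnership_)
                face.owned = data;
            else
                face.observed = data;
            faces_[family] = face;
        }
    }

    // True if the face registered for this family still has live data at layout time.
    bool canLayout(const std::string& family) const {
        const auto it = faces_.find(family);
        if (it == faces_.end()) return false;
        const SegmentedFace& face = it->second;
        return shareOwnership_ ? face.owned != nullptr : !face.observed.expired();
    }

private:
    bool shareOwnership_;
    std::map<std::string, SegmentedFace> faces_;
};

// Simplified replay of the sequence in comment 3: the font source holds the
// loaded data only temporarily, every listed family is pointed at it, and the
// source then drops its copy before layout runs. Returns true when all listed
// families can still be laid out afterwards.
bool layoutSucceedsAfterSourceReleases(bool shareOwnership) {
    FontRegistry registry(shareOwnership);
    {
        auto temporary = std::make_shared<FontData>("custom");  // CSSFontFaceSource's temporary
        registry.registerFontFace("x1, x2", temporary);
    }  // the source's temporary goes away here
    return registry.canLayout("x1") && registry.canLayout("x2");
}

int main() {
    std::cout << "non-owning references: "
              << (layoutSucceedsAfterSourceReleases(false) ? "ok" : "dangling") << "\n";
    std::cout << "shared ownership:      "
              << (layoutSucceedsAfterSourceReleases(true) ? "ok" : "dangling") << "\n";
    std::cout << "\"x2\" matches \"x1, x2\": " << familyMatches("x1, x2", "x2") << "\n";
    return 0;
}
```

With non-owning references the faces for both x1 and x2 report dead data as soon as the source releases its temporary; with shared ownership the data outlives the source and layout proceeds. The same registry also shows why option (b) from comment 3 falls out naturally once ownership is shared: registering the rule under each listed name is harmless when each name holds its own reference.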
Comment 6 - Eric Seidel (no email) - 2008-07-23 16:02:38 PDT
We should be able to just hack CSSFontSelector to force familyLength = 1; and avoid the crash.
Comment 7 - mitz - 2008-07-23 16:39:32 PDT
I cannot reproduce the crash on Mac OS X with TOT WebKit using attachment 20736. What does the top of the backtrace look like?
Comment 8 - Eric Seidel (no email) - 2008-08-07 16:17:26 PDT
Just curious what the status of this issue is?
Comment 9 - mitz - 2008-08-07 16:19:47 PDT
(In reply to comment #8)
> Just curious what the status of this issue is?

Still can't repro in TOT. Can repro in older builds. Is this still crashing in TOT?
Comment 10 - Eric Roman - 2008-08-11 10:12:51 PDT
Looks to be fixed. Doesn't repro for me on WebKit-r35661.