In Font::drawTextUsingSVGFont() a variable of type SVGTextRunWalkerDrawTextData is created on the stack (called data). One of its fields, charsConsumed, is uninitialized, leading to random values after calling walk() on the SVGTextRunWalker created with it. Patch will be attached.
Created attachment 25926 [details] Patch to fix
This patch adds initialization of the charsConsumed field.
Created attachment 25952 [details] Patch to fix
Comment on attachment 25952 [details] Patch to fix
Just nits:

    1 2008-12-11 davemoore <davemoore@google.com>

Should be:

    1 2008-12-11 David Moore <davemoore@google.com>

(See my email on changelog entries sent to chrome-team last week.)

    WARNING: NO TEST CASES ADDED OR CHANGED

can be removed and replaced with an explanation as to why it's untestable.

    5 Fixed https://bugs.webkit.org/show_bug.cgi?id=22798

Looks like a tab (or maybe just bad indentation).

Looks fine. We could also have fixed this by adding a constructor to SVGTextRunWalkerMeasuredLengthData (which would have possibly prevented future such UMRs).

Marking r- for the nits. Post another copy and I'll be happy to review and land it for you. Thanks for the fix!
Created attachment 25956 [details] Patch to fix
Fixed review issues.
Comment on attachment 25956 [details] Patch to fix Looks fine.
Only snag I hit was one tab in the ChangeLog (we have a pre-commit script which fails if tabs are in any file). Otherwise the patch was great!

    Committing to http://svn.webkit.org/repository/webkit/trunk ...
    M    WebCore/ChangeLog
    M    WebCore/svg/SVGFont.cpp
    Committed r39260
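An added illustration of the pattern behind this bug (not WebKit's code; the struct shapes and the walk() routine are hypothetical simplifications): an aggregate whose charsConsumed field is never initialised, beside the constructor-based fix the reviewer suggested, which makes every stack instance start from a known state no matter how the caller declares it.

```cpp
#include <cstddef>
#include <string>

// "Before": a plain aggregate with no constructor (hypothetical stand-in for
// the walker data types in SVGFont.cpp). `BrokenRunData data;` on the stack
// leaves charsConsumed holding whatever the stack slot contained, which is the
// uninitialised memory read (UMR) reported in the bug.
struct BrokenRunData {
    std::size_t charsConsumed;   // the type itself never initialises this
};

// "After": the reviewer's suggestion, a constructor that initialises the field,
// so the caller cannot forget to do it.
struct RunData {
    std::size_t charsConsumed;
    RunData() : charsConsumed(0) {}
};

// Minimal walker: consumes the run one character at a time and reports the
// count back through the data object, the way walk() feeds charsConsumed.
template <typename Data>
void walk(const std::string& run, Data& data) {
    for (std::size_t i = 0; i < run.size(); ++i)
        ++data.charsConsumed;
}

// Deterministic: RunData's constructor zeroes charsConsumed before walk() adds.
std::size_t consumedChars(const std::string& run) {
    RunData data;                // constructor runs, no braces needed
    walk(run, data);
    return data.charsConsumed;
}

// The "before" type can also be rescued at the declaration site with
// value-initialisation (`data{}`), but that relies on every caller remembering
// it; the constructor fix above removes that burden.
std::size_t consumedCharsValueInit(const std::string& run) {
    BrokenRunData data{};        // {} zero-initialises the aggregate
    walk(run, data);
    return data.charsConsumed;
}
```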