Bug 25100 - [Chromium] Crash in WebCore::ImageBuffer::context when rendering semi-transparent RTL text
Summary: [Chromium] Crash in WebCore::ImageBuffer::context when rendering semi-transparent RTL text
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform
Version: 528+ (Nightly build)
Hardware: All All
Importance: P1 Critical
Assignee: Darin Fisher (:fishd, Google)
URL: http://www.filgoal.com/
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-08 13:21 PDT by Darin Fisher (:fishd, Google)
Modified: 2009-04-08 16:26 PDT (History)
Attachments
v1 patch (68.06 KB, patch)
2009-04-08 15:22 PDT, Darin Fisher (:fishd, Google)
eric: review+

Description Darin Fisher (:fishd, Google) 2009-04-08 13:21:35 PDT
[Chromium] Crash in WebCore::ImageBuffer::context when rendering semi-transparent RTL text

Call stack:

chrome_23f0000!WebCore::ImageBuffer::context [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\skia\imagebufferskia.cpp @ 84]
chrome_23f0000!WebCore::TransparencyWin::initializeNewContext+0x178 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\transparencywin.cpp @ 378]
chrome_23f0000!WebCore::TransparencyWin::setupLayerForOpaqueCompositeLayer+0x11 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\transparencywin.cpp @ 246]
chrome_23f0000!WebCore::TransparencyWin::init+0xa1 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\transparencywin.cpp @ 199]
chrome_23f0000!WebCore::`anonymous namespace'::TransparencyAwareFontPainter::initializeForGDI+0x121 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\fontchromiumwin.cpp @ 152]
chrome_23f0000!WebCore::Font::drawComplexText+0xc5 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\fontchromiumwin.cpp @ 433]
chrome_23f0000!WebCore::Font::drawText+0x98 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\font.cpp @ 199]
chrome_23f0000!WebCore::GraphicsContext::drawText+0x36 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\graphicscontext.cpp @ 329]
chrome_23f0000!WebCore::paintTextWithShadows+0x147 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlinetextbox.cpp @ 273]
chrome_23f0000!WebCore::InlineTextBox::paint+0x601 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlinetextbox.cpp @ 434]
chrome_23f0000!WebCore::InlineFlowBox::paint+0x329 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlineflowbox.cpp @ 632]
chrome_23f0000!WebCore::InlineFlowBox::paint+0x329 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlineflowbox.cpp @ 632]
chrome_23f0000!WebCore::InlineFlowBox::paint+0x329 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlineflowbox.cpp @ 632]
chrome_23f0000!WebCore::RootInlineBox::paint+0x19 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rootinlinebox.cpp @ 198]
chrome_23f0000!WebCore::RenderLineBoxList::paint+0x2b7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlineboxlist.cpp @ 203]
chrome_23f0000!WebCore::RenderBlock::paintContents+0x40 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1678]
chrome_23f0000!WebCore::RenderBlock::paintObject+0xe2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1772]
chrome_23f0000!WebCore::RenderBlock::paint+0xae [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1572]
chrome_23f0000!WebCore::RenderBlock::paintChildren+0xe6 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1709]
chrome_23f0000!WebCore::RenderBlock::paintContents+0x4c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1680]
chrome_23f0000!WebCore::RenderBlock::paintObject+0xe2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1772]
chrome_23f0000!WebCore::RenderBlock::paint+0xae [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1572]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x519 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2053]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paint+0x1f [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 1893]
chrome_23f0000!WebCore::FrameView::paintContents+0xa7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\page\frameview.cpp @ 1346]
chrome_23f0000!WebCore::ScrollView::paint+0x199 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\scrollview.cpp @ 695]
chrome_23f0000!WebCore::RenderWidget::paint+0x16f [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderwidget.cpp @ 216]
chrome_23f0000!WebCore::InlineBox::paint+0xc4 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlinebox.cpp @ 166]
chrome_23f0000!WebCore::InlineFlowBox::paint+0x329 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlineflowbox.cpp @ 632]
chrome_23f0000!WebCore::RootInlineBox::paint+0x19 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rootinlinebox.cpp @ 198]
chrome_23f0000!WebCore::RenderLineBoxList::paint+0x2b7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlineboxlist.cpp @ 203]
chrome_23f0000!WebCore::RenderBlock::paintContents+0x40 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1678]
chrome_23f0000!WebCore::RenderBlock::paintObject+0xe2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1772]
chrome_23f0000!WebCore::RenderBlock::paint+0xae [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1572]
chrome_23f0000!WebCore::RenderTableCell::paint+0xd5 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertablecell.cpp @ 654]
chrome_23f0000!WebCore::RenderTableSection::paintObject+0x36a [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertablesection.cpp @ 1065]
chrome_23f0000!WebCore::RenderTableSection::paint+0x54 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertablesection.cpp @ 963]
chrome_23f0000!WebCore::RenderTable::paintObject+0x134 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertable.cpp @ 484]
chrome_23f0000!WebCore::RenderTable::paint+0xf2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertable.cpp @ 455]
chrome_23f0000!WebCore::RenderBlock::paintChildren+0xe6 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1709]
chrome_23f0000!WebCore::RenderBlock::paintContents+0x4c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1680]
chrome_23f0000!WebCore::RenderBlock::paintObject+0xe2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1772]
chrome_23f0000!WebCore::RenderBlock::paint+0xae [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1572]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x519 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2053]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paint+0x1f [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 1893]
chrome_23f0000!WebCore::FrameView::paintContents+0xa7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\page\frameview.cpp @ 1346]
chrome_23f0000!WebCore::ScrollView::paint+0x199 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\scrollview.cpp @ 695]
chrome_23f0000!WebFrameImpl::CaptureImage+0x17d [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webframe_impl.cc @ 1644]
chrome_23f0000!RenderView::CaptureThumbnail+0x25 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_view.cc @ 719]
chrome_23f0000!RenderView::SendThumbnail+0xc6 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_view.cc @ 459]
chrome_23f0000!RenderView::CapturePageInfo+0xf8 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_view.cc @ 667]
chrome_23f0000!ScopedTaskFactory<ScopedRunnableMethodFactory<RenderView>::RunnableMethod<void (__thiscall RenderView::*)(int,bool),Tuple2<int,bool> > >::TaskWrapper::Run+0x2f [c:\b\slave\chromium-rel-xp\build\src\base\task.h @ 92]
chrome_23f0000!MessageLoop::RunTask+0x80 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 309]
chrome_23f0000!MessageLoop::DeferOrRunPendingTask+0x2e [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 319]
chrome_23f0000!MessageLoop::DoDelayedWork+0x113 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 443]
chrome_23f0000!base::MessagePumpDefault::Run+0x8e [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_default.cc @ 27]
chrome_23f0000!MessageLoop::RunInternal+0xb7 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 197]
chrome_23f0000!MessageLoop::RunHandler+0xa0 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 181]
chrome_23f0000!MessageLoop::Run+0x3d [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 155]
chrome_23f0000!base::Thread::ThreadMain+0x8a [c:\b\slave\chromium-rel-xp\build\src\base\thread.cc @ 159]
chrome_23f0000!`anonymous namespace'::ThreadFunc+0xd [c:\b\slave\chromium-rel-xp\build\src\base\platform_thread_win.cc @ 27]
Comment 1 Darin Fisher (:fishd, Google) 2009-04-08 14:51:12 PDT
The corresponding chromium bug:
http://code.google.com/p/chromium/issues/detail?id=9796
Comment 2 Darin Fisher (:fishd, Google) 2009-04-08 15:22:51 PDT
Created attachment 29349 [details]
v1 patch

Brett already reviewed this.  See http://codereview.chromium.org/62158
Comment 3 Eric Seidel (no email) 2009-04-08 15:24:19 PDT
Comment on attachment 29349 [details]
v1 patch

LGTM.
Comment 4 Eric Seidel (no email) 2009-04-08 15:24:48 PDT
CCing mitz just so he sees this fly by.
Comment 5 Darin Fisher (:fishd, Google) 2009-04-08 16:26:27 PDT
Landed as:  http://trac.webkit.org/changeset/42340