[Chromium] Crash in WebCore::ImageBuffer::context when rendering semi-transparent RTL text

Call stack:

chrome_23f0000!WebCore::ImageBuffer::context [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\skia\imagebufferskia.cpp @ 84]
chrome_23f0000!WebCore::TransparencyWin::initializeNewContext+0x178 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\transparencywin.cpp @ 378]
chrome_23f0000!WebCore::TransparencyWin::setupLayerForOpaqueCompositeLayer+0x11 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\transparencywin.cpp @ 246]
chrome_23f0000!WebCore::TransparencyWin::init+0xa1 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\transparencywin.cpp @ 199]
chrome_23f0000!WebCore::`anonymous namespace'::TransparencyAwareFontPainter::initializeForGDI+0x121 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\fontchromiumwin.cpp @ 152]
chrome_23f0000!WebCore::Font::drawComplexText+0xc5 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\chromium\fontchromiumwin.cpp @ 433]
chrome_23f0000!WebCore::Font::drawText+0x98 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\font.cpp @ 199]
chrome_23f0000!WebCore::GraphicsContext::drawText+0x36 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\graphics\graphicscontext.cpp @ 329]
chrome_23f0000!WebCore::paintTextWithShadows+0x147 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlinetextbox.cpp @ 273]
chrome_23f0000!WebCore::InlineTextBox::paint+0x601 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlinetextbox.cpp @ 434]
chrome_23f0000!WebCore::InlineFlowBox::paint+0x329 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlineflowbox.cpp @ 632]
chrome_23f0000!WebCore::InlineFlowBox::paint+0x329 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlineflowbox.cpp @ 632]
chrome_23f0000!WebCore::InlineFlowBox::paint+0x329 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlineflowbox.cpp @ 632]
chrome_23f0000!WebCore::RootInlineBox::paint+0x19 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rootinlinebox.cpp @ 198]
chrome_23f0000!WebCore::RenderLineBoxList::paint+0x2b7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlineboxlist.cpp @ 203]
chrome_23f0000!WebCore::RenderBlock::paintContents+0x40 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1678]
chrome_23f0000!WebCore::RenderBlock::paintObject+0xe2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1772]
chrome_23f0000!WebCore::RenderBlock::paint+0xae [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1572]
chrome_23f0000!WebCore::RenderBlock::paintChildren+0xe6 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1709]
chrome_23f0000!WebCore::RenderBlock::paintContents+0x4c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1680]
chrome_23f0000!WebCore::RenderBlock::paintObject+0xe2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1772]
chrome_23f0000!WebCore::RenderBlock::paint+0xae [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1572]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x519 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2053]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paint+0x1f [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 1893]
chrome_23f0000!WebCore::FrameView::paintContents+0xa7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\page\frameview.cpp @ 1346]
chrome_23f0000!WebCore::ScrollView::paint+0x199 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\scrollview.cpp @ 695]
chrome_23f0000!WebCore::RenderWidget::paint+0x16f [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderwidget.cpp @ 216]
chrome_23f0000!WebCore::InlineBox::paint+0xc4 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlinebox.cpp @ 166]
chrome_23f0000!WebCore::InlineFlowBox::paint+0x329 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\inlineflowbox.cpp @ 632]
chrome_23f0000!WebCore::RootInlineBox::paint+0x19 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rootinlinebox.cpp @ 198]
chrome_23f0000!WebCore::RenderLineBoxList::paint+0x2b7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlineboxlist.cpp @ 203]
chrome_23f0000!WebCore::RenderBlock::paintContents+0x40 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1678]
chrome_23f0000!WebCore::RenderBlock::paintObject+0xe2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1772]
chrome_23f0000!WebCore::RenderBlock::paint+0xae [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1572]
chrome_23f0000!WebCore::RenderTableCell::paint+0xd5 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertablecell.cpp @ 654]
chrome_23f0000!WebCore::RenderTableSection::paintObject+0x36a [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertablesection.cpp @ 1065]
chrome_23f0000!WebCore::RenderTableSection::paint+0x54 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertablesection.cpp @ 963]
chrome_23f0000!WebCore::RenderTable::paintObject+0x134 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertable.cpp @ 484]
chrome_23f0000!WebCore::RenderTable::paint+0xf2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\rendertable.cpp @ 455]
chrome_23f0000!WebCore::RenderBlock::paintChildren+0xe6 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1709]
chrome_23f0000!WebCore::RenderBlock::paintContents+0x4c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1680]
chrome_23f0000!WebCore::RenderBlock::paintObject+0xe2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1772]
chrome_23f0000!WebCore::RenderBlock::paint+0xae [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderblock.cpp @ 1572]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x519 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2053]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paintLayer+0x6e3 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 2078]
chrome_23f0000!WebCore::RenderLayer::paint+0x1f [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderlayer.cpp @ 1893]
chrome_23f0000!WebCore::FrameView::paintContents+0xa7 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\page\frameview.cpp @ 1346]
chrome_23f0000!WebCore::ScrollView::paint+0x199 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\scrollview.cpp @ 695]
chrome_23f0000!WebFrameImpl::CaptureImage+0x17d [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webframe_impl.cc @ 1644]
chrome_23f0000!RenderView::CaptureThumbnail+0x25 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_view.cc @ 719]
chrome_23f0000!RenderView::SendThumbnail+0xc6 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_view.cc @ 459]
chrome_23f0000!RenderView::CapturePageInfo+0xf8 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_view.cc @ 667]
chrome_23f0000!ScopedTaskFactory<ScopedRunnableMethodFactory<RenderView>::RunnableMethod<void (__thiscall RenderView::*)(int,bool),Tuple2<int,bool> > >::TaskWrapper::Run+0x2f [c:\b\slave\chromium-rel-xp\build\src\base\task.h @ 92]
chrome_23f0000!MessageLoop::RunTask+0x80 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 309]
chrome_23f0000!MessageLoop::DeferOrRunPendingTask+0x2e [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 319]
chrome_23f0000!MessageLoop::DoDelayedWork+0x113 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 443]
chrome_23f0000!base::MessagePumpDefault::Run+0x8e [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_default.cc @ 27]
chrome_23f0000!MessageLoop::RunInternal+0xb7 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 197]
chrome_23f0000!MessageLoop::RunHandler+0xa0 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 181]
chrome_23f0000!MessageLoop::Run+0x3d [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 155]
chrome_23f0000!base::Thread::ThreadMain+0x8a [c:\b\slave\chromium-rel-xp\build\src\base\thread.cc @ 159]
chrome_23f0000!`anonymous namespace'::ThreadFunc+0xd [c:\b\slave\chromium-rel-xp\build\src\base\platform_thread_win.cc @ 27]
The corresponding chromium bug: http://code.google.com/p/chromium/issues/detail?id=9796
Created attachment 29349: v1 patch
Brett already reviewed this. See http://codereview.chromium.org/62158

Comment on attachment 29349 (v1 patch): LGTM.
CCing mitz just so he sees this fly by.
Landed as: http://trac.webkit.org/changeset/42340