[Webkit-unassigned] [Bug 18378] CRASH at http://warrock.nexon.com

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Apr 27 21:11:20 PDT 2008


http://bugs.webkit.org/show_bug.cgi?id=18378
------- Comment #3 from minatoar at gmail.com  2008-04-27 21:11 PDT -------
Created an attachment (id=20860)
 --> (http://bugs.webkit.org/attachment.cgi?id=20860&action=view)
Object interaction causing crash

The problem is a freed-memory read when laying out the page after the custom
font has finished loading.

The architecture of CSSFontFace doesn't allow it to be (safely) shared by more
than one CSSSegmentedFontFace, which is what happens in this case. Once the
CSSFontFaceSource destroys its temporary SimpleFontData, one of the
CSSSegmentedFontFaces sharing it is left with a bad pointer.

(see attached diagram for precise interaction)

It is not clear to me from the spec what the correct behavior should be.
Scenario:

@font-face {
  font-family: x1, x2;
  src: url(...);
}

Should you be able to:
(a) reference the custom font as "x1" only
(b) reference the custom font as either "x1" or "x2"
(c) not reference the custom font at all (invalid format)

It looks to me that IE is doing (a).

I've got some tentative patches, but I need someone to point me to which
outcome is the desired one.


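A toy model of the ownership hazard the comment above describes, added here as an illustration; it is not WebKit's code and not the reporter's tentative patch. The class names follow the report, but the `s_live` counter, the method names and the `shared_ptr` remedy are assumptions of the sketch. The first half shows how a source that solely owns a temporary `SimpleFontData` and hands out raw pointers leaves a second holder dangling once the real font arrives; the second half shows the same scenario with shared ownership, where the last holder frees the data.

```cpp
// Hypothetical sketch of the CSSFontFaceSource / CSSSegmentedFontFace
// ownership problem. Not WebKit code; names and structure are assumptions.
#include <iostream>
#include <memory>
#include <string>

struct SimpleFontData {
    static int s_live;               // live-object count, so a dangling holder can be
                                     // detected without dereferencing anything
    std::string family;
    explicit SimpleFontData(std::string f) : family(std::move(f)) { ++s_live; }
    ~SimpleFontData() { --s_live; }
};
int SimpleFontData::s_live = 0;

// --- Buggy shape: the source is the sole owner and hands out raw pointers ---
class RawFontFaceSource {
public:
    SimpleFontData* temporaryFontData() {
        if (!m_temp) m_temp = std::make_unique<SimpleFontData>("temporary");
        return m_temp.get();         // holders get no say in the lifetime
    }
    void fontFinishedLoading() { m_temp.reset(); }   // destroys the temporary
private:
    std::unique_ptr<SimpleFontData> m_temp;
};

struct RawSegmentedFontFace { SimpleFontData* data = nullptr; };

// "font-family: x1, x2" -> two segmented faces end up caching one source's
// temporary. Returns true when x2 still holds a pointer after the object is gone.
// The pointer is inspected before destruction and never dereferenced afterwards,
// so the check itself is well-defined; a real layout pass would read through it.
bool rawSharingLeavesDanglingPointer() {
    RawFontFaceSource source;
    RawSegmentedFontFace x1, x2;
    x1.data = source.temporaryFontData();
    x2.data = source.temporaryFontData();
    bool x2HoldsPointer = x2.data != nullptr;
    source.fontFinishedLoading();    // font loaded: temporary freed under x2
    return x2HoldsPointer && SimpleFontData::s_live == 0;
}

// --- Remedied shape: shared ownership, the last holder frees the data ---
class SharedFontFaceSource {
public:
    std::shared_ptr<SimpleFontData> temporaryFontData() {
        if (!m_temp) m_temp = std::make_shared<SimpleFontData>("temporary");
        return m_temp;
    }
    void fontFinishedLoading() { m_temp.reset(); }   // drops only the source's ref
private:
    std::shared_ptr<SimpleFontData> m_temp;
};

struct SharedSegmentedFontFace { std::shared_ptr<SimpleFontData> data; };

// Same scenario; x2 can still read its data after the source let go.
std::string sharedOwnershipKeepsDataAlive() {
    SharedFontFaceSource source;
    SharedSegmentedFontFace x1, x2;
    x1.data = source.temporaryFontData();
    x2.data = source.temporaryFontData();
    source.fontFinishedLoading();
    return x2.data ? x2.data->family : std::string();
}

// Once every holder is gone the data is released exactly once.
int liveAfterSharedScenario() {
    sharedOwnershipKeepsDataAlive();
    return SimpleFontData::s_live;
}

int main() {
    std::cout << std::boolalpha
              << "raw model leaves x2 dangling: " << rawSharingLeavesDanglingPointer() << '\n'
              << "shared model reads: " << sharedOwnershipKeepsDataAlive() << '\n'
              << "live objects afterwards: " << liveAfterSharedScenario() << '\n';
    return 0;
}
```

The point of the sketch is the ownership decision, not the exact fix: whichever of (a), (b) or (c) the spec question resolves to, a `SimpleFontData` that can be reached from more than one face must be kept alive by its holders or explicitly invalidated in each of them before the source frees it.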