[Webkit-unassigned] [Bug 32257] Safari/Chromium crashes on complicated @font-face rule

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 14 21:06:12 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=32257
--- Comment #4 from Yusuke Sato <yusukes at chromium.org>  2009-12-14 21:06:11 PST ---
Here is a memory checker log from Chromium on Linux. The log shows that in
GlyphPageTreeNode::pruneCustomFontData(), a GlyphPageTreeNode object is deleted
regardless of whether it is still referred to from instances of the FontFallback
class.
Since a GlyphPageTreeNode object is shared between GlyphPageTreeNode's static
member variables and FontFallback instances, I think we should use reference
counting.

==21519== Thread 16:
==21519== Invalid read of size 4
==21519==    at 0x9846854: WTF::RefPtr<WebCore::GlyphPage>::get() const (RefPtr.h:57)
==21519==    by 0x9846481: WebCore::GlyphPageTreeNode::page() const (GlyphPageTreeNode.h:203)
==21519==    by 0x9845415: WebCore::Font::glyphDataForCharacter(int, bool, bool) const (FontFastPath.cpp:75)
==21519==    by 0x9859325: WebCore::WidthIterator::advance(int, WebCore::GlyphBuffer*) (WidthIterator.cpp:116)
==21519==    by 0x9845E74: WebCore::Font::floatWidthForSimpleText(WebCore::TextRun const&, WebCore::GlyphBuffer*, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*) const (FontFastPath.cpp:327)
==21519==    by 0x9839394: WebCore::Font::floatWidth(WebCore::TextRun const&, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*) const (Font.cpp:198)
==21519==    by 0x981E600: WebCore::Font::width(WebCore::TextRun const&, WTF::HashSet<WebCore::SimpleFontData const*, WTF::PtrHash<WebCore::SimpleFontData const*>, WTF::HashTraits<WebCore::SimpleFontData const*> >*) const (Font.h:81)
==21519==    by 0x98EF6BC: WebCore::textWidth(WebCore::RenderText*, unsigned int, unsigned int, WebCore::Font const&, int, bool, bool) (RenderBlockLineLayout.cpp:1582)
==21519==    by 0x98F0942: WebCore::RenderBlock::findNextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, bool, bool&, bool&, WebCore::EClear*) (RenderBlockLineLayout.cpp:1898)
==21519==    by 0x98ECC01: WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) (RenderBlockLineLayout.cpp:959)
==21519==  Address 0x54db54c is 4 bytes inside a block of size 76 free'd
==21519==    at 0x402454D: operator delete(void*) (vg_replace_malloc.c:346)
==21519==    by 0x98496D1: WebCore::GlyphPageTreeNode::pruneCustomFontData(WebCore::FontData const*) (GlyphPageTreeNode.cpp:338)
==21519==    by 0x9848983: WebCore::GlyphPageTreeNode::pruneTreeCustomFontData(WebCore::FontData const*) (GlyphPageTreeNode.cpp:104)
==21519==    by 0x9C113B3: WebCore::CSSSegmentedFontFace::pruneTable() (CSSSegmentedFontFace.cpp:57)
==21519==    by 0x9C114F0: WebCore::CSSSegmentedFontFace::fontLoaded(WebCore::CSSFontFace*) (CSSSegmentedFontFace.cpp:84)
==21519==    by 0x9C2A269: WebCore::CSSFontFace::fontLoaded(WebCore::CSSFontFaceSource*) (CSSFontFace.cpp:90)
==21519==    by 0x9C2CA37: WebCore::CSSFontFaceSource::fontLoaded(WebCore::CachedFont*) (CSSFontFaceSource.cpp:96)
==21519==    by 0x9769B0A: WebCore::CachedFont::checkNotify() (CachedFont.cpp:196)

I'll submit a patch shortly.

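The comment above describes the classic shape of a use-after-free: one object is owned by a static table and also cached by other instances, and the table's prune routine deletes it outright. The example below is added here and is not WebKit code or the patch that fixed this bug; the names Node, NodePtr, PageTable and Fallback are hypothetical stand-ins for GlyphPageTreeNode, WTF::RefPtr, the static page tree and FontFallback. It shows the reference-counted design the comment proposes: prune only drops the table's reference, so a node still cached by a Fallback stays readable and is freed only when the last holder lets go.

```cpp
// Added example, not WebKit code. Models the shared-ownership pattern from the
// bug with intrusive reference counting, so that pruning the static table
// cannot free a node that a fallback object still references.
#include <cstddef>
#include <map>
#include <string>
#include <utility>

namespace example {

static int g_destroyed = 0;  // number of Node destructions so far (for the checks)

// Stand-in for GlyphPageTreeNode with an intrusive refcount (hypothetical).
class Node {
public:
    explicit Node(std::string data) : m_data(std::move(data)) {}
    ~Node() { ++g_destroyed; }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }   // last holder frees it
    int refCount() const { return m_refCount; }
    const std::string& data() const { return m_data; }
private:
    int m_refCount = 0;
    std::string m_data;
};

// Minimal RefPtr-like smart pointer (hypothetical, loosely modelled on WTF::RefPtr).
class NodePtr {
public:
    NodePtr() = default;
    NodePtr(Node* p) : m_p(p) { if (m_p) m_p->ref(); }
    NodePtr(const NodePtr& o) : m_p(o.m_p) { if (m_p) m_p->ref(); }
    NodePtr& operator=(NodePtr o) { std::swap(m_p, o.m_p); return *this; }
    ~NodePtr() { if (m_p) m_p->deref(); }
    Node* get() const { return m_p; }
    Node* operator->() const { return m_p; }
    explicit operator bool() const { return m_p != nullptr; }
private:
    Node* m_p = nullptr;
};

// Stand-in for the static page tree: maps a font key to its shared node.
class PageTable {
public:
    NodePtr nodeFor(const std::string& key) {
        auto it = m_nodes.find(key);
        if (it == m_nodes.end())
            it = m_nodes.emplace(key, NodePtr(new Node("glyphs for " + key))).first;
        return it->second;                       // hands out another reference
    }
    // The buggy pattern would `delete` the node here; this only drops the
    // table's own reference, leaving any cached holders intact.
    void pruneCustomFontData(const std::string& key) { m_nodes.erase(key); }
    std::size_t size() const { return m_nodes.size(); }
private:
    std::map<std::string, NodePtr> m_nodes;
};

// Stand-in for FontFallback: keeps a node it obtained from the table.
class Fallback {
public:
    void cache(NodePtr n) { m_cached = std::move(n); }
    std::string read() const { return m_cached ? m_cached->data() : "<none>"; }
    int refCount() const { return m_cached ? m_cached->refCount() : 0; }
    void clear() { m_cached = NodePtr(); }
private:
    NodePtr m_cached;
};

struct Result {
    std::string readAfterPrune;   // what the fallback reads after the table pruned
    int refCountAfterPrune;       // references left on the node after pruning
    int destroyedAfterPrune;      // nodes freed by the prune itself
    int destroyedAtEnd;           // nodes freed once the fallback releases it
};

// Replays the scenario from the bug: the table is pruned while a fallback
// still holds the node, then the node is read, then the fallback lets go.
Result runScenario() {
    g_destroyed = 0;
    PageTable table;
    Fallback fallback;
    fallback.cache(table.nodeFor("custom-face"));   // table: 1 ref, fallback: 1 ref
    table.pruneCustomFontData("custom-face");        // would have been the premature delete
    Result r;
    r.readAfterPrune = fallback.read();              // still valid, not a UAF
    r.refCountAfterPrune = fallback.refCount();
    r.destroyedAfterPrune = g_destroyed;
    fallback.clear();                                // last reference dropped here
    r.destroyedAtEnd = g_destroyed;
    return r;
}

}  // namespace example
```

Running this under Valgrind or AddressSanitizer reports nothing, because the read after pruneCustomFontData() touches live memory; swapping the erase for a raw `delete` of the node reproduces the "Invalid read ... inside a block ... free'd" report pattern shown in the log above.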