[Webkit-unassigned] [Bug 25770] New: Possible Crash in FontFallbackList::determinePitch(const Font* font)?

bugzilla-daemon at webkit.org
Wed May 13 17:06:01 PDT 2009


           Summary: Possible Crash in FontFallbackList::determinePitch(const Font* font)?
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: eric at webkit.org
                CC: hyatt at apple.com

Chrome is seeing reports of a few crashes in:

void FontFallbackList::determinePitch(const Font* font) const
{
    const FontData* fontData = primaryFont(font);
    if (!fontData->isSegmented()) // CRASH RIGHT HERE
        m_pitch = static_cast<const SimpleFontData*>(fontData)->pitch();
    else {
        const SegmentedFontData* segmentedFontData = static_cast<const SegmentedFontData*>(fontData);
        unsigned numRanges = segmentedFontData->numRanges();
        if (numRanges == 1)
            m_pitch = segmentedFontData->rangeAt(0).fontData()->pitch();
        else
            m_pitch = VariablePitch;
    }
}

Is it ever possible/legal for primaryFont(font) to return null?  It certainly
looks like it can.  But I'm not sure if that's because Chrome is doing
something wrong, or because determinePitch() is making bad assumptions about

If the primaryFont() assumption is wrong, then this crasher probably hits
Safari too, but I don't know how I would reproduce it.

For context:

    const SimpleFontData* primaryFont() const {
        if (!m_cachedPrimaryFont)
            cachePrimaryFont();
        return m_cachedPrimaryFont;
    }

void Font::cachePrimaryFont() const
{
    m_cachedPrimaryFont = m_fontList->primaryFont(this)->fontDataForCharacter(' // line truncated in the archive
}

    const SimpleFontData* fontDataForCharacter(UChar32 c) const
    {
        return m_glyphFontData[indexForCharacter(c)];
    }
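As an added illustration (not WebKit's code, not part of the original report), the following is a reduced, self-contained model of the pitch logic quoted above: the unchecked version reproduces the crash path when the primary font is null, and the checked version shows how the function can tolerate a missing primary font. The class shapes, the single-level `rangeAt(i)->pitch()` accessor and the choice of VariablePitch as the fallback are assumptions of this model.

```cpp
// Reduced model of FontFallbackList::determinePitch(); constructed example, not WebKit code.
#include <cassert>
#include <vector>

enum Pitch { UnknownPitch, FixedPitch, VariablePitch };

struct FontData {
    virtual ~FontData() {}
    virtual bool isSegmented() const = 0;
};

struct SimpleFontData : FontData {
    Pitch m_pitch;
    explicit SimpleFontData(Pitch p) : m_pitch(p) {}
    bool isSegmented() const override { return false; }
    Pitch pitch() const { return m_pitch; }
};

struct SegmentedFontData : FontData {
    std::vector<const SimpleFontData*> ranges;  // one entry per range (assumed shape)
    bool isSegmented() const override { return true; }
    unsigned numRanges() const { return static_cast<unsigned>(ranges.size()); }
    const SimpleFontData* rangeAt(unsigned i) const { return ranges[i]; }
};

// Mirrors the quoted function: the primary font is dereferenced unconditionally,
// so a null fontData crashes on the first line, exactly where the report marks it.
Pitch determinePitchUnchecked(const FontData* fontData) {
    if (!fontData->isSegmented())
        return static_cast<const SimpleFontData*>(fontData)->pitch();
    const SegmentedFontData* segmented = static_cast<const SegmentedFontData*>(fontData);
    return segmented->numRanges() == 1 ? segmented->rangeAt(0)->pitch() : VariablePitch;
}

// Hardened variant: a missing primary font is treated as VariablePitch, the same
// answer the original already gives for any segmented font without exactly one range.
Pitch determinePitchChecked(const FontData* fontData) {
    if (!fontData)
        return VariablePitch;
    if (!fontData->isSegmented())
        return static_cast<const SimpleFontData*>(fontData)->pitch();
    const SegmentedFontData* segmented = static_cast<const SegmentedFontData*>(fontData);
    if (segmented->numRanges() == 1)
        return segmented->rangeAt(0)->pitch();
    return VariablePitch;
}
```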
