[Webkit-unassigned] [Bug 25770] New: Possible Crash in FontFallbackList::determinePitch(const Font* font)?

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 13 17:06:01 PDT 2009 

https://bugs.webkit.org/show_bug.cgi?id=25770

           Summary: Possible Crash in FontFallbackList::determinePitch(const
                    Font* font)?
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: eric at webkit.org
                CC: hyatt at apple.com


Chrome is seeing reports of a few crashes in:

void FontFallbackList::determinePitch(const Font* font) const
{
    const FontData* fontData = primaryFont(font);
    if (!fontData->isSegmented()) // CRASH RIGHT HERE
        m_pitch = static_cast<const SimpleFontData*>(fontData)->pitch();
    else {
        const SegmentedFontData* segmentedFontData = static_cast<const
SegmentedFontData*>(fontData);
        unsigned numRanges = segmentedFontData->numRanges();
        if (numRanges == 1)
            m_pitch = segmentedFontData->rangeAt(0).fontData()->pitch();
        else
            m_pitch = VariablePitch;
    }
}

is it ever possible/legal for primaryFont(font) to return null?  It certainly
looks like it can.  But I'm not sure if that's because Chrome is doing
something wrong, or if because determinePitch() is making bad assumptions about
primaryFont()?

If the primaryFont() assumption is wrong, then this crasher probably hits
Safari too, but I don't know how I would reproduce it.


For context:

    const SimpleFontData* primaryFont() const {
        if (!m_cachedPrimaryFont)
            cachePrimaryFont();
        return m_cachedPrimaryFont;
    }

void Font::cachePrimaryFont() const
{
    ASSERT(m_fontList);
    ASSERT(!m_cachedPrimaryFont);
    m_cachedPrimaryFont = m_fontList->primaryFont(this)->fontDataForCharacter('
');
}

    const SimpleFontData* fontDataForCharacter(UChar32 c) const
    {
        return m_glyphFontData[indexForCharacter(c)];
    }


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list