[Webkit-unassigned] [Bug 46878] New: Combination of :first-letter and @font-face can cause crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 29 23:39:01 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=46878

           Summary: Combination of :first-letter and @font-face can cause
                    crash
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: P1
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: yuzo at google.com
                CC: mitz at webkit.org


Created an attachment (id=69316)
 --> (https://bugs.webkit.org/attachment.cgi?id=69316)
Reduced crash case

r68751 crashes when opening the following file (also available as the attachment).
The crash is easier to reproduce with a debug build. You may need to reload several times.

This also causes http://code.google.com/p/chromium/issues/detail?id=56035 .


<style>
@font-face {
  font-family:myfont1;
  src: url(http://themes.googleusercontent.com/font?kit=HGfsyCL5WASpHOFnouG-RKCWcynf_cDxXwCLxiixG1c)

}
#testid {
  font-family:myfont1;
  font-size:64px;
}
#testid:first-letter {
  color:blue;
}
</style>

<div id="testid">
<span>Hello</span>
</div>


The following is my analysis.

(gdb) r
Starting program: /Applications/Safari.app/Contents/MacOS/Safari 
Reading symbols for shared libraries .+++++++++++++++++++++++++++++......................................................................................................... done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
ASSERTION FAILED: pageNumber == m_pageNumber
(<SRC>/WebKit/WebCore/platform/graphics/GlyphPageTreeNode.cpp:318 WebCore::GlyphPageTreeNode* WebCore::GlyphPageTreeNode::getChild(const WebCore::FontData*, unsigned int))

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000bbadbeef
0x0000000101893924 in WebCore::GlyphPageTreeNode::getChild (this=0x112a82000, fontData=0x112a1def0, pageNumber=0) at <SRC>/WebKit/WebCore/platform/graphics/GlyphPageTreeNode.cpp:318
318        ASSERT(pageNumber == m_pageNumber);
(gdb) where
#0  0x0000000101893924 in WebCore::GlyphPageTreeNode::getChild (this=0x112a82000, fontData=0x112a1def0, pageNumber=0) at <SRC>/WebKit/WebCore/platform/graphics/GlyphPageTreeNode.cpp:318
#1  0x000000010183fc90 in WebCore::Font::glyphDataForCharacter (this=0x112a0c658, c=72, mirror=false, forceSmallCaps=false) at <SRC>/WebKit/WebCore/platform/graphics/FontFastPath.cpp:84
#2  0x00000001021309cb in WebCore::WidthIterator::advance (this=0x7fff5fbfc4b0, offset=1, glyphBuffer=0x0) at <SRC>/WebKit/WebCore/platform/graphics/WidthIterator.cpp:127
#3  0x000000010183f408 in WebCore::Font::floatWidthForSimpleText (this=0x112a0c658, run=@0x7fff5fbfc600, glyphBuffer=0x0, fallbackFonts=0x7fff5fbfc790, glyphOverflow=0x0) at <SRC>/WebKit/WebCore/platform/graphics/FontFastPath.cpp:247
#4  0x000000010182f47a in WebCore::Font::floatWidth (this=0x112a0c658, run=@0x7fff5fbfc600, fallbackFonts=0x7fff5fbfc790, glyphOverflow=0x7fff5fbfc780) at <SRC>/WebKit/WebCore/platform/graphics/Font.cpp:171
#5  0x0000000101555b93 in WebCore::Font::width (this=0x112a0c658, run=@0x7fff5fbfc600, fallbackFonts=0x7fff5fbfc790, glyphOverflow=0x7fff5fbfc780) at Font.h:97
#6  0x0000000101efc9ac in WebCore::RenderText::widthFromCache (this=0x112a1c208, f=@0x112a0c658, start=0, len=1, xPos=0, fallbackFonts=0x7fff5fbfc790, glyphOverflow=0x7fff5fbfc780) at <SRC>/WebKit/WebCore/rendering/RenderText.cpp:570
#7  0x0000000101ef938a in WebCore::RenderText::computePreferredLogicalWidths (this=0x112a1c208, leadWidth=0, fallbackFonts=@0x7fff5fbfc790, glyphOverflow=@0x7fff5fbfc780) at <SRC>/WebKit/WebCore/rendering/RenderText.cpp:793
#8  0x0000000101ef9bfe in WebCore::RenderText::computePreferredLogicalWidths (this=0x112a1c208, leadWidth=0) at <SRC>/WebKit/WebCore/rendering/RenderText.cpp:687
#9  0x0000000101ef70fa in WebCore::RenderText::maxPreferredLogicalWidth (this=0x112a1c208) at <SRC>/WebKit/WebCore/rendering/RenderText.cpp:678
#10 0x0000000101ef9adb in WebCore::RenderText::width (this=0x112a1c208, from=0, len=1, f=@0x112a0c658, xPos=0, fallbackFonts=0x0, glyphOverflow=0x0) at <SRC>/WebKit/WebCore/rendering/RenderText.cpp:1259
#11 0x0000000101e15687 in WebCore::textWidth (text=0x112a1c208, from=0, len=1, font=@0x112a0c658, xPos=0, isFixedPitch=false, collapseWhiteSpace=true) at <SRC>/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp:1356
#12 0x0000000101e18d3f in WebCore::RenderBlock::findNextLineBreak (this=0x112a1e678, resolver=@0x7fff5fbfced0, firstLine=true, isLineEmpty=@0x7fff5fbfd2b5, previousLineBrokeCleanly=@0x7fff5fbfd2b9, hyphenated=@0x7fff5fbfd2b3, clear=0x7fff5fbfd258, lastFloatFromPreviousLine=0x0) at <SRC>/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp:1850
#13 0x0000000101e1c8ee in WebCore::RenderBlock::layoutInlineChildren (this=0x112a1e678, relayoutChildren=false, repaintTop=@0x7fff5fbfd48c, repaintBottom=@0x7fff5fbfd488) at <SRC>/WebKit/WebCore/rendering/RenderBlockLineLayout.cpp:657
#14 0x0000000101dfd7eb in WebCore::RenderBlock::layoutBlock (this=0x112a1e678, relayoutChildren=false, pageHeight=0) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1205
#15 0x0000000101dfc514 in WebCore::RenderBlock::layout (this=0x112a1e678) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1104
#16 0x0000000101dfbb82 in WebCore::RenderBlock::layoutBlockChild (this=0x112a20088, child=0x112a1e678, marginInfo=@0x7fff5fbfd670, previousFloatBottom=@0x7fff5fbfd6f4, maxFloatBottom=@0x7fff5fbfd844) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1872
#17 0x0000000101dfd1a6 in WebCore::RenderBlock::layoutBlockChildren (this=0x112a20088, relayoutChildren=false, maxFloatBottom=@0x7fff5fbfd844) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1809
#18 0x0000000101dfd804 in WebCore::RenderBlock::layoutBlock (this=0x112a20088, relayoutChildren=false, pageHeight=0) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1207
#19 0x0000000101dfc514 in WebCore::RenderBlock::layout (this=0x112a20088) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1104
#20 0x0000000101dfbb82 in WebCore::RenderBlock::layoutBlockChild (this=0x112937178, child=0x112a20088, marginInfo=@0x7fff5fbfda30, previousFloatBottom=@0x7fff5fbfdab4, maxFloatBottom=@0x7fff5fbfdc04) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1872
#21 0x0000000101dfd1a6 in WebCore::RenderBlock::layoutBlockChildren (this=0x112937178, relayoutChildren=false, maxFloatBottom=@0x7fff5fbfdc04) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1809
#22 0x0000000101dfd804 in WebCore::RenderBlock::layoutBlock (this=0x112937178, relayoutChildren=false, pageHeight=0) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1207
#23 0x0000000101dfc514 in WebCore::RenderBlock::layout (this=0x112937178) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1104
#24 0x0000000101dfbb82 in WebCore::RenderBlock::layoutBlockChild (this=0x1129362f8, child=0x112937178, marginInfo=@0x7fff5fbfddf0, previousFloatBottom=@0x7fff5fbfde74, maxFloatBottom=@0x7fff5fbfdfc4) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1872
#25 0x0000000101dfd1a6 in WebCore::RenderBlock::layoutBlockChildren (this=0x1129362f8, relayoutChildren=false, maxFloatBottom=@0x7fff5fbfdfc4) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1809
#26 0x0000000101dfd804 in WebCore::RenderBlock::layoutBlock (this=0x1129362f8, relayoutChildren=false, pageHeight=0) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1207
#27 0x0000000101dfc514 in WebCore::RenderBlock::layout (this=0x1129362f8) at <SRC>/WebKit/WebCore/rendering/RenderBlock.cpp:1104
#28 0x0000000101f1dfd3 in WebCore::RenderView::layout (this=0x1129362f8) at <SRC>/WebKit/WebCore/rendering/RenderView.cpp:122
#29 0x0000000101875637 in WebCore::FrameView::layout (this=0x1129356a0, allowSubtree=true) at <SRC>/WebKit/WebCore/page/FrameView.cpp:766
#30 0x0000000101875f74 in WebCore::FrameView::layoutTimerFired (this=0x1129356a0) at <SRC>/WebKit/WebCore/page/FrameView.cpp:1335
#31 0x00000001018790a3 in WebCore::Timer<WebCore::FrameView>::fired (this=0x1129357e0) at Timer.h:98
#32 0x00000001020e2ea4 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x10636ceb0) at <SRC>/WebKit/WebCore/platform/ThreadTimers.cpp:112
#33 0x00000001020e3033 in WebCore::ThreadTimers::sharedTimerFired () at <SRC>/WebKit/WebCore/platform/ThreadTimers.cpp:90
#34 0x0000000101faa0fe in WebCore::timerFired () at <SRC>/WebKit/WebCore/platform/mac/SharedTimerMac.mm:86
#35 0x00007fff81548678 in __CFRunLoopRun ()
#36 0x00007fff8154684f in CFRunLoopRunSpecific ()
#37 0x00007fff8192a91a in RunCurrentEventLoopInMode ()
#38 0x00007fff8192a71f in ReceiveNextEventCommon ()
#39 0x00007fff8192a5d8 in BlockUntilNextEventMatchingListInMode ()
#40 0x00007fff82a7629e in _DPSNextEvent ()
#41 0x00007fff82a75bed in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#42 0x00000001000165d8 in ?? ()
#43 0x00007fff82a3b8d3 in -[NSApplication run] ()
#44 0x00007fff82a345f8 in NSApplicationMain ()
#45 0x000000010000a4a4 in ?? ()
Current language:  auto; currently c++
(gdb) up 6
#6  0x0000000101efc9ac in WebCore::RenderText::widthFromCache (this=0x112a1c208, f=@0x112a0c658, start=0, len=1, xPos=0, fallbackFonts=0x7fff5fbfc790, glyphOverflow=0x7fff5fbfc780) at <SRC>/WebKit/WebCore/rendering/RenderText.cpp:570
570        return f.width(TextRun(text()->characters() + start, len, allowTabs(), xPos), fallbackFonts, glyphOverflow);
(gdb) call showRenderTree(this)
RenderView 0x1129362f8                     #document    0x107832400
  RenderBlock 0x112937178                  HTML    0x112934ea0
    RenderBody 0x112a20088                 BODY    0x112a13bc0
      RenderBlock 0x112a1e678              DIV    0x112a13c50
        RenderInline 0x112a1e288           SPAN    0x112a0d770
          RenderInline (generated) 0x112a1c838
*           RenderText 0x112a1c208         #text    0x112a1e300 "Hello"
          RenderText 0x112a1c3e8           #text    0x112a1e300 "Hello"
        RenderText 0x112a1d6d8             #text    0x112a1df70 "\n"
(gdb) 


After the web font is loaded, a new style is set to RenderBlock(DIV).
RenderBlock::styleDidChange calls RenderBlock::updateFirstLetter, and the
first-letter style is determined from the stale style of RenderInline(SPAN) and
is cached in the style of RenderBlock(DIV).

When a new style is set to RenderInline(SPAN), the first-letter style cached
in the style of RenderBlock(DIV) is used and not updated.

Then the stale first-letter style causes the crash.

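The cache hazard described in the analysis above, as an added illustration that is not WebKit code and not the reporter's: a parent block computes a derived first-letter style from its child's current style inside styleDidChange and keeps the copy, but nothing refreshes that copy when the child itself restyles later. Every type and member name below (Style, Inline, Block, updateFirstLetter, setStyle, the "generation" counter standing in for the identity of a style object) is hypothetical, and the "notify the parent on child restyle" path is one plausible remediation pattern, not the fix WebKit actually landed, which the report does not show.

```cpp
#include <memory>
#include <string>
#include <utility>

// Simplified model of the stale first-letter style cache (hypothetical names).
// A generation number stands in for the identity of a style object so a stale
// copy can be told apart from a fresh one.
struct Style {
    std::string fontFamily;
    unsigned generation;
};

struct Block;

struct Inline {
    std::shared_ptr<Style> style;
    Block* parent = nullptr;
    void setStyle(std::shared_ptr<Style> s, bool notifyParent);
};

struct Block {
    std::shared_ptr<Style> style;
    Inline* child = nullptr;
    // Derived style for the ::first-letter box, computed from the child.
    std::shared_ptr<Style> cachedFirstLetterStyle;

    void updateFirstLetter() {
        // Inherits from whatever style the child has *right now*.
        cachedFirstLetterStyle = std::make_shared<Style>(*child->style);
    }
    void styleDidChange(std::shared_ptr<Style> newStyle) {
        style = std::move(newStyle);
        updateFirstLetter();
    }
    // Layout reads the cached copy; on the buggy path it is never refreshed
    // after the child restyles, so it can describe a style that is gone.
    const Style& firstLetterStyle() const { return *cachedFirstLetterStyle; }
};

void Inline::setStyle(std::shared_ptr<Style> s, bool notifyParent) {
    style = std::move(s);
    if (notifyParent && parent)
        parent->updateFirstLetter();  // remediation: recompute from the fresh child style
}

// Replays the ordering from the report: both boxes start on a fallback style,
// the web font "loads", the DIV restyles (caching first-letter from the still
// stale SPAN style), and only afterwards the SPAN restyles.
// Returns the generation the DIV's first-letter style ends up describing.
unsigned firstLetterGenerationAfterFontLoad(bool childNotifiesParent) {
    auto fallback = std::make_shared<Style>(Style{"serif", 1});
    Inline span{fallback};
    Block div{fallback, &span};
    span.parent = &div;
    div.updateFirstLetter();                       // initial cache: generation 1

    auto webFont = std::make_shared<Style>(Style{"myfont1", 2});
    div.styleDidChange(webFont);                   // DIV restyles; SPAN still generation 1
    span.setStyle(webFont, childNotifiesParent);   // SPAN restyles afterwards

    return div.firstLetterStyle().generation;      // 1 = stale copy, 2 = fresh
}

int main() {
    // Without notification the DIV keeps a first-letter style derived from the
    // SPAN's old style; with notification it is recomputed from the new one.
    return (firstLetterGenerationAfterFontLoad(false) == 1
            && firstLetterGenerationAfterFontLoad(true) == 2) ? 0 : 1;
}
```

The point of the model is the ordering: the cache is filled during the parent's own styleDidChange, when the child has not yet been restyled, and the child's later restyle has no hook back into the parent's cache. In the real engine the stale copy still references font data that the web-font load replaced, which is where the glyph page assertion fires.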