[Webkit-unassigned] [Bug 200340] [WinCairo] Specifying huge font-size causes crashing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Aug 4 21:17:52 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=200340

--- Comment #4 from Fujii Hironori <Hironori.Fujii at sony.com> ---
Created attachment 375518

  --> https://bugs.webkit.org/attachment.cgi?id=375518&action=review

float-append-child-crash-crash-log.txt

In Release build, the crash happens in FontCache::lastResortFallbackFont.

Callstack:

> WebKit2!WTF::RefCountedBase::ref [C:\webkit\gc\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h @ 46]
> WebKit2!WTF::Ref<WebCore::Font,WTF::DumbPtrTraits<WebCore::Font> >::Ref+0x7 [C:\webkit\gc\WebKitBuild\Release\WTF\Headers\wtf\Ref.h @ 66]
> WebKit2!WebCore::FontCache::lastResortFallbackFont(class WebCore::FontDescription * fontDescription = 0x000001ff`e98f5cc0)+0x4fc [C:\webkit\gc\Source\WebCore\platform\graphics\win\FontCacheWin.cpp @ 398]
> WebKit2!WebCore::FontCascadeFonts::realizeFallbackRangesAt(class WebCore::FontCascadeDescription * description = 0x000001ff`e98f5cc0, unsigned int index = <Value unavailable error>)+0x571 [C:\webkit\gc\Source\WebCore\platform\graphics\FontCascadeFonts.cpp @ 188]
> WebKit2!WebCore::FontCascadeFonts::primaryFont(class WebCore::FontCascadeDescription * description = 0x000001ff`e98f5cc0)+0x37 [C:\webkit\gc\WebKitBuild\Release\WebCore\PrivateHeaders\WebCore\FontCascadeFonts.h @ 128]
> WebKit2!WebCore::FontCascade::primaryFont+0xd [C:\webkit\gc\Source\WebCore\platform\graphics\FontCascade.h @ 337]
> WebKit2!WebCore::SimpleLineLayout::canUseForFontAndText+0x18 [C:\webkit\gc\Source\WebCore\rendering\SimpleLineLayout.cpp @ 162]
> WebKit2!WebCore::SimpleLineLayout::canUseForWithReason(class WebCore::RenderBlockFlow * flow = 0x000001ff`e9c2be40, WebCore::SimpleLineLayout::IncludeReasons includeReasons = First (0n0))+0x9bb [C:\webkit\gc\Source\WebCore\rendering\SimpleLineLayout.cpp @ 347]
> WebKit2!WebCore::SimpleLineLayout::canUseFor(class WebCore::RenderBlockFlow * flow = 0xe43796b5`a6f60000)+0xb [C:\webkit\gc\Source\WebCore\rendering\SimpleLineLayout.cpp @ 355]
> WebKit2!WebCore::RenderBlockFlow::layoutInlineChildren(class WebCore::LayoutUnit * repaintLogicalTop = 0x000000bb`1c7cd770, class WebCore::LayoutUnit * repaintLogicalBottom = 0x000000bb`1c7cd768)+0x28 [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 669]
> WebKit2!WebCore::RenderBlockFlow::layoutBlock(bool relayoutChildren = <Value unavailable error>, class WebCore::LayoutUnit pageLogicalHeight = class WebCore::LayoutUnit)+0x35f [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 511]
> WebKit2!WebCore::RenderBlock::layout(void)+0x36 [C:\webkit\gc\Source\WebCore\rendering\RenderBlock.cpp @ 603]
> WebKit2!WebCore::RenderBlockFlow::layoutBlockChild(class WebCore::RenderBox * child = 0x000001ff`e9c2be40, class WebCore::RenderBlockFlow::MarginInfo * marginInfo = 0x000000bb`00208894, class WebCore::LayoutUnit * previousFloatLogicalBottom = 0x000000bb`1c7cd9c8, class WebCore::LayoutUnit * maxFloatLogicalBottom = 0x000000bb`1c7cda70)+0x481 [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 738]
> WebKit2!WebCore::RenderBlockFlow::layoutBlockChildren(class WebCore::LayoutUnit * maxFloatLogicalBottom = 0x000000bb`1c7cda70)+0x1ef [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 637]
> WebKit2!WebCore::RenderBlockFlow::layoutBlock(bool relayoutChildren = <Value unavailable error>, class WebCore::LayoutUnit pageLogicalHeight = class WebCore::LayoutUnit)+0x34b [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 510]
> WebKit2!WebCore::RenderBlock::layout(void)+0x36 [C:\webkit\gc\Source\WebCore\rendering\RenderBlock.cpp @ 603]
> WebKit2!WebCore::RenderBlockFlow::layoutBlockChild(class WebCore::RenderBox * child = 0x000001ff`e9c2bae0, class WebCore::RenderBlockFlow::MarginInfo * marginInfo = 0x000000bb`00008a94, class WebCore::LayoutUnit * previousFloatLogicalBottom = 0x000000bb`1c7cdcd8, class WebCore::LayoutUnit * maxFloatLogicalBottom = 0x000000bb`1c7cdd80)+0x481 [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 738]
> WebKit2!WebCore::RenderBlockFlow::layoutBlockChildren(class WebCore::LayoutUnit * maxFloatLogicalBottom = 0x000000bb`1c7cdd80)+0x1ef [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 637]
> WebKit2!WebCore::RenderBlockFlow::layoutBlock(bool relayoutChildren = <Value unavailable error>, class WebCore::LayoutUnit pageLogicalHeight = class WebCore::LayoutUnit)+0x34b [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 510]
> WebKit2!WebCore::RenderBlock::layout(void)+0x36 [C:\webkit\gc\Source\WebCore\rendering\RenderBlock.cpp @ 603]
> WebKit2!WebCore::RenderBlockFlow::layoutBlockChild(class WebCore::RenderBox * child = 0x000001ff`e7868e40, class WebCore::RenderBlockFlow::MarginInfo * marginInfo = 0x000000bb`00088894, class WebCore::LayoutUnit * previousFloatLogicalBottom = 0x000000bb`1c7cdfe8, class WebCore::LayoutUnit * maxFloatLogicalBottom = 0x000000bb`1c7ce090)+0x481 [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 738]
> WebKit2!WebCore::RenderBlockFlow::layoutBlockChildren(class WebCore::LayoutUnit * maxFloatLogicalBottom = 0x000000bb`1c7ce090)+0x1ef [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 637]
> WebKit2!WebCore::RenderBlockFlow::layoutBlock(bool relayoutChildren = <Value unavailable error>, class WebCore::LayoutUnit pageLogicalHeight = class WebCore::LayoutUnit)+0x34b [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 510]
> WebKit2!WebCore::RenderBlock::layout(void)+0x36 [C:\webkit\gc\Source\WebCore\rendering\RenderBlock.cpp @ 603]
> WebKit2!WebCore::RenderBlockFlow::layoutBlockChild(class WebCore::RenderBox * child = 0x000001ff`e7868780, class WebCore::RenderBlockFlow::MarginInfo * marginInfo = 0x000000bb`40018894, class WebCore::LayoutUnit * previousFloatLogicalBottom = 0x000000bb`1c7ce2f8, class WebCore::LayoutUnit * maxFloatLogicalBottom = 0x000000bb`1c7ce3a0)+0x481 [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 738]
> WebKit2!WebCore::RenderBlockFlow::layoutBlockChildren(class WebCore::LayoutUnit * maxFloatLogicalBottom = 0x000000bb`1c7ce3a0)+0x1ef [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 637]
> WebKit2!WebCore::RenderBlockFlow::layoutBlock(bool relayoutChildren = <Value unavailable error>, class WebCore::LayoutUnit pageLogicalHeight = class WebCore::LayoutUnit)+0x34b [C:\webkit\gc\Source\WebCore\rendering\RenderBlockFlow.cpp @ 510]
> WebKit2!WebCore::RenderBlock::layout(void)+0x36 [C:\webkit\gc\Source\WebCore\rendering\RenderBlock.cpp @ 603]
> WebKit2!WebCore::RenderView::layout(void)+0x350 [C:\webkit\gc\Source\WebCore\rendering\RenderView.cpp @ 191]
> WebKit2!WebCore::FrameViewLayoutContext::layout(void)+0x48a [C:\webkit\gc\Source\WebCore\page\FrameViewLayoutContext.cpp @ 221]
> WebKit2!WebCore::Document::updateLayout(void)+0xf0 [C:\webkit\gc\Source\WebCore\dom\Document.cpp @ 2080]
> WebKit2!WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks runPostLayoutTasks = Asynchronously (0n0))+0x56 [C:\webkit\gc\Source\WebCore\dom\Document.cpp @ 2095]
> WebKit2!WebCore::Element::offsetTop+0xf [C:\webkit\gc\Source\WebCore\dom\Element.cpp @ 1078]
> WebKit2!WebCore::Element::offsetTopForBindings(void)+0x3b [C:\webkit\gc\Source\WebCore\dom\Element.cpp @ 1057]
> WebKit2!WebCore::jsHTMLElementOffsetTopGetter+0x9 [C:\webkit\gc\WebKitBuild\Release\WebCore\DerivedSources\JSHTMLElement.cpp @ 1046]
> WebKit2!WebCore::IDLAttribute<WebCore::JSHTMLElement>::get+0x9 [C:\webkit\gc\Source\WebCore\bindings\js\JSDOMAttribute.h @ 69]
> WebKit2!WebCore::jsHTMLElementOffsetTop(class JSC::ExecState * state = <Value unavailable error>, int64 thisValue = <Value unavailable error>)+0x13 [C:\webkit\gc\WebKitBuild\Release\WebCore\DerivedSources\JSHTMLElement.cpp @ 1052]
> JavaScriptCore!JSC::PropertySlot::customGetter(class JSC::ExecState * exec = <Value unavailable error>, class JSC::PropertyName propertyName = <Value unavailable error>)+0x96 [C:\webkit\gc\Source\JavaScriptCore\runtime\PropertySlot.cpp @ 50]
> JavaScriptCore!JSC::PropertySlot::getValue+0x194 [C:\webkit\gc\Source\JavaScriptCore\runtime\PropertySlot.h @ 414]
> JavaScriptCore!JSC::JSValue::get+0x9ee [C:\webkit\gc\Source\JavaScriptCore\runtime\JSCJSValueInlines.h @ 873]
> JavaScriptCore!llint_slow_path_get_by_id(class JSC::ExecState * exec = 0x000000bb`1c7cea30, struct JSC::Instruction * pc = 0x000001ff`e992793a)+0xba4 [C:\webkit\gc\Source\JavaScriptCore\llint\LLIntSlowPaths.cpp @ 762]
> JavaScriptCore!llint_entry+0xa166
> 0x1
