[Webkit-unassigned] [Bug 221635] New: Crash in WebCore::RenderThemeMac::paintSearchFieldResultsDecorationPart() from large scale

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 9 15:03:02 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=221635

            Bug ID: 221635
           Summary: Crash in
                    WebCore::RenderThemeMac::paintSearchFieldResultsDecora
                    tionPart() from large scale
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: julian_a_gonzalez at apple.com
                CC: akeerthi at apple.com, bfulgham at webkit.org,
                    rniwa at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

On macOS, we are hitting an assertion inside CoreUI:

CoreUI: Value passed for rendition key attribute out of bounds for u_int16_t identifier:'kCRThemeScaleName:12' value:'1000000'

0   libsystem_kernel.dylib              0x00007fff2045a936 __pthread_kill + 10
1   libsystem_pthread.dylib             0x00007fff20489615 pthread_kill + 263
2   libsystem_c.dylib                   0x00007fff203de411 abort + 120
3   libsystem_c.dylib                   0x00007fff203dd7e8 __assert_rtn + 314
4   com.apple.coreui                    0x00007fff270c3f46 _CUIRenditionKeySetIntegerValueForAttribute.cold.1 + 74
5   com.apple.coreui                    0x00007fff26fe796a _CUIRenditionKeySetIntegerValueForAttribute + 39
...
25  com.apple.WebCore                   0x0000000361d3b1a1 WebCore::RenderThemeMac::paintSearchFieldResultsDecorationPart(WebCore::RenderBox const&, WebCore::PaintInfo const&, WebCore::IntRect const&) + 1233 (RenderThemeMac.mm:2065)
26  com.apple.WebCore                   0x0000000364d85888 WebCore::RenderTheme::paint(WebCore::RenderBox const&, WebCore::ControlStates&, WebCore::PaintInfo const&, WebCore::LayoutRect const&) + 3144
27  com.apple.WebCore                   0x0000000364a8d7a0 WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 928 (RenderBox.cpp:1450)
28  com.apple.WebCore                   0x00000003649fe448 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 424 (RenderBlock.cpp:1231)
29  com.apple.WebCore                   0x00000003649fce50 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 608 (RenderBlock.cpp:1108)
30  com.apple.WebCore                   0x0000000364bda723 WebCore::RenderLayer::paintBackgroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) + 1043 (RenderLayer.cpp:3706)

This is reproducible with large values for transform: scale()

<rdar://problem/73044285>

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210209/fa818223/attachment.htm>

More information about the webkit-unassigned mailing list