Bug 241540

Summary:

[WinCairo] TextPainter::setGlyphDisplayListIfNeeded → GlyphDisplayListCache::get → WTF::equal → SEGV

Product:

WebKit

Reporter:

Fujii Hironori <Hironori.Fujii>

Component:

New Bugs

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Normal

CC:

heycam

Priority:

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
CrashLog_0928_2022-06-13_05-16-12-308.txt	none

Description Fujii Hironori 2022-06-12 13:38:59 PDT

Created attachment 460190 [details]
CrashLog_0928_2022-06-13_05-16-12-308.txt

[WinCairo] TextPainter::setGlyphDisplayListIfNeeded → GlyphDisplayListCache::get → WTF::equal → SEGV

I observed WebKitWebProcess.exe crashes twice today while browsing some web sites with WinCairo 251482@main Release build.
The crash happened in the following pages. But, they are not reproducible.

https://news.google.com/topstories?hl=ja&gl=JP&ceid=JP:ja
https://www.apple.com/

 # Child-SP          RetAddr           Call Site
00 (Inline Function) --------`-------- WTF!WTF::equalCommon(void) [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\text\StringCommon.h @ 300]
01 00000027`964fb3e8 00007ffc`e4f403cc WTF!WTF::equal(class WTF::StringImpl * a = 0x8c00a800`1ea35da0, class WTF::StringImpl * b = 0x0000016b`431587d0) [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\text\StringImpl.cpp @ 1471]
02 (Inline Function) --------`-------- WebKit2!WTF::operator==(void)+0xc [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\text\WTFString.h @ 339]
03 00000027`964fb3f0 00007ffc`e4f489a4 WebKit2!WebCore::TextRun::operator==(class WebCore::TextRun * other = 0x00000027`964fbfb8)+0x1c [C:\jenkins_slave\WinCairo-master\Source\WebCore\platform\graphics\TextRunHash.h @ 47]
04 (Inline Function) --------`-------- WebKit2!WebCore::GlyphDisplayListCacheKeyTranslator::equal(void)+0xe [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\GlyphDisplayListCache.cpp @ 135]
05 (Inline Function) --------`-------- WebKit2!WTF::HashSetTranslatorAdapter<WebCore::GlyphDisplayListCacheKeyTranslator>::equal(void)+0xe [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashSet.h @ 172]
06 (Inline Function) --------`-------- WebKit2!WTF::HashTable<WebCore::GlyphDisplayListCacheEntry *,WebCore::GlyphDisplayListCacheEntry *,WTF::IdentityExtractor,WTF::DefaultHash<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *> >::inlineLookup(void)+0x4e [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashTable.h @ 714]
07 (Inline Function) --------`-------- WebKit2!WTF::HashTable<WebCore::GlyphDisplayListCacheEntry *,WebCore::GlyphDisplayListCacheEntry *,WTF::IdentityExtractor,WTF::DefaultHash<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *> >::lookup(void)+0x4e [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashTable.h @ 673]
08 (Inline Function) --------`-------- WebKit2!WTF::HashTable<WebCore::GlyphDisplayListCacheEntry *,WebCore::GlyphDisplayListCacheEntry *,WTF::IdentityExtractor,WTF::DefaultHash<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *> >::find(void)+0xd3 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashTable.h @ 1091]
09 (Inline Function) --------`-------- WebKit2!WTF::HashSet<WebCore::GlyphDisplayListCacheEntry *,WTF::DefaultHash<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTableTraits>::find(void)+0xd3 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashSet.h @ 247]
0a 00000027`964fb420 00007ffc`e50e0f2c WebKit2!WebCore::GlyphDisplayListCache::get(void * run = 0x0000016b`42be3a48, class WebCore::FontCascade * font = <Value unavailable error>, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::TextRun * textRun = 0x00000027`964fbfb8)+0x204 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\GlyphDisplayListCache.cpp @ 180]
0b (Inline Function) --------`-------- WebKit2!WebCore::GlyphDisplayListCache::get(void)+0x1e [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\GlyphDisplayListCache.h @ 108]
0c (Inline Function) --------`-------- WebKit2!WebCore::TextPainter::setGlyphDisplayListIfNeeded(void)+0x4c [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\TextPainter.h @ 69]
0d 00000027`964fb820 00007ffc`e50e21b1 WebKit2!WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintForeground(struct WebCore::StyledMarkedText * markedText = 0x00000027`964fba78)+0x30c [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\TextBoxPainter.cpp @ 409]
0e 00000027`964fb960 00007ffc`e50db3c8 WebKit2!WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintForegroundAndDecorations(void)+0x2c1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\TextBoxPainter.cpp @ 209]
0f 00000027`964fbdf0 00007ffc`e4cb5e9e WebKit2!WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paint(void)+0x1d8 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\TextBoxPainter.cpp @ 121]
10 00000027`964fbef0 00007ffc`e4fc3cf4 WebKit2!WebCore::LayoutIntegration::LineLayout::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc540, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc180)+0x25e [C:\jenkins_slave\WinCairo-master\Source\WebCore\layout\integration\inline\LayoutIntegrationLineLayout.cpp @ 804]
11 (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0x32 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1161]
12 00000027`964fc0a0 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc540, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc2c0)+0x414 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1341]
13 00000027`964fc270 00007ffc`e5005a91 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc540, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141]
14 (Inline Function) --------`-------- WebKit2!WebCore::paintPhase(void)+0x16 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1073]
15 00000027`964fc300 00007ffc`e4fc0b92 WebKit2!WebCore::RenderElement::paintAsInlineBlock(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc540, class WebCore::LayoutPoint * childPoint = 0x00000027`964fc370)+0xc1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1089]
16 00000027`964fc330 00007ffc`e5005b23 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`77a3c2d0, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc890, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc500, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fc540, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsInlineBlock (0n1))+0x282 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1218]
17 00000027`964fc3c0 00007ffc`e4fc3db6 WebKit2!WebCore::RenderFlexibleBox::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc890, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc500, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fc540, bool usePrintRect = false)+0x63 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderFlexibleBox.cpp @ 457]
18 (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177]
19 00000027`964fc420 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc890, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc640)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345]
1a 00000027`964fc5f0 00007ffc`e4fc0b9d WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc890, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141]
1b 00000027`964fc680 00007ffc`e4fc0d70 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`774e0c60, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc850, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fc890, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsBlock (0n0))+0x28d [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1224]
1c 00000027`964fc710 00007ffc`e4fc3db6 WebKit2!WebCore::RenderBlock::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc850, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fc890, bool usePrintRect = false)+0x70 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1184]
1d (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177]
1e 00000027`964fc770 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc990)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345]
1f 00000027`964fc940 00007ffc`e5005a91 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141]
20 (Inline Function) --------`-------- WebKit2!WebCore::paintPhase(void)+0x16 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1073]
21 00000027`964fc9d0 00007ffc`e4fc0b92 WebKit2!WebCore::RenderElement::paintAsInlineBlock(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * childPoint = 0x00000027`964fca40)+0xc1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1089]
22 00000027`964fca00 00007ffc`e5005b23 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`77a3c710, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcbd0, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fcc10, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsInlineBlock (0n1))+0x282 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1218]
23 00000027`964fca90 00007ffc`e4fc3db6 WebKit2!WebCore::RenderFlexibleBox::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcbd0, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fcc10, bool usePrintRect = false)+0x63 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderFlexibleBox.cpp @ 457]
24 (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177]
25 00000027`964fcaf0 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcd10)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345]
26 00000027`964fccc0 00007ffc`e5005a91 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141]
27 (Inline Function) --------`-------- WebKit2!WebCore::paintPhase(void)+0x16 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1073]
28 00000027`964fcd50 00007ffc`e4fc0b92 WebKit2!WebCore::RenderElement::paintAsInlineBlock(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * childPoint = 0x00000027`964fcdc0)+0xc1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1089]
29 00000027`964fcd80 00007ffc`e5005b23 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`75f446b0, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcf50, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fcf90, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsInlineBlock (0n1))+0x282 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1218]
2a 00000027`964fce10 00007ffc`e4fc3db6 WebKit2!WebCore::RenderFlexibleBox::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcf50, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fcf90, bool usePrintRect = false)+0x63 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderFlexibleBox.cpp @ 457]
2b (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177]
2c 00000027`964fce70 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fd090)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345]
2d 00000027`964fd040 00007ffc`e5005a91 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141]
2e (Inline Function) --------`-------- WebKit2!WebCore::paintPhase(void)+0x16 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1073]
2f 00000027`964fd0d0 00007ffc`e4fc0b92 WebKit2!WebCore::RenderElement::paintAsInlineBlock(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * childPoint = 0x00000027`964fd140)+0xc1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1089]
30 00000027`964fd100 00007ffc`e5005b23 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`75f43840, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd4f0, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fd2d0, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fd310, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsInlineBlock (0n1))+0x282 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1218]
31 00000027`964fd190 00007ffc`e4fc3db6 WebKit2!WebCore::RenderFlexibleBox::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd4f0, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fd2d0, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fd310, bool usePrintRect = false)+0x63 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderFlexibleBox.cpp @ 457]
32 (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177]
33 00000027`964fd1f0 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd4f0, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fd410)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345]
34 00000027`964fd3c0 00007ffc`e5040394 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd4f0, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141]
35 00000027`964fd450 00007ffc`e50400d7 WebKit2!WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase phase = BlockBackground (0n0), class WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16,WTF::FastMalloc> * layerFragments = <Value unavailable error>, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * localPaintingInfo = 0x00000027`964fd720, class WTF::OptionSet<enum WebCore::PaintBehavior> paintBehavior = class WTF::OptionSet<enum WebCore::PaintBehavior>, class WebCore::RenderObject * subtreePaintRootForRenderer = 0x00000000`00000000)+0x244 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3975]
36 00000027`964fd5a0 00007ffc`e5042741 WebKit2!WebCore::RenderLayer::paintForegroundForFragments(class WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16,WTF::FastMalloc> * layerFragments = 0x00000027`964fd790, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::GraphicsContext * contextForTransparencyLayer = <Value unavailable error>, class WebCore::LayoutRect * transparencyPaintDirtyRect = 0x00000027`964fdbf0, bool haveTransparency = false, struct WebCore::RenderLayer::LayerPaintingInfo * localPaintingInfo = 0x00000027`964fd720, class WTF::OptionSet<enum WebCore::PaintBehavior> paintBehavior = class WTF::OptionSet<enum WebCore::PaintBehavior>, class WebCore::RenderObject * subtreePaintRootForRenderer = 0x00000000`00000000)+0x207 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3952]
37 00000027`964fd640 00007ffc`e5042cf6 WebKit2!WebCore::RenderLayer::paintLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fdbe0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x841 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3524]
38 00000027`964fd8e0 00007ffc`e5042ffe WebKit2!WebCore::RenderLayer::paintLayerContentsAndReflection(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fdbe0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = <Value unavailable error>)+0xa6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3230]
39 00000027`964fd930 00007ffc`e5041a82 WebKit2!WebCore::RenderLayer::paintLayerWithEffects(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fdbe0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x2de [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3211]
3a 00000027`964fdab0 00007ffc`e5042823 WebKit2!WebCore::RenderLayer::paintLayer(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fdbe0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x102 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3133]
3b (Inline Function) --------`-------- WebKit2!WebCore::RenderLayer::paintList(class WebCore::RenderLayer::LayerList layerIterator = <Value unavailable error>)+0x3a [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3649]
3c 00000027`964fdb00 00007ffc`e5042cf6 WebKit2!WebCore::RenderLayer::paintLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe0a0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x923 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3535]
3d 00000027`964fdda0 00007ffc`e5042ffe WebKit2!WebCore::RenderLayer::paintLayerContentsAndReflection(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe0a0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = <Value unavailable error>)+0xa6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3230]
3e 00000027`964fddf0 00007ffc`e5041a82 WebKit2!WebCore::RenderLayer::paintLayerWithEffects(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe0a0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x2de [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3211]
3f 00000027`964fdf70 00007ffc`e5042823 WebKit2!WebCore::RenderLayer::paintLayer(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe0a0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x102 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3133]
40 (Inline Function) --------`-------- WebKit2!WebCore::RenderLayer::paintList(class WebCore::RenderLayer::LayerList layerIterator = <Value unavailable error>)+0x3a [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3649]
41 00000027`964fdfc0 00007ffc`e5042cf6 WebKit2!WebCore::RenderLayer::paintLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe560, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x923 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3535]
42 00000027`964fe260 00007ffc`e5042ffe WebKit2!WebCore::RenderLayer::paintLayerContentsAndReflection(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe560, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = <Value unavailable error>)+0xa6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3230]
43 00000027`964fe2b0 00007ffc`e5041a82 WebKit2!WebCore::RenderLayer::paintLayerWithEffects(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe560, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x2de [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3211]
44 00000027`964fe430 00007ffc`e5042823 WebKit2!WebCore::RenderLayer::paintLayer(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe560, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x102 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3133]
45 (Inline Function) --------`-------- WebKit2!WebCore::RenderLayer::paintList(class WebCore::RenderLayer::LayerList layerIterator = <Value unavailable error>)+0x3a [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3649]
46 00000027`964fe480 00007ffc`e501c818 WebKit2!WebCore::RenderLayer::paintLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe760, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x923 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3535]
47 00000027`964fe720 00007ffc`e5040804 WebKit2!`WebCore::RenderLayerBacking::paintIntoLayer'::`2'::<lambda_1>::operator()(class WebCore::RenderLayer * layer = 0x0000016b`739e6b70, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = <Value unavailable error>)+0x138 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayerBacking.cpp @ 3239]
48 00000027`964fe7d0 00007ffc`e503f926 WebKit2!WebCore::RenderLayerBacking::paintIntoLayer(class WebCore::GraphicsLayer * graphicsLayer = 0x0000016b`75f874a0, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::IntRect * paintDirtyRect = 0x00000027`964fe990, class WTF::OptionSet<enum WebCore::PaintBehavior> paintBehavior = class WTF::OptionSet<enum WebCore::PaintBehavior>, class WebCore::EventRegionContext * eventRegionContext = 0x00000000`00000000)+0xd4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayerBacking.cpp @ 3258]
49 00000027`964fe8e0 00007ffc`e4ea3e67 WebKit2!WebCore::RenderLayerBacking::paintContents(class WebCore::GraphicsLayer * graphicsLayer = 0x0000016b`75f874a0, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::FloatRect * clip = <Value unavailable error>, unsigned int layerPaintBehavior = 0)+0x306 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayerBacking.cpp @ 3535]
4a 00000027`964fe9f0 00007ffc`e3a588bb WebKit2!WebCore::GraphicsLayer::paintGraphicsLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::FloatRect * clip = 0x00000027`964feab8, unsigned int layerPaintBehavior = 0)+0xd7 [C:\jenkins_slave\WinCairo-master\Source\WebCore\platform\graphics\GraphicsLayer.cpp @ 545]
4b 00000027`964fea80 00007ffc`e3a57c94 WebKit2!WebKit::WCTiledBacking::paintAndFlush(struct WebKit::WCLayerUpateInfo * update = 0x00000027`964feb90)+0x2cb [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 64]
4c 00000027`964feb60 00007ffc`e3a58b31 WebKit2!WebKit::GraphicsLayerWC::flushCompositingStateForThisLayerOnly(void)+0x284 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 551]
4d 00000027`964fee20 00007ffc`e3a58b80 WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0xe1 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 701]
4e 00000027`964fef80 00007ffc`e3a58b80 WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0x130 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 706]
4f 00000027`964ff0e0 00007ffc`e3a58b80 WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0x130 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 706]
50 00000027`964ff240 00007ffc`e3a58b80 WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0x130 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 706]
51 00000027`964ff3a0 00007ffc`e3a579dd WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0x130 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 706]
52 00000027`964ff500 00007ffc`e5032d81 WebKit2!WebKit::GraphicsLayerWC::flushCompositingState(class WebCore::FloatRect * passedVisibleRect = <Value unavailable error>)+0x12d [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 503]
53 00000027`964ff5f0 00007ffc`e4d8e3ee WebKit2!WebCore::RenderLayerCompositor::flushPendingLayerChanges(bool isFlushRoot = true)+0x81 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayerCompositor.cpp @ 641]
54 00000027`964ff640 00007ffc`e4d8e418 WebKit2!WebCore::FrameView::flushCompositingStateForThisFrame(class WebCore::Frame * rootFrameForFlush = 0x0000016b`73923830)+0x9e [C:\jenkins_slave\WinCairo-master\Source\WebCore\page\FrameView.cpp @ 1035]
55 00000027`964ff670 00007ffc`e4dd06af WebKit2!WebCore::FrameView::flushCompositingStateIncludingSubframes(void)+0x18 [C:\jenkins_slave\WinCairo-master\Source\WebCore\page\FrameView.cpp @ 1200]
56 00000027`964ff6b0 00007ffc`e3ee2f72 WebKit2!WebCore::Page::finalizeRenderingUpdate(class WTF::OptionSet<enum WebCore::FinalizeRenderingUpdateFlags> flags = <Value unavailable error>)+0x4f [C:\jenkins_slave\WinCairo-master\Source\WebCore\page\Page.cpp @ 1848]
57 00000027`964ff6e0 00007ffc`e3a564ce WebKit2!WebKit::WebPage::finalizeRenderingUpdate(class WTF::OptionSet<enum WebCore::FinalizeRenderingUpdateFlags> flags = <Value unavailable error>)+0x12 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\WebPage.cpp @ 4438]
58 00000027`964ff710 00007ffc`e4e4c226 WebKit2!WebKit::DrawingAreaWC::updateRendering(void)+0x4e [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\DrawingAreaWC.cpp @ 231]
59 00000027`964ff740 00007ffc`e3f3b84f WebKit2!WebCore::ThreadTimers::sharedTimerFiredInternal(void)+0x126 [C:\jenkins_slave\WinCairo-master\Source\WebCore\platform\ThreadTimers.cpp @ 130]
5a 00000027`964ff7d0 00007ffd`3e07e858 WebKit2!WebCore::TimerWindowWndProc(struct HWND__ * hWnd = <Value unavailable error>, unsigned int message = <Value unavailable error>, unsigned int64 wParam = <Value unavailable error>, int64 lParam = <Value unavailable error>)+0x8f [C:\jenkins_slave\WinCairo-master\Source\WebCore\platform\win\MainThreadSharedTimerWin.cpp @ 89]
5b 00000027`964ff800 00007ffd`3e07e299 USER32!UserCallWinProcCheckWow+0x2f8
5c 00000027`964ff990 00007ffd`015b0f3b USER32!DispatchMessageWorker+0x249
5d 00000027`964ffa10 00007ffc`e3a5b6a0 WTF!WTF::RunLoop::run(void)+0x4b [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\win\RunLoopWin.cpp @ 73]
5e (Inline Function) --------`-------- WebKit2!WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess,1>::run(void)+0x81 [C:\jenkins_slave\WinCairo-master\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 70]
5f (Inline Function) --------`-------- WebKit2!WebKit::AuxiliaryProcessMain(void)+0xc2 [C:\jenkins_slave\WinCairo-master\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 96]
60 00000027`964ffa80 00007ff7`60a1100a WebKit2!WebKit::WebProcessMain(int argc = 0n7, char ** argv = 0x0000016b`6fcbf4f0)+0x100 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\win\WebProcessMainWin.cpp @ 57]
61 00000027`964ffb10 00007ff7`60a11204 WebKitWebProcess!main(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0xa [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35]
62 (Inline Function) --------`-------- WebKitWebProcess!invoke_main(void)+0x22 [d:\a01\_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
63 00000027`964ffb40 00007ffd`3cd17034 WebKitWebProcess!__scrt_common_main_seh(void)+0x10c [d:\a01\_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
64 00000027`964ffb80 00007ffd`3e502651 KERNEL32!BaseThreadInitThunk+0x14
65 00000027`964ffbb0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

Comment 1 Fujii Hironori 2022-06-12 13:57:24 PDT

GlyphDisplayListCacheKeyTranslator was added by 251381@main (Bug 240497).

Comment 2 Fujii Hironori 2022-06-12 14:32:38 PDT

https://github.com/WebKit/WebKit/blob/79ad9ed64760e9fb1d02e26be2ff69b849907061/Source/WebCore/rendering/GlyphDisplayListCache.h#L127-L128

>    HashMap<const void*, Ref<GlyphDisplayListCacheEntry>> m_entriesForLayoutRun;
>    HashSet<GlyphDisplayListCacheEntry*> m_entries;

m_entries is a HashSet of GlyphDisplayListCacheEntry raw pointer.
m_entriesForLayoutRun retains GlyphDisplayListCacheEntry ref-counters.

https://github.com/WebKit/WebKit/blob/79ad9ed64760e9fb1d02e26be2ff69b849907061/Source/WebCore/rendering/GlyphDisplayListCache.cpp#L202

GlyphDisplayListCache::remove removes the item of m_entriesForLayoutRun.
Who retains GlyphDisplayListCacheEntry ref-counters for m_entries?

Comment 3 Cameron McCormack (:heycam) 2022-06-12 15:34:40 PDT


*** This bug has been marked as a duplicate of bug 241523 ***