Bug 241540

Summary:

[WinCairo] TextPainter::setGlyphDisplayListIfNeeded → GlyphDisplayListCache::get → WTF::equal → SEGV

Product:

WebKit

Reporter:

Fujii Hironori <fujii.hironori>

Component:

New Bugs

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Normal

CC:

heycam

Priority:

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
CrashLog_0928_2022-06-13_05-16-12-308.txt	none

Fujii Hironori

Reported 2022-06-12 13:38:59 PDT

Created attachment 460190 [details] CrashLog_0928_2022-06-13_05-16-12-308.txt [WinCairo] TextPainter::setGlyphDisplayListIfNeeded → GlyphDisplayListCache::get → WTF::equal → SEGV I observed WebKitWebProcess.exe crashes twice today while browsing some web sites with WinCairo 251482@main Release build. The crash happened in the following pages. But, they are not reproducible. https://news.google.com/topstories?hl=ja&gl=JP&ceid=JP:ja https://www.apple.com/ # Child-SP RetAddr Call Site 00 (Inline Function) --------`-------- WTF!WTF::equalCommon(void) [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\text\StringCommon.h @ 300] 01 00000027`964fb3e8 00007ffc`e4f403cc WTF!WTF::equal(class WTF::StringImpl * a = 0x8c00a800`1ea35da0, class WTF::StringImpl * b = 0x0000016b`431587d0) [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\text\StringImpl.cpp @ 1471] 02 (Inline Function) --------`-------- WebKit2!WTF::operator==(void)+0xc [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\text\WTFString.h @ 339] 03 00000027`964fb3f0 00007ffc`e4f489a4 WebKit2!WebCore::TextRun::operator==(class WebCore::TextRun * other = 0x00000027`964fbfb8)+0x1c [C:\jenkins_slave\WinCairo-master\Source\WebCore\platform\graphics\TextRunHash.h @ 47] 04 (Inline Function) --------`-------- WebKit2!WebCore::GlyphDisplayListCacheKeyTranslator::equal(void)+0xe [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\GlyphDisplayListCache.cpp @ 135] 05 (Inline Function) --------`-------- WebKit2!WTF::HashSetTranslatorAdapter<WebCore::GlyphDisplayListCacheKeyTranslator>::equal(void)+0xe [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashSet.h @ 172] 06 (Inline Function) --------`-------- WebKit2!WTF::HashTable<WebCore::GlyphDisplayListCacheEntry *,WebCore::GlyphDisplayListCacheEntry *,WTF::IdentityExtractor,WTF::DefaultHash<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *> >::inlineLookup(void)+0x4e [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashTable.h @ 714] 07 (Inline Function) --------`-------- WebKit2!WTF::HashTable<WebCore::GlyphDisplayListCacheEntry *,WebCore::GlyphDisplayListCacheEntry *,WTF::IdentityExtractor,WTF::DefaultHash<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *> >::lookup(void)+0x4e [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashTable.h @ 673] 08 (Inline Function) --------`-------- WebKit2!WTF::HashTable<WebCore::GlyphDisplayListCacheEntry *,WebCore::GlyphDisplayListCacheEntry *,WTF::IdentityExtractor,WTF::DefaultHash<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *> >::find(void)+0xd3 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashTable.h @ 1091] 09 (Inline Function) --------`-------- WebKit2!WTF::HashSet<WebCore::GlyphDisplayListCacheEntry *,WTF::DefaultHash<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTraits<WebCore::GlyphDisplayListCacheEntry *>,WTF::HashTableTraits>::find(void)+0xd3 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\HashSet.h @ 247] 0a 00000027`964fb420 00007ffc`e50e0f2c WebKit2!WebCore::GlyphDisplayListCache::get(void * run = 0x0000016b`42be3a48, class WebCore::FontCascade * font = <Value unavailable error>, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::TextRun * textRun = 0x00000027`964fbfb8)+0x204 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\GlyphDisplayListCache.cpp @ 180] 0b (Inline Function) --------`-------- WebKit2!WebCore::GlyphDisplayListCache::get(void)+0x1e [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\GlyphDisplayListCache.h @ 108] 0c (Inline Function) --------`-------- WebKit2!WebCore::TextPainter::setGlyphDisplayListIfNeeded(void)+0x4c [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\TextPainter.h @ 69] 0d 00000027`964fb820 00007ffc`e50e21b1 WebKit2!WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintForeground(struct WebCore::StyledMarkedText * markedText = 0x00000027`964fba78)+0x30c [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\TextBoxPainter.cpp @ 409] 0e 00000027`964fb960 00007ffc`e50db3c8 WebKit2!WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintForegroundAndDecorations(void)+0x2c1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\TextBoxPainter.cpp @ 209] 0f 00000027`964fbdf0 00007ffc`e4cb5e9e WebKit2!WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paint(void)+0x1d8 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\TextBoxPainter.cpp @ 121] 10 00000027`964fbef0 00007ffc`e4fc3cf4 WebKit2!WebCore::LayoutIntegration::LineLayout::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc540, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc180)+0x25e [C:\jenkins_slave\WinCairo-master\Source\WebCore\layout\integration\inline\LayoutIntegrationLineLayout.cpp @ 804] 11 (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0x32 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1161] 12 00000027`964fc0a0 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc540, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc2c0)+0x414 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1341] 13 00000027`964fc270 00007ffc`e5005a91 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc540, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141] 14 (Inline Function) --------`-------- WebKit2!WebCore::paintPhase(void)+0x16 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1073] 15 00000027`964fc300 00007ffc`e4fc0b92 WebKit2!WebCore::RenderElement::paintAsInlineBlock(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc540, class WebCore::LayoutPoint * childPoint = 0x00000027`964fc370)+0xc1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1089] 16 00000027`964fc330 00007ffc`e5005b23 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`77a3c2d0, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc890, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc500, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fc540, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsInlineBlock (0n1))+0x282 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1218] 17 00000027`964fc3c0 00007ffc`e4fc3db6 WebKit2!WebCore::RenderFlexibleBox::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc890, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc500, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fc540, bool usePrintRect = false)+0x63 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderFlexibleBox.cpp @ 457] 18 (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177] 19 00000027`964fc420 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc890, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc640)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345] 1a 00000027`964fc5f0 00007ffc`e4fc0b9d WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fc890, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141] 1b 00000027`964fc680 00007ffc`e4fc0d70 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`774e0c60, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc850, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fc890, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsBlock (0n0))+0x28d [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1224] 1c 00000027`964fc710 00007ffc`e4fc3db6 WebKit2!WebCore::RenderBlock::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc850, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fc890, bool usePrintRect = false)+0x70 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1184] 1d (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177] 1e 00000027`964fc770 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fc990)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345] 1f 00000027`964fc940 00007ffc`e5005a91 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141] 20 (Inline Function) --------`-------- WebKit2!WebCore::paintPhase(void)+0x16 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1073] 21 00000027`964fc9d0 00007ffc`e4fc0b92 WebKit2!WebCore::RenderElement::paintAsInlineBlock(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcc10, class WebCore::LayoutPoint * childPoint = 0x00000027`964fca40)+0xc1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1089] 22 00000027`964fca00 00007ffc`e5005b23 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`77a3c710, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcbd0, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fcc10, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsInlineBlock (0n1))+0x282 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1218] 23 00000027`964fca90 00007ffc`e4fc3db6 WebKit2!WebCore::RenderFlexibleBox::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcbd0, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fcc10, bool usePrintRect = false)+0x63 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderFlexibleBox.cpp @ 457] 24 (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177] 25 00000027`964fcaf0 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcd10)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345] 26 00000027`964fccc0 00007ffc`e5005a91 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141] 27 (Inline Function) --------`-------- WebKit2!WebCore::paintPhase(void)+0x16 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1073] 28 00000027`964fcd50 00007ffc`e4fc0b92 WebKit2!WebCore::RenderElement::paintAsInlineBlock(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fcf90, class WebCore::LayoutPoint * childPoint = 0x00000027`964fcdc0)+0xc1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1089] 29 00000027`964fcd80 00007ffc`e5005b23 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`75f446b0, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcf50, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fcf90, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsInlineBlock (0n1))+0x282 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1218] 2a 00000027`964fce10 00007ffc`e4fc3db6 WebKit2!WebCore::RenderFlexibleBox::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fcf50, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fcf90, bool usePrintRect = false)+0x63 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderFlexibleBox.cpp @ 457] 2b (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177] 2c 00000027`964fce70 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fd090)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345] 2d 00000027`964fd040 00007ffc`e5005a91 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141] 2e (Inline Function) --------`-------- WebKit2!WebCore::paintPhase(void)+0x16 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1073] 2f 00000027`964fd0d0 00007ffc`e4fc0b92 WebKit2!WebCore::RenderElement::paintAsInlineBlock(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd310, class WebCore::LayoutPoint * childPoint = 0x00000027`964fd140)+0xc1 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderElement.cpp @ 1089] 30 00000027`964fd100 00007ffc`e5005b23 WebKit2!WebCore::RenderBlock::paintChild(class WebCore::RenderBox * child = 0x0000016b`75f43840, struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd4f0, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fd2d0, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fd310, bool usePrintRect = false, WebCore::RenderBlock::PaintBlockType paintType = PaintAsInlineBlock (0n1))+0x282 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1218] 31 00000027`964fd190 00007ffc`e4fc3db6 WebKit2!WebCore::RenderFlexibleBox::paintChildren(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd4f0, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fd2d0, struct WebCore::PaintInfo * paintInfoForChild = 0x00000027`964fd310, bool usePrintRect = false)+0x63 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderFlexibleBox.cpp @ 457] 32 (Inline Function) --------`-------- WebKit2!WebCore::RenderBlock::paintContents(void)+0xf4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1177] 33 00000027`964fd1f0 00007ffc`e4fbd4e0 WebKit2!WebCore::RenderBlock::paintObject(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd4f0, class WebCore::LayoutPoint * paintOffset = 0x00000027`964fd410)+0x4d6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1345] 34 00000027`964fd3c0 00007ffc`e5040394 WebKit2!WebCore::RenderBlock::paint(struct WebCore::PaintInfo * paintInfo = 0x00000027`964fd4f0, class WebCore::LayoutPoint * paintOffset = <Value unavailable error>)+0x170 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderBlock.cpp @ 1141] 35 00000027`964fd450 00007ffc`e50400d7 WebKit2!WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase phase = BlockBackground (0n0), class WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16,WTF::FastMalloc> * layerFragments = <Value unavailable error>, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * localPaintingInfo = 0x00000027`964fd720, class WTF::OptionSet<enum WebCore::PaintBehavior> paintBehavior = class WTF::OptionSet<enum WebCore::PaintBehavior>, class WebCore::RenderObject * subtreePaintRootForRenderer = 0x00000000`00000000)+0x244 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3975] 36 00000027`964fd5a0 00007ffc`e5042741 WebKit2!WebCore::RenderLayer::paintForegroundForFragments(class WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16,WTF::FastMalloc> * layerFragments = 0x00000027`964fd790, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::GraphicsContext * contextForTransparencyLayer = <Value unavailable error>, class WebCore::LayoutRect * transparencyPaintDirtyRect = 0x00000027`964fdbf0, bool haveTransparency = false, struct WebCore::RenderLayer::LayerPaintingInfo * localPaintingInfo = 0x00000027`964fd720, class WTF::OptionSet<enum WebCore::PaintBehavior> paintBehavior = class WTF::OptionSet<enum WebCore::PaintBehavior>, class WebCore::RenderObject * subtreePaintRootForRenderer = 0x00000000`00000000)+0x207 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3952] 37 00000027`964fd640 00007ffc`e5042cf6 WebKit2!WebCore::RenderLayer::paintLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fdbe0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x841 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3524] 38 00000027`964fd8e0 00007ffc`e5042ffe WebKit2!WebCore::RenderLayer::paintLayerContentsAndReflection(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fdbe0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = <Value unavailable error>)+0xa6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3230] 39 00000027`964fd930 00007ffc`e5041a82 WebKit2!WebCore::RenderLayer::paintLayerWithEffects(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fdbe0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x2de [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3211] 3a 00000027`964fdab0 00007ffc`e5042823 WebKit2!WebCore::RenderLayer::paintLayer(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fdbe0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x102 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3133] 3b (Inline Function) --------`-------- WebKit2!WebCore::RenderLayer::paintList(class WebCore::RenderLayer::LayerList layerIterator = <Value unavailable error>)+0x3a [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3649] 3c 00000027`964fdb00 00007ffc`e5042cf6 WebKit2!WebCore::RenderLayer::paintLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe0a0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x923 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3535] 3d 00000027`964fdda0 00007ffc`e5042ffe WebKit2!WebCore::RenderLayer::paintLayerContentsAndReflection(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe0a0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = <Value unavailable error>)+0xa6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3230] 3e 00000027`964fddf0 00007ffc`e5041a82 WebKit2!WebCore::RenderLayer::paintLayerWithEffects(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe0a0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x2de [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3211] 3f 00000027`964fdf70 00007ffc`e5042823 WebKit2!WebCore::RenderLayer::paintLayer(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe0a0, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x102 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3133] 40 (Inline Function) --------`-------- WebKit2!WebCore::RenderLayer::paintList(class WebCore::RenderLayer::LayerList layerIterator = <Value unavailable error>)+0x3a [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3649] 41 00000027`964fdfc0 00007ffc`e5042cf6 WebKit2!WebCore::RenderLayer::paintLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe560, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x923 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3535] 42 00000027`964fe260 00007ffc`e5042ffe WebKit2!WebCore::RenderLayer::paintLayerContentsAndReflection(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe560, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = <Value unavailable error>)+0xa6 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3230] 43 00000027`964fe2b0 00007ffc`e5041a82 WebKit2!WebCore::RenderLayer::paintLayerWithEffects(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe560, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x2de [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3211] 44 00000027`964fe430 00007ffc`e5042823 WebKit2!WebCore::RenderLayer::paintLayer(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe560, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x102 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3133] 45 (Inline Function) --------`-------- WebKit2!WebCore::RenderLayer::paintList(class WebCore::RenderLayer::LayerList layerIterator = <Value unavailable error>)+0x3a [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3649] 46 00000027`964fe480 00007ffc`e501c818 WebKit2!WebCore::RenderLayer::paintLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, struct WebCore::RenderLayer::LayerPaintingInfo * paintingInfo = 0x00000027`964fe760, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag>)+0x923 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayer.cpp @ 3535] 47 00000027`964fe720 00007ffc`e5040804 WebKit2!`WebCore::RenderLayerBacking::paintIntoLayer'::`2'::<lambda_1>::operator()(class WebCore::RenderLayer * layer = 0x0000016b`739e6b70, class WTF::OptionSet<enum WebCore::RenderLayer::PaintLayerFlag> paintFlags = <Value unavailable error>)+0x138 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayerBacking.cpp @ 3239] 48 00000027`964fe7d0 00007ffc`e503f926 WebKit2!WebCore::RenderLayerBacking::paintIntoLayer(class WebCore::GraphicsLayer * graphicsLayer = 0x0000016b`75f874a0, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::IntRect * paintDirtyRect = 0x00000027`964fe990, class WTF::OptionSet<enum WebCore::PaintBehavior> paintBehavior = class WTF::OptionSet<enum WebCore::PaintBehavior>, class WebCore::EventRegionContext * eventRegionContext = 0x00000000`00000000)+0xd4 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayerBacking.cpp @ 3258] 49 00000027`964fe8e0 00007ffc`e4ea3e67 WebKit2!WebCore::RenderLayerBacking::paintContents(class WebCore::GraphicsLayer * graphicsLayer = 0x0000016b`75f874a0, class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::FloatRect * clip = <Value unavailable error>, unsigned int layerPaintBehavior = 0)+0x306 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayerBacking.cpp @ 3535] 4a 00000027`964fe9f0 00007ffc`e3a588bb WebKit2!WebCore::GraphicsLayer::paintGraphicsLayerContents(class WebCore::GraphicsContext * context = 0x0000016b`7e771b90, class WebCore::FloatRect * clip = 0x00000027`964feab8, unsigned int layerPaintBehavior = 0)+0xd7 [C:\jenkins_slave\WinCairo-master\Source\WebCore\platform\graphics\GraphicsLayer.cpp @ 545] 4b 00000027`964fea80 00007ffc`e3a57c94 WebKit2!WebKit::WCTiledBacking::paintAndFlush(struct WebKit::WCLayerUpateInfo * update = 0x00000027`964feb90)+0x2cb [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 64] 4c 00000027`964feb60 00007ffc`e3a58b31 WebKit2!WebKit::GraphicsLayerWC::flushCompositingStateForThisLayerOnly(void)+0x284 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 551] 4d 00000027`964fee20 00007ffc`e3a58b80 WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0xe1 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 701] 4e 00000027`964fef80 00007ffc`e3a58b80 WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0x130 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 706] 4f 00000027`964ff0e0 00007ffc`e3a58b80 WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0x130 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 706] 50 00000027`964ff240 00007ffc`e3a58b80 WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0x130 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 706] 51 00000027`964ff3a0 00007ffc`e3a579dd WebKit2!WebKit::GraphicsLayerWC::recursiveCommitChanges(class WebCore::TransformState * state = <Value unavailable error>)+0x130 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 706] 52 00000027`964ff500 00007ffc`e5032d81 WebKit2!WebKit::GraphicsLayerWC::flushCompositingState(class WebCore::FloatRect * passedVisibleRect = <Value unavailable error>)+0x12d [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\GraphicsLayerWC.cpp @ 503] 53 00000027`964ff5f0 00007ffc`e4d8e3ee WebKit2!WebCore::RenderLayerCompositor::flushPendingLayerChanges(bool isFlushRoot = true)+0x81 [C:\jenkins_slave\WinCairo-master\Source\WebCore\rendering\RenderLayerCompositor.cpp @ 641] 54 00000027`964ff640 00007ffc`e4d8e418 WebKit2!WebCore::FrameView::flushCompositingStateForThisFrame(class WebCore::Frame * rootFrameForFlush = 0x0000016b`73923830)+0x9e [C:\jenkins_slave\WinCairo-master\Source\WebCore\page\FrameView.cpp @ 1035] 55 00000027`964ff670 00007ffc`e4dd06af WebKit2!WebCore::FrameView::flushCompositingStateIncludingSubframes(void)+0x18 [C:\jenkins_slave\WinCairo-master\Source\WebCore\page\FrameView.cpp @ 1200] 56 00000027`964ff6b0 00007ffc`e3ee2f72 WebKit2!WebCore::Page::finalizeRenderingUpdate(class WTF::OptionSet<enum WebCore::FinalizeRenderingUpdateFlags> flags = <Value unavailable error>)+0x4f [C:\jenkins_slave\WinCairo-master\Source\WebCore\page\Page.cpp @ 1848] 57 00000027`964ff6e0 00007ffc`e3a564ce WebKit2!WebKit::WebPage::finalizeRenderingUpdate(class WTF::OptionSet<enum WebCore::FinalizeRenderingUpdateFlags> flags = <Value unavailable error>)+0x12 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\WebPage.cpp @ 4438] 58 00000027`964ff710 00007ffc`e4e4c226 WebKit2!WebKit::DrawingAreaWC::updateRendering(void)+0x4e [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\WebPage\wc\DrawingAreaWC.cpp @ 231] 59 00000027`964ff740 00007ffc`e3f3b84f WebKit2!WebCore::ThreadTimers::sharedTimerFiredInternal(void)+0x126 [C:\jenkins_slave\WinCairo-master\Source\WebCore\platform\ThreadTimers.cpp @ 130] 5a 00000027`964ff7d0 00007ffd`3e07e858 WebKit2!WebCore::TimerWindowWndProc(struct HWND__ * hWnd = <Value unavailable error>, unsigned int message = <Value unavailable error>, unsigned int64 wParam = <Value unavailable error>, int64 lParam = <Value unavailable error>)+0x8f [C:\jenkins_slave\WinCairo-master\Source\WebCore\platform\win\MainThreadSharedTimerWin.cpp @ 89] 5b 00000027`964ff800 00007ffd`3e07e299 USER32!UserCallWinProcCheckWow+0x2f8 5c 00000027`964ff990 00007ffd`015b0f3b USER32!DispatchMessageWorker+0x249 5d 00000027`964ffa10 00007ffc`e3a5b6a0 WTF!WTF::RunLoop::run(void)+0x4b [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\win\RunLoopWin.cpp @ 73] 5e (Inline Function) --------`-------- WebKit2!WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess,1>::run(void)+0x81 [C:\jenkins_slave\WinCairo-master\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 70] 5f (Inline Function) --------`-------- WebKit2!WebKit::AuxiliaryProcessMain(void)+0xc2 [C:\jenkins_slave\WinCairo-master\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 96] 60 00000027`964ffa80 00007ff7`60a1100a WebKit2!WebKit::WebProcessMain(int argc = 0n7, char ** argv = 0x0000016b`6fcbf4f0)+0x100 [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\win\WebProcessMainWin.cpp @ 57] 61 00000027`964ffb10 00007ff7`60a11204 WebKitWebProcess!main(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0xa [C:\jenkins_slave\WinCairo-master\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35] 62 (Inline Function) --------`-------- WebKitWebProcess!invoke_main(void)+0x22 [d:\a01\_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78] 63 00000027`964ffb40 00007ffd`3cd17034 WebKitWebProcess!__scrt_common_main_seh(void)+0x10c [d:\a01\_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 64 00000027`964ffb80 00007ffd`3e502651 KERNEL32!BaseThreadInitThunk+0x14 65 00000027`964ffbb0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

Attachments
CrashLog_0928_2022-06-13_05-16-12-308.txt (191.42 KB, text/plain) 2022-06-12 13:38 PDT, Fujii Hironori	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Fujii Hironori

Comment 1 2022-06-12 13:57:24 PDT

GlyphDisplayListCacheKeyTranslator was added by 251381@main (Bug 240497).

Fujii Hironori

Comment 2 2022-06-12 14:32:38 PDT

https://github.com/WebKit/WebKit/blob/79ad9ed64760e9fb1d02e26be2ff69b849907061/Source/WebCore/rendering/GlyphDisplayListCache.h#L127-L128 > HashMap<const void*, Ref<GlyphDisplayListCacheEntry>> m_entriesForLayoutRun; > HashSet<GlyphDisplayListCacheEntry*> m_entries; m_entries is a HashSet of GlyphDisplayListCacheEntry raw pointer. m_entriesForLayoutRun retains GlyphDisplayListCacheEntry ref-counters. https://github.com/WebKit/WebKit/blob/79ad9ed64760e9fb1d02e26be2ff69b849907061/Source/WebCore/rendering/GlyphDisplayListCache.cpp#L202 GlyphDisplayListCache::remove removes the item of m_entriesForLayoutRun. Who retains GlyphDisplayListCacheEntry ref-counters for m_entries?

Cameron McCormack (:heycam)

Comment 3 2022-06-12 15:34:40 PDT

*** This bug has been marked as a duplicate of bug 241523 ***

Note You need to log in before you can comment on or make changes to this bug.