Bug 264728

Summary: Crash under TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox
Product: WebKit Reporter: Antti Koivisto <koivisto>
Component: CSSAssignee: Antti Koivisto <koivisto>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Antti Koivisto 2023-11-13 01:21:32 PST 
50 WTF::CrashOnOverflow::crash() <==
        50 WTF::CrashOnOverflow::overflowed()
          50 WTF::Vector<WebCore::InlineDisplay::Box, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) const
            50 WTF::Vector<WebCore::InlineDisplay::Box, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long) const
              50 WebCore::InlineIterator::BoxModernPath::box() const
                50 WebCore::InlineIterator::BoxModernPath::renderer() const
                  50 WebCore::RenderObject const& WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)::operator()<WebCore::InlineIterator::BoxModernPath const>(auto&) const
                    50 decltype(std::declval<auto>()(std::declval<WebCore::InlineIterator::BoxModernPath const&>())) std::__1::__invoke[abi:v160006]<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>, WebCore::InlineIterator::BoxModernPath const&>(auto&&, WebCore::InlineIterator::BoxModernPath const&)
                      50 decltype(auto) std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>::operator()[abi:v160006]<std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&>(std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&) const
                        50 decltype(std::declval<auto>()(std::declval<std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&>())) std::__1::__invoke[abi:v160006]<std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>, std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&>(auto&&, std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&)
                          50 decltype(auto) std::__1::__variant_detail::__visitation::__base::__dispatcher<0ul>::__dispatch[abi:v160006]<std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>&&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&>(auto, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
                            50 decltype(auto) std::__1::__variant_detail::__visitation::__base::__visit_alt[abi:v160006]<std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>, std::__1::__variant_detail::__impl<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&>(auto&&, std::__1::__variant_detail::__impl<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
                              50 decltype(auto) std::__1::__variant_detail::__visitation::__variant::__visit_alt[abi:v160006]<std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&>(auto&&, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
                                50 decltype(auto) std::__1::__variant_detail::__visitation::__variant::__visit_value[abi:v160006]<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&>(auto&&, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
                                  50 decltype(auto) std::__1::visit[abi:v160006]<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&, void>(auto&&, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
                                    50 decltype(std::visit(makeVisitor(std::forward<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>(fp0)), std::forward<auto>(fp))) WTF::switchOn<std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&, WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>(auto&&, WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)&&)
                                      50 WebCore::InlineIterator::Box::renderer() const
                                        50 WebCore::InlineIterator::InlineBox::renderer() const
                                          50 auto WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox(WTF::Vector<WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::DecoratingBox, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::InlineIterator::TextBoxIterator const&, WebCore::FloatPoint, WebCore::TextDecorationPainter::Styles const&)::'lambda'(auto&, auto)::operator()<WebCore::InlineIterator::InlineBoxIterator, WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox(WTF::Vector<WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::DecoratingBox, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::InlineIterator::TextBoxIterator const&, WebCore::FloatPoint, WebCore::TextDecorationPainter::Styles const&)::UseOverriderDecorationStyle>(auto&, auto) const
                                            50 WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox(WTF::Vector<WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::DecoratingBox, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::InlineIterator::TextBoxIterator const&, WebCore::FloatPoint, WebCore::TextDecorationPainter::Styles const&)
                                              50 WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintBackgroundDecorations(WebCore::TextDecorationPainter&, WebCore::StyledMarkedText const&, WebCore::FloatRect const&)
                                                50 WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintForegroundAndDecorations()
                                                  50 WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paint()
Comment 1 Antti Koivisto 2023-11-13 01:21:50 PST 
rdar://117897402
Comment 2 Antti Koivisto 2023-11-13 01:26:37 PST 
Pull request: https://github.com/WebKit/WebKit/pull/20408
Comment 3 EWS 2023-11-13 06:12:55 PST 
Committed 270634@main (f9ec06b716a3): <https://commits.webkit.org/270634@main>

Reviewed commits have been landed. Closing PR #20408 and removing active labels.