Status: Untriaged
Owner: ----
Labels: Type-Bug Pri-1 OS-Mac Area-Misc Size-Medium Valgrind

New issue 20514 by [email protected]: Use-after-free in -[DownloadItemCell drawInteriorWithFrame:inView:] ?
http://code.google.com/p/chromium/issues/detail?id=20514

I thought this was a dup of bug 20508, but on second look, it appears to be our fault.

http://build.chromium.org/buildbot/waterfall.fyi/builders/Mac%20UI%201%20of%203%20(valgrind)/builds/949/steps/valgrind%20test:%20ui/logs/stdio

Here's a more complete stack:

Invalid read of size 4
    _eATSFontGetGlyphIDsForGlyphNames
    ATSFontGetGlyphIDsForGlyphNames
    ats_font_get_glyphs_for_glyph_names
    get_glyphs_for_glyph_names
    TFont::GetGlyphWithName(__CFString const*) const
    CTFontGetGlyphWithName
    -[NSFont glyphWithName:]
    gfx::Font::calculateMetrics() (app/gfx/font_mac.mm:38)
    gfx::Font::Font(std::basic_string<wchar_t, ...) (app/gfx/font_mac.mm:23)
    gfx::Font::CreateFont(std::basic_string<wchar_t, ...) (app/gfx/font_mac.mm:16)
    -[DownloadItemCell elideTitle:] (chrome/browser/cocoa/download_item_cell.mm:296)
    -[DownloadItemCell drawInteriorWithFrame:inView:] (chrome/browser/cocoa/download_item_cell.mm:356)
    -[DownloadItemCell drawWithFrame:inView:] (chrome/browser/cocoa/download_item_cell.mm:350)
    -[NSControl drawRect:]
Address 0x137a869c is 1,644 bytes inside a block of size 6,084 free'd
    free (vg_replace_malloc.c:325)
    sk_free(void*) (skia/ext/SkMemory_new_handler.cpp:43)
    SkMallocPixelRef::~SkMallocPixelRef() (third_party/skia/src/core/SkBitmap.cpp:387)
    SkRefCnt::unref() const (SkRefCnt.h:62)
    SkBitmap::freePixels() (core/SkBitmap.cpp:349)
    SkBitmap::~SkBitmap() (third_party/skia/src/core/SkBitmap.cpp:97)
    SkDevice::~SkDevice() (SkDevice.h:30)
    skia::PlatformDevice::~PlatformDevice() (platform_device_mac.h:23)
    skia::BitmapPlatformDevice::~BitmapPlatformDevice() (skia/ext/bitmap_platform_device_mac.cc:273)
    SkRefCnt::unref() const (SkRefCnt.h:62)
    DeviceCM::~DeviceCM() (third_party/skia/src/core/SkCanvas.cpp:93)
    SkCanvas::internalRestore() (third_party/skia/src/core/SkCanvas.cpp:711)
    SkCanvas::~SkCanvas() (third_party/skia/src/core/SkCanvas.cpp:422)
    skia::PlatformCanvas::~PlatformCanvas() (src/skia/ext/platform_canvas_mac.cc:37)
    gfx::Canvas::~Canvas() (app/gfx/canvas_mac.mm:26)
    skia::CanvasPaintT<gfx::Canvas>::~CanvasPaintT() (canvas_paint_mac.h:62)
    -[DownloadItemCell drawInteriorWithFrame:inView:] (chrome/browser/cocoa/download_item_cell.mm:419)
    -[DownloadItemCell drawWithFrame:inView:] (chrome/browser/cocoa/download_item_cell.mm:350)
    -[NSControl drawRect:]
