12083 2007-01-02 15:51:45 -0800 REGRESSION: Crash in CGBlt_copyBytes under WebCore::Font::drawGlyphs 2007-02-12 04:09:21 -0800 1 1 1 Unclassified WebKit CSS 420+ Mac OS X 10.4 RESOLVED FIXED HasReduction, InRadar, Regression P1 Major --- 1 mrowe webkit-unassigned ddkilzer mitz oldest_to_newest 37596 0 mrowe 2007-01-02 15:51:45 -0800 <html> <head> <title>Test HTML Page</title> <style type="text/css"> p { text-shadow: purple 683412032in 106602277cm 380056859pt; } </style> </head> <body> <p>p</p> </body> </html> crashes with: Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x737c8de0 0x90388203 in CGBlt_copyBytes () (gdb) bt #0 0x90388203 in CGBlt_copyBytes () #1 0x942f13a0 in ripl_CreateWithLayer () #2 0x942ed45d in RIPLayerGaussianBlur () #3 0x942f0400 in rips_s_BltShape () #4 0x942f01d7 in rips_s_BltGlyph () #5 0x942e70c9 in ripc_DrawGlyphs () #6 0x9035204f in drawGlyphs () #7 0x90351b08 in CGContextShowGlyphsWithAdvances () #8 0x0121d6fb in WebCore::Font::drawGlyphs (this=0x18b8ac90, context=0xbfffd094, font=0x2137400, glyphBuffer=@0xbfff5654, from=0, numGlyphs=11, point=@0xbfffc678) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/platform/mac/FontMac.mm:594 #9 0x01216a6c in WebCore::Font::drawSimpleText (this=0x18b8ac90, context=0xbfffd094, run=@0xbfffc818, style=@0xbfffc790, point=@0xbfffc708) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/platform/Font.cpp:526 #10 0x01216abf in WebCore::Font::drawText (this=0x18b8ac90, context=0xbfffd094, run=@0xbfffc818, style=@0xbfffc790, point=@0xbfffc708) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/platform/Font.cpp:532 #11 0x0139af46 in WebCore::GraphicsContext::drawText (this=0xbfffd094, run=@0xbfffc818, point=@0xbfffc810, style=@0xbfffc790) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/platform/graphics/GraphicsContext.cpp:215 #12 0x0114a275 in WebCore::InlineTextBox::paint (this=0x18d58cbc, paintInfo=@0xbfffc93c, tx=8, ty=58) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/InlineTextBox.cpp:415 #13 0x012971d7 in WebCore::InlineFlowBox::paint (this=0x18d3d7fc, paintInfo=@0xbfffca30, tx=8, ty=58) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/InlineFlowBox.cpp:583 #14 0x0129817b in WebCore::RootInlineBox::paint (this=0x18d3d7fc, paintInfo=@0xbfffca30, tx=8, ty=58) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RootInlineBox.cpp:136 #15 0x011705af in WebCore::RenderFlow::paintLines (this=0x18d6c38c, paintInfo=@0xbfffcbe0, tx=8, ty=58) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderFlow.cpp:395 #16 0x01155452 in WebCore::RenderBlock::paintObject (this=0x18d6c38c, paintInfo=@0xbfffcbe0, tx=8, ty=58) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1367 #17 0x0114e069 in WebCore::RenderBlock::paint (this=0x18d6c38c, paintInfo=@0xbfffcbe0, tx=8, ty=58) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1285 #18 0x0114e39f in WebCore::RenderBlock::paintChildren (this=0x185d1e2c, paintInfo=@0xbfffcd10, tx=8, ty=8) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1315 #19 0x01155474 in WebCore::RenderBlock::paintObject (this=0x185d1e2c, paintInfo=@0xbfffcd10, tx=8, ty=8) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1369 #20 0x0114e069 in WebCore::RenderBlock::paint (this=0x185d1e2c, paintInfo=@0xbfffcd10, tx=8, ty=8) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1285 #21 0x0114e39f in WebCore::RenderBlock::paintChildren (this=0x18561d3c, paintInfo=@0xbfffce64, tx=0, ty=0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1315 #22 0x01155474 in WebCore::RenderBlock::paintObject (this=0x18561d3c, paintInfo=@0xbfffce64, tx=0, ty=0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1369 #23 0x0114e069 in WebCore::RenderBlock::paint (this=0x18561d3c, paintInfo=@0xbfffce64, tx=0, ty=0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:1285 #24 0x0117ce04 in WebCore::RenderLayer::paintLayer (this=0x18d71aec, rootLayer=0x18513d2c, p=0xbfffd094, paintDirtyRect=@0xbfffd09c, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderLayer.cpp:1438 #25 0x0117cfc8 in WebCore::RenderLayer::paintLayer (this=0x18513d2c, rootLayer=0x18513d2c, p=0xbfffd094, paintDirtyRect=@0xbfffd09c, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderLayer.cpp:1463 #26 0x0117d090 in WebCore::RenderLayer::paint (this=0x18513d2c, p=0xbfffd094, damageRect=@0xbfffd09c, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderLayer.cpp:1330 #27 0x010dbe77 in WebCore::Frame::paint (this=0x2964be0, p=0xbfffd094, rect=@0xbfffd09c) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/Frame.cpp:1041 #28 0x010fc609 in -[WebCoreFrameBridge drawRect:] (self=0x2964760, _cmd=0x90aa2b6c, rect={origin = {x = 0, y = 0}, size = {width = 1400, height = 746}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/mac/WebCoreFrameBridge.mm:480 #29 0x00341fbf in -[WebHTMLView drawSingleRect:] (self=0x1855d620, _cmd=0x3c3308, rect={origin = {x = 0, y = 0}, size = {width = 1400, height = 746}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLView.m:2678 #30 0x00342395 in -[WebHTMLView drawRect:] (self=0x1855d620, _cmd=0x90aa2b6c, rect={origin = {x = 0, y = 0}, size = {width = 1400, height = 746}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLView.m:2729 #31 0x932ee3b1 in -[NSView _drawRect:clip:] () #32 0x932ed40b in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] () #33 0x0033bd2f in -[WebHTMLView(WebPrivate) _recursiveDisplayAllDirtyWithLockFocus:visRect:] (self=0x1855d620, _cmd=0x90a83574, needsLockFocus=1 '\001', visRect={origin = {x = 0, y = 0}, size = {width = 1400, height = 746}}) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLView.m:893 #34 0x932ff36f in _recursiveDisplayInRect2 () #35 0x9083af26 in CFArrayApplyFunction () #36 0x932ed613 in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] () #37 0x932ff36f in _recursiveDisplayInRect2 () #38 0x9083af26 in CFArrayApplyFunction () #39 0x932ed613 in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] () #40 0x932ec473 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] () #41 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] () #42 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] () #43 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] () #44 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] () #45 0x932ed041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] () #46 0x932ebb78 in -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] () #47 0x932eb362 in -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] () #48 0x932eac8e in -[NSView displayIfNeeded] () #49 0x932eaa32 in -[NSWindow displayIfNeeded] () #50 0x0001c394 in ?? () #51 0x9333ad6c in _handleWindowNeedsDisplay () #52 0x9082a155 in __CFRunLoopDoObservers () #53 0x908291f7 in CFRunLoopRunSpecific () #54 0x90828eb5 in CFRunLoopRunInMode () #55 0x92dcdb90 in RunCurrentEventLoopInMode () #56 0x92dcd297 in ReceiveNextEventCommon () #57 0x92dcd0ee in BlockUntilNextEventMatchingListInMode () #58 0x9326f465 in _DPSNextEvent () #59 0x9326f056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #60 0x00006f96 in ?? () #61 0x93268ddb in -[NSApplication run] () #62 0x9325cd2f in NSApplicationMain () #63 0x0005f7de in ?? () #64 0x0005f6f9 in ?? () (gdb) Under libgmalloc it traps into the debugger after stating: GuardMalloc[DumpRenderTree-26613]: Attempting excessively large memory allocation: 1863364908 bytes GuardMalloc[DumpRenderTree-26613]: If you really wanted to allocate so much memory, launch your executable with the environment variable MALLOC_PERMIT_INSANE_REQUESTS set to any value to circumvent this check. GuardMalloc[DumpRenderTree-26613]: Explicitly trapping into debugger!!! A very similar example: <html> <head> <title>Test HTML Page</title> <style type="text/css"> p { text-shadow: purple 683412032in 106602277cm 380056859pt; } </style> </head> <body> <p>P</p> </body> </html> (difference being <p>p</p> becomes <p>P</p>) does not crash but gets stuck in a loop spewing malloc-related errors: DumpRenderTree(26521,0xa000cfc0) malloc: *** vm_allocate(size=3890335744) failed (error code=3) DumpRenderTree(26521,0xa000cfc0) malloc: *** error: can't allocate region DumpRenderTree(26521,0xa000cfc0) malloc: *** set a breakpoint in szone_error to debug DumpRenderTree(26521,0xa000cfc0) malloc: *** vm_allocate(size=3890335744) failed (error code=3) DumpRenderTree(26521,0xa000cfc0) malloc: *** error: can't allocate region DumpRenderTree(26521,0xa000cfc0) malloc: *** set a breakpoint in szone_error to debug ... ... 37534 1 mrowe 2007-01-02 21:02:12 -0800 This does not crash with WebKit 418.9.1 34735 2 12479 darin 2007-01-16 00:21:00 -0800 Created attachment 12479 huge text shadow test case as described below 34736 3 darin 2007-01-16 00:23:03 -0800 Seems like we need to sanity-check the values for the shadow before we pass them in to the graphics layer. 34596 4 mrowe 2007-01-16 19:33:36 -0800 <rdar://problem/4928675> 12479 2007-01-16 00:21:00 -0800 2007-01-16 00:21:00 -0800 huge text shadow test case as described below huge-text-shadow.html text/html 200 darin PGh0bWw+CjxoZWFkPgogICAgPHRpdGxlPlRlc3QgSFRNTCBQYWdlPC90aXRsZT4KICAgIDxzdHls ZSB0eXBlPSJ0ZXh0L2NzcyI+CiAgICBwIHsgdGV4dC1zaGFkb3c6IHB1cnBsZSA2ODM0MTIwMzJp biAxMDY2MDIyNzdjbSAzODAwNTY4NTlwdDsgfQogICAgPC9zdHlsZT4KPC9oZWFkPgo8Ym9keT4K ICAgIDxwPnA8L3A+CjwvYm9keT4KPC9odG1sPgo=