167631 2017-01-30 23:50:09 -0800 [CoordinatedGraphics] WebCoordinatedSurface::create should do null-check of the return value of ShareableBitmap::createShareable 2017-01-31 01:15:11 -0800 1 1 1 Unclassified WebKit WebKit2 WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 fujii fujii cgarcia commit-queue darin dbates gyuyoung.kim sabouhallawa zan oldest_to_newest 1271600 0 fujii 2017-01-30 23:50:09 -0800 WebCoordinatedSurface::create does not do null-check of the return value of ShareableBitmap::createShareable. WebCoordinatedSurface.cpp is used only in EFL port at the moment. This causes a crash with following call stack in case of out of shared memory: > Thread 1 "WebKitWebProces" received signal SIGSEGV, Segmentation fault. > 0x00007f5dca7311c0 in WebKit::ShareableBitmap::data() const () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > (gdb) bt > #0 0x00007f5dca7311c0 in WebKit::ShareableBitmap::data() const () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #1 0x00007f5dca991312 in WebKit::ShareableBitmap::createCairoSurface() () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #2 0x00007f5dca991393 in WebKit::ShareableBitmap::createGraphicsContext() () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #3 0x00007f5dca98b3e8 in WebKit::WebCoordinatedSurface::createGraphicsContext(WebCore::IntRect const&) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #4 0x00007f5dca98b469 in WebKit::WebCoordinatedSurface::paintToSurface(WebCore::IntRect const&, WebCore::CoordinatedSurface::Client&) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #5 0x00007f5dca9eef98 in WebKit::UpdateAtlas::paintOnAvailableBuffer(WebCore::IntSize const&, unsigned int&, WebCore::IntPoint&, WebCore::CoordinatedSurface::Client&) () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #6 0x00007f5dcb835ff3 in WebCore::Tile::updateBackBuffer() () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #7 0x00007f5dcb4e2319 in WebCore::TiledBackingStore::updateTileBuffers() () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #8 0x00007f5dcb4e3fad in WebCore::TiledBackingStore::createTiles(WebCore::IntRect const&, WebCore::IntRect const&) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #9 0x00007f5dcb4e41ff in WebCore::TiledBackingStore::createTilesIfNeeded(WebCore::IntRect const&, WebCore::IntRect const&) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #10 0x00007f5dcb4e0966 in WebCore::CoordinatedGraphicsLayer::updateContentBuffers() () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #11 0x00007f5dcb4e09d3 in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #12 0x00007f5dcb4e09fc in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #13 0x00007f5dcb4e09fc in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #14 0x00007f5dcb4e09fc in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #15 0x00007f5dca9ea278 in WebKit::CompositingCoordinator::flushPendingLayerChanges() () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #16 0x00007f5dca9e3764 in WebKit::AcceleratedDrawingArea::sendDidUpdateBackingStoreState() () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #17 0x00007f5dca9e3e3c in WebKit::AcceleratedDrawingArea::updateBackingStoreState(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #18 0x00007f5dcaa3b15e in WebKit::DrawingArea::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #19 0x00007f5dca7202e9 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #20 0x00007f5dca866e76 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #21 0x00007f5dca71da8b in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #22 0x00007f5dca71e848 in IPC::Connection::dispatchOneMessage() () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #23 0x00007f5dcb94d6d1 in WTF::RunLoop::performWork() () from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #24 0x00007f5dc852eb2e in _ecore_pipe_handler_call (p=p@entry=0x1f26ac0, buf=0x2217be0 "W^\"\002", len=<optimized out>) > at /home/fujii/work/webkit/ga/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_pipe.c:511 > #25 0x00007f5dc852f1e9 in _ecore_pipe_read (data=0x1f26ac0, fd_handler=<optimized out>) > at /home/fujii/work/webkit/ga/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_pipe.c:637 > #26 0x00007f5dc852cb82 in _ecore_call_fd_cb (fd_handler=0x1f1cab0, data=<optimized out>, func=<optimized out>) > at /home/fujii/work/webkit/ga/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_private.h:333 > #27 _ecore_main_fd_handlers_call () at /home/fujii/work/webkit/ga/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_main.c:1974 > #28 _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) > at /home/fujii/work/webkit/ga/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_main.c:2339 > #29 0x00007f5dc852cf67 in ecore_main_loop_begin () at /home/fujii/work/webkit/ga/WebKitBuild/DependenciesEFL/Source/efl-1.18.4/src/lib/ecore/ecore_main.c:1286 > #30 0x00007f5dca9f08cd in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) () > from /home/fujii/work/webkit/ga/WebKitBuild/Release/lib/libewebkit2.so.1 > #31 0x00007f5dc931b830 in __libc_start_main (main=0x400760 <main>, argc=2, argv=0x7ffdd6abb108, init=<optimized out>, fini=<optimized out>, > rtld_fini=<optimized out>, stack_end=0x7ffdd6abb0f8) at ../csu/libc-start.c:291 > #32 0x00000000004007b9 in _start () 1271603 1 300191 fujii 2017-01-30 23:55:32 -0800 Created attachment 300191 Patch 1271610 2 300191 cgarcia 2017-01-31 00:12:16 -0800 Comment on attachment 300191 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=300191&action=review > Source/WebKit2/Shared/CoordinatedGraphics/WebCoordinatedSurface.cpp:84 > + RefPtr<ShareableBitmap> bitmap = ShareableBitmap::createShareable(size, (flags & SupportsAlpha) ? ShareableBitmap::SupportsAlpha : ShareableBitmap::NoFlags); > + if (!bitmap) > + return nullptr; > + surface = create(size, flags, WTFMove(bitmap)); So, here we don't need the surface anymore. I think this method could be simplified with something like: #if USE(GRAPHICS_SURFACE) if (auto surface = createWithSurface(size, flags)) return surface; #endif if (auto bitmap = ShareableBitmap::createShareable(size, (flags & SupportsAlpha) ? ShareableBitmap::SupportsAlpha : ShareableBitmap::NoFlags)) return create(size, flags, WTFMove(bitmap)); return nullptr; 1271620 3 300196 fujii 2017-01-31 00:52:47 -0800 Created attachment 300196 Patch Thank you for reviewing my patch. Revised the patch. 1271626 4 300196 commit-queue 2017-01-31 01:15:06 -0800 Comment on attachment 300196 Patch Clearing flags on attachment: 300196 Committed r211414: <http://trac.webkit.org/changeset/211414> 1271627 5 commit-queue 2017-01-31 01:15:11 -0800 All reviewed patches have been landed. Closing bug. 300191 2017-01-30 23:55:32 -0800 2017-01-31 00:52:41 -0800 Patch bug-167631-20170201015305.patch text/plain 2026 fujii U3VidmVyc2lvbiBSZXZpc2lvbjogMjExMzk2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViS2l0Mi9DaGFuZ2VMb2cKaW5kZXggNjUyMTZlMzVjMjU4MmM4 YTI4MDI4ZTg0YzI1MzQ2OTJiNjVmYzUxMS4uMjdlMDc1M2VjYWE5OWIzNmExNDNkMjhlZGNiMDkw MTQ4ZTVmZmRmYSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdDIvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJLaXQyL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE0IEBACisyMDE3LTAxLTMxICBGdWpp aSBIaXJvbm9yaSAgPEhpcm9ub3JpLkZ1amlpQHNvbnkuY29tPgorCisgICAgICAgIFtDb29yZGlu YXRlZEdyYXBoaWNzXSBXZWJDb29yZGluYXRlZFN1cmZhY2U6OmNyZWF0ZSBzaG91bGQgZG8gbnVs bC1jaGVjayBvZiB0aGUgcmV0dXJuIHZhbHVlIG9mIFNoYXJlYWJsZUJpdG1hcDo6Y3JlYXRlU2hh cmVhYmxlCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0x Njc2MzEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAq IFNoYXJlZC9Db29yZGluYXRlZEdyYXBoaWNzL1dlYkNvb3JkaW5hdGVkU3VyZmFjZS5jcHA6Cisg ICAgICAgIChXZWJLaXQ6OldlYkNvb3JkaW5hdGVkU3VyZmFjZTo6Y3JlYXRlKTogRG8gbnVsbC1j aGVjayBvZiB0aGUKKyAgICAgICAgcmV0dXJuIHZhbHVlIG9mIFNoYXJlYWJsZUJpdG1hcDo6Y3Jl YXRlU2hhcmVhYmxlLgorCiAyMDE3LTAxLTMwICBBbmRlcnMgQ2FybHNzb24gIDxhbmRlcnNjYUBh cHBsZS5jb20+CiAKICAgICAgICAgQWRkIHNvbWUgbW9yZSBjcmFzaCByZXBvcnRlciBpbmZvcm1h dGlvbiB0byBkaWFnbm9zZSBhIGZhaWxlZCBtYWNoX21zZwpkaWZmIC0tZ2l0IGEvU291cmNlL1dl YktpdDIvU2hhcmVkL0Nvb3JkaW5hdGVkR3JhcGhpY3MvV2ViQ29vcmRpbmF0ZWRTdXJmYWNlLmNw cCBiL1NvdXJjZS9XZWJLaXQyL1NoYXJlZC9Db29yZGluYXRlZEdyYXBoaWNzL1dlYkNvb3JkaW5h dGVkU3VyZmFjZS5jcHAKaW5kZXggMmM1YzEyZjYwN2ZmNTVmNDNhMjZlMmIxNGFmYzAyNTA2OWYz OTBiMC4uZWI0YmI4ODJkNGI3OWFhYzNhZTU3ZjhjNWYwYjMxNmY2ZWY0MzdjOSAxMDA2NDQKLS0t IGEvU291cmNlL1dlYktpdDIvU2hhcmVkL0Nvb3JkaW5hdGVkR3JhcGhpY3MvV2ViQ29vcmRpbmF0 ZWRTdXJmYWNlLmNwcAorKysgYi9Tb3VyY2UvV2ViS2l0Mi9TaGFyZWQvQ29vcmRpbmF0ZWRHcmFw aGljcy9XZWJDb29yZGluYXRlZFN1cmZhY2UuY3BwCkBAIC03NCwxMCArNzQsMTQgQEAgUmVmUHRy PFdlYkNvb3JkaW5hdGVkU3VyZmFjZT4gV2ViQ29vcmRpbmF0ZWRTdXJmYWNlOjpjcmVhdGUoY29u c3QgSW50U2l6ZSYgc2l6ZSwKICAgICBSZWZQdHI8V2ViQ29vcmRpbmF0ZWRTdXJmYWNlPiBzdXJm YWNlOwogI2lmIFVTRShHUkFQSElDU19TVVJGQUNFKQogICAgIHN1cmZhY2UgPSBjcmVhdGVXaXRo U3VyZmFjZShzaXplLCBmbGFncyk7CisgICAgaWYgKHN1cmZhY2UpCisgICAgICAgIHJldHVybiBz dXJmYWNlOwogI2VuZGlmCiAKLSAgICBpZiAoIXN1cmZhY2UpCi0gICAgICAgIHN1cmZhY2UgPSBj cmVhdGUoc2l6ZSwgZmxhZ3MsIFNoYXJlYWJsZUJpdG1hcDo6Y3JlYXRlU2hhcmVhYmxlKHNpemUs IChmbGFncyAmIFN1cHBvcnRzQWxwaGEpID8gU2hhcmVhYmxlQml0bWFwOjpTdXBwb3J0c0FscGhh IDogU2hhcmVhYmxlQml0bWFwOjpOb0ZsYWdzKSk7CisgICAgUmVmUHRyPFNoYXJlYWJsZUJpdG1h cD4gYml0bWFwID0gU2hhcmVhYmxlQml0bWFwOjpjcmVhdGVTaGFyZWFibGUoc2l6ZSwgKGZsYWdz ICYgU3VwcG9ydHNBbHBoYSkgPyBTaGFyZWFibGVCaXRtYXA6OlN1cHBvcnRzQWxwaGEgOiBTaGFy ZWFibGVCaXRtYXA6Ok5vRmxhZ3MpOworICAgIGlmICghYml0bWFwKQorICAgICAgICByZXR1cm4g bnVsbHB0cjsKKyAgICBzdXJmYWNlID0gY3JlYXRlKHNpemUsIGZsYWdzLCBXVEZNb3ZlKGJpdG1h cCkpOwogCiAgICAgcmV0dXJuIHN1cmZhY2U7CiB9Cg== 300196 2017-01-31 00:52:47 -0800 2017-01-31 01:15:06 -0800 Patch bug-167631-20170201025011.patch text/plain 2183 fujii U3VidmVyc2lvbiBSZXZpc2lvbjogMjExMzk2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViS2l0Mi9DaGFuZ2VMb2cKaW5kZXggNjUyMTZlMzVjMjU4MmM4 YTI4MDI4ZTg0YzI1MzQ2OTJiNjVmYzUxMS4uZThiNjk5N2Y0NzUxZWQwNWU2NTQ3NDkwM2ZjNDRi ODBjMmRiNjUyYyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdDIvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJLaXQyL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE0IEBACisyMDE3LTAxLTMxICBGdWpp aSBIaXJvbm9yaSAgPEhpcm9ub3JpLkZ1amlpQHNvbnkuY29tPgorCisgICAgICAgIFtDb29yZGlu YXRlZEdyYXBoaWNzXSBXZWJDb29yZGluYXRlZFN1cmZhY2U6OmNyZWF0ZSBzaG91bGQgZG8gbnVs bC1jaGVjayBvZiB0aGUgcmV0dXJuIHZhbHVlIG9mIFNoYXJlYWJsZUJpdG1hcDo6Y3JlYXRlU2hh cmVhYmxlCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0x Njc2MzEKKworICAgICAgICBSZXZpZXdlZCBieSBDYXJsb3MgR2FyY2lhIENhbXBvcy4KKworICAg ICAgICAqIFNoYXJlZC9Db29yZGluYXRlZEdyYXBoaWNzL1dlYkNvb3JkaW5hdGVkU3VyZmFjZS5j cHA6CisgICAgICAgIChXZWJLaXQ6OldlYkNvb3JkaW5hdGVkU3VyZmFjZTo6Y3JlYXRlKTogRG8g bnVsbC1jaGVjayBvZiB0aGUKKyAgICAgICAgcmV0dXJuIHZhbHVlIG9mIFNoYXJlYWJsZUJpdG1h cDo6Y3JlYXRlU2hhcmVhYmxlLgorCiAyMDE3LTAxLTMwICBBbmRlcnMgQ2FybHNzb24gIDxhbmRl cnNjYUBhcHBsZS5jb20+CiAKICAgICAgICAgQWRkIHNvbWUgbW9yZSBjcmFzaCByZXBvcnRlciBp bmZvcm1hdGlvbiB0byBkaWFnbm9zZSBhIGZhaWxlZCBtYWNoX21zZwpkaWZmIC0tZ2l0IGEvU291 cmNlL1dlYktpdDIvU2hhcmVkL0Nvb3JkaW5hdGVkR3JhcGhpY3MvV2ViQ29vcmRpbmF0ZWRTdXJm YWNlLmNwcCBiL1NvdXJjZS9XZWJLaXQyL1NoYXJlZC9Db29yZGluYXRlZEdyYXBoaWNzL1dlYkNv b3JkaW5hdGVkU3VyZmFjZS5jcHAKaW5kZXggMmM1YzEyZjYwN2ZmNTVmNDNhMjZlMmIxNGFmYzAy NTA2OWYzOTBiMC4uZmRiYzg3OWYwOGRmNDBlZThmN2YwZTU3YWJkZGFmNTYxYTY5M2NmNiAxMDA2 NDQKLS0tIGEvU291cmNlL1dlYktpdDIvU2hhcmVkL0Nvb3JkaW5hdGVkR3JhcGhpY3MvV2ViQ29v cmRpbmF0ZWRTdXJmYWNlLmNwcAorKysgYi9Tb3VyY2UvV2ViS2l0Mi9TaGFyZWQvQ29vcmRpbmF0 ZWRHcmFwaGljcy9XZWJDb29yZGluYXRlZFN1cmZhY2UuY3BwCkBAIC03MSwxNSArNzEsMTUgQEAg Ym9vbCBXZWJDb29yZGluYXRlZFN1cmZhY2U6OkhhbmRsZTo6ZGVjb2RlKElQQzo6RGVjb2RlciYg ZGVjb2RlciwgSGFuZGxlJiBoYW5kbGUKIAogUmVmUHRyPFdlYkNvb3JkaW5hdGVkU3VyZmFjZT4g V2ViQ29vcmRpbmF0ZWRTdXJmYWNlOjpjcmVhdGUoY29uc3QgSW50U2l6ZSYgc2l6ZSwgQ29vcmRp bmF0ZWRTdXJmYWNlOjpGbGFncyBmbGFncykKIHsKLSAgICBSZWZQdHI8V2ViQ29vcmRpbmF0ZWRT dXJmYWNlPiBzdXJmYWNlOwogI2lmIFVTRShHUkFQSElDU19TVVJGQUNFKQotICAgIHN1cmZhY2Ug PSBjcmVhdGVXaXRoU3VyZmFjZShzaXplLCBmbGFncyk7CisgICAgaWYgKGF1dG8gc3VyZmFjZSA9 IGNyZWF0ZVdpdGhTdXJmYWNlKHNpemUsIGZsYWdzKSkKKyAgICAgICAgcmV0dXJuIHN1cmZhY2U7 CiAjZW5kaWYKIAotICAgIGlmICghc3VyZmFjZSkKLSAgICAgICAgc3VyZmFjZSA9IGNyZWF0ZShz aXplLCBmbGFncywgU2hhcmVhYmxlQml0bWFwOjpjcmVhdGVTaGFyZWFibGUoc2l6ZSwgKGZsYWdz ICYgU3VwcG9ydHNBbHBoYSkgPyBTaGFyZWFibGVCaXRtYXA6OlN1cHBvcnRzQWxwaGEgOiBTaGFy ZWFibGVCaXRtYXA6Ok5vRmxhZ3MpKTsKKyAgICBpZiAoYXV0byBiaXRtYXAgPSBTaGFyZWFibGVC aXRtYXA6OmNyZWF0ZVNoYXJlYWJsZShzaXplLCAoZmxhZ3MgJiBTdXBwb3J0c0FscGhhKSA/IFNo YXJlYWJsZUJpdG1hcDo6U3VwcG9ydHNBbHBoYSA6IFNoYXJlYWJsZUJpdG1hcDo6Tm9GbGFncykp CisgICAgICAgIHJldHVybiBjcmVhdGUoc2l6ZSwgZmxhZ3MsIFdURk1vdmUoYml0bWFwKSk7CiAK LSAgICByZXR1cm4gc3VyZmFjZTsKKyAgICByZXR1cm4gbnVsbHB0cjsKIH0KIAogI2lmIFVTRShH UkFQSElDU19TVVJGQUNFKQo=