33844 2010-01-19 08:10:46 -0800 [CHROMIUM] Crash on large TransparencyWin allocation 2010-01-19 13:21:31 -0800 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) PC Windows 7 RESOLVED FIXED P2 Normal --- 1 senorblanco senorblanco brettw kuchhal oldest_to_newest 182241 0 senorblanco 2010-01-19 08:10:46 -0800 When allocating the buffers in TransparencyWin for an OpaqueCompositeLayer, there are two allocations: one for the ImageBuffer, and one for the SkBitmap OwnedBuffers::m_referenceBitmap. If the allocation is small enough for the first one to pass, but big enough for the second one to fail, Chrome will crash in referenceCanvas.drawBitmap() in TransparencyWin::setupLayerForOpaqueCompositeLayer(). Reproduction URL: http://www.vandaag.be See http://crbug.com/28851. 182246 1 46910 senorblanco 2010-01-19 08:21:55 -0800 Created attachment 46910 Fix for TransparencyWin crash 182247 2 46911 senorblanco 2010-01-19 08:24:20 -0800 Created attachment 46911 Fix for crash v.2 (added bug ID) 182251 3 46912 senorblanco 2010-01-19 08:27:33 -0800 Created attachment 46912 Fix for crash v.3 (added *correct* bug ID. (I hate Bugzilla.)) 182283 4 brettw 2010-01-19 09:33:12 -0800 This looks good to me (but I'm not a WebKit reviewer). 182290 5 46912 dglazkov 2010-01-19 09:54:24 -0800 Comment on attachment 46912 Fix for crash v.3 (added *correct* bug ID. (I hate Bugzilla.)) r=me. 182412 6 senorblanco 2010-01-19 13:21:31 -0800 Landed as r53480, closing bug. 46910 2010-01-19 08:21:55 -0800 2010-01-19 08:24:20 -0800 Fix for TransparencyWin crash transparency_win_crash_fix.patch text/plain 1639 senorblanco SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA1MzQ2OCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTkgQEAKKzIwMTAtMDEtMTkgIFN0ZXBoZW4gV2hpdGUgIDxzZW5vcmJsYW5jb0Bj aHJvbWl1bS5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAg ICAgICAgRml4IGZvciBjcmFzaCBvbiBsYXJnZSBUcmFuc3BhcmVuY3lXaW4gYWxsb2NhdGlvbi4g IFRoZSBmaXggaXMKKyAgICAgICAgdG8gbGVhdmUgbV9sYXllclZhbGlkIGZhbHNlIHdoZW4gdGhl IGFsbG9jUGl4ZWxzIG9mCisgICAgICAgIE93bmVkQnVmZmVyczo6bV9yZWZlcmVuY2VCaXRtYXAg ZmFpbHMuICBUaGVuIFRyYW5zcGFyZW5jeVdpbiB3b24ndAorICAgICAgICBhdHRlbXB0IHRvIHVz ZSBpdC4KKworICAgICAgICBXaWxsIGJlIGNvdmVyZWQgYnkgYSBuZXcgdW5pdCB0ZXN0IGluIENo cm9taXVtJ3MgdGVzdF9zaGVsbF90ZXN0cyAod2hlbgorICAgICAgICB0aGlzIGlzIHJvbGxlZCBp bnRvIENocm9taXVtKS4KKworICAgICAgICAqIHBsYXRmb3JtL2dyYXBoaWNzL2Nocm9taXVtL1Ry YW5zcGFyZW5jeVdpbi5jcHA6CisgICAgICAgIChXZWJDb3JlOjpUcmFuc3BhcmVuY3lXaW46Omlu aXRpYWxpemVOZXdDb250ZXh0KToKKyAgICAgICAgRWFybHkgcmV0dXJuIHdoZW4gbV9yZWZlcmVu Y2VCaXRtYXAgb3IgaXRzIHBpeGVscyBpcyBOVUxMLgorCiAyMDEwLTAxLTE5ICBZdXJ5IFNlbWlr aGF0c2t5ICA8eXVyeXNAY2hyb21pdW0ub3JnPgogCiAgICAgICAgIFJldmlld2VkIGJ5IFBhdmVs IEZlbGRtYW4uCkluZGV4OiBXZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL2Nocm9taXVtL1RyYW5z cGFyZW5jeVdpbi5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9wbGF0Zm9ybS9ncmFwaGljcy9j aHJvbWl1bS9UcmFuc3BhcmVuY3lXaW4uY3BwCShyZXZpc2lvbiA1MzQ2OCkKKysrIFdlYkNvcmUv cGxhdGZvcm0vZ3JhcGhpY3MvY2hyb21pdW0vVHJhbnNwYXJlbmN5V2luLmNwcAkod29ya2luZyBj b3B5KQpAQCAtMzcxLDggKzM3MSwxMSBAQCB2b2lkIFRyYW5zcGFyZW5jeVdpbjo6aW5pdGlhbGl6 ZU5ld0NvbnRlCiAgICAgICAgICAgICByZXR1cm47CiAKICAgICAgICAgbV9kcmF3Q29udGV4dCA9 IG1fbGF5ZXJCdWZmZXItPmNvbnRleHQoKTsKLSAgICAgICAgaWYgKG5lZWRSZWZlcmVuY2VCaXRt YXApCisgICAgICAgIGlmIChuZWVkUmVmZXJlbmNlQml0bWFwKSB7CiAgICAgICAgICAgICBtX3Jl ZmVyZW5jZUJpdG1hcCA9IG1fb3duZWRCdWZmZXJzLT5yZWZlcmVuY2VCaXRtYXAoKTsKKyAgICAg ICAgICAgIGlmICghbV9yZWZlcmVuY2VCaXRtYXAgfHwgIW1fcmVmZXJlbmNlQml0bWFwLT5nZXRQ aXhlbHMoKSkgCisgICAgICAgICAgICAgICAgcmV0dXJuOworICAgICAgICB9CiAgICAgICAgIG1f dmFsaWRMYXllciA9IHRydWU7CiAgICAgICAgIHJldHVybjsKICAgICB9Cg== 46911 2010-01-19 08:24:20 -0800 2010-01-19 08:27:33 -0800 Fix for crash v.2 (added bug ID) transparency_win_crash_fix.patch text/plain 1733 senorblanco SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA1MzQ2OCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjIgQEAKKzIwMTAtMDEtMTkgIFN0ZXBoZW4gV2hpdGUgIDxzZW5vcmJsYW5jb0Bj aHJvbWl1bS5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAg ICAgICAgRml4IGZvciBjcmFzaCBvbiBsYXJnZSBUcmFuc3BhcmVuY3lXaW4gYWxsb2NhdGlvbi4g IFRoZSBmaXggaXMKKyAgICAgICAgdG8gbGVhdmUgbV9sYXllclZhbGlkIGZhbHNlIHdoZW4gdGhl IGFsbG9jUGl4ZWxzIG9mCisgICAgICAgIE93bmVkQnVmZmVyczo6bV9yZWZlcmVuY2VCaXRtYXAg ZmFpbHMuICBUaGVuIFRyYW5zcGFyZW5jeVdpbiB3b24ndAorICAgICAgICBhdHRlbXB0IHRvIHVz ZSBpdC4KKworICAgICAgICBXaWxsIGJlIGNvdmVyZWQgYnkgYSBuZXcgdW5pdCB0ZXN0IGluIENo cm9taXVtJ3MgdGVzdF9zaGVsbF90ZXN0cyAod2hlbgorICAgICAgICB0aGlzIGlzIHJvbGxlZCBp bnRvIENocm9taXVtKS4KKworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1 Zy5jZ2k/aWQ9Mjg0MjYKKworICAgICAgICAqIHBsYXRmb3JtL2dyYXBoaWNzL2Nocm9taXVtL1Ry YW5zcGFyZW5jeVdpbi5jcHA6CisgICAgICAgIChXZWJDb3JlOjpUcmFuc3BhcmVuY3lXaW46Omlu aXRpYWxpemVOZXdDb250ZXh0KToKKyAgICAgICAgRWFybHkgcmV0dXJuIHdoZW4gbV9yZWZlcmVu Y2VCaXRtYXAgb3IgaXRzIHBpeGVscyBpcyBOVUxMLCBsZWF2aW5nCisgICAgICAgIG1fbGF5ZXJW YWxpZCBmYWxzZS4KKwogMjAxMC0wMS0xOSAgWXVyeSBTZW1pa2hhdHNreSAgPHl1cnlzQGNocm9t aXVtLm9yZz4KIAogICAgICAgICBSZXZpZXdlZCBieSBQYXZlbCBGZWxkbWFuLgpJbmRleDogV2Vi Q29yZS9wbGF0Zm9ybS9ncmFwaGljcy9jaHJvbWl1bS9UcmFuc3BhcmVuY3lXaW4uY3BwCj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIFdlYkNvcmUvcGxhdGZvcm0vZ3JhcGhpY3MvY2hyb21pdW0vVHJhbnNwYXJlbmN5 V2luLmNwcAkocmV2aXNpb24gNTM0NjgpCisrKyBXZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL2No cm9taXVtL1RyYW5zcGFyZW5jeVdpbi5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTM3MSw4ICszNzEs MTEgQEAgdm9pZCBUcmFuc3BhcmVuY3lXaW46OmluaXRpYWxpemVOZXdDb250ZQogICAgICAgICAg ICAgcmV0dXJuOwogCiAgICAgICAgIG1fZHJhd0NvbnRleHQgPSBtX2xheWVyQnVmZmVyLT5jb250 ZXh0KCk7Ci0gICAgICAgIGlmIChuZWVkUmVmZXJlbmNlQml0bWFwKQorICAgICAgICBpZiAobmVl ZFJlZmVyZW5jZUJpdG1hcCkgewogICAgICAgICAgICAgbV9yZWZlcmVuY2VCaXRtYXAgPSBtX293 bmVkQnVmZmVycy0+cmVmZXJlbmNlQml0bWFwKCk7CisgICAgICAgICAgICBpZiAoIW1fcmVmZXJl bmNlQml0bWFwIHx8ICFtX3JlZmVyZW5jZUJpdG1hcC0+Z2V0UGl4ZWxzKCkpIAorICAgICAgICAg ICAgICAgIHJldHVybjsKKyAgICAgICAgfQogICAgICAgICBtX3ZhbGlkTGF5ZXIgPSB0cnVlOwog ICAgICAgICByZXR1cm47CiAgICAgfQo= 46912 2010-01-19 08:27:33 -0800 2010-01-19 12:03:04 -0800 Fix for crash v.3 (added *correct* bug ID. (I hate Bugzilla.)) transparency_win_crash_fix.patch text/plain 1733 senorblanco SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA1MzQ2OCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjIgQEAKKzIwMTAtMDEtMTkgIFN0ZXBoZW4gV2hpdGUgIDxzZW5vcmJsYW5jb0Bj aHJvbWl1bS5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAg ICAgICAgRml4IGZvciBjcmFzaCBvbiBsYXJnZSBUcmFuc3BhcmVuY3lXaW4gYWxsb2NhdGlvbi4g IFRoZSBmaXggaXMKKyAgICAgICAgdG8gbGVhdmUgbV9sYXllclZhbGlkIGZhbHNlIHdoZW4gdGhl IGFsbG9jUGl4ZWxzIG9mCisgICAgICAgIE93bmVkQnVmZmVyczo6bV9yZWZlcmVuY2VCaXRtYXAg ZmFpbHMuICBUaGVuIFRyYW5zcGFyZW5jeVdpbiB3b24ndAorICAgICAgICBhdHRlbXB0IHRvIHVz ZSBpdC4KKworICAgICAgICBXaWxsIGJlIGNvdmVyZWQgYnkgYSBuZXcgdW5pdCB0ZXN0IGluIENo cm9taXVtJ3MgdGVzdF9zaGVsbF90ZXN0cyAod2hlbgorICAgICAgICB0aGlzIGlzIHJvbGxlZCBp bnRvIENocm9taXVtKS4KKworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1 Zy5jZ2k/aWQ9MzM4NDQKKworICAgICAgICAqIHBsYXRmb3JtL2dyYXBoaWNzL2Nocm9taXVtL1Ry YW5zcGFyZW5jeVdpbi5jcHA6CisgICAgICAgIChXZWJDb3JlOjpUcmFuc3BhcmVuY3lXaW46Omlu aXRpYWxpemVOZXdDb250ZXh0KToKKyAgICAgICAgRWFybHkgcmV0dXJuIHdoZW4gbV9yZWZlcmVu Y2VCaXRtYXAgb3IgaXRzIHBpeGVscyBpcyBOVUxMLCBsZWF2aW5nCisgICAgICAgIG1fbGF5ZXJW YWxpZCBmYWxzZS4KKwogMjAxMC0wMS0xOSAgWXVyeSBTZW1pa2hhdHNreSAgPHl1cnlzQGNocm9t aXVtLm9yZz4KIAogICAgICAgICBSZXZpZXdlZCBieSBQYXZlbCBGZWxkbWFuLgpJbmRleDogV2Vi Q29yZS9wbGF0Zm9ybS9ncmFwaGljcy9jaHJvbWl1bS9UcmFuc3BhcmVuY3lXaW4uY3BwCj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIFdlYkNvcmUvcGxhdGZvcm0vZ3JhcGhpY3MvY2hyb21pdW0vVHJhbnNwYXJlbmN5 V2luLmNwcAkocmV2aXNpb24gNTM0NjgpCisrKyBXZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL2No cm9taXVtL1RyYW5zcGFyZW5jeVdpbi5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTM3MSw4ICszNzEs MTEgQEAgdm9pZCBUcmFuc3BhcmVuY3lXaW46OmluaXRpYWxpemVOZXdDb250ZQogICAgICAgICAg ICAgcmV0dXJuOwogCiAgICAgICAgIG1fZHJhd0NvbnRleHQgPSBtX2xheWVyQnVmZmVyLT5jb250 ZXh0KCk7Ci0gICAgICAgIGlmIChuZWVkUmVmZXJlbmNlQml0bWFwKQorICAgICAgICBpZiAobmVl ZFJlZmVyZW5jZUJpdG1hcCkgewogICAgICAgICAgICAgbV9yZWZlcmVuY2VCaXRtYXAgPSBtX293 bmVkQnVmZmVycy0+cmVmZXJlbmNlQml0bWFwKCk7CisgICAgICAgICAgICBpZiAoIW1fcmVmZXJl bmNlQml0bWFwIHx8ICFtX3JlZmVyZW5jZUJpdG1hcC0+Z2V0UGl4ZWxzKCkpIAorICAgICAgICAg ICAgICAgIHJldHVybjsKKyAgICAgICAgfQogICAgICAgICBtX3ZhbGlkTGF5ZXIgPSB0cnVlOwog ICAgICAgICByZXR1cm47CiAgICAgfQo=