48707 2010-10-29 19:37:03 -0700 [Qt][WK2] Crash in drawUpdateChunkIntoBackingStore 2010-10-30 07:50:12 -0700 1 1 1 Unclassified WebKit WebKit2 528+ (Nightly build) All All RESOLVED FIXED Qt, QtTriaged P2 Normal --- 1 kling webkit-qt-unassigned oldest_to_newest 302237 0 kling 2010-10-29 19:37:03 -0700 UpdateChunk images should be created using the QImage constructor that takes a bytesPerLine value, or the data length won't match UpdateChunk::size(). Crashiness is easily reproduced by manually resizing MiniBrowser. 302238 1 72429 kling 2010-10-29 19:37:47 -0700 Created attachment 72429 Proposed patch 302239 2 kling 2010-10-29 19:40:12 -0700 Valgrind stack from such a crash (Invalid read of size 1): memcpy (mc_replace_strmem.c:497) qt_blend_rgb32_on_rgb32(unsigned char*, int, unsigned char const*, int, int, int, int) (string3.h:52) QRasterPaintEngine::drawImage(QPointF const&, QImage const&) (qpaintengine_raster.cpp:2490) QPainter::drawImage(QPointF const&, QImage const&) (qpainter.cpp:5618) WebKit::ChunkedUpdateDrawingAreaProxy::drawUpdateChunkIntoBackingStore(WebKit::UpdateChunk*) (qpainter.h:923) WebKit::ChunkedUpdateDrawingAreaProxy::didSetSize(WebKit::UpdateChunk*) (ChunkedUpdateDrawingAreaProxy.cpp:130) WebKit::ChunkedUpdateDrawingAreaProxy::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) (ChunkedUpdateDrawingAreaProxy.cpp:168) WebKit::ChunkedUpdateDrawingAreaProxy::paint(WebCore::IntRect const&, QPainter*) (ChunkedUpdateDrawingAreaProxy.cpp:70) QWKPagePrivate::paint(QPainter*, QRect) (qwkpage.cpp:149) _q_paintItem(QGraphicsItem*, QPainter*, QStyleOptionGraphicsItem const*, QWidget*, bool, bool) (qgraphicsscene.cpp:4314) QGraphicsScenePrivate::drawItemHelper(QGraphicsItem*, QPainter*, QStyleOptionGraphicsItem const*, QWidget*, bool) (qgraphicsscene.cpp:4427) QGraphicsScenePrivate::draw(QGraphicsItem*, QPainter*, QTransform const*, QTransform const*, QRegion*, QWidget*, double, QTransform const*, bool, bool) (qgraphicsscene.cpp:4962) QGraphicsScenePrivate::drawSubtreeRecursive(QGraphicsItem*, QPainter*, QTransform const*, QRegion*, QWidget*, double, QTransform const*) (qgraphicsscene.cpp:4853) QGraphicsScenePrivate::drawItems(QPainter*, QTransform const*, QRegion*, QWidget*) (qgraphicsscene.cpp:4735) QGraphicsView::paintEvent(QPaintEvent*) (qgraphicsview.cpp:3472) QWidget::event(QEvent*) (qwidget.cpp:8407) QFrame::event(QEvent*) (qframe.cpp:557) QGraphicsView::viewportEvent(QEvent*) (qgraphicsview.cpp:2867) QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (qcoreapplication.cpp:870) QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4443) QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4326) QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:760) QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) (qcoreapplication.h:234) QWidgetBackingStore::sync() (qbackingstore.cpp:1325) QWidgetPrivate::syncBackingStore() (qwidget.cpp:1842) QWidget::event(QEvent*) (qwidget.cpp:8554) QMainWindow::event(QEvent*) (qmainwindow.cpp:1480) QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4447) QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4326) QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:760) QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.h:231) QGraphicsScenePrivate::_q_processDirtyItems() (qgraphicsview_p.h:200) QGraphicsScene::qt_metacall(QMetaObject::Call, int, void**) (moc_qgraphicsscene.cpp:130) QObject::event(QEvent*) (qobject.cpp:1192) QGraphicsScene::event(QEvent*) (qgraphicsscene.cpp:3545) QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4447) QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4326) QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:760) QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.h:231) postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qcoreapplication.h:236) g_main_context_dispatch (in /lib/libglib-2.0.so.0.2600.0) ??? (in /lib/libglib-2.0.so.0.2600.0) g_main_context_iteration (in /lib/libglib-2.0.so.0.2600.0) QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:417) QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204) QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149) QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:201) QCoreApplication::exec() (qcoreapplication.cpp:1032) main (main.cpp:53) 302267 3 72429 kenneth 2010-10-30 00:53:36 -0700 Comment on attachment 72429 Proposed patch What size does it get by default? 302283 4 kling 2010-10-30 04:20:27 -0700 (In reply to comment #3) > What size does it get by default? It would allocate width * height * 4 bytes, (UpdateChunk::size() returns this) but the default QImage ctor will prefer making every scanline 32-bit aligned. 302305 5 72429 kling 2010-10-30 07:50:03 -0700 Comment on attachment 72429 Proposed patch Clearing flags on attachment: 72429 Committed r70981: <http://trac.webkit.org/changeset/70981> 302306 6 kling 2010-10-30 07:50:12 -0700 All reviewed patches have been landed. Closing bug. 72429 2010-10-29 19:37:47 -0700 2010-10-30 07:50:03 -0700 Proposed patch bug-48707.diff text/plain 1280 kling ZGlmZiAtLWdpdCBhL1dlYktpdDIvQ2hhbmdlTG9nIGIvV2ViS2l0Mi9DaGFuZ2VMb2cKaW5kZXgg ZTUzMDVlNy4uYjMyNTQwNSAxMDA2NDQKLS0tIGEvV2ViS2l0Mi9DaGFuZ2VMb2cKKysrIGIvV2Vi S2l0Mi9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNyBAQAorMjAxMC0xMC0yOSAgQW5kcmVhcyBLbGlu ZyAgPGtsaW5nQHdlYmtpdC5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BT ISkuCisKKyAgICAgICAgW1F0XVtXSzJdIENyYXNoIGluIGRyYXdVcGRhdGVDaHVua0ludG9CYWNr aW5nU3RvcmUKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTQ4NzA3CisKKyAgICAgICAgVXBkYXRlQ2h1bmsgaW1hZ2VzIGhhdmUgdG8gYmUgY3JlYXRlZCB1 c2luZyB0aGUgUUltYWdlIGNvbnN0cnVjdG9yCisgICAgICAgIHRoYXQgdGFrZXMgYSBieXRlc1Bl ckxpbmUgKHN0cmlkZSkgdmFsdWUsIG9yIHRoZSBkYXRhIGxlbmd0aCB3b24ndAorICAgICAgICBt YXRjaCBVcGRhdGVDaHVuazo6c2l6ZSgpLgorCisgICAgICAgICogU2hhcmVkL3F0L1VwZGF0ZUNo dW5rLmNwcDoKKyAgICAgICAgKFdlYktpdDo6VXBkYXRlQ2h1bms6OmNyZWF0ZUltYWdlKToKKwog MjAxMC0xMC0yOSAgQWRhbSBSb2JlbiAgPGFyb2JlbkBhcHBsZS5jb20+CiAKICAgICAgICAgU3Rv cCB1c2luZyBlbmNvZGUvZGVjb2RlQnl0ZXMgZm9yIFdlYkV2ZW50IHN1YmNsYXNzZXMKZGlmZiAt LWdpdCBhL1dlYktpdDIvU2hhcmVkL3F0L1VwZGF0ZUNodW5rLmNwcCBiL1dlYktpdDIvU2hhcmVk L3F0L1VwZGF0ZUNodW5rLmNwcAppbmRleCBjNzc3NmFiLi4zZDJjZTMxIDEwMDY0NAotLS0gYS9X ZWJLaXQyL1NoYXJlZC9xdC9VcGRhdGVDaHVuay5jcHAKKysrIGIvV2ViS2l0Mi9TaGFyZWQvcXQv VXBkYXRlQ2h1bmsuY3BwCkBAIC05Miw3ICs5Miw3IEBAIGJvb2wgVXBkYXRlQ2h1bms6OmRlY29k ZShDb3JlSVBDOjpBcmd1bWVudERlY29kZXIqIGRlY29kZXIsIFVwZGF0ZUNodW5rJiBjaHVuaykK IAogUUltYWdlIFVwZGF0ZUNodW5rOjpjcmVhdGVJbWFnZSgpCiB7Ci0gICAgcmV0dXJuIFFJbWFn ZShkYXRhKCksIG1fcmVjdC53aWR0aCgpLCBtX3JlY3QuaGVpZ2h0KCksIFFJbWFnZTo6Rm9ybWF0 X1JHQjMyKTsKKyAgICByZXR1cm4gUUltYWdlKGRhdGEoKSwgbV9yZWN0LndpZHRoKCksIG1fcmVj dC5oZWlnaHQoKSwgbV9yZWN0LndpZHRoKCkgKiA0LCBRSW1hZ2U6OkZvcm1hdF9SR0IzMik7CiB9 CiAKIH0gLy8gbmFtZXNwYWNlIFdlYktpdAo=