53830 2011-02-04 18:15:28 -0800 Crashes in ShadowBlur via WebKit2 FindController 2011-02-04 20:59:40 -0800 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 1 simon.fraser simon.fraser simon.fraser oldest_to_newest 345977 0 simon.fraser 2011-02-04 18:15:28 -0800 The FindController code uses a GraphicsContext to draw shadowed boxes, which triggers a re-entrant code path in ShadowBlur. 345985 1 simon.fraser 2011-02-04 18:25:04 -0800 Bad stack is: -> WebCore::ScratchBuffer::getScratchBuffer(WebCore::IntSize const&) -> WebCore::ShadowBlur::drawRectShadowWithTiling(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&, WebCore::IntSize const&) -> WebCore::ShadowBlur::drawRectShadow(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&) -> WebCore::GraphicsContext::fillRect(WebCore::FloatRect const&) -> WebCore::ShadowBlur::drawRectShadowWithTiling(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&, WebCore::IntSize const&) -> WebCore::ShadowBlur::drawRectShadow(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&) -> WebCore::GraphicsContext::fillRect(WebCore::FloatRect const&) -> WebKit::FindController::drawRect(WebKit::PageOverlay*, WebCore::GraphicsContext&, WebCore::IntRect const&) -> WebKit::PageOverlay::drawRect(WebCore::GraphicsContext&, WebCore::IntRect const&) -> WebKit::WebPage::drawRect(WebCore::GraphicsContext&, WebCore::IntRect const&) -> WebKit::DrawingAreaImpl::display(WebKit::UpdateInfo&) -> WebKit::DrawingAreaImpl::display() -> RunLoop::Timer<WebKit::DrawingAreaImpl>::fired() -> RunLoop::TimerBase::timerFired(__CFRunLoopTimer*, void*) 346047 2 81346 simon.fraser 2011-02-04 20:47:17 -0800 Created attachment 81346 Patch 346054 3 simon.fraser 2011-02-04 20:59:07 -0800 http://trac.webkit.org/changeset/77729 346055 4 simon.fraser 2011-02-04 20:59:40 -0800 <rdar://problem/8962505> 81346 2011-02-04 20:47:17 -0800 2011-02-04 20:49:11 -0800 Patch bug-53830-20110204204715.patch text/plain 4219 simon.fraser ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCBiY2Y4YTY3YTU5NWY1NWQ1N2I0YzA1YTAzY2M4OGZjMDE3MmMyNjZlLi5h NTYwMDdjM2JmYzBmMGEwYjk3NmNkMjMzMmQ3NTNiNzcxMDRjNDVjIDEwMDY0NAotLS0gYS9Tb3Vy Y2UvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0x LDMgKzEsMzIgQEAKKzIwMTEtMDItMDQgIFNpbW9uIEZyYXNlciAgPHNpbW9uLmZyYXNlckBhcHBs ZS5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgRGFuIEJlcm5zdGVpbi4KKworICAgICAgICBD cmFzaGVzIGluIFNoYWRvd0JsdXIgdmlhIFdlYktpdDIgRmluZENvbnRyb2xsZXIKKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTUzODMwCisgICAgICAgIAor ICAgICAgICBGaXggYSBjcmFzaCBjYXVzZSBieSByZS1lbnRlcmluZyBTaGFkb3dCbHVyLCBhbmQg YWRkIGFzc2VydGlvbnMgdG8KKyAgICAgICAgZGV0ZWN0IHdoZW4gaXQgaGFwcGVucy4KKyAgICAg ICAgCisgICAgICAgIFRoZSByZS1lbnRyYW5jeSBvY2N1cnJlZCB3aGVuIGRyYXdSZWN0U2hhZG93 V2l0aFRpbGluZygpIGZpbGxlZAorICAgICAgICB0aGUgaW50ZXJpb3Igb2YgdGhlIHNoYWRvdyB3 aXRoIGZpbGxSZWN0KCkgb24gdGhlIGNvbnRleHQKKyAgICAgICAgd2hpY2ggc3RpbGwgaGFkIHRo ZSBzaGFkb3cgc3RhdGUgc2V0LiBUaGlzIHdvdWxkIG1ha2UgYW5vdGhlciBTaGFkb3dCbHVyCisg ICAgICAgIG9uIHRoZSBzdGFjayBhbmQgY2FsbCBpbnRvIHRoZSBjb2RlIGFnYWluLCBwb3RlbnRp YWxseSBibG93aW5nIGF3YXkKKyAgICAgICAgdGhlIGltYWdlIGJ1ZmZlci4KKyAgICAgICAgCisg ICAgICAgIEZpeCBieSB0dXJuaW5nIG9mZiBzaGFkb3dzIGluIHRoZSBkZXN0aW5hdGlvbiBjb250 ZXh0IHdoaWxlIHdlJ3JlCisgICAgICAgIGRyYXdpbmcgdGhlIHRpbGVkIHNoYWRvdy4gVGhlIG5v bi10aWxlZCBjb2RlIHBhdGggYWxyZWFkeSBkaWQgdGhpcy4KKworICAgICAgICBOb3QgdGVzdGFi bGUgYmVjYXVzZSBDU1Mgc2hhZG93cyBjbGlwIG91dCB0aGUgaW5zaWRlIG9mIHRoZSByZWN0Cisg ICAgICAgIGJlaW5nIHNoYWRvd2VkLCBhbmQgU1ZHIHVzZXMgZmlsbFBhdGgsIGV2ZW4gZm9yIHJl Y3RzLgorCisgICAgICAgICogcGxhdGZvcm0vZ3JhcGhpY3MvU2hhZG93Qmx1ci5jcHA6CisgICAg ICAgIChXZWJDb3JlOjpTY3JhdGNoQnVmZmVyOjpTY3JhdGNoQnVmZmVyKToKKyAgICAgICAgKFdl YkNvcmU6OlNjcmF0Y2hCdWZmZXI6OmdldFNjcmF0Y2hCdWZmZXIpOgorICAgICAgICAoV2ViQ29y ZTo6U2NyYXRjaEJ1ZmZlcjo6c2NoZWR1bGVTY3JhdGNoQnVmZmVyUHVyZ2UpOgorICAgICAgICAo V2ViQ29yZTo6U2hhZG93Qmx1cjo6U2hhZG93Qmx1cik6CisgICAgICAgIChXZWJDb3JlOjpTaGFk b3dCbHVyOjpkcmF3UmVjdFNoYWRvd1dpdGhUaWxpbmcpOgorCiAyMDExLTAyLTA0ICBDYXJsb3Mg R2FyY2lhIENhbXBvcyAgPGNnYXJjaWFAaWdhbGlhLmNvbT4KIAogICAgICAgICBSZXZpZXdlZCBi eSBNYXJ0aW4gUm9iaW5zb24uCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9n cmFwaGljcy9TaGFkb3dCbHVyLmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNz L1NoYWRvd0JsdXIuY3BwCmluZGV4IGQzODYwOWEyNjI5ZTlmMzA5NDVlYjUwNjg0MGQzMGNlNDI3 NTE3NDQuLjYwYTY5OWJjZmQyYjEwZDI4YWI2OWIzZDY5ZThmZGZkNTM3ODI4NjggMTAwNjQ0Ci0t LSBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL1NoYWRvd0JsdXIuY3BwCisrKyBi L1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL1NoYWRvd0JsdXIuY3BwCkBAIC01Mywx MSArNTMsMTggQEAgY2xhc3MgU2NyYXRjaEJ1ZmZlciB7CiBwdWJsaWM6CiAgICAgU2NyYXRjaEJ1 ZmZlcigpCiAgICAgICAgIDogbV9wdXJnZVRpbWVyKHRoaXMsICZTY3JhdGNoQnVmZmVyOjp0aW1l ckZpcmVkKQorI2lmICFBU1NFUlRfRElTQUJMRUQKKyAgICAgICAgLCBtX2J1ZmZlckluVXNlKGZh bHNlKQorI2VuZGlmCiAgICAgewogICAgIH0KICAgICAKICAgICBJbWFnZUJ1ZmZlciogZ2V0U2Ny YXRjaEJ1ZmZlcihjb25zdCBJbnRTaXplJiBzaXplKQogICAgIHsKKyAgICAgICAgQVNTRVJUKCFt X2J1ZmZlckluVXNlKTsKKyNpZiAhQVNTRVJUX0RJU0FCTEVECisgICAgICAgIG1fYnVmZmVySW5V c2UgPSB0cnVlOworI2VuZGlmCiAgICAgICAgIC8vIFdlIGRvIG5vdCBuZWVkIHRvIHJlY3JlYXRl IHRoZSBidWZmZXIgaWYgdGhlIGN1cnJlbnQgYnVmZmVyIGlzIGxhcmdlIGVub3VnaC4KICAgICAg ICAgaWYgKG1faW1hZ2VCdWZmZXIgJiYgbV9pbWFnZUJ1ZmZlci0+d2lkdGgoKSA+PSBzaXplLndp ZHRoKCkgJiYgbV9pbWFnZUJ1ZmZlci0+aGVpZ2h0KCkgPj0gc2l6ZS5oZWlnaHQoKSkKICAgICAg ICAgICAgIHJldHVybiBtX2ltYWdlQnVmZmVyLmdldCgpOwpAQCAtNzEsNiArNzgsOSBAQCBwdWJs aWM6CiAKICAgICB2b2lkIHNjaGVkdWxlU2NyYXRjaEJ1ZmZlclB1cmdlKCkKICAgICB7CisjaWYg IUFTU0VSVF9ESVNBQkxFRAorICAgICAgICBtX2J1ZmZlckluVXNlID0gZmFsc2U7CisjZW5kaWYK ICAgICAgICAgaWYgKG1fcHVyZ2VUaW1lci5pc0FjdGl2ZSgpKQogICAgICAgICAgICAgbV9wdXJn ZVRpbWVyLnN0b3AoKTsKIApAQCAtOTMsNiArMTAzLDkgQEAgcHJpdmF0ZToKIAogICAgIE93blB0 cjxJbWFnZUJ1ZmZlcj4gbV9pbWFnZUJ1ZmZlcjsKICAgICBUaW1lcjxTY3JhdGNoQnVmZmVyPiBt X3B1cmdlVGltZXI7CisjaWYgIUFTU0VSVF9ESVNBQkxFRAorICAgIGJvb2wgbV9idWZmZXJJblVz ZTsKKyNlbmRpZgogfTsKIAogU2NyYXRjaEJ1ZmZlciYgU2NyYXRjaEJ1ZmZlcjo6c2hhcmVkKCkK QEAgLTEwNiw2ICsxMTksNyBAQCBTaGFkb3dCbHVyOjpTaGFkb3dCbHVyKGZsb2F0IHJhZGl1cywg Y29uc3QgRmxvYXRTaXplJiBvZmZzZXQsIGNvbnN0IENvbG9yJiBjb2xvcgogICAgICwgbV9jb2xv clNwYWNlKGNvbG9yU3BhY2UpCiAgICAgLCBtX2JsdXJSYWRpdXMocmFkaXVzKQogICAgICwgbV9v ZmZzZXQob2Zmc2V0KQorICAgICwgbV9sYXllckltYWdlKDApCiAgICAgLCBtX3NoYWRvd3NJZ25v cmVUcmFuc2Zvcm1zKGZhbHNlKQogewogICAgIC8vIExpbWl0IGJsdXIgcmFkaXVzIHRvIDEyOCB0 byBhdm9pZCBsb3RzIG9mIHZlcnkgZXhwZW5zaXZlIGJsdXJyaW5nLgpAQCAtNDkzLDYgKzUwNyw5 IEBAIHZvaWQgU2hhZG93Qmx1cjo6ZHJhd1JlY3RTaGFkb3dXaXRob3V0VGlsaW5nKEdyYXBoaWNz Q29udGV4dCogZ3JhcGhpY3NDb250ZXh0LCBjCiAKIHZvaWQgU2hhZG93Qmx1cjo6ZHJhd1JlY3RT aGFkb3dXaXRoVGlsaW5nKEdyYXBoaWNzQ29udGV4dCogZ3JhcGhpY3NDb250ZXh0LCBjb25zdCBG bG9hdFJlY3QmIHNoYWRvd2VkUmVjdCwgY29uc3QgUm91bmRlZEludFJlY3Q6OlJhZGlpJiByYWRp aSwgY29uc3QgSW50U2l6ZSYgc2hhZG93VGVtcGxhdGVTaXplKQogeworICAgIGdyYXBoaWNzQ29u dGV4dC0+c2F2ZSgpOworICAgIGdyYXBoaWNzQ29udGV4dC0+Y2xlYXJTaGFkb3coKTsKKwogICAg IGNvbnN0IGZsb2F0IHJvdW5kZWRSYWRpdXMgPSBjZWlsZihtX2JsdXJSYWRpdXMpOwogICAgIGNv bnN0IGZsb2F0IHR3aWNlUmFkaXVzID0gcm91bmRlZFJhZGl1cyAqIDI7CiAKQEAgLTYwMSw2ICs2 MTgsOCBAQCB2b2lkIFNoYWRvd0JsdXI6OmRyYXdSZWN0U2hhZG93V2l0aFRpbGluZyhHcmFwaGlj c0NvbnRleHQqIGdyYXBoaWNzQ29udGV4dCwgY29ucwogICAgIGRlc3RSZWN0ID0gRmxvYXRSZWN0 KHNoYWRvd0JvdW5kcy54KCksIHNoYWRvd0JvdW5kcy5tYXhZKCkgLSBib3R0b21PZmZzZXQsIGxl ZnRPZmZzZXQsIGJvdHRvbU9mZnNldCk7CiAgICAgZ3JhcGhpY3NDb250ZXh0LT5kcmF3SW1hZ2VC dWZmZXIobV9sYXllckltYWdlLCBDb2xvclNwYWNlRGV2aWNlUkdCLCBkZXN0UmVjdCwgdGlsZVJl Y3QpOwogCisgICAgZ3JhcGhpY3NDb250ZXh0LT5yZXN0b3JlKCk7CisKICAgICBtX2xheWVySW1h Z2UgPSAwOwogICAgIC8vIFNjaGVkdWxlIGEgcHVyZ2Ugb2YgdGhlIHNjcmF0Y2ggYnVmZmVyLgog ICAgIFNjcmF0Y2hCdWZmZXI6OnNoYXJlZCgpLnNjaGVkdWxlU2NyYXRjaEJ1ZmZlclB1cmdlKCk7 Cg==