65420 2011-07-30 16:54:43 -0700 WebKit2 crashes on attempt to decode null image 2011-07-31 20:21:13 -0700 1 1 1 Unclassified WebKit WebKit2 528+ (Nightly build) Unspecified Unspecified RESOLVED DUPLICATE 64802 P2 Normal --- 64321 1 romaxa webkit-unassigned andersca darin oldest_to_newest 444337 0 romaxa 2011-07-30 16:54:43 -0700 I'm using Qt WebKit2 build http://svn.webkit.org/repository/webkit/trunk@91765 (before Qt5 changes) open maps.google.com try to scroll google maps content Result: crash Crash start happening after bug 64321 fixed. #0 0xb55e880d in WebKit::ShareableBitmap::createQImage (this=0x0) at ../../../Source/WebKit2/Shared/qt/ShareableBitmapQt.cpp:42 #1 0xb55e89c1 in WebKit::ShareableBitmap::createGraphicsContext (this=0x0) at ../../../Source/WebKit2/Shared/qt/ShareableBitmapQt.cpp:56 #2 0xb55d0692 in CoreIPC::encodeImage (encoder=0xacc28758, image=0x9786a58) at ../../../Source/WebKit2/Shared/WebCoreArgumentCoders.cpp:294 #3 0xb55d0927 in CoreIPC::ArgumentCoder<WebCore::Cursor>::encode ( encoder=0xacc28758, cursor=...) at ../../../Source/WebKit2/Shared/WebCoreArgumentCoders.cpp:324 #4 0xb563a720 in CoreIPC::ArgumentEncoder::encode<WebCore::Cursor> ( this=0xacc28758, t=...) at ../../../Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.h:66 #5 0xb563a634 in CoreIPC::Arguments1<WebCore::Cursor const&>::encode ( this=0xbfd4bf9c, encoder=0xacc28758) at ../../../Source/WebKit2/Platform/CoreIPC/Arguments.h:72 #6 0xb563a3b5 in CoreIPC::ArgumentCoder<Messages::WebPageProxy::SetCursor>::encode (encoder=0xacc28758, t=...) at ../../../Source/WebKit2/Platform/CoreIPC/ArgumentCoder.h:39 #7 0xb5639ed6 in CoreIPC::ArgumentEncoder::encode<Messages::WebPageProxy::SetCursor> (this=0xacc28758, t=...) at ../../../Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.h:66 #8 0xb5638fe8 in CoreIPC::MessageSender<WebKit::WebPage>::send<Messages::WebPageProxy::SetCursor> (this=0xb0c00b10, message=..., destinationID=1) ---Type <return> to continue, or q <return> to quit--- at ../../../Source/WebKit2/Platform/CoreIPC/MessageSender.h:44 #9 0xb56378f7 in CoreIPC::MessageSender<WebKit::WebPage>::send<Messages::WebPageProxy::SetCursor> (this=0xb0c00b10, message=...) at ../../../Source/WebKit2/Platform/CoreIPC/MessageSender.h:38 #10 0xb56352d3 in WebKit::WebChromeClient::setCursor (this=0xb0c00488, cursor=...) at ../../../Source/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.cpp:648 #11 0xb5b0f9b7 in WebCore::Chrome::setCursor (this=0xb0c00fb8, cursor=...) at ../../../Source/WebCore/page/Chrome.cpp:487 #12 0xb5dd9d99 in QXmlStreamAttribute::namespaceUri (this=0xbfd4c0a0) at /usr/include/qt4/QtCore/qxmlstream.h:148 #13 0xb5b3862f in WebCore::EventHandler::handleMouseReleaseEvent ( this=0x9668f44, mouseEvent=...) at ../../../Source/WebCore/page/EventHandler.cpp:1718 #14 0xb5b37e87 in WebCore::EventHandler::handleMouseMoveEvent (this=0x9668f44, mouseEvent=..., hoveredNode=0xbfd4c178) at ../../../Source/WebCore/page/EventHandler.cpp:1636 #15 0xb5578f14 in WebKit::handleMouseEvent (mouseEvent=..., page=0xb0c00f00) at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1053 #16 0xb5579034 in WebKit::WebPage::mouseEvent (this=0xb0c00b10, mouseEvent=...) at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1079 #17 0xb559f779 in CoreIPC::callMemberFunction<WebKit::WebPage, void (WebKit::Web---Type <return> to continue, or q <return> to quit--- Page::*)(WebKit::WebMouseEvent const&), WebKit::WebMouseEvent> (args=..., object=0xb0c00b10, function= (void (WebKit::WebPage::*)(WebKit::WebPage *, const WebKit::WebMouseEvent &)) 0xb5578f60 <WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&)>) at ../../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:19 #18 0xb559d553 in CoreIPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)> ( argumentDecoder=0x9a18628, object=0xb0c00b10, function= (void (WebKit::WebPage::*)(WebKit::WebPage *, const WebKit::WebMouseEvent &)) 0xb5578f60 <WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&)>) at ../../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:277 #19 0xb559be44 in WebKit::WebPage::didReceiveWebPageMessage (this=0xb0c00b10, messageID=..., arguments=0x9a18628) at generated/WebPageMessageReceiver.cpp:104 #20 0xb557d00f in WebKit::WebPage::didReceiveMessage (this=0xb0c00b10, connection=0x963a528, messageID=..., arguments=0x9a18628) at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:2086 #21 0xb558950b in WebKit::WebProcess::didReceiveMessage (this=0x963a190, connection=0x963a528, messageID=..., arguments=0x9a18628) at ../../../Source/WebKit2/WebProcess/WebProcess.cpp:641 #22 0xb55b80bc in CoreIPC::Connection::dispatchMessage (this=0x963a528, message=...) at ../../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:677 #23 0xb55b8265 in CoreIPC::Connection::dispatchMessages (this=0x963a528) ---Type <return> to continue, or q <return> to quit--- at ../../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:704 #24 0xb55c0a21 in MemberFunctionWorkItem0<CoreIPC::Connection>::execute ( this=0x99f6c10) at ../../../Source/WebKit2/Platform/WorkItem.h:79 #25 0xb54be18d in RunLoop::performWork (this=0x9638048) at ../../../Source/WebKit2/Platform/RunLoop.cpp:63 #26 0xb54bf164 in RunLoop::TimerObject::performWork (this=0x9525840) at ../../../Source/WebKit2/Platform/qt/RunLoopQt.cpp:49 #27 0xb54bfc16 in RunLoop::TimerObject::qt_metacall (this=0x9525840, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x98f49d8) at ./RunLoopQt.moc:71 #28 0xb2a36e4d in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) () from /usr/lib/libQtCore.so.4 #29 0xb2a41795 in QMetaCallEvent::placeMetaCall(QObject*) () from /usr/lib/libQtCore.so.4 #30 0xb2a48caf in QObject::event(QEvent*) () from /usr/lib/libQtCore.so.4 #31 0xb2e090a4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4 #32 0xb2e0e432 in QApplication::notify(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4 #33 0xb2a30a9e in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/libQtCore.so.4 #34 0xb2a34264 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/libQtCore.so.4 444379 1 102452 romaxa 2011-07-30 22:46:01 -0700 Created attachment 102452 Fix crash on attempt to decode null image 444383 2 102455 romaxa 2011-07-30 23:07:40 -0700 Created attachment 102455 Fix crash on attempt to decode null image v2 another version suggested in https://bugs.webkit.org/show_bug.cgi?id=64321#c6 444384 3 102452 darin 2011-07-30 23:08:42 -0700 Comment on attachment 102452 Fix crash on attempt to decode null image This change is incorrect. While this will not crash, it will create an encoded argument that will not decode properly on the receiving end. The decode function will decode the cursor type, see that it is Custom, then call decodeImage. But decodeImage will read the data of the next thing encoded in the stream, and the decode process will then fail because we’ll be off by at least one byte. The correct way to change this is to make the null image encode in a way that can be decoded on the other end. One way this could be accomplished would be to encode a boolean to indicate whether an image is present before encoding the image and then decode that boolean in the cursor decode function. If the boolean says the image is null the decoder knows not to try to decode the image. If the boolean says the image is non-null then it knows it must decode the image. 444386 4 102455 darin 2011-07-30 23:09:52 -0700 Comment on attachment 102455 Fix crash on attempt to decode null image v2 This is wrong for the same reason the other one is. Encoding no bytes at all does not work on the decoding side. The decodeImage function has no way to know that the image was null, and so will attempt to decode the image, and thus the decoding process will be off. 444491 5 ap 2011-07-31 20:16:39 -0700 Duplicate of bug 65420? 444492 6 ap 2011-07-31 20:16:59 -0700 I mean, duplicate of bug 64802? 444494 7 darin 2011-07-31 20:21:13 -0700 *** This bug has been marked as a duplicate of bug 64802 *** 102452 2011-07-30 22:46:01 -0700 2011-07-30 23:08:42 -0700 Fix crash on attempt to decode null image patch.diff text/plain 1146 romaxa SW5kZXg6IFNvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi S2l0Mi9DaGFuZ2VMb2cJKHJldmlzaW9uIDkyMDY5KQorKysgU291cmNlL1dlYktpdDIvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTEtMDctMzAgIE9sZWcgUm9t YXNoaW4gIDxyb21heGFAZ21haWwuY29tPgorCisgICAgICAgIERvIG5vdCBlbmNvZGUgbnVsbCBp bWFnZSwgcmVsYXRlZCB0byBidWcgNjQzMjEKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTY1NDIwCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChP T1BTISkuCisKKyAgICAgICAgKiBTaGFyZWQvV2ViQ29yZUFyZ3VtZW50Q29kZXJzLmNwcDoKKyAg ICAgICAgKENvcmVJUEM6Ojo6ZW5jb2RlKToKKwogMjAxMS0wNy0zMCAgUGF0cmljayBHYW5zdGVy ZXIgIDxwYXJvZ2FAd2Via2l0Lm9yZz4KIAogICAgICAgICBSZW1vdmUgaW5jbHVzaW9uIG9mIE1h aW5UaHJlYWQuaCBmcm9tIFRocmVhZGluZy5oCkluZGV4OiBTb3VyY2UvV2ViS2l0Mi9TaGFyZWQv V2ViQ29yZUFyZ3VtZW50Q29kZXJzLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViS2l0Mi9T aGFyZWQvV2ViQ29yZUFyZ3VtZW50Q29kZXJzLmNwcAkocmV2aXNpb24gOTIwNjkpCisrKyBTb3Vy Y2UvV2ViS2l0Mi9TaGFyZWQvV2ViQ29yZUFyZ3VtZW50Q29kZXJzLmNwcAkod29ya2luZyBjb3B5 KQpAQCAtMzE4LDcgKzMxOCw3IEBAIHZvaWQgQXJndW1lbnRDb2RlcjxDdXJzb3I+OjplbmNvZGUo QXJndW0KIHsKICAgICBlbmNvZGVyLT5lbmNvZGVFbnVtKGN1cnNvci50eXBlKCkpOwogICAgICAg ICAKLSAgICBpZiAoY3Vyc29yLnR5cGUoKSAhPSBDdXJzb3I6OkN1c3RvbSkKKyAgICBpZiAoY3Vy c29yLnR5cGUoKSAhPSBDdXJzb3I6OkN1c3RvbSB8fCBjdXJzb3IuaW1hZ2UoKS0+aXNOdWxsKCkp CiAgICAgICAgIHJldHVybjsKIAogICAgIGVuY29kZUltYWdlKGVuY29kZXIsIGN1cnNvci5pbWFn ZSgpKTsK 102455 2011-07-30 23:07:40 -0700 2011-07-30 23:09:51 -0700 Fix crash on attempt to decode null image v2 patch2.diff text/plain 1241 romaxa SW5kZXg6IFNvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi S2l0Mi9DaGFuZ2VMb2cJKHJldmlzaW9uIDkyMDY5KQorKysgU291cmNlL1dlYktpdDIvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTEtMDctMzAgIE9sZWcgUm9t YXNoaW4gIDxyb21heGFAZ21haWwuY29tPgorCisgICAgICAgIERvIG5vdCBlbmNvZGUgbnVsbCBp bWFnZSwgcmVsYXRlZCB0byBidWcgNjQzMjEKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTY1NDIwCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChP T1BTISkuCisKKyAgICAgICAgKiBTaGFyZWQvV2ViQ29yZUFyZ3VtZW50Q29kZXJzLmNwcDoKKyAg ICAgICAgKENvcmVJUEM6Ojo6ZW5jb2RlKToKKwogMjAxMS0wNy0zMCAgUGF0cmljayBHYW5zdGVy ZXIgIDxwYXJvZ2FAd2Via2l0Lm9yZz4KIAogICAgICAgICBSZW1vdmUgaW5jbHVzaW9uIG9mIE1h aW5UaHJlYWQuaCBmcm9tIFRocmVhZGluZy5oCkluZGV4OiBTb3VyY2UvV2ViS2l0Mi9TaGFyZWQv V2ViQ29yZUFyZ3VtZW50Q29kZXJzLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViS2l0Mi9T aGFyZWQvV2ViQ29yZUFyZ3VtZW50Q29kZXJzLmNwcAkocmV2aXNpb24gOTIwNjkpCisrKyBTb3Vy Y2UvV2ViS2l0Mi9TaGFyZWQvV2ViQ29yZUFyZ3VtZW50Q29kZXJzLmNwcAkod29ya2luZyBjb3B5 KQpAQCAtMjkwLDYgKzI5MCw5IEBAIGJvb2wgQXJndW1lbnRDb2RlcjxDcmVkZW50aWFsPjo6ZGVj b2RlKEEKIAogc3RhdGljIHZvaWQgZW5jb2RlSW1hZ2UoQXJndW1lbnRFbmNvZGVyKiBlbmNvZGVy LCBJbWFnZSogaW1hZ2UpCiB7CisgICAgaWYgKGltYWdlLT5pc051bGwoKSkKKyAgICAgIHJldHVy bjsKKwogICAgIFJlZlB0cjxTaGFyZWFibGVCaXRtYXA+IGJpdG1hcCA9IFNoYXJlYWJsZUJpdG1h cDo6Y3JlYXRlU2hhcmVhYmxlKGltYWdlLT5zaXplKCksIFNoYXJlYWJsZUJpdG1hcDo6U3VwcG9y dHNBbHBoYSk7CiAgICAgYml0bWFwLT5jcmVhdGVHcmFwaGljc0NvbnRleHQoKS0+ZHJhd0ltYWdl KGltYWdlLCBDb2xvclNwYWNlRGV2aWNlUkdCLCBJbnRQb2ludCgpKTsKIAo=