Bug 132337

Summary: REGRESSION (r167879): Heap-use-after-free in WebCore::RenderFlexibleBox
Product: WebKit Reporter: Simon Fraser (smfr) <simon.fraser>
Component: Layout and RenderingAssignee: Manuel Rego Casasnovas <rego>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, darin, esprehn+autocc, glenn, jfernandez, kling, kondapallykalyan, mitz, rego, simon.fraser, svillar, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://www.flickr.com/photos/goopymart/14052958504/
Attachments:
Description Flags
Patch none

Simon Fraser (smfr)
Reported 2014-04-29 08:31:48 PDT
WebContent often crashes at in RenderBlock::paint at <https://www.flickr.com/photos/goopymart/14052958504/>. We think this may have been caused by r167879. Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000100000520 Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010870cd82 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 274 1 com.apple.WebCore 0x0000000107e0d1b8 WebCore::RenderFlexibleBox::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 88 2 com.apple.WebCore 0x0000000107cbce26 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 214 3 com.apple.WebCore 0x0000000107cbc0db WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 459 4 com.apple.WebCore 0x0000000107cbe36b WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 283 5 com.apple.WebCore 0x0000000107cbccc7 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 391 6 com.apple.WebCore 0x0000000107cbc911 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool, bool) + 337 7 com.apple.WebCore 0x0000000107cba9f1 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1953 8 com.apple.WebCore 0x0000000107ce4334 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int) + 404 9 com.apple.WebCore 0x000000010876cbdf WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 687 10 com.apple.WebCore 0x000000010819c9ff WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 143 11 com.apple.WebCore 0x0000000108998b59 WebCore::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow>&) + 361 12 com.apple.WebCore 0x0000000107d0a96d -[WebLayer drawInContext:] + 61
Attachments
Patch (7.55 KB, patch)
2014-04-29 09:38 PDT, Manuel Rego Casasnovas 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1 2014-04-29 08:32:02 PDT
<rdar://problem/16752448>
Simon Fraser (smfr)
Comment 2 2014-04-29 08:32:30 PDT
Manuel, could you take a look?
Manuel Rego Casasnovas
Comment 3 2014-04-29 09:37:46 PDT
(In reply to comment #2) > Manuel, could you take a look? Yes, it seems it was introduced by my changes in OrderIterator. I'm uploading a new patch porting https://codereview.chromium.org/19558006 that seems to be fixing the issue here. It would be great if you could very it.
Manuel Rego Casasnovas
Comment 4 2014-04-29 09:38:55 PDT
Created attachment 230382 [details] Patch
Simon Fraser (smfr)
Comment 5 2014-04-29 09:56:14 PDT
Comment on attachment 230382 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=230382&action=review > Source/WebCore/ChangeLog:15 > + The solution is simple: just clear the memory when we remove a child. "clear the memory" doesn't really match removing all items from the m_children vector.
WebKit Commit Bot
Comment 6 2014-04-29 10:35:03 PDT
Comment on attachment 230382 [details] Patch Clearing flags on attachment: 230382 Committed r167942: <http://trac.webkit.org/changeset/167942>
WebKit Commit Bot
Comment 7 2014-04-29 10:35:08 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.