Bug 132635

Summary:

Using a fill pattern much larger than actual canvas reliably segfaults browser

Product:

WebKit

Reporter:

Stephen Judkins <stephen.judkins>

Component:

Canvas

Assignee:

Dean Jackson <dino>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cabanier, commit-queue, dino, esprehn+autocc, gyuyoung.kim, krit, oliver, simon.fraser, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Stack trace on crashing Safari process, OS X	none
Patch	simon.fraser: review+

Description Stephen Judkins 2014-05-06 17:37:01 PDT

Created attachment 230959 [details]
Stack trace on crashing Safari process, OS X

The following code will reliably crash Safari or a UI WebView on iOS or OS X:

```
var canvas, ctx, pattern, patternCanvas, ratio;

ratio = 50;

canvas = document.createElement("canvas");

size = document.body.getBoundingClientRect()

canvas.width = size.width * devicePixelRatio;

canvas.height = size.height * devicePixelRatio;

patternCanvas = document.createElement('canvas');

patternCanvas.width = Math.floor(canvas.width * ratio);

patternCanvas.height = Math.floor(canvas.height * ratio);

ctx = canvas.getContext("2d");

pattern = ctx.createPattern(patternCanvas, 'repeat');

ctx.rect(0, 0, canvas.width, canvas.height);

ctx.fillStyle = pattern;

ctx.fill();
```

This appears to cause a null pointer deference in `WebCore::Pattern::createPlatformPattern` because `tileImage` is not set. See attached stack trace.

Comment 1 Radar WebKit Bug Importer 2014-05-07 08:27:21 PDT

<rdar://problem/16839291>

Comment 2 Rik Cabanier 2014-05-07 09:47:10 PDT

I can't reproduce this: http://jsfiddle.net/gA5G8/1/
Is there something wrong with my code?

Comment 3 Stephen Judkins 2014-05-07 10:54:40 PDT

That jsfiddle link reliably causes crashes for me, on both Safari Version 7.0.3 (9537.75.14) and Webkit r168407 on OS X 10.9.2. [https://dl.dropboxusercontent.com/spa/4slnjubp16y5phq/q_svco15.png] However, none of my coworkers' machines crash.

However, it reliably crashes everyone who tries it on mobile Safari (or a UIWebView) on iOS. This only occurs on the actual device, NOT the x86 simulator. The stack trace indicates it's a null pointer dereference in the same `WebCore::Pattern::createPlatformPattern` method. So far, this has been 100% reproducible on these devices:

* iPad 4th-generation
* iPhone 4g

Comment 4 Stephen Judkins 2014-05-07 11:04:35 PDT

Also reproduced on:
* iPad (3rd gen)

Comment 5 Simon Fraser (smfr) 2014-05-07 11:13:03 PDT

I can reproduce.

Comment 6 Dean Jackson 2014-05-07 18:22:51 PDT

Created attachment 231034 [details]
Patch

Comment 7 Simon Fraser (smfr) 2014-05-07 18:24:28 PDT

Comment on attachment 231034 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=231034&action=review

> LayoutTests/fast/canvas/pattern-too-large-to-create-expected.html:2
> +<body>
> +PASS: Saw exception.

Weird using a ref test for this. Make it a text test.

Comment 8 Dean Jackson 2014-05-07 18:31:05 PDT

Committed r168457: <http://trac.webkit.org/changeset/168457>