Bug 132635

Summary: Using a fill pattern much larger than actual canvas reliably segfaults browser
Product: WebKit Reporter: Stephen Judkins <stephen.judkins>
Component: CanvasAssignee: Dean Jackson <dino>
Status: RESOLVED FIXED    
Severity: Normal CC: cabanier, commit-queue, dino, esprehn+autocc, gyuyoung.kim, krit, oliver, simon.fraser, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Stack trace on crashing Safari process, OS X
none
Patch simon.fraser: review+

Stephen Judkins
Reported 2014-05-06 17:37:01 PDT
Created attachment 230959 [details] Stack trace on crashing Safari process, OS X The following code will reliably crash Safari or a UI WebView on iOS or OS X: ``` var canvas, ctx, pattern, patternCanvas, ratio; ratio = 50; canvas = document.createElement("canvas"); size = document.body.getBoundingClientRect() canvas.width = size.width * devicePixelRatio; canvas.height = size.height * devicePixelRatio; patternCanvas = document.createElement('canvas'); patternCanvas.width = Math.floor(canvas.width * ratio); patternCanvas.height = Math.floor(canvas.height * ratio); ctx = canvas.getContext("2d"); pattern = ctx.createPattern(patternCanvas, 'repeat'); ctx.rect(0, 0, canvas.width, canvas.height); ctx.fillStyle = pattern; ctx.fill(); ``` This appears to cause a null pointer deference in `WebCore::Pattern::createPlatformPattern` because `tileImage` is not set. See attached stack trace.
Attachments
Stack trace on crashing Safari process, OS X (59.63 KB, text/plain)
2014-05-06 17:37 PDT, Stephen Judkins 		no flags
Details
Patch (3.82 KB, patch)
2014-05-07 18:22 PDT, Dean Jackson 		simon.fraser: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2014-05-07 08:27:21 PDT
<rdar://problem/16839291>
Rik Cabanier
Comment 2 2014-05-07 09:47:10 PDT
I can't reproduce this: http://jsfiddle.net/gA5G8/1/ Is there something wrong with my code?
Stephen Judkins
Comment 3 2014-05-07 10:54:40 PDT
That jsfiddle link reliably causes crashes for me, on both Safari Version 7.0.3 (9537.75.14) and Webkit r168407 on OS X 10.9.2. [https://dl.dropboxusercontent.com/spa/4slnjubp16y5phq/q_svco15.png] However, none of my coworkers' machines crash. However, it reliably crashes everyone who tries it on mobile Safari (or a UIWebView) on iOS. This only occurs on the actual device, NOT the x86 simulator. The stack trace indicates it's a null pointer dereference in the same `WebCore::Pattern::createPlatformPattern` method. So far, this has been 100% reproducible on these devices: * iPad 4th-generation * iPhone 4g
Stephen Judkins
Comment 4 2014-05-07 11:04:35 PDT
Also reproduced on: * iPad (3rd gen)
Simon Fraser (smfr)
Comment 5 2014-05-07 11:13:03 PDT
I can reproduce.
Dean Jackson
Comment 6 2014-05-07 18:22:51 PDT
Created attachment 231034 [details] Patch
Simon Fraser (smfr)
Comment 7 2014-05-07 18:24:28 PDT
Comment on attachment 231034 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=231034&action=review > LayoutTests/fast/canvas/pattern-too-large-to-create-expected.html:2 > +<body> > +PASS: Saw exception. Weird using a ref test for this. Make it a text test.
Dean Jackson
Comment 8 2014-05-07 18:31:05 PDT
Committed r168457: <http://trac.webkit.org/changeset/168457>
Note You need to log in before you can comment on or make changes to this bug.