Bug 156804

Summary: Potential overflow in RenderLayer::hitTestList()
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: Layout and Rendering
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, darin, esprehn+autocc, glenn, kondapallykalyan, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=156796
Attachments:
Patch (Flags: none)

Description Chris Dumez 2016-04-20 12:02:35 PDT
Potential overflow in RenderLayer::hitTestList():
   1 com.apple.JavaScriptCore       0x7fff8d8dd7ce WTFCrash + 0x3e
   2 com.apple.WebCore              0x7fff9772ccc9 WTF::CrashOnOverflow::crash() + 0x9
   3 com.apple.WebCore              0x7fff9772ccb9 WTF::CrashOnOverflow::overflowed() + 0x9
>  4 com.apple.WebCore              0x7fff9804d8ee WebCore::RenderLayer::hitTestList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, WebCore::HitTestingTransformState const*, double*, double*, WebCore::HitTestingTransformState const*, bool) + 0x1ae
   5 com.apple.WebCore              0x7fff9758ae95 WebCore::RenderLayer::hitTestLayer(WebCore::RenderLayer*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, bool, WebCore::HitTestingTransformState const*, double*) + 0x565
   6 com.apple.WebCore              0x7fff9804d85f WebCore::RenderLayer::hitTestList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, WebCore::HitTestingTransformState const*, double*, double*, WebCore::HitTestingTransformState const*, bool) + 0x11f
   7 com.apple.WebCore              0x7fff9758ae04 WebCore::RenderLayer::hitTestLayer(WebCore::RenderLayer*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, bool, WebCore::HitTestingTransformState const*, double*) + 0x4d4
   8 com.apple.WebCore              0x7fff9758a8a0 WebCore::RenderLayer::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) + 0x250
   9 com.apple.WebCore              0x7fff97634a8e WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) + 0x6e
  10 com.apple.WebCore              0x7fff9758a45f WebCore::EventHandler::hitTestResultAtPoint(WebCore::LayoutPoint const&, unsigned int, WebCore::LayoutSize const&) + 0xcf
  11 com.apple.WebKit               0x7fff8f250c34 WebKit::WebFrame::hitTest(WebCore::IntPoint) const + 0xc2
  12 com.apple.WebKit               0x7fff8f250b3d WKBundleFrameCreateHitTestResult + 0x35
  13 com.apple.Safari.framework     0x7fff966d3bc5 Safari::WK::BundleFrame::hitTest(CGPoint) const + 0x1f
  14 com.apple.Safari.framework     0x7fff965b2e09 Safari::ArticleFinderJSController::nodeAtPoint(double, double) const + 0x23
  15 com.apple.JavaScriptCore       0x7fff8dbda39b long long JSC::APICallbackFunction::call<JSC::JSCallbackFunction>(JSC::ExecState*) + 0x23b
  16 com.apple.JavaScriptCore       0x7fff8d77fda0 JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 0x210
Comment 1 Chris Dumez 2016-04-20 12:02:54 PDT
rdar://problem/23249479
Comment 2 Chris Dumez 2016-04-20 12:05:17 PDT
Created attachment 276841 [details]
Patch
Comment 3 Simon Fraser (smfr) 2016-04-20 12:07:51 PDT
Comment on attachment 276841 [details]
Patch

This is a good change but I don't think it fixes the underlying cause of the bug.
Comment 4 Chris Dumez 2016-04-20 12:12:11 PDT
(In reply to comment #3)
> Comment on attachment 276841 [details]
> Patch
> 
> This is a good change but I don't think it fixes the underlying cause of the
> bug.

Similar fix at https://bugs.webkit.org/show_bug.cgi?id=156796 where there were also overflow crashes.
Comment 5 WebKit Commit Bot 2016-04-20 12:56:52 PDT
Comment on attachment 276841 [details]
Patch

Clearing flags on attachment: 276841

Committed r199781: <http://trac.webkit.org/changeset/199781>
Comment 6 WebKit Commit Bot 2016-04-20 12:56:57 PDT
All reviewed patches have been landed.  Closing bug.