Bug 156804

Summary: Potential overflow in RenderLayer::hitTestList()
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: Layout and Rendering
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, darin, esprehn+autocc, glenn, kondapallykalyan, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=156796
Attachments:
Patch (flags: none)

Chris Dumez
Reported 2016-04-20 12:02:35 PDT
Potential overflow in RenderLayer::hitTestList():

1 com.apple.JavaScriptCore 0x7fff8d8dd7ce WTFCrash + 0x3e
2 com.apple.WebCore 0x7fff9772ccc9 WTF::CrashOnOverflow::crash() + 0x9
3 com.apple.WebCore 0x7fff9772ccb9 WTF::CrashOnOverflow::overflowed() + 0x9
> 4 com.apple.WebCore 0x7fff9804d8ee WebCore::RenderLayer::hitTestList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, WebCore::HitTestingTransformState const*, double*, double*, WebCore::HitTestingTransformState const*, bool) + 0x1ae
5 com.apple.WebCore 0x7fff9758ae95 WebCore::RenderLayer::hitTestLayer(WebCore::RenderLayer*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, bool, WebCore::HitTestingTransformState const*, double*) + 0x565
6 com.apple.WebCore 0x7fff9804d85f WebCore::RenderLayer::hitTestList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, WebCore::HitTestingTransformState const*, double*, double*, WebCore::HitTestingTransformState const*, bool) + 0x11f
7 com.apple.WebCore 0x7fff9758ae04 WebCore::RenderLayer::hitTestLayer(WebCore::RenderLayer*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, bool, WebCore::HitTestingTransformState const*, double*) + 0x4d4
8 com.apple.WebCore 0x7fff9758a8a0 WebCore::RenderLayer::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) + 0x250
9 com.apple.WebCore 0x7fff97634a8e WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) + 0x6e
10 com.apple.WebCore 0x7fff9758a45f WebCore::EventHandler::hitTestResultAtPoint(WebCore::LayoutPoint const&, unsigned int, WebCore::LayoutSize const&) + 0xcf
11 com.apple.WebKit 0x7fff8f250c34 WebKit::WebFrame::hitTest(WebCore::IntPoint) const + 0xc2
12 com.apple.WebKit 0x7fff8f250b3d WKBundleFrameCreateHitTestResult + 0x35
13 com.apple.Safari.framework 0x7fff966d3bc5 Safari::WK::BundleFrame::hitTest(CGPoint) const + 0x1f
14 com.apple.Safari.framework 0x7fff965b2e09 Safari::ArticleFinderJSController::nodeAtPoint(double, double) const + 0x23
15 com.apple.JavaScriptCore 0x7fff8dbda39b long long JSC::APICallbackFunction::call<JSC::JSCallbackFunction>(JSC::ExecState*) + 0x23b
16 com.apple.JavaScriptCore 0x7fff8d77fda0 JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 0x210
Attachments:
Patch (1.60 KB, patch), 2016-04-20 12:05 PDT, Chris Dumez, no flags
Chris Dumez
Comment 1 2016-04-20 12:02:54 PDT
Chris Dumez
Comment 2 2016-04-20 12:05:17 PDT
Simon Fraser (smfr)
Comment 3 2016-04-20 12:07:51 PDT
Comment on attachment 276841 [details]
Patch

This is a good change but I don't think it fixes the underlying cause of the bug.
Chris Dumez
Comment 4 2016-04-20 12:12:11 PDT
(In reply to comment #3)
> Comment on attachment 276841 [details]
> Patch
>
> This is a good change but I don't think it fixes the underlying cause of the
> bug.

Similar fix at https://bugs.webkit.org/show_bug.cgi?id=156796 where there were also overflow crashes.
WebKit Commit Bot
Comment 5 2016-04-20 12:56:52 PDT
Comment on attachment 276841 [details]
Patch

Clearing flags on attachment: 276841

Committed r199781: <http://trac.webkit.org/changeset/199781>
WebKit Commit Bot
Comment 6 2016-04-20 12:56:57 PDT
All reviewed patches have been landed. Closing bug.