Bug 15962

Summary: <canvas> rendering crasher with undefined moveTo and lineWidth != 1
Product: WebKit
Reporter: Andrew Pouliot <andpoul>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Critical
CC: bdakin, mitz, mrowe, oliver
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.4
URL: http://darknoon.com/visuals/canvas_crasher1.html
Attachments: Reduction (flags: none)

Description Andrew Pouliot 2007-11-12 16:50:52 PST
Present in Safari 419.3, WebKit nightly build, and Safari 3. Tested on Mac PPC and Intel.

The code in question is:
a moveTo(undefined, undefined); <- this can result from an unexpected state in a js program
then lineTo some specific points (not sure which ones or why)
then lineWidth = 2; (must be not the default to trigger crash)
then stroke();

The linked page should crash Safari. It is basically a fuzzer that tries to find the points to make it crash. I don't think they need to be outside the bounds of the rendering context, as I've seen the crash without that, but it seems to happen faster if the values are larger.

I tried to plug in the values that were displayed onscreen when WebKit crashed (see JS code), but it did not trigger the crash. It appears that the condition needs to be triggered at least twice to trigger the crash.
Comment 1 Mark Rowe (bdash) 2007-11-13 16:11:32 PST
<rdar://problem/5598549>
Comment 2 mitz 2007-11-13 18:09:46 PST
Created attachment 17252 [details]
Reduction

This usually crashes the second or third time I reload it. It looks like a bad crash in CG code, but I wonder what moveTo(undefined, undefined) should do in the first place.
Comment 3 Beth Dakin 2008-02-21 15:37:13 PST
This no longer crashes for me on TOT. In fact, the test does not appear to "run." I am not sure if we are correctly preventing it from running or if the fact that it is not running is a separate bug. Anyone have any info?
Comment 4 Matt Lilek 2008-02-21 15:58:46 PST
(In reply to comment #3)
> This no longer crashes for me on TOT. in fact, the test does not appear to
> "run." I am not sure if we are correctly preventing it from running or if the
> fact that it is not running is a separate bug. Anyone have any info?
> 

The test at the URL doesn't run in Firefox 2 or 3 and Opera 9.5 so I'm inclined to think that we're good by not running.

Mitz's reduction does crash in TOT though (2nd reload for me), but it's below WebKit:

Thread 0 Crashed:
0   com.apple.CoreGraphics        	0x926268e2 aa_render + 1810
1   libRIP.A.dylib                	0x9542fe04 ripr_Coverage + 2053
2   libRIP.A.dylib                	0x9541d8a6 ripc_Render + 481
3   libRIP.A.dylib                	0x954267f8 ripc_DrawPath + 632
4   com.apple.CoreGraphics        	0x926104f7 CGContextDrawPath + 176
5   com.apple.CoreGraphics        	0x9265e1b6 CGContextStrokePath + 25
6   com.apple.WebCore             	0x01bc2f14 WebCore::CanvasRenderingContext2D::stroke() + 474 (CanvasRenderingContext2D.cpp:577)
7   com.apple.WebCore             	0x01db9082 WebCore::jsCanvasRenderingContext2DPrototypeFunctionStroke(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 96 (JSCanvasRenderingContext2D.cpp:687)
8   com.apple.JavaScriptCore      	0x0041fe54 KJS::PrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 34 (function.cpp:883)
9   com.apple.JavaScriptCore      	0x0043cae8 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
10  com.apple.JavaScriptCore      	0x004978b0 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 776 (nodes.cpp:1225)
11  com.apple.JavaScriptCore      	0x0045872c KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1231)
12  com.apple.JavaScriptCore      	0x0044ab63 KJS::ExprStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:3731)
13  com.apple.JavaScriptCore      	0x0042b9b3 KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3684)
14  com.apple.JavaScriptCore      	0x0042ba40 KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3710)
15  com.apple.JavaScriptCore      	0x00448360 KJS::ProgramNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4617)
16  com.apple.JavaScriptCore      	0x00465a28 KJS::Interpreter::evaluate(KJS::ExecState*, KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 846 (interpreter.cpp:125)
17  com.apple.WebCore             	0x0211c8c5 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&) + 223 (kjs_proxy.cpp:87)
18  com.apple.WebCore             	0x01ce12ba WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 110 (FrameLoader.cpp:759)
19  com.apple.WebCore             	0x01d6268e WebCore::HTMLTokenizer::scriptExecution(WebCore::String const&, WebCore::HTMLTokenizer::State, WebCore::String const&, int) + 276 (HTMLTokenizer.cpp:527)
20  com.apple.WebCore             	0x01d63d16 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1456 (HTMLTokenizer.cpp:476)
21  com.apple.WebCore             	0x01d64263 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 991 (HTMLTokenizer.cpp:326)
22  com.apple.WebCore             	0x01d662a7 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6779 (HTMLTokenizer.cpp:1472)
23  com.apple.WebCore             	0x01d66b71 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1295 (HTMLTokenizer.cpp:1697)
24  com.apple.WebCore             	0x01cda862 WebCore::FrameLoader::write(char const*, int, bool) + 956 (FrameLoader.cpp:1000)
25  com.apple.WebCore             	0x01cda996 WebCore::FrameLoader::addData(char const*, int) + 278 (FrameLoader.cpp:1747)
26  com.apple.WebCore             	0x020cae40 -[WebCoreFrameBridge addData:] + 148 (WebCoreFrameBridge.mm:297)
27  com.apple.WebCore             	0x020cfce8 -[WebCoreFrameBridge receivedData:textEncodingName:] + 252 (WebCoreFrameBridge.mm:1233)
28  com.apple.WebKit              	0x001bf746 -[WebHTMLRepresentation receivedData:withDataSource:] + 200 (WebHTMLRepresentation.mm:175)
29  com.apple.WebKit              	0x0019c758 -[WebDataSource(WebInternal) _receivedData:] + 90 (WebDataSource.mm:198)
30  com.apple.WebKit              	0x001b2c66 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 128 (WebFrameLoaderClient.mm:703)
31  com.apple.WebCore             	0x01cd5ca5 WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader*, char const*, int) + 53 (FrameLoader.cpp:3228)
32  com.apple.WebCore             	0x01c7a0bd WebCore::DocumentLoader::commitLoad(char const*, int) + 87 (DocumentLoader.cpp:354)
33  com.apple.WebCore             	0x01c7a2dc WebCore::DocumentLoader::receivedData(char const*, int) + 76 (DocumentLoader.cpp:367)
34  com.apple.WebCore             	0x01cd54b1 WebCore::FrameLoader::receivedData(char const*, int) + 41 (FrameLoader.cpp:2194)
35  com.apple.WebCore             	0x01ead1a8 WebCore::MainResourceLoader::addData(char const*, int, bool) + 80 (MainResourceLoader.cpp:139)
36  com.apple.WebCore             	0x01fa2acd WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 83 (ResourceLoader.cpp:240)
37  com.apple.WebCore             	0x01ead4b6 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 282 (MainResourceLoader.cpp:299)
38  com.apple.WebCore             	0x01fa26a4 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 62 (ResourceLoader.cpp:368)
39  com.apple.WebCore             	0x01f9ff61 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 201 (ResourceHandleMac.mm:450)
40  com.apple.Foundation          	0x90dea3b7 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveData:originalLength:] + 119
41  com.apple.Foundation          	0x90dea31e _NSURLConnectionDidReceiveData + 94
42  com.apple.CFNetwork           	0x92c500af sendDidReceiveDataCallback + 518
43  com.apple.CFNetwork           	0x92c4d76d _CFURLConnectionSendCallbacks + 1559
44  com.apple.CFNetwork           	0x92c4d0d9 muxerSourcePerform + 283
45  com.apple.CoreFoundation      	0x943af62e CFRunLoopRunSpecific + 3166
46  com.apple.CoreFoundation      	0x943afd18 CFRunLoopRunInMode + 88
47  com.apple.HIToolbox           	0x910986a0 RunCurrentEventLoopInMode + 283
48  com.apple.HIToolbox           	0x910984b9 ReceiveNextEventCommon + 374
49  com.apple.HIToolbox           	0x9109832d BlockUntilNextEventMatchingListInMode + 106
50  com.apple.AppKit              	0x917047d9 _DPSNextEvent + 657
51  com.apple.AppKit              	0x9170408e -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
52  com.apple.Safari              	0x0000965e 0x1000 + 34398
53  com.apple.AppKit              	0x916fd0c5 -[NSApplication run] + 795
54  com.apple.AppKit              	0x916ca30a NSApplicationMain + 574
55  com.apple.Safari              	0x00002a76 0x1000 + 6774
Comment 5 mitz 2008-02-21 17:19:48 PST
(In reply to comment #4)
> (In reply to comment #3)
> > This no longer crashes for me on TOT. in fact, the test does not appear to
> > "run." I am not sure if we are correctly preventing it from running or if the
> > fact that it is not running is a separate bug. Anyone have any info?
> > 
> 
> The test at the URL doesn't run in Firefox 2 or 3 and Opera 9.5 so I'm inclined
> to think that we're good by not running.
> 
> Mitz's reduction does crash in TOT though (2nd reload for me), but it's below
> WebKit:

As I said in comment #2, "It looks like a bad crash in CG code".
Comment 6 Matt Lilek 2008-02-21 17:22:26 PST
(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #3)
> > > This no longer crashes for me on TOT. in fact, the test does not appear to
> > > "run." I am not sure if we are correctly preventing it from running or if the
> > > fact that it is not running is a separate bug. Anyone have any info?
> > > 
> > 
> > The test at the URL doesn't run in Firefox 2 or 3 and Opera 9.5 so I'm inclined
> > to think that we're good by not running.
> > 
> > Mitz's reduction does crash in TOT though (2nd reload for me), but it's below
> > WebKit:
> 
> As I said in comment #2, "It looks like a bad crash in CG code".
> 

That's what happens when I only read the bug email and not the bug >.<
Comment 7 Oliver Hunt 2008-06-05 22:04:40 PDT
I fixed this a while ago (the issue was NaN and infinite arguments causing CG to go off the deep end).

The test case triggered as it was using undefined as an argument to a couple of canvas APIs, which then converted to NaN.
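As an added illustration (not WebKit's code and not the actual patch), the following models the two halves of comment 7: WebIDL double arguments go through ToNumber, so `undefined` becomes NaN, and a finiteness guard at the binding layer keeps NaN/Infinity from ever reaching the native path backend. `toDouble`, `PathBackend`, `GuardedContext2D` and `replayCrasherSequence` are constructed names for this example; the replayed call sequence is the one from the bug description.

```javascript
// Added example (not WebKit code): how canvas bindings coerce JS arguments and
// how a finiteness guard keeps NaN/Infinity out of the native path backend.
// WebIDL "double" arguments go through ECMAScript ToNumber: undefined -> NaN.
function toDouble(v) {
  return Number(v);
}
// Stand-in for the native backend (CoreGraphics in the bug): it records
// exactly the values it would have been handed.
class PathBackend {
  constructor() { this.ops = []; }
  moveTo(x, y) { this.ops.push(["moveTo", x, y]); }
  lineTo(x, y) { this.ops.push(["lineTo", x, y]); }
  stroke(width) { this.ops.push(["stroke", width]); }
}
// Guarded context in the spirit of comment 7: a path call with a non-finite
// coordinate is ignored, and lineWidth keeps its old value when assigned a
// non-finite or non-positive number, so the backend never sees NaN.
class GuardedContext2D {
  constructor(backend) {
    this.backend = backend; this._lineWidth = 1;
    this.rejected = []; // audit trail of dropped calls, handy in tests
  }
  set lineWidth(v) {
    const w = toDouble(v);
    if (!Number.isFinite(w) || w <= 0) { this.rejected.push(["lineWidth", v]); return; }
    this._lineWidth = w;
  }
  get lineWidth() { return this._lineWidth; }
  moveTo(x, y) { this._point("moveTo", x, y); }
  lineTo(x, y) { this._point("lineTo", x, y); }
  _point(op, x, y) {
    const fx = toDouble(x), fy = toDouble(y);
    if (!Number.isFinite(fx) || !Number.isFinite(fy)) { this.rejected.push([op, x, y]); return; }
    this.backend[op](fx, fy);
  }
  stroke() { this.backend.stroke(this._lineWidth); }
}
// Replays the call sequence from the bug description against the guard.
function replayCrasherSequence() {
  const backend = new PathBackend();
  const ctx = new GuardedContext2D(backend);
  ctx.moveTo(undefined, undefined); // ToNumber gives NaN, NaN: dropped
  ctx.lineTo(10, 20);               // finite: reaches the backend
  ctx.lineTo(Infinity, 5);          // constructed extra case: also dropped
  ctx.lineWidth = 2;                // valid, applied
  ctx.lineWidth = undefined;        // NaN: ignored, width stays 2
  ctx.stroke();
  return { ops: backend.ops, rejected: ctx.rejected, lineWidth: ctx.lineWidth };
}
```

The `rejected` list is the defender's view: anything in it is a call that, without the guard, would have handed a NaN or infinite value to the renderer.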