Bug 15962

Summary: <canvas> rendering crasher with undefined moveTo and lineWidth != 1
Product: WebKit
Reporter: Andrew Pouliot <andpoul>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Critical
CC: bdakin, mitz, mrowe, oliver
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.4
URL: http://darknoon.com/visuals/canvas_crasher1.html
Attachments: Reduction (flags: none)

Andrew Pouliot
Reported 2007-11-12 16:50:52 PST
Present in Safari 419.3, webkit nightly build, and Safari 3. Tested on Mac ppc and intel.

The code in question is:

a moveTo(undefined, undefined); <- this can result from an unexpected state in a js program
then lineTo some specific points (not sure which ones or why)
then lineWidth = 2; (must be not the default to trigger crash)
then stroke();

The linked page should crash Safari. It is basically a fuzzer that tries to find the points to make it crash. I don't think they need to be outside the bounds of the rendering context, as I've seen the crash without that, but it seems to happen faster if the values are larger. I tried to plug in the values that were displayed onscreen when webkit crashed (see js code), but it did not trigger the crash. It appears that the condition needs to be triggered at least twice to trigger the crash.
Attachments
Reduction (632 bytes, text/html), attached 2007-11-13 18:09 PST by mitz, no flags
Mark Rowe (bdash)
Comment 1 2007-11-13 16:11:32 PST
mitz
Comment 2 2007-11-13 18:09:46 PST
Created attachment 17252: Reduction

This usually crashes the second or third time I reload it. It looks like a bad crash in CG code, but I wonder what moveTo(undefined, undefined) should do in the first place.
Beth Dakin
Comment 3 2008-02-21 15:37:13 PST
This no longer crashes for me on TOT. In fact, the test does not appear to "run." I am not sure if we are correctly preventing it from running or if the fact that it is not running is a separate bug. Anyone have any info?
Matt Lilek
Comment 4 2008-02-21 15:58:46 PST
(In reply to comment #3)
> This no longer crashes for me on TOT. In fact, the test does not appear to
> "run." I am not sure if we are correctly preventing it from running or if the
> fact that it is not running is a separate bug. Anyone have any info?
>

The test at the URL doesn't run in Firefox 2 or 3 and Opera 9.5 so I'm inclined to think that we're good by not running.

Mitz's reduction does crash in TOT though (2nd reload for me), but it's below WebKit:

Thread 0 Crashed:
0 com.apple.CoreGraphics 0x926268e2 aa_render + 1810
1 libRIP.A.dylib 0x9542fe04 ripr_Coverage + 2053
2 libRIP.A.dylib 0x9541d8a6 ripc_Render + 481
3 libRIP.A.dylib 0x954267f8 ripc_DrawPath + 632
4 com.apple.CoreGraphics 0x926104f7 CGContextDrawPath + 176
5 com.apple.CoreGraphics 0x9265e1b6 CGContextStrokePath + 25
6 com.apple.WebCore 0x01bc2f14 WebCore::CanvasRenderingContext2D::stroke() + 474 (CanvasRenderingContext2D.cpp:577)
7 com.apple.WebCore 0x01db9082 WebCore::jsCanvasRenderingContext2DPrototypeFunctionStroke(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 96 (JSCanvasRenderingContext2D.cpp:687)
8 com.apple.JavaScriptCore 0x0041fe54 KJS::PrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 34 (function.cpp:883)
9 com.apple.JavaScriptCore 0x0043cae8 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:96)
10 com.apple.JavaScriptCore 0x004978b0 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 776 (nodes.cpp:1225)
11 com.apple.JavaScriptCore 0x0045872c KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1231)
12 com.apple.JavaScriptCore 0x0044ab63 KJS::ExprStatementNode::execute(KJS::ExecState*) + 43 (nodes.cpp:3731)
13 com.apple.JavaScriptCore 0x0042b9b3 KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 85 (nodes.cpp:3684)
14 com.apple.JavaScriptCore 0x0042ba40 KJS::BlockNode::execute(KJS::ExecState*) + 26 (nodes.cpp:3710)
15 com.apple.JavaScriptCore 0x00448360 KJS::ProgramNode::execute(KJS::ExecState*) + 34 (nodes.cpp:4617)
16 com.apple.JavaScriptCore 0x00465a28 KJS::Interpreter::evaluate(KJS::ExecState*, KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 846 (interpreter.cpp:125)
17 com.apple.WebCore 0x0211c8c5 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&) + 223 (kjs_proxy.cpp:87)
18 com.apple.WebCore 0x01ce12ba WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 110 (FrameLoader.cpp:759)
19 com.apple.WebCore 0x01d6268e WebCore::HTMLTokenizer::scriptExecution(WebCore::String const&, WebCore::HTMLTokenizer::State, WebCore::String const&, int) + 276 (HTMLTokenizer.cpp:527)
20 com.apple.WebCore 0x01d63d16 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1456 (HTMLTokenizer.cpp:476)
21 com.apple.WebCore 0x01d64263 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 991 (HTMLTokenizer.cpp:326)
22 com.apple.WebCore 0x01d662a7 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6779 (HTMLTokenizer.cpp:1472)
23 com.apple.WebCore 0x01d66b71 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1295 (HTMLTokenizer.cpp:1697)
24 com.apple.WebCore 0x01cda862 WebCore::FrameLoader::write(char const*, int, bool) + 956 (FrameLoader.cpp:1000)
25 com.apple.WebCore 0x01cda996 WebCore::FrameLoader::addData(char const*, int) + 278 (FrameLoader.cpp:1747)
26 com.apple.WebCore 0x020cae40 -[WebCoreFrameBridge addData:] + 148 (WebCoreFrameBridge.mm:297)
27 com.apple.WebCore 0x020cfce8 -[WebCoreFrameBridge receivedData:textEncodingName:] + 252 (WebCoreFrameBridge.mm:1233)
28 com.apple.WebKit 0x001bf746 -[WebHTMLRepresentation receivedData:withDataSource:] + 200 (WebHTMLRepresentation.mm:175)
29 com.apple.WebKit 0x0019c758 -[WebDataSource(WebInternal) _receivedData:] + 90 (WebDataSource.mm:198)
30 com.apple.WebKit 0x001b2c66 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 128 (WebFrameLoaderClient.mm:703)
31 com.apple.WebCore 0x01cd5ca5 WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader*, char const*, int) + 53 (FrameLoader.cpp:3228)
32 com.apple.WebCore 0x01c7a0bd WebCore::DocumentLoader::commitLoad(char const*, int) + 87 (DocumentLoader.cpp:354)
33 com.apple.WebCore 0x01c7a2dc WebCore::DocumentLoader::receivedData(char const*, int) + 76 (DocumentLoader.cpp:367)
34 com.apple.WebCore 0x01cd54b1 WebCore::FrameLoader::receivedData(char const*, int) + 41 (FrameLoader.cpp:2194)
35 com.apple.WebCore 0x01ead1a8 WebCore::MainResourceLoader::addData(char const*, int, bool) + 80 (MainResourceLoader.cpp:139)
36 com.apple.WebCore 0x01fa2acd WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 83 (ResourceLoader.cpp:240)
37 com.apple.WebCore 0x01ead4b6 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 282 (MainResourceLoader.cpp:299)
38 com.apple.WebCore 0x01fa26a4 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 62 (ResourceLoader.cpp:368)
39 com.apple.WebCore 0x01f9ff61 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 201 (ResourceHandleMac.mm:450)
40 com.apple.Foundation 0x90dea3b7 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidReceiveData:originalLength:] + 119
41 com.apple.Foundation 0x90dea31e _NSURLConnectionDidReceiveData + 94
42 com.apple.CFNetwork 0x92c500af sendDidReceiveDataCallback + 518
43 com.apple.CFNetwork 0x92c4d76d _CFURLConnectionSendCallbacks + 1559
44 com.apple.CFNetwork 0x92c4d0d9 muxerSourcePerform + 283
45 com.apple.CoreFoundation 0x943af62e CFRunLoopRunSpecific + 3166
46 com.apple.CoreFoundation 0x943afd18 CFRunLoopRunInMode + 88
47 com.apple.HIToolbox 0x910986a0 RunCurrentEventLoopInMode + 283
48 com.apple.HIToolbox 0x910984b9 ReceiveNextEventCommon + 374
49 com.apple.HIToolbox 0x9109832d BlockUntilNextEventMatchingListInMode + 106
50 com.apple.AppKit 0x917047d9 _DPSNextEvent + 657
51 com.apple.AppKit 0x9170408e -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
52 com.apple.Safari 0x0000965e 0x1000 + 34398
53 com.apple.AppKit 0x916fd0c5 -[NSApplication run] + 795
54 com.apple.AppKit 0x916ca30a NSApplicationMain + 574
55 com.apple.Safari 0x00002a76 0x1000 + 6774
mitz
Comment 5 2008-02-21 17:19:48 PST
(In reply to comment #4)
> (In reply to comment #3)
> > This no longer crashes for me on TOT. In fact, the test does not appear to
> > "run." I am not sure if we are correctly preventing it from running or if the
> > fact that it is not running is a separate bug. Anyone have any info?
> >
>
> The test at the URL doesn't run in Firefox 2 or 3 and Opera 9.5 so I'm inclined
> to think that we're good by not running.
>
> Mitz's reduction does crash in TOT though (2nd reload for me), but it's below
> WebKit:

As I said in comment #2, "It looks like a bad crash in CG code".
Matt Lilek
Comment 6 2008-02-21 17:22:26 PST
(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #3)
> > > This no longer crashes for me on TOT. In fact, the test does not appear to
> > > "run." I am not sure if we are correctly preventing it from running or if the
> > > fact that it is not running is a separate bug. Anyone have any info?
> > >
> >
> > The test at the URL doesn't run in Firefox 2 or 3 and Opera 9.5 so I'm inclined
> > to think that we're good by not running.
> >
> > Mitz's reduction does crash in TOT though (2nd reload for me), but it's below
> > WebKit:
>
> As I said in comment #2, "It looks like a bad crash in CG code".
>

That's what happens when I only read the bug email and not the bug >.<
Oliver Hunt
Comment 7 2008-06-05 22:04:40 PDT
I fixed this a while ago (the issue was NaN and infinite arguments causing CG to go off the deep end). The test case triggered as it was using undefined as an argument to a couple of canvas APIs, which then converted to NaN.
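The mechanism Oliver describes (undefined coerced to NaN by the JS binding, then handed unchecked to the native renderer) and the shape of the fix (reject non-finite arguments before they reach the backend) can be shown without a real canvas. The following is an added illustration, not code from this bug or from WebKit; `toDouble`, `allFinite`, `GuardedContext` and `demo` are hypothetical names, and the "backend" is just an array that records what would have been forwarded.

```javascript
// Added example (not WebKit code): how canvas 2D double arguments are
// coerced, and a guard that drops non-finite values before the backend.

// WebIDL "double" conversion is JavaScript ToNumber, i.e. Number(x):
// undefined -> NaN, null -> 0, "" -> 0, "12px" -> NaN, 1e400 -> Infinity.
function toDouble(value) {
  return Number(value);
}

// True only when every argument is a finite number (no NaN, no +/-Infinity).
function allFinite(...values) {
  return values.every((v) => Number.isFinite(v));
}

// Hypothetical stand-in for CanvasRenderingContext2D. Instead of calling a
// native renderer it records the path commands that would be forwarded, and
// separately records the calls it refused because an argument was not finite.
class GuardedContext {
  constructor() {
    this.commands = []; // commands that reached the "backend"
    this.dropped = [];  // calls ignored because of NaN / Infinity arguments
    this.lineWidth = 1;
  }

  moveTo(x, y) {
    this._path("moveTo", toDouble(x), toDouble(y));
  }

  lineTo(x, y) {
    this._path("lineTo", toDouble(x), toDouble(y));
  }

  // Central guard: the unguarded version of this method would push the
  // command regardless of its values, which is the pattern behind the crash
  // described above. Here a non-finite coordinate makes the call a no-op.
  _path(op, x, y) {
    if (!allFinite(x, y)) {
      this.dropped.push({ op, x, y });
      return;
    }
    this.commands.push({ op, x, y });
  }
}

// Constructed scenario mirroring the report: moveTo with undefined args,
// a normal lineTo, an out-of-range literal, and string/null coercions.
function demo() {
  const ctx = new GuardedContext();
  ctx.lineWidth = 2;
  ctx.moveTo(undefined, undefined); // NaN, NaN -> dropped
  ctx.lineTo(10, 20);               // kept
  ctx.lineTo(1e400, 5);             // 1e400 is Infinity -> dropped
  ctx.lineTo("30", null);           // "30" -> 30, null -> 0 -> kept
  return ctx;
}
```

Running `demo()` leaves two commands in `commands` and two entries in `dropped`; the dropped entries carry the coerced values (NaN and Infinity) so a debug build can log exactly which script call produced them. Ignoring path calls with non-finite arguments is also what the HTML specification now requires of canvas path methods, so the guard does not change behaviour for well-formed scripts.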