Bug 164702

Summary: WebContent crash due to checked unsigned overflow in WebCore: WebCore::RenderLayerCompositor::requiresCompositingLayer const + 1104
Product: WebKit
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: Layout and Rendering
Assignee: David Kilzer (:ddkilzer) <ddkilzer>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, commit-queue, esprehn+autocc, glenn, kondapallykalyan, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: Safari 10
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch v1 (flags: none)
Patch v2 (flags: none)

David Kilzer (:ddkilzer)
Reported 2016-11-13 10:35:30 PST
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x0000000188bb4798
Termination Signal: Trace/BPT trap: 5
Termination Reason: Namespace SIGNAL, Code 0x5
Terminating Process: exc handler [0]
Triggered by Thread: 0

Filtered syslog: None found

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 WebCore 0x0000000188bb4798 WTF::CrashOnOverflow::crash() + 0 (CheckedArithmetic.h:85)
1 WebCore 0x0000000188bb4798 WTF::CrashOnOverflow::overflowed() + 12 (CheckedArithmetic.h:78)
2 WebCore 0x0000000188c531f4 WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked(WTF::ResultOverflowedTag) + 16 (CheckedArithmetic.h:462)
3 WebCore 0x0000000188c531e4 WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked(WTF::ResultOverflowedTag) + 12 (CheckedArithmetic.h:461)
4 WebCore 0x00000001896143a4 WebCore::RenderLayerCompositor::requiresCompositingLayer(WebCore::RenderLayer const&, WebCore::RenderLayer::ViewportConstrainedNotCompositedReason*) const + 1104 (CheckedArithmetic.h:745)
5 WebCore 0x0000000189612d3c WebCore::RenderLayerCompositor::updateBacking(WebCore::RenderLayer&, WebCore::RenderLayerCompositor::CompositingChangeRepaint, WebCore::RenderLayerCompositor::BackingRequired) + 188 (RenderLayerCompositor.cpp:2161)
6 WebCore 0x0000000189612c04 WebCore::RenderLayerCompositor::updateLayerCompositingState(WebCore::RenderLayer&, WebCore::RenderLayerCompositor::CompositingChangeRepaint) + 24 (RenderLayerCompositor.cpp:1100)
7 WebCore 0x0000000188b71d70 WebCore::RenderLayer::contentChanged(WebCore::ContentChangeType) + 84 (RenderLayer.cpp:424)
8 WebCore 0x0000000188b95968 WebCore::HTMLCanvasElement::reset() + 904 (HTMLCanvasElement.cpp:368)
9 WebCore 0x0000000188b955c4 WebCore::HTMLCanvasElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) + 76 (HTMLCanvasElement.cpp:130)
10 WebCore 0x0000000188e6d7a8 WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) + 888 (Element.cpp:1276)
11 WebCore 0x0000000188a163f4 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 820 (Element.cpp:3229)
12 WebCore 0x0000000188f88afc WebCore::HTMLCanvasElement::setHeight(unsigned int) + 60 (HTMLCanvasElement.cpp:164)
13 WebCore 0x00000001892387f4 WebCore::setJSHTMLCanvasElementHeight(JSC::ExecState*, long long, long long) + 340 (JSHTMLCanvasElement.cpp:206)
14 ??? 0x00000001088ec0e4 0 + 4438540516
15 ??? 0x0000000108967ff4 0 + 4439048180
16 JavaScriptCore 0x00000001885af3b8 vmEntryToJavaScript + 264
17 JavaScriptCore 0x0000000188481b04 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 168 (JITCode.cpp:80)
18 JavaScriptCore 0x0000000187ed2984 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 352 (Interpreter.cpp:1018)
19 JavaScriptCore 0x0000000188145b9c JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 164 (CallData.cpp:40)
20 WebCore 0x0000000188b51350 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 992 (JSMainThreadExecState.h:75)
21 WebCore 0x0000000188e8629c WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) + 620 (EventTarget.cpp:291)
22 WebCore 0x0000000188e85f4c WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 328 (EventTarget.cpp:235)
23 WebCore 0x0000000188e3c930 WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) + 280 (DOMWindow.cpp:1920)
24 WebCore 0x0000000188b28e5c WebCore::DocumentEventQueue::pendingEventTimerFired() + 216 (DocumentEventQueue.cpp:150)
25 WebCore 0x0000000188a14d2c WebCore::ThreadTimers::sharedTimerFiredInternal() + 148 (ThreadTimers.cpp:121)
26 WebCore 0x0000000188a14c84 WebCore::timerFired(__CFRunLoopTimer*, void*) + 28 (MainThreadSharedTimerCF.cpp:74)
27 CoreFoundation 0x0000000183e911d8 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 28 (CFRunLoop.c:1810)
28 CoreFoundation 0x0000000183e90eec __CFRunLoopDoTimer + 872 (CFRunLoop.c:2349)
29 CoreFoundation 0x0000000183e907a8 __CFRunLoopDoTimers + 244 (CFRunLoop.c:2488)
30 CoreFoundation 0x0000000183e8e3a4 __CFRunLoopRun + 1572 (CFRunLoop.c:2973)
31 CoreFoundation 0x0000000183dbc2b8 CFRunLoopRunSpecific + 444 (CFRunLoop.c:3113)
32 Foundation 0x00000001848f926c -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 304 (NSRunLoop.m:367)
33 Foundation 0x000000018494daa0 -[NSRunLoop(NSRunLoop) run] + 88 (NSRunLoop.m:389)
34 libxpc.dylib 0x0000000182fbfc4c _xpc_objc_main + 660 (main.m:186)
35 libxpc.dylib 0x0000000182fc1944 xpc_main + 200 (init.c:1447)
36 com.apple.WebKit.WebContent 0x00000001000d35bc main + 376 (XPCServiceMain.mm:130)
37 libdyld.dylib 0x0000000182d9d5b8 start + 4
Attachments
Patch v1 (6.75 KB, patch)
2016-11-13 10:49 PST, David Kilzer (:ddkilzer)
no flags
Patch v2 (5.17 KB, patch)
2016-11-14 09:53 PST, David Kilzer (:ddkilzer)
no flags
David Kilzer (:ddkilzer)
Comment 1 2016-11-13 10:36:03 PST
David Kilzer (:ddkilzer)
Comment 2 2016-11-13 10:49:24 PST
Created attachment 294668 [details] Patch v1
David Kilzer (:ddkilzer)
Comment 3 2016-11-13 10:51:39 PST
Comment on attachment 294668 [details] Patch v1
View in context: https://bugs.webkit.org/attachment.cgi?id=294668&action=review

> LayoutTests/fast/canvas/large-composited-canvas-area.html:24
> +setTimeout(function() {
> + document.getElementById("canvas").width = "65537";
> + document.getElementById("canvas").height = "65537";
> + testPassed("No crash");
> + finishJSTest();
> +}, 0);

This test doesn't reproduce the crash. I can't figure out how to reproduce the crashing stack in a layout test. Simon or Zalan: Can you help me figure out what I'm not doing to reproduce the crashing stack?

However, LayoutTests/inspector/layers/layers-compositing-reasons.html does reproduce the crash through different means.
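Review bot: the quoted test only exercises one point on the overflowing side of the boundary: 65537 × 65537 = 4295098369, which exceeds the 32-bit unsigned maximum 4294967295 by 131073. A regression test for the Checked<unsigned> area computation should also pin the largest product that does not overflow, for example width 65535 and height 65537 (exactly 4294967295), so that a later change cannot reintroduce an off-by-one at the boundary while this test still passes.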
zalan
Comment 4 2016-11-13 14:07:36 PST
Can't we just clamp the canvas size?
Simon Fraser (smfr)
Comment 5 2016-11-13 19:03:53 PST
Comment on attachment 294668 [details] Patch v1
View in context: https://bugs.webkit.org/attachment.cgi?id=294668&action=review

> Source/WebCore/rendering/RenderLayerCompositor.cpp:2541
> + bool isCanvasLargeEnoughToForceCompositing = canvasArea.hasOverflowed() || canvasArea.unsafeGet() >= canvasAreaThresholdRequiringCompositing;

I think we should avoid compositing if the area overflowed.
David Kilzer (:ddkilzer)
Comment 6 2016-11-13 20:00:21 PST
(In reply to comment #4)
> Can't we just clamp the canvas size?

What do you propose that we clamp it to without introducing compatibility issues? Note that setWidth() and setHeight() in Source/WebCore/html/HTMLCanvasElement.cpp already call limitToOnlyHTMLNonNegative() in HTMLParserIdioms.h, which is maxHTMLNonNegativeInteger == 2147483647 == (2^31 - 1). Also, we don't know of any other places where large canvas elements cause problems.
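The two decisions discussed in comments 5 and 6, as an added example that is not WebKit's code: a constructed stand-in for WTF::Checked that records overflow instead of crashing, the decision shape quoted from patch v1 (an overflowed area counts as large), the variant comment 5 asks for (an overflowed area never forces compositing), and a check showing why the per-side clamp from comment 6 cannot prevent the overflow on its own. The threshold value 50 * 100 and all function names are assumptions.

```cpp
#include <climits>

// Minimal stand-in for WTF::Checked<unsigned, RecordOverflow> (constructed for
// this example, not WebKit's code): it records overflow instead of crashing,
// unlike the CrashOnOverflow policy seen in the reported stack.
struct CheckedUnsigned {
    unsigned value;
    bool overflowed;
    explicit CheckedUnsigned(unsigned v) : value(v), overflowed(false) {}
    CheckedUnsigned operator*(const CheckedUnsigned& rhs) const {
        CheckedUnsigned r(0);
        // __builtin_mul_overflow returns true when the product does not fit in r.value.
        r.overflowed = overflowed || rhs.overflowed
            || __builtin_mul_overflow(value, rhs.value, &r.value);
        return r;
    }
    bool hasOverflowed() const { return overflowed; }
    unsigned unsafeGet() const { return value; }
};

// Name taken from the line quoted in comment 5; the value 50 * 100 is an assumption.
static const unsigned canvasAreaThresholdRequiringCompositing = 50 * 100;

// Decision as in the quoted patch v1 line: an overflowed area counts as "large enough".
bool forcesCompositingV1(unsigned width, unsigned height) {
    CheckedUnsigned area = CheckedUnsigned(width) * CheckedUnsigned(height);
    return area.hasOverflowed() || area.unsafeGet() >= canvasAreaThresholdRequiringCompositing;
}

// Decision following comment 5: an area that overflows never forces compositing.
bool forcesCompositingV2(unsigned width, unsigned height) {
    CheckedUnsigned area = CheckedUnsigned(width) * CheckedUnsigned(height);
    if (area.hasOverflowed())
        return false;
    return area.unsafeGet() >= canvasAreaThresholdRequiringCompositing;
}

// Comment 6's point: setWidth()/setHeight() already clamp each side to
// maxHTMLNonNegativeInteger (2^31 - 1), but the product of two clamped sides
// still does not fit in 32 bits, so a per-side clamp alone cannot stop the overflow.
static const unsigned maxHTMLNonNegativeInteger = 2147483647u;

bool clampedSidesStillOverflow() {
    CheckedUnsigned area = CheckedUnsigned(maxHTMLNonNegativeInteger)
        * CheckedUnsigned(maxHTMLNonNegativeInteger);
    return area.hasOverflowed();
}
```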
David Kilzer (:ddkilzer)
Comment 7 2016-11-14 09:53:59 PST
Created attachment 294709 [details] Patch v2
WebKit Commit Bot
Comment 8 2016-11-14 10:23:44 PST
Comment on attachment 294709 [details] Patch v2
Clearing flags on attachment: 294709
Committed r208691: <http://trac.webkit.org/changeset/208691>
WebKit Commit Bot
Comment 9 2016-11-14 10:23:48 PST
All reviewed patches have been landed. Closing bug.