Bug 179051

Summary: [GTK] imported/w3c/web-platform-tests/2dcontext/imagebitmap/createImageBitmap-invalid-args.html crash in bmalloc::Heap::allocateLarge
Product: WebKit
Reporter: Charlie Turner <cturner>
Component: WebKitGTK
Assignee: Ms2ger (he/him; ⌚ UTC+1/+2) <Ms2ger>
Status: RESOLVED FIXED
Severity: Normal
CC: benjamin, bugs-noreply, buildbot, cdumez, cmarcelo, commit-queue, dbates, Hironori.Fujii, mcatanzaro, Ms2ger
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=178984
Bug Depends on: 179477
Bug Blocks:
Attachments (description: flags):
Crash log: none
Patch: none
Archive of layout-test-results from ews124 for ios-simulator-wk2: none
Patch: none

Description Charlie Turner 2017-10-31 03:43:48 PDT
Created attachment 325430 [details]
Crash log

The following seems to have taken us from always failing to occasionally failing and occasionally crashing.

commit f4fd10564f49868d19feb708112cd373b514fa7d
Author: dino@apple.com <dino@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Oct 29 10:06:35 2017 +0000

    createImageBitmap with HTMLCanvasElement
    https://bugs.webkit.org/show_bug.cgi?id=178984
    <rdar://problem/35238440>

Crash log attached.
Comment 1 Ms2ger (he/him; ⌚ UTC+1/+2) 2017-11-01 04:03:11 PDT
Created attachment 325558 [details]
Patch
Comment 2 Build Bot 2017-11-01 05:24:32 PDT
Comment on attachment 325558 [details]
Patch

Attachment 325558 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/5061481

New failing tests:
imported/w3c/web-platform-tests/service-workers/cache-storage/serviceworker/cache-match.https.html
Comment 3 Build Bot 2017-11-01 05:24:33 PDT
Created attachment 325561 [details]
Archive of layout-test-results from ews124 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews124  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6
Comment 4 Michael Catanzaro 2017-11-02 05:35:18 PDT
Comment on attachment 325558 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=325558&action=review

> Source/WebCore/ChangeLog:3
> +        [GTK] Use fallible allocation in ImageBuffer::ImageBuffer().

Why?

I think Zan or Miguel would be a good reviewer to ask for this.
Comment 5 Ms2ger (he/him; ⌚ UTC+1/+2) 2017-11-03 02:57:05 PDT
(In reply to Michael Catanzaro from comment #4)
> Comment on attachment 325558 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=325558&action=review
> 
> > Source/WebCore/ChangeLog:3
> > +        [GTK] Use fallible allocation in ImageBuffer::ImageBuffer().
> 
> Why?
> 
> I think Zan or Miguel would be a good reviewer to ask for this.

Because of the crash this bug is filed for; web pages can easily control the size of the buffer we try to allocate here. The mac port also uses fallible allocation.
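The pattern comment 5 argues for, as an added example that is not the WebKit patch or any WebKit code: when the buffer size is derived from page-controlled dimensions, compute the byte count with overflow checks, apply a size cap, and allocate fallibly so an oversized request produces a rejected (invalid) buffer instead of an abort inside the allocator. The names PixelBuffer, makePixelBuffer, checkedMul and the maxBytes cap are constructed for this example, and std::calloc stands in for tryFastZeroedMalloc (zero-filled, returns null on failure).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <memory>

// Constructed example type: a zero-filled RGBA pixel buffer whose dimensions
// come from untrusted input. An invalid buffer (data == nullptr) is the
// fallible-allocation outcome; nothing here aborts the process.
struct PixelBuffer {
    size_t width = 0;
    size_t height = 0;
    size_t byteLength = 0;
    std::unique_ptr<uint8_t[], void (*)(void*)> data{nullptr, std::free};
    bool valid() const { return data != nullptr; }
};

// Multiply with overflow detection; returns false if a*b does not fit in size_t.
static bool checkedMul(size_t a, size_t b, size_t& out) {
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    out = a * b;
    return true;
}

// Fallible construction: every failure path (zero dimension, arithmetic
// overflow, policy cap, allocator returning null) yields an invalid buffer.
PixelBuffer makePixelBuffer(size_t width, size_t height, size_t maxBytes) {
    PixelBuffer buf;
    if (width == 0 || height == 0)
        return buf;
    size_t pixels = 0;
    size_t bytes = 0;
    if (!checkedMul(width, height, pixels))
        return buf;
    if (!checkedMul(pixels, 4, bytes)) // 4 bytes per RGBA pixel
        return buf;
    if (bytes > maxBytes) // policy cap, constructed for this example
        return buf;
    // calloc zero-fills and returns nullptr on failure, which is the
    // behaviour the text attributes to the fallible allocator.
    void* p = std::calloc(bytes, 1);
    if (!p)
        return buf;
    buf.data.reset(static_cast<uint8_t*>(p));
    buf.width = width;
    buf.height = height;
    buf.byteLength = bytes;
    return buf;
}
```

Callers then branch on valid() and report an error to the page (for example by rejecting the createImageBitmap promise) rather than dereferencing the result; the infallible variant has no such branch because allocation failure never returns.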
Comment 6 Fujii Hironori 2017-11-09 00:22:59 PST
WinCairo EWS is red. tryFastZeroedMalloc should be marked as WTF_EXPORT_PRIVATE.
Comment 7 Ms2ger (he/him; ⌚ UTC+1/+2) 2017-11-10 01:07:07 PST
Created attachment 326569 [details]
Patch
Comment 8 Michael Catanzaro 2017-11-10 07:23:37 PST
(In reply to Ms2ger from comment #5)
> Because of the crash this bug is filed for; web pages can easily control the
> size of the buffer we try to allocate here. The mac port also uses fallible
> allocation.

OK, makes sense.
Comment 9 WebKit Commit Bot 2017-11-10 07:43:37 PST
Comment on attachment 326569 [details]
Patch

Clearing flags on attachment: 326569

Committed r224681: <https://trac.webkit.org/changeset/224681>
Comment 10 WebKit Commit Bot 2017-11-10 07:43:39 PST
All reviewed patches have been landed.  Closing bug.
Comment 11 Ms2ger (he/him; ⌚ UTC+1/+2) 2017-11-10 08:38:17 PST
*** Bug 179477 has been marked as a duplicate of this bug. ***