| Summary: | CRASH in CoreGraphics: ERROR_CGDataProvider_BufferIsNotBigEnough | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Jer Noble <jer.noble> | ||||||||||
| Component: | New Bugs | Assignee: | Jer Noble <jer.noble> | ||||||||||
| Status: | RESOLVED FIXED | ||||||||||||
| Severity: | Normal | CC: | bfulgham, cdumez, commit-queue, ddkilzer, dino, ews-watchlist, graouts, jonlee, kondapallykalyan, sabouhallawa, simon.fraser, webkit-bug-importer | ||||||||||
| Priority: | P2 | Keywords: | InRadar | ||||||||||
| Version: | WebKit Nightly Build | ||||||||||||
| Hardware: | Unspecified | ||||||||||||
| OS: | Unspecified | ||||||||||||
| Attachments: |
|
||||||||||||
|
Description
Jer Noble
2018-10-26 05:18:26 PDT
Created attachment 353182 [details]
Patch
Created attachment 353184 [details]
Patch
Comment on attachment 353184 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=353184&action=review > Source/WebCore/ChangeLog:17 > + (This assumes that the issue is the wrong sized buffer at CGDataProvider creation time, and not > + that the buffer itself is reclaimed between creation time and access.) Isn't this the more likely scenario? (In reply to Simon Fraser (smfr) from comment #4) > Comment on attachment 353184 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=353184&action=review > > > Source/WebCore/ChangeLog:17 > > + (This assumes that the issue is the wrong sized buffer at CGDataProvider creation time, and not > > + that the buffer itself is reclaimed between creation time and access.) > > Isn't this the more likely scenario? We have absolutely no way of knowing. At least with this patch in place, we have narrowed the possibilities. Oh, and to continue the thought, previous crashes in other projects with this same stack trace were due to miscalculations in row size, etc. Not due to premature release. Comment on attachment 353184 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=353184&action=review > Source/WebCore/platform/graphics/cg/ImageUtilitiesCG.h:32 > +inline uint8_t verifyImageBufferIsBigEnough(const void* buffer, size_t bufferSize) This function isn't really specific to image buffers so the filename seems oddly specific, but hopefully it's temporary. > Source/WebCore/platform/graphics/cg/ImageUtilitiesCG.h:40 > + return *(uint8_t*)lastByte; Might the compiler optimize that away since no callers use the return value? (In reply to Simon Fraser (smfr) from comment #7) > Comment on attachment 353184 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=353184&action=review > > > Source/WebCore/platform/graphics/cg/ImageUtilitiesCG.h:32 > > +inline uint8_t verifyImageBufferIsBigEnough(const void* buffer, size_t bufferSize) > > This function isn't really specific to image buffers so the filename seems > oddly specific, but hopefully it's temporary. Indeed. In the meantime, I at least renamed the file "ImageBufferUtilitiesCG.h" > > Source/WebCore/platform/graphics/cg/ImageUtilitiesCG.h:40 > > + return *(uint8_t*)lastByte; > > Might the compiler optimize that away since no callers use the return value? I talked this over with Keith and Alex and the consensus was that it would. Without crazy #pragma magic, the best way to avoid this would be to put it into its own translation unit, so move the implementation into a .cpp file and do /not/ add it to the unified build system. I'll do that before landing. Created attachment 353295 [details]
Patch for landing
Created attachment 353299 [details]
Patch for landing
Comment on attachment 353299 [details] Patch for landing Clearing flags on attachment: 353299 Committed r237559: <https://trac.webkit.org/changeset/237559> All reviewed patches have been landed. Closing bug. |