Bug 190954

Summary: CRASH in CoreGraphics: ERROR_CGDataProvider_BufferIsNotBigEnough
Product: WebKit Reporter: Jer Noble <jer.noble>
Component: New BugsAssignee: Jer Noble <jer.noble>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, commit-queue, ddkilzer, dino, ews-watchlist, graouts, jonlee, kondapallykalyan, sabouhallawa, simon.fraser, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch for landing
none
Patch for landing none

Jer Noble
Reported 2018-10-26 05:18:26 PDT
CRASH in CoreGraphics: ERROR_CGDataProvider_BufferIsNotBigEnough
Attachments
Patch (13.29 KB, patch)
2018-10-26 07:03 PDT, Jer Noble 		no flags
DetailsFormatted DiffDiff
Patch (15.51 KB, patch)
2018-10-26 07:38 PDT, Jer Noble 		no flags
DetailsFormatted DiffDiff
Patch for landing (20.67 KB, patch)
2018-10-29 10:14 PDT, Jer Noble 		no flags
DetailsFormatted DiffDiff
Patch for landing (22.69 KB, patch)
2018-10-29 10:53 PDT, Jer Noble 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Jer Noble
Comment 1 2018-10-26 07:03:13 PDT
Created attachment 353182 [details] Patch
Jer Noble
Comment 2 2018-10-26 07:38:55 PDT
Created attachment 353184 [details] Patch
Jer Noble
Comment 3 2018-10-26 08:26:45 PDT
<rdar://problem/45492021>
Simon Fraser (smfr)
Comment 4 2018-10-26 22:28:18 PDT
Comment on attachment 353184 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=353184&action=review > Source/WebCore/ChangeLog:17 > + (This assumes that the issue is the wrong sized buffer at CGDataProvider creation time, and not > + that the buffer itself is reclaimed between creation time and access.) Isn't this the more likely scenario?
Jer Noble
Comment 5 2018-10-27 12:46:53 PDT
(In reply to Simon Fraser (smfr) from comment #4) > Comment on attachment 353184 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=353184&action=review > > > Source/WebCore/ChangeLog:17 > > + (This assumes that the issue is the wrong sized buffer at CGDataProvider creation time, and not > > + that the buffer itself is reclaimed between creation time and access.) > > Isn't this the more likely scenario? We have absolutely no way of knowing. At least with this patch in place, we have narrowed the possibilities.
Jer Noble
Comment 6 2018-10-27 12:49:38 PDT
Oh, and to continue the thought, previous crashes in other projects with this same stack trace were due to miscalculations in row size, etc. Not due to premature release.
Simon Fraser (smfr)
Comment 7 2018-10-27 23:40:48 PDT
Comment on attachment 353184 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=353184&action=review > Source/WebCore/platform/graphics/cg/ImageUtilitiesCG.h:32 > +inline uint8_t verifyImageBufferIsBigEnough(const void* buffer, size_t bufferSize) This function isn't really specific to image buffers so the filename seems oddly specific, but hopefully it's temporary. > Source/WebCore/platform/graphics/cg/ImageUtilitiesCG.h:40 > + return *(uint8_t*)lastByte; Might the compiler optimize that away since no callers use the return value?
Jer Noble
Comment 8 2018-10-29 06:24:40 PDT
(In reply to Simon Fraser (smfr) from comment #7) > Comment on attachment 353184 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=353184&action=review > > > Source/WebCore/platform/graphics/cg/ImageUtilitiesCG.h:32 > > +inline uint8_t verifyImageBufferIsBigEnough(const void* buffer, size_t bufferSize) > > This function isn't really specific to image buffers so the filename seems > oddly specific, but hopefully it's temporary. Indeed. In the meantime, I at least renamed the file "ImageBufferUtilitiesCG.h" > > Source/WebCore/platform/graphics/cg/ImageUtilitiesCG.h:40 > > + return *(uint8_t*)lastByte; > > Might the compiler optimize that away since no callers use the return value? I talked this over with Keith and Alex and the consensus was that it would. Without crazy #pragma magic, the best way to avoid this would be to put it into its own translation unit, so move the implementation into a .cpp file and do /not/ add it to the unified build system. I'll do that before landing.
Jer Noble
Comment 9 2018-10-29 10:14:27 PDT
Created attachment 353295 [details] Patch for landing
Jer Noble
Comment 10 2018-10-29 10:53:24 PDT
Created attachment 353299 [details] Patch for landing
WebKit Commit Bot
Comment 11 2018-10-29 12:08:31 PDT
Comment on attachment 353299 [details] Patch for landing Clearing flags on attachment: 353299 Committed r237559: <https://trac.webkit.org/changeset/237559>
WebKit Commit Bot
Comment 12 2018-10-29 12:08:33 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.