Bug 193664

Summary: [WinCairo][WebKitTestRunner] Null dereference of GraphicsContext::m_data in GraphicsContext::releaseWindowsContext
Product: WebKit
Reporter: Fujii Hironori <Hironori.Fujii>
Component: Tools / Tests
Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, bfulgham, don.olmstead, lforschler, pvollan, ross.kirsling, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
Patch, none
Patch, none

Description Fujii Hironori 2019-01-22 00:23:15 PST
[WinCairo][WebKitTestRunner] Null dereference of GraphicsContext::m_data in GraphicsContext::releaseWindowsContext

Some test cases are failing.

> python ./Tools/Scripts/run-webkit-tests --debug --no-new-test-results --no-retry-failures --64-bit --no-timeout fast/dom/HTMLMeterElement/meter-element-form.html

m_data of GraphicsContext was null.

> WebKit2.dll!WebCore::GraphicsContextPlatformPrivate::restore() Line 161	C++
> WebKit2.dll!WebCore::GraphicsContext::releaseWindowsContext(HDC__ * hdc, const WebCore::IntRect & dstRect, bool supportAlphaBlend) Line 133	C++
> WebKit2.dll!WebCore::LocalWindowsContext::~LocalWindowsContext() Line 47	C++
> WebKit2.dll!WebCore::drawControl(WebCore::GraphicsContext & context, const WebCore::RenderObject & o, void * theme, const WebCore::ThemeData & themeData, const WebCore::IntRect & r) Line 678	C++
> WebKit2.dll!WebCore::RenderThemeWin::paintMeter(const WebCore::RenderObject & renderObject, const WebCore::PaintInfo & paintInfo, const WebCore::IntRect & rect) Line 1147	C++
> WebKit2.dll!WebCore::RenderTheme::paint(const WebCore::RenderBox & box, WebCore::ControlStates & controlStates, const WebCore::PaintInfo & paintInfo, const WebCore::LayoutRect & rect) Line 356	C++
> WebKit2.dll!WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1333	C++
> WebKit2.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1226	C++
> WebKit2.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1106	C++
> WebKit2.dll!WebCore::paintPhase(WebCore::RenderElement & element, WebCore::PaintPhase phase, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & childPoint) Line 977	C++
> WebKit2.dll!WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & childPoint) Line 989	C++
> WebKit2.dll!WebCore::InlineElementBox::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::LayoutUnit, WebCore::LayoutUnit) Line 82	C++
> WebKit2.dll!WebCore::InlineFlowBox::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::LayoutUnit lineTop, WebCore::LayoutUnit lineBottom) Line 1218	C++
> WebKit2.dll!WebCore::RootInlineBox::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::LayoutUnit lineTop, WebCore::LayoutUnit lineBottom) Line 169	C++
> WebKit2.dll!WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject * renderer, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 262	C++
> WebKit2.dll!WebCore::RenderBlockFlow::paintInlineChildren(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 3485	C++
> WebKit2.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1126	C++
> WebKit2.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1266	C++
> WebKit2.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1106	C++
> WebKit2.dll!WebCore::RenderBlock::paintChild(WebCore::RenderBox & child, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect, WebCore::RenderBlock::PaintBlockType paintType) Line 1183	C++
> WebKit2.dll!WebCore::RenderBlock::paintChildren(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect) Line 1146	C++
> WebKit2.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1141	C++
> WebKit2.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1266	C++
> WebKit2.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1106	C++
> WebKit2.dll!WebCore::RenderBlock::paintChild(WebCore::RenderBox & child, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect, WebCore::RenderBlock::PaintBlockType paintType) Line 1183	C++
> WebKit2.dll!WebCore::RenderBlock::paintChildren(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect) Line 1146	C++
> WebKit2.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1141	C++
> WebKit2.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1266	C++
> WebKit2.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1106	C++
> WebKit2.dll!WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase phase, const WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16> & layerFragments, WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & localPaintingInfo, WTF::OptionSet<WebCore::PaintBehavior> paintBehavior, WebCore::RenderObject * subtreePaintRootForRenderer) Line 4762	C++
> WebKit2.dll!WebCore::RenderLayer::paintForegroundForFragments(const WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16> & layerFragments, WebCore::GraphicsContext & context, WebCore::GraphicsContext & contextForTransparencyLayer, const WebCore::LayoutRect & transparencyPaintDirtyRect, bool haveTransparency, const WebCore::RenderLayer::LayerPaintingInfo & localPaintingInfo, WTF::OptionSet<WebCore::PaintBehavior> paintBehavior, WebCore::RenderObject * subtreePaintRootForRenderer) Line 4738	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4348	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4035	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4018	C++
> WebKit2.dll!WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList layerIterator, WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4461	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4361	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4035	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4018	C++
> WebKit2.dll!WebCore::RenderLayer::paint(WebCore::GraphicsContext & context, const WebCore::LayoutRect & damageRect, const WebCore::LayoutSize & subpixelOffset, WTF::OptionSet<WebCore::PaintBehavior> paintBehavior, WebCore::RenderObject * subtreePaintRoot, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags, WebCore::RenderLayer::SecurityOriginPaintPolicy paintPolicy) Line 3835	C++
> WebKit2.dll!WebCore::FrameView::paintContents(WebCore::GraphicsContext & context, const WebCore::IntRect & dirtyRect, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy) Line 4237	C++
> WebKit2.dll!WebCore::ScrollView::paint(WebCore::GraphicsContext & context, const WebCore::IntRect & rect, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy) Line 1204	C++
> WebKit2.dll!WebKit::WebPage::drawRect(WebCore::GraphicsContext & graphicsContext, const WebCore::IntRect & rect) Line 1642	C++
> WebKit2.dll!WebKit::DrawingAreaImpl::display(WebKit::UpdateInfo & updateInfo) Line 454	C++
> WebKit2.dll!WebKit::DrawingAreaImpl::display() Line 364	C++
> WebKit2.dll!WebKit::DrawingAreaImpl::forceRepaint() Line 169	C++
> WebKit2.dll!WebKit::WebPage::forceRepaintWithoutCallback() Line 3359	C++
> WebKit2.dll!WKBundlePageForceRepaint(const OpaqueWKBundlePage * page) Line 514	C++
> TestRunnerInjectedBundle.dll!WTR::InjectedBundlePage::dump() Line 899	C++
> TestRunnerInjectedBundle.dll!WTR::InjectedBundlePage::frameDidChangeLocation(const OpaqueWKBundleFrame * frame) Line 1980	C++
> TestRunnerInjectedBundle.dll!WTR::InjectedBundlePage::didFinishLoadForFrame(const OpaqueWKBundleFrame * frame) Line 973	C++
> TestRunnerInjectedBundle.dll!WTR::InjectedBundlePage::didFinishLoadForFrame(const OpaqueWKBundlePage * page, const OpaqueWKBundleFrame * frame, const void * *, const void * clientInfo) Line 590	C++
> WebKit2.dll!WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage & page, WebKit::WebFrame & frame, WTF::RefPtr<API::Object,WTF::DumbPtrTraits<API::Object> > & userData) Line 141	C++
> WebKit2.dll!WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() Line 615	C++
> WebKit2.dll!WebCore::FrameLoader::checkLoadCompleteForThisFrame() Line 2540	C++
> WebKit2.dll!WebCore::FrameLoader::checkLoadComplete() Line 2684	C++
> WebKit2.dll!WebCore::DocumentLoader::finishedLoading() Line 455	C++
> WebKit2.dll!WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource & resource) Line 392	C++
> WebKit2.dll!WebCore::CachedResource::checkNotify() Line 357	C++
> WebKit2.dll!WebCore::CachedResource::finishLoading(WebCore::SharedBuffer *) Line 375	C++
> WebKit2.dll!WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer * data) Line 121	C++
> WebKit2.dll!WebCore::SubresourceLoader::didFinishLoading(const WebCore::NetworkLoadMetrics & networkLoadMetrics) Line 656	C++
> WebKit2.dll!WebKit::WebResourceLoader::didFinishResourceLoad(const WebCore::NetworkLoadMetrics & networkLoadMetrics) Line 164	C++
> WebKit2.dll!IPC::callMemberFunctionImpl<WebKit::WebResourceLoader,void (WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &),std::tuple<WebCore::NetworkLoadMetrics>,0>(WebKit::WebResourceLoader * object, void(WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &) function, std::tuple<WebCore::NetworkLoadMetrics> && args, std::integer_sequence<unsigned long long,0>) Line 42	C++
> WebKit2.dll!IPC::callMemberFunction<WebKit::WebResourceLoader,void (WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &),std::tuple<WebCore::NetworkLoadMetrics>,std::integer_sequence<unsigned long long,0> >(std::tuple<WebCore::NetworkLoadMetrics> && args, WebKit::WebResourceLoader * object, void(WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &) function) Line 47	C++
> WebKit2.dll!IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad,WebKit::WebResourceLoader,void (WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &)>(IPC::Decoder & decoder, WebKit::WebResourceLoader * object, void(WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &) function) Line 134	C++
> WebKit2.dll!WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 65	C++
> WebKit2.dll!WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 79	C++
> WebKit2.dll!IPC::Connection::dispatchMessage(IPC::Decoder & decoder) Line 979	C++
> WebKit2.dll!IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > message) Line 1007	C++
> WebKit2.dll!IPC::Connection::dispatchOneIncomingMessage() Line 1075	C++
> WebKit2.dll!IPC::Connection::enqueueIncomingMessage::<unnamed-tag>::operator()() Line 957	C++
> WebKit2.dll!WTF::Function<void ()>::CallableWrapper<`lambda at ..\..\Source\WebKit\Platform\IPC\Connection.cpp:952:30'>::call() Line 101	C++
> WTF.dll!WTF::Function<void ()>::operator()() Line 56	C++
> WTF.dll!WTF::RunLoop::performWork() Line 107	C++
> WTF.dll!WTF::RunLoop::wndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 57	C++
> WTF.dll!WTF::RunLoop::RunLoopWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 39	C++
> [External Code]	
> WTF.dll!WTF::RunLoop::run() Line 69	C++
> WebKit2.dll!WebKit::ChildProcessMain<WebKit::WebProcess,WebKit::WebProcessMain>(int argc, char * * argv) Line 62	C++
> WebKit2.dll!WebKit::WebProcessMainWin(int argc, char * * argv) Line 45	C++
> WebKitWebProcess.exe!main(int argc, char * * argv) Line 33	C++
> [External Code]
Comment 1 Fujii Hironori 2019-01-22 00:25:50 PST
This can happen by opening the test case with MiniBrowser.
Comment 2 Fujii Hironori 2019-01-22 00:30:40 PST
It doesn't happen in Legacy WebView (DumpRenderTree and MiniBrowser.exe --wk1). This happens only with WK2 WebView.
Comment 3 Fujii Hironori 2019-01-22 02:19:37 PST
In RenderThemeWin::paintMeter, completedRect has zero width.

> completedRect	{m_location={m_x=8 m_y=7 } m_size={m_width=0 m_height=16 } }	WebCore::IntRect

Then, GraphicsContext::getWindowsContext returned 0.
https://github.com/WebKit/webkit/blob/5f7dcb377532103d4561192cd2197de0bd78c372/Source/WebCore/platform/graphics/win/GraphicsContextWin.cpp#L110

Then, LocalWindowsContext::~LocalWindowsContext tried to release zero HDC, and crashed.
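A constructed illustration of the failure mode described above, using stand-ins for GraphicsContext, LocalWindowsContext and IntRect (added example; not WebKit's code and not the landed patch): a zero-width rect yields no HDC, so the platform-private state is never set up, and a destructor that releases unconditionally walks into it. The `guarded` flag shows the defensive check an RAII wrapper needs; `badReleases` records the would-be null dereference instead of crashing.

```cpp
#include <cassert>

// Constructed stand-ins for the WebCore types in the trace; not WebKit's code.
struct IntRect {
    int x, y, width, height;
    bool isEmpty() const { return width <= 0 || height <= 0; }
};
using HDC = void*;   // opaque Windows device-context handle

struct ContextStats { int acquired = 0; int released = 0; int badReleases = 0; };

class GraphicsContext {
public:
    ContextStats stats;
    // As in the bug: an empty destination rect yields no HDC, so m_data stays null.
    HDC getWindowsContext(const IntRect& dstRect) {
        if (dstRect.isEmpty())
            return nullptr;
        m_data = &m_storage;
        ++stats.acquired;
        return &m_storage;
    }
    // Release restores through m_data; the real code dereferences it even when null.
    // Here that path is counted as a bad release instead of crashing.
    void releaseWindowsContext(HDC, const IntRect&) {
        ++stats.released;
        if (!m_data) { ++stats.badReleases; return; }
        m_data = nullptr;
    }
private:
    int m_storage = 0;
    int* m_data = nullptr;
};

// RAII guard shaped like LocalWindowsContext. 'guarded' selects whether the
// destructor skips the release when no HDC was ever acquired.
class LocalWindowsContext {
public:
    LocalWindowsContext(GraphicsContext& ctx, const IntRect& rect, bool guarded)
        : m_ctx(ctx), m_rect(rect), m_guarded(guarded), m_hdc(ctx.getWindowsContext(rect)) {}
    ~LocalWindowsContext() {
        if (m_guarded && !m_hdc)
            return;   // nothing acquired, nothing to release
        m_ctx.releaseWindowsContext(m_hdc, m_rect);
    }
    HDC hdc() const { return m_hdc; }
private:
    GraphicsContext& m_ctx;
    IntRect m_rect;
    bool m_guarded;
    HDC m_hdc;
};

// Simulates drawControl for one rect; returns how many releases hit an
// unacquired context (0 means the crash path was never taken).
int paintControl(const IntRect& rect, bool guarded) {
    GraphicsContext ctx;
    {
        LocalWindowsContext local(ctx, rect, guarded);
        (void)local.hdc();   // real drawing would only happen when hdc is non-null
    }
    return ctx.stats.badReleases;
}
```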
Comment 4 Fujii Hironori 2019-01-22 02:37:37 PST
Created attachment 359726 [details]
Patch
Comment 5 Brent Fulgham 2019-01-22 08:37:41 PST
Comment on attachment 359726 [details]
Patch

Seems reasonable. r=me.
Comment 6 Fujii Hironori 2019-01-22 17:33:58 PST
Thank you for r+. Landed. https://trac.webkit.org/changeset/240313/webkit
Comment 7 Radar WebKit Bug Importer 2019-01-22 17:34:30 PST
<rdar://problem/47467053>
Comment 8 Fujii Hironori 2019-01-24 01:03:39 PST
Reopening to attach new patch.
Comment 9 Fujii Hironori 2019-01-24 01:03:57 PST
Created attachment 359997 [details]
Patch
Comment 10 Fujii Hironori 2019-01-24 01:05:53 PST
Comment on attachment 359997 [details]
Patch

Oops, I uploaded the wrong patch.