Bug 193664

Summary: [WinCairo][WebKitTestRunner] Null dereference of GraphicsContext::m_data in GraphicsContext::releaseWindowsContext
Product: WebKit    Reporter: Fujii Hironori <Hironori.Fujii>
Component: Tools / Tests    Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED
Severity: Normal    CC: achristensen, bfulgham, don.olmstead, lforschler, pvollan, ross.kirsling, webkit-bug-importer
Priority: P2    Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none); Patch (flags: none)

Fujii Hironori
Reported 2019-01-22 00:23:15 PST
[WinCairo][WebKitTestRunner] Null dereference of GraphicsContext::m_data in GraphicsContext::releaseWindowsContext

Some test cases are failing.

> python ./Tools/Scripts/run-webkit-tests --debug --no-new-test-results --no-retry-failures --64-bit --no-timeout fast/dom/HTMLMeterElement/meter-element-form.html

m_data of GraphicsContext was null.

> WebKit2.dll!WebCore::GraphicsContextPlatformPrivate::restore() Line 161 C++
> WebKit2.dll!WebCore::GraphicsContext::releaseWindowsContext(HDC__ * hdc, const WebCore::IntRect & dstRect, bool supportAlphaBlend) Line 133 C++
> WebKit2.dll!WebCore::LocalWindowsContext::~LocalWindowsContext() Line 47 C++
> WebKit2.dll!WebCore::drawControl(WebCore::GraphicsContext & context, const WebCore::RenderObject & o, void * theme, const WebCore::ThemeData & themeData, const WebCore::IntRect & r) Line 678 C++
> WebKit2.dll!WebCore::RenderThemeWin::paintMeter(const WebCore::RenderObject & renderObject, const WebCore::PaintInfo & paintInfo, const WebCore::IntRect & rect) Line 1147 C++
> WebKit2.dll!WebCore::RenderTheme::paint(const WebCore::RenderBox & box, WebCore::ControlStates & controlStates, const WebCore::PaintInfo & paintInfo, const WebCore::LayoutRect & rect) Line 356 C++
> WebKit2.dll!WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1333 C++
> WebKit2.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1226 C++
> WebKit2.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1106 C++
> WebKit2.dll!WebCore::paintPhase(WebCore::RenderElement & element, WebCore::PaintPhase phase, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & childPoint) Line 977 C++
> WebKit2.dll!WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & childPoint) Line 989 C++
> WebKit2.dll!WebCore::InlineElementBox::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::LayoutUnit, WebCore::LayoutUnit) Line 82 C++
> WebKit2.dll!WebCore::InlineFlowBox::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::LayoutUnit lineTop, WebCore::LayoutUnit lineBottom) Line 1218 C++
> WebKit2.dll!WebCore::RootInlineBox::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::LayoutUnit lineTop, WebCore::LayoutUnit lineBottom) Line 169 C++
> WebKit2.dll!WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject * renderer, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 262 C++
> WebKit2.dll!WebCore::RenderBlockFlow::paintInlineChildren(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 3485 C++
> WebKit2.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1126 C++
> WebKit2.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1266 C++
> WebKit2.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1106 C++
> WebKit2.dll!WebCore::RenderBlock::paintChild(WebCore::RenderBox & child, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect, WebCore::RenderBlock::PaintBlockType paintType) Line 1183 C++
> WebKit2.dll!WebCore::RenderBlock::paintChildren(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect) Line 1146 C++
> WebKit2.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1141 C++
> WebKit2.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1266 C++
> WebKit2.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1106 C++
> WebKit2.dll!WebCore::RenderBlock::paintChild(WebCore::RenderBox & child, WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect, WebCore::RenderBlock::PaintBlockType paintType) Line 1183 C++
> WebKit2.dll!WebCore::RenderBlock::paintChildren(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset, WebCore::PaintInfo & paintInfoForChild, bool usePrintRect) Line 1146 C++
> WebKit2.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1141 C++
> WebKit2.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1266 C++
> WebKit2.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1106 C++
> WebKit2.dll!WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase phase, const WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16> & layerFragments, WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & localPaintingInfo, WTF::OptionSet<WebCore::PaintBehavior> paintBehavior, WebCore::RenderObject * subtreePaintRootForRenderer) Line 4762 C++
> WebKit2.dll!WebCore::RenderLayer::paintForegroundForFragments(const WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16> & layerFragments, WebCore::GraphicsContext & context, WebCore::GraphicsContext & contextForTransparencyLayer, const WebCore::LayoutRect & transparencyPaintDirtyRect, bool haveTransparency, const WebCore::RenderLayer::LayerPaintingInfo & localPaintingInfo, WTF::OptionSet<WebCore::PaintBehavior> paintBehavior, WebCore::RenderObject * subtreePaintRootForRenderer) Line 4738 C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4348 C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4035 C++
> WebKit2.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4018 C++
> WebKit2.dll!WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList layerIterator, WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4461 C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4361 C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4035 C++
> WebKit2.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4018 C++
> WebKit2.dll!WebCore::RenderLayer::paint(WebCore::GraphicsContext & context, const WebCore::LayoutRect & damageRect, const WebCore::LayoutSize & subpixelOffset, WTF::OptionSet<WebCore::PaintBehavior> paintBehavior, WebCore::RenderObject * subtreePaintRoot, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags, WebCore::RenderLayer::SecurityOriginPaintPolicy paintPolicy) Line 3835 C++
> WebKit2.dll!WebCore::FrameView::paintContents(WebCore::GraphicsContext & context, const WebCore::IntRect & dirtyRect, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy) Line 4237 C++
> WebKit2.dll!WebCore::ScrollView::paint(WebCore::GraphicsContext & context, const WebCore::IntRect & rect, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy) Line 1204 C++
> WebKit2.dll!WebKit::WebPage::drawRect(WebCore::GraphicsContext & graphicsContext, const WebCore::IntRect & rect) Line 1642 C++
> WebKit2.dll!WebKit::DrawingAreaImpl::display(WebKit::UpdateInfo & updateInfo) Line 454 C++
> WebKit2.dll!WebKit::DrawingAreaImpl::display() Line 364 C++
> WebKit2.dll!WebKit::DrawingAreaImpl::forceRepaint() Line 169 C++
> WebKit2.dll!WebKit::WebPage::forceRepaintWithoutCallback() Line 3359 C++
> WebKit2.dll!WKBundlePageForceRepaint(const OpaqueWKBundlePage * page) Line 514 C++
> TestRunnerInjectedBundle.dll!WTR::InjectedBundlePage::dump() Line 899 C++
> TestRunnerInjectedBundle.dll!WTR::InjectedBundlePage::frameDidChangeLocation(const OpaqueWKBundleFrame * frame) Line 1980 C++
> TestRunnerInjectedBundle.dll!WTR::InjectedBundlePage::didFinishLoadForFrame(const OpaqueWKBundleFrame * frame) Line 973 C++
> TestRunnerInjectedBundle.dll!WTR::InjectedBundlePage::didFinishLoadForFrame(const OpaqueWKBundlePage * page, const OpaqueWKBundleFrame * frame, const void * *, const void * clientInfo) Line 590 C++
> WebKit2.dll!WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage & page, WebKit::WebFrame & frame, WTF::RefPtr<API::Object,WTF::DumbPtrTraits<API::Object> > & userData) Line 141 C++
> WebKit2.dll!WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() Line 615 C++
> WebKit2.dll!WebCore::FrameLoader::checkLoadCompleteForThisFrame() Line 2540 C++
> WebKit2.dll!WebCore::FrameLoader::checkLoadComplete() Line 2684 C++
> WebKit2.dll!WebCore::DocumentLoader::finishedLoading() Line 455 C++
> WebKit2.dll!WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource & resource) Line 392 C++
> WebKit2.dll!WebCore::CachedResource::checkNotify() Line 357 C++
> WebKit2.dll!WebCore::CachedResource::finishLoading(WebCore::SharedBuffer *) Line 375 C++
> WebKit2.dll!WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer * data) Line 121 C++
> WebKit2.dll!WebCore::SubresourceLoader::didFinishLoading(const WebCore::NetworkLoadMetrics & networkLoadMetrics) Line 656 C++
> WebKit2.dll!WebKit::WebResourceLoader::didFinishResourceLoad(const WebCore::NetworkLoadMetrics & networkLoadMetrics) Line 164 C++
> WebKit2.dll!IPC::callMemberFunctionImpl<WebKit::WebResourceLoader,void (WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &),std::tuple<WebCore::NetworkLoadMetrics>,0>(WebKit::WebResourceLoader * object, void(WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &) function, std::tuple<WebCore::NetworkLoadMetrics> && args, std::integer_sequence<unsigned long long,0>) Line 42 C++
> WebKit2.dll!IPC::callMemberFunction<WebKit::WebResourceLoader,void (WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &),std::tuple<WebCore::NetworkLoadMetrics>,std::integer_sequence<unsigned long long,0> >(std::tuple<WebCore::NetworkLoadMetrics> && args, WebKit::WebResourceLoader * object, void(WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &) function) Line 47 C++
> WebKit2.dll!IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad,WebKit::WebResourceLoader,void (WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &)>(IPC::Decoder & decoder, WebKit::WebResourceLoader * object, void(WebKit::WebResourceLoader::*)(const WebCore::NetworkLoadMetrics &) function) Line 134 C++
> WebKit2.dll!WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 65 C++
> WebKit2.dll!WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 79 C++
> WebKit2.dll!IPC::Connection::dispatchMessage(IPC::Decoder & decoder) Line 979 C++
> WebKit2.dll!IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > message) Line 1007 C++
> WebKit2.dll!IPC::Connection::dispatchOneIncomingMessage() Line 1075 C++
> WebKit2.dll!IPC::Connection::enqueueIncomingMessage::<unnamed-tag>::operator()() Line 957 C++
> WebKit2.dll!WTF::Function<void ()>::CallableWrapper<`lambda at ..\..\Source\WebKit\Platform\IPC\Connection.cpp:952:30'>::call() Line 101 C++
> WTF.dll!WTF::Function<void ()>::operator()() Line 56 C++
> WTF.dll!WTF::RunLoop::performWork() Line 107 C++
> WTF.dll!WTF::RunLoop::wndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 57 C++
> WTF.dll!WTF::RunLoop::RunLoopWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 39 C++
> [External Code]
> WTF.dll!WTF::RunLoop::run() Line 69 C++
> WebKit2.dll!WebKit::ChildProcessMain<WebKit::WebProcess,WebKit::WebProcessMain>(int argc, char * * argv) Line 62 C++
> WebKit2.dll!WebKit::WebProcessMainWin(int argc, char * * argv) Line 45 C++
> WebKitWebProcess.exe!main(int argc, char * * argv) Line 33 C++
> [External Code]
Attachments
Patch (1.74 KB, patch)
2019-01-22 02:37 PST, Fujii Hironori
no flags
Patch (8.10 KB, patch)
2019-01-24 01:03 PST, Fujii Hironori
no flags
Fujii Hironori
Comment 1 2019-01-22 00:25:50 PST
This can happen by opening the test case with MiniBrowser.
Fujii Hironori
Comment 2 2019-01-22 00:30:40 PST
It doesn't happen in Legacy WebView (DumpRenderTree and MiniBrowser.exe --wk1). This happens only with WK2 WebView.
Fujii Hironori
Comment 3 2019-01-22 02:19:37 PST
In RenderThemeWin::paintMeter, completedRect has zero width.

> completedRect {m_location={m_x=8 m_y=7 } m_size={m_width=0 m_height=16 } } WebCore::IntRect

Then, GraphicsContext::getWindowsContext returned 0.
https://github.com/WebKit/webkit/blob/5f7dcb377532103d4561192cd2197de0bd78c372/Source/WebCore/platform/graphics/win/GraphicsContextWin.cpp#L110

Then, LocalWindowsContext::~LocalWindowsContext tried to release zero HDC, and crashed.
Fujii Hironori
Comment 4 2019-01-22 02:37:37 PST
Brent Fulgham
Comment 5 2019-01-22 08:37:41 PST
Comment on attachment 359726 [details]
Patch

Seems reasonable. r=me.
Fujii Hironori
Comment 6 2019-01-22 17:33:58 PST
Radar WebKit Bug Importer
Comment 7 2019-01-22 17:34:30 PST
Fujii Hironori
Comment 8 2019-01-24 01:03:39 PST
Reopening to attach new patch.
Fujii Hironori
Comment 9 2019-01-24 01:03:57 PST
Fujii Hironori
Comment 10 2019-01-24 01:05:53 PST
Comment on attachment 359997 [details]
Patch

Oops, I uploaded wrong patch.