Bug 196340

Summary: [Cairo] out-of-bounds read in ShareableBitmap::paint if a fractional device scale factor is used
Product: WebKit Reporter: Fujii Hironori <Hironori.Fujii>
Component: PlatformAssignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, don.olmstead, ross.kirsling, webkit-bug-importer
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 201361, 196339    
Attachments:
Description Flags
WIP patch
none
Patch none

Description Fujii Hironori 2019-03-27 22:19:45 PDT 
[Cairo] Segmentation fault in Cairo::drawPatternToCairoContext with 1.5x device scale factor high DPI display

I'm working on WinCairo WK2 High DPI support in Bug 196339.
It's easy to cause segmentation faults in Cairo::drawPatternToCairoContext.
I'm using 1.5x device scale factor high DPI.
It's no problem if I tweaks deviceScaleFactor to 2x.

> cairo.dll!_pixman_implementation_create_sse2()	C
> cairo.dll!_pixman_gradient_walker_pixel()	C
> cairo.dll!pixman_image_composite32()	C
> cairo.dll!_inplace_src_spans(void * abstract_renderer, int y, int h, const _cairo_half_open_span * spans, unsigned int num_spans) Line 2716	C
> cairo.dll!generate_row(_cairo_span_renderer * renderer, const _rectangle * r, int y, int h, unsigned short coverage) Line 626	C
> cairo.dll!_cairo_rectangular_scan_converter_generate(void * converter, _cairo_span_renderer * renderer) Line 673	C
> cairo.dll!composite_boxes(const cairo_spans_compositor * compositor, _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 741	C
> cairo.dll!clip_and_composite_boxes(const cairo_spans_compositor * compositor, _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 888	C
> cairo.dll!_cairo_spans_compositor_mask(const cairo_compositor * _compositor, _cairo_composite_rectangles * extents) Line 1000	C
> cairo.dll!_cairo_compositor_paint(const cairo_compositor * compositor, _cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 67	C
> cairo.dll!_cairo_image_surface_paint(void * abstract_surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 931	C
> cairo.dll!_cairo_surface_paint(_cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 2199	C
> cairo.dll!_cairo_gstate_paint(_cairo_gstate * gstate) Line 1061	C
> cairo.dll!_cairo_default_context_paint_with_alpha(void * abstract_cr, double alpha) Line 971	C
> cairo.dll!cairo_paint_with_alpha(_cairo * cr, double alpha) Line 2248	C
> WebKit2.dll!WebCore::Cairo::drawPatternToCairoContext(_cairo * cr, _cairo_pattern * pattern, const WebCore::FloatRect & destRect, float alpha) Line 156	C++
> WebKit2.dll!WebCore::Cairo::drawSurface(WebCore::PlatformContextCairo & platformContext, _cairo_surface * surface, const WebCore::FloatRect & destRect, const WebCore::FloatRect & originalSrcRect, WebCore::InterpolationQuality imageInterpolationQuality, float globalAlpha, const WebCore::Cairo::ShadowState & shadowState) Line 944	C++
> WebKit2.dll!WebKit::ShareableBitmap::paint(WebCore::GraphicsContext & context, float scaleFactor, const WebCore::IntPoint & dstPoint, const WebCore::IntRect & srcRect) Line 80	C++
> WebKit2.dll!WebKit::BackingStore::incorporateUpdate(WebKit::ShareableBitmap * bitmap, const WebKit::UpdateInfo & updateInfo) Line 93	C++
> WebKit2.dll!WebKit::BackingStore::incorporateUpdate(const WebKit::UpdateInfo & updateInfo) Line 62	C++
> WebKit2.dll!WebKit::DrawingAreaProxyCoordinatedGraphics::incorporateUpdate(const WebKit::UpdateInfo & updateInfo) Line 255	C++
> WebKit2.dll!WebKit::DrawingAreaProxyCoordinatedGraphics::update(unsigned __int64 backingStoreStateID, const WebKit::UpdateInfo & updateInfo) Line 157	C++
> WebKit2.dll!IPC::callMemberFunctionImpl<WebKit::DrawingAreaProxy,void (WebKit::DrawingAreaProxy::*)(unsigned long long, const WebKit::UpdateInfo &),std::tuple<unsigned long long,WebKit::UpdateInfo>,0,1>(WebKit::DrawingAreaProxy * object, void(WebKit::DrawingAreaProxy::*)(unsigned __int64, const WebKit::UpdateInfo &) function, std::tuple<unsigned long long,WebKit::UpdateInfo> && args, std::integer_sequence<unsigned long long,0,1>) Line 42	C++
> WebKit2.dll!IPC::callMemberFunction<WebKit::DrawingAreaProxy,void (WebKit::DrawingAreaProxy::*)(unsigned long long, const WebKit::UpdateInfo &),std::tuple<unsigned long long,WebKit::UpdateInfo>,std::integer_sequence<unsigned long long,0,1> >(std::tuple<unsigned long long,WebKit::UpdateInfo> && args, WebKit::DrawingAreaProxy * object, void(WebKit::DrawingAreaProxy::*)(unsigned __int64, const WebKit::UpdateInfo &) function) Line 47	C++
> WebKit2.dll!IPC::handleMessage<Messages::DrawingAreaProxy::Update,WebKit::DrawingAreaProxy,void (WebKit::DrawingAreaProxy::*)(unsigned long long, const WebKit::UpdateInfo &)>(IPC::Decoder & decoder, WebKit::DrawingAreaProxy * object, void(WebKit::DrawingAreaProxy::*)(unsigned __int64, const WebKit::UpdateInfo &) function) Line 121	C++
> WebKit2.dll!WebKit::DrawingAreaProxy::didReceiveMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 50	C++
> WebKit2.dll!IPC::MessageReceiverMap::dispatchMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 124	C++
> WebKit2.dll!WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 155	C++
> WebKit2.dll!WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 619	C++
> WebKit2.dll!IPC::Connection::dispatchMessage(IPC::Decoder & decoder) Line 984	C++
> WebKit2.dll!IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > message) Line 1012	C++
> WebKit2.dll!IPC::Connection::dispatchIncomingMessages() Line 1116	C++
> WebKit2.dll!IPC::Connection::enqueueIncomingMessage::<unnamed-tag>::operator()() Line 959	C++
> WebKit2.dll!WTF::Function<void ()>::CallableWrapper<`lambda at ..\..\Source\WebKit\Platform\IPC\Connection.cpp:957:30'>::call() Line 102	C++
> WTF.dll!WTF::Function<void ()>::operator()() Line 57	C++
> WTF.dll!WTF::RunLoop::performWork() Line 107	C++
> WTF.dll!WTF::RunLoop::wndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 57	C++
> WTF.dll!WTF::RunLoop::RunLoopWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 39	C++
> [External Code]	
> WebKit.dll!WebKitMessageLoop::run(HACCEL__ * hAccelTable) Line 94	C++
> MiniBrowserLib.dll!wWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 97	C++
> MiniBrowserLib.dll!dllLauncherEntryPoint(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 115	C++
> MiniBrowser.exe!wWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 232	C++
> [External Code]
Comment 1 Fujii Hironori 2019-03-27 23:19:32 PDT 
Created attachment 366154 [details]
WIP patch
Comment 2 Fujii Hironori 2019-09-01 21:23:25 PDT 
Created attachment 377837 [details]
Patch
Comment 3 Brent Fulgham 2019-09-01 22:43:38 PDT 
Comment on attachment 377837 [details]
Patch

This looks correct to me, and seems to satisfy the CI system.
Comment 4 Fujii Hironori 2019-09-01 23:03:37 PDT 
Comment on attachment 377837 [details]
Patch

Clearing flags on attachment: 377837

Committed r249375: <https://trac.webkit.org/changeset/249375>
Comment 5 Fujii Hironori 2019-09-01 23:03:40 PDT 
All reviewed patches have been landed.  Closing bug.