Bug 220348

Summary: Nullptr crash in GradientImage::drawPattern
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: Images
Assignee: Rob Buis <rbuis>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, bfulgham, cgarcia, ews-feeder, gpoo, product-security, rbuis, sabouhallawa, simon.fraser, svillar, thorton, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Attachments (description, flags):
  Test              none
  Reduced testcase  none
  Patch             none

Description Ryosuke Niwa 2021-01-05 22:23:16 PST
e.g.

ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00011895889d bp 0x7ffee7433210 sp 0x7ffee7433210 T0)

    #0 0x11895889d in WTF::RetainPtr<CGImage*>::get() const+0x1d (WebCore.framework/Versions/A/WebCore:x86_64+0x1e489d)
    #1 0x11d6d0dc0 in WebCore::createBitmapImageAfterScalingIfNeeded(WTF::RefPtr<WebCore::NativeImage, WTF::RawPtrTraits<WebCore::NativeImage>, WTF::DefaultRefDerefTraits<WebCore::NativeImage> >&&, WebCore::IntSize const&, WebCore::IntSize const&, float, WebCore::PreserveResolution)+0x4a0 (WebCore.framework/Versions/A/WebCore:x86_64+0x4f5cdc0)
    #2 0x11d6d1182 in WebCore::ImageBufferCGBackend::sinkIntoImage(WebCore::PreserveResolution)+0x1c2 (WebCore.framework/Versions/A/WebCore:x86_64+0x4f5d182)
    #3 0x11d5972e0 in WebCore::ConcreteImageBuffer<WebCore::ImageBufferCGBitmapBackend>::sinkIntoImage(WebCore::PreserveResolution)+0xb0 (WebCore.framework/Versions/A/WebCore:x86_64+0x4e232e0)
    #4 0x11d5885c2 in WebCore::ImageBuffer::sinkIntoImage(WTF::RefPtr<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::ImageBuffer> >, WebCore::PreserveResolution)+0x52 (WebCore.framework/Versions/A/WebCore:x86_64+0x4e145c2)
    #5 0x11d54d633 in WebCore::GradientImage::drawPattern(WebCore::GraphicsContext&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::AffineTransform const&, WebCore::FloatPoint const&, WebCore::FloatSize const&, WebCore::ImagePaintingOptions const&)+0x603 (WebCore.framework/Versions/A/WebCore:x86_64+0x4dd9633)
    #6 0x11d584054 in WebCore::Image::drawTiled(WebCore::GraphicsContext&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::FloatSize const&, WebCore::Image::TileRule, WebCore::Image::TileRule, WebCore::ImagePaintingOptions const&)+0x814 (WebCore.framework/Versions/A/WebCore:x86_64+0x4e10054)
    #7 0x11d561307 in WebCore::GraphicsContext::drawTiledImage(WebCore::Image&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::FloatSize const&, WebCore::Image::TileRule, WebCore::Image::TileRule, WebCore::ImagePaintingOptions const&)+0x157 (WebCore.framework/Versions/A/WebCore:x86_64+0x4ded307)
    #8 0x11dfcf704 in WebCore::NinePieceImage::paint(WebCore::GraphicsContext&, WebCore::RenderElement*, WebCore::RenderStyle const&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, float, WebCore::CompositeOperator) const+0x814 (WebCore.framework/Versions/A/WebCore:x86_64+0x585b704)
    #9 0x11dc2770b in WebCore::RenderBoxModelObject::paintNinePieceImage(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::NinePieceImage const&, WebCore::CompositeOperator)+0x3db (WebCore.framework/Versions/A/WebCore:x86_64+0x54b370b)
    #10 0x11dc31def in WebCore::RenderBoxModelObject::paintBorder(WebCore::PaintInfo const&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::BackgroundBleedAvoidance, bool, bool)+0x39f (WebCore.framework/Versions/A/WebCore:x86_64+0x54bddef)
    #11 0x11dbb9b63 in WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&)+0x4f3 (WebCore.framework/Versions/A/WebCore:x86_64+0x5445b63)
    #12 0x11de23053 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)+0x543 (WebCore.framework/Versions/A/WebCore:x86_64+0x56af053)
    #13 0x11dd41a4a in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)+0x49a (WebCore.framework/Versions/A/WebCore:x86_64+0x55cda4a)
    #14 0x11dd3d3f0 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)+0x9f0 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c93f0)
    #15 0x11dd356eb in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0xeab (WebCore.framework/Versions/A/WebCore:x86_64+0x55c16eb)
    #16 0x11dd346fe in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x23e (WebCore.framework/Versions/A/WebCore:x86_64+0x55c06fe)
    #17 0x11dd34360 in WebCore::RenderLayer::paintLayerByApplyingTransform(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::LayoutSize const&)+0x690 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c0360)
    #18 0x11dd32752 in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x782 (WebCore.framework/Versions/A/WebCore:x86_64+0x55be752)
    #19 0x11dd30e9f in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1ff (WebCore.framework/Versions/A/WebCore:x86_64+0x55bce9f)
    #20 0x11dd3c98b in WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x13b (WebCore.framework/Versions/A/WebCore:x86_64+0x55c898b)
    #21 0x11dd357d5 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0xf95 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c17d5)
    #22 0x11dd346fe in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x23e (WebCore.framework/Versions/A/WebCore:x86_64+0x55c06fe)
    #23 0x11dd34360 in WebCore::RenderLayer::paintLayerByApplyingTransform(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::LayoutSize const&)+0x690 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c0360)
    #24 0x11dd32752 in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x782 (WebCore.framework/Versions/A/WebCore:x86_64+0x55be752)
    #25 0x11dd30e9f in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1ff (WebCore.framework/Versions/A/WebCore:x86_64+0x55bce9f)

<rdar://problem/72036950>
Comment 1 Ryosuke Niwa 2021-01-05 22:29:23 PST
Created attachment 417067 [details]
Test
Comment 2 Rob Buis 2021-01-11 06:21:03 PST
Created attachment 417374 [details]
Reduced testcase
Comment 3 Rob Buis 2021-01-12 05:50:42 PST
Created attachment 417450 [details]
Patch
Comment 4 EWS 2021-01-13 10:41:02 PST
Committed r271441: <https://trac.webkit.org/changeset/271441>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 417450 [details].
Comment 5 Ryosuke Niwa 2021-01-13 13:00:12 PST
No security implication here.