Bug 33844

Summary: [CHROMIUM] Crash on large TransparencyWin allocation
Product: WebKit
Reporter: Stephen White <senorblanco>
Component: Layout and Rendering
Assignee: Stephen White <senorblanco>
Status: RESOLVED FIXED
Severity: Normal
CC: brettw, kuchhal
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows 7
Attachments (Description / Flags):
Fix for TransparencyWin crash / none
Fix for crash v.2 (added bug ID) / none
Fix for crash v.3 (added *correct* bug ID. (I hate Bugzilla.)) / dglazkov: review+

Description Stephen White 2010-01-19 08:10:46 PST
When allocating the buffers in TransparencyWin for an OpaqueCompositeLayer, there are two allocations: one for the ImageBuffer, and one for the SkBitmap OwnedBuffers::m_referenceBitmap. If the allocation is small enough for the first one to pass, but big enough for the second one to fail, Chrome will crash in referenceCanvas.drawBitmap() in TransparencyWin::setupLayerForOpaqueCompositeLayer().

Reproduction URL: http://www.vandaag.be

See http://crbug.com/28851.
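The failure mode in the description, modelled as an added example (this is not code from the WebKit patch): two pixel buffers are allocated for one layer, the first succeeds and the second fails, and the setup reports failure so the caller never draws a bitmap that has no pixels. The byte budget, the BudgetFree/Pixels/OpaqueLayerBuffers types and the function names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <new>

// Simulated allocation budget (constructed for this example): room for one
// 2000x2000 BGRA buffer (16,000,000 bytes) but not for two, reproducing the
// "first passes, second fails" case from the report.
static size_t g_budgetBytes = 20 * 1024 * 1024;

// Deleter that returns the bytes to the budget when a buffer is released.
struct BudgetFree {
    size_t bytes = 0;
    void operator()(uint8_t* p) const { g_budgetBytes += bytes; delete[] p; }
};
using Pixels = std::unique_ptr<uint8_t[], BudgetFree>;

// Allocates width*height*4 bytes; returns null on size overflow or when the
// remaining budget (standing in for real memory) would be exceeded.
static Pixels allocatePixels(size_t width, size_t height) {
    if (width == 0 || height == 0 || width > SIZE_MAX / 4 / height)
        return Pixels();                       // size computation would overflow
    size_t bytes = width * height * 4;
    if (bytes > g_budgetBytes)
        return Pixels();                       // simulated allocation failure
    uint8_t* raw = new (std::nothrow) uint8_t[bytes];
    if (!raw)
        return Pixels();
    g_budgetBytes -= bytes;
    return Pixels(raw, BudgetFree{bytes});
}

// Stand-ins for the two buffers an opaque composite layer needs: the drawing
// buffer and the reference bitmap the result is composited against.
struct OpaqueLayerBuffers {
    Pixels imageBuffer;
    Pixels referenceBitmap;
};

// Returns true only if BOTH buffers exist. On a second-allocation failure the
// first buffer is released too, so the caller sees a clean "layer unavailable"
// result and skips the draw step instead of drawing into an empty bitmap.
static bool setupOpaqueLayer(size_t width, size_t height, OpaqueLayerBuffers& out) {
    out.imageBuffer = allocatePixels(width, height);
    if (!out.imageBuffer)
        return false;
    out.referenceBitmap = allocatePixels(width, height);
    if (!out.referenceBitmap) {
        out.imageBuffer.reset();               // roll back the successful first allocation
        return false;
    }
    return true;
}
```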
Comment 1 Stephen White 2010-01-19 08:21:55 PST
Created attachment 46910 [details]
Fix for TransparencyWin crash
Comment 2 Stephen White 2010-01-19 08:24:20 PST
Created attachment 46911 [details]
Fix for crash v.2 (added bug ID)
Comment 3 Stephen White 2010-01-19 08:27:33 PST
Created attachment 46912 [details]
Fix for crash v.3 (added *correct* bug ID.  (I hate Bugzilla.))
Comment 4 Brett Wilson (Google) 2010-01-19 09:33:12 PST
This looks good to me (but I'm not a WebKit reviewer).
Comment 5 Dimitri Glazkov (Google) 2010-01-19 09:54:24 PST
Comment on attachment 46912 [details]
Fix for crash v.3 (added *correct* bug ID.  (I hate Bugzilla.))

r=me.
Comment 6 Stephen White 2010-01-19 13:21:31 PST
Landed as r53480, closing bug.