Bug 33844

Summary: [CHROMIUM] Crash on large TransparencyWin allocation
Product: WebKit
Reporter: Stephen White <senorblanco>
Component: Layout and Rendering
Assignee: Stephen White <senorblanco>
Status: RESOLVED FIXED
Severity: Normal
CC: brettw, kuchhal
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows 7

Stephen White
Reported 2010-01-19 08:10:46 PST
When allocating the buffers in TransparencyWin for an OpaqueCompositeLayer, there are two allocations: one for the ImageBuffer, and one for the SkBitmap OwnedBuffers::m_referenceBitmap. If the allocation is small enough for the first one to pass, but big enough for the second one to fail, Chrome will crash in referenceCanvas.drawBitmap() in TransparencyWin::setupLayerForOpaqueCompositeLayer().
Reproduction URL: http://www.vandaag.be
See http://crbug.com/28851.
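The failure mode in the description, as an added illustration that is not WebKit's TransparencyWin code or the attached patch: a constructed two-stage buffer setup against a hypothetical allocator budget, where the second allocation can fail after the first succeeded. Both results are checked so the setup reports failure instead of reaching drawBitmap with a null bitmap; names, sizes and the allocator are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>

// Hypothetical allocator with a fixed byte budget. It stands in for a heap
// that is nearly exhausted: a request that fits the remaining budget succeeds,
// one that does not returns null (the way a failed bitmap allocation would).
struct FakeAllocator {
    size_t remaining;
    std::unique_ptr<uint8_t[]> alloc(size_t bytes) {
        if (bytes > remaining)
            return nullptr;
        remaining -= bytes;
        return std::make_unique<uint8_t[]>(bytes);
    }
};

// Constructed model of the two buffers the report names: the ImageBuffer and
// the reference SkBitmap used for the opaque composite layer.
struct OpaqueLayer {
    std::unique_ptr<uint8_t[]> imageBuffer;
    std::unique_ptr<uint8_t[]> referenceBitmap;
};

enum class SetupResult { Ok, FirstAllocFailed, SecondAllocFailed };

// Guarded setup: each allocation is checked before anything is drawn. When the
// second one fails, the first buffer is released and the caller is told the
// layer could not be set up, so no drawBitmap call sees a null bitmap.
SetupResult setupLayerForOpaqueCompositeLayer(FakeAllocator& heap, int width, int height,
                                              OpaqueLayer& out) {
    const size_t bytes = static_cast<size_t>(width) * static_cast<size_t>(height) * 4; // 32 bpp
    out.imageBuffer = heap.alloc(bytes);
    if (!out.imageBuffer)
        return SetupResult::FirstAllocFailed;
    out.referenceBitmap = heap.alloc(bytes);
    if (!out.referenceBitmap) {
        out.imageBuffer.reset(); // nothing to composite without the reference bitmap
        return SetupResult::SecondAllocFailed;
    }
    return SetupResult::Ok;
}

// Convenience wrapper: run the setup against a fresh budget and report the outcome.
SetupResult trySetup(size_t budgetBytes, int width, int height) {
    FakeAllocator heap{budgetBytes};
    OpaqueLayer layer;
    return setupLayerForOpaqueCompositeLayer(heap, width, height, layer);
}
```

With a 4 MiB budget, a 100x100 layer needs two 40,000-byte buffers and succeeds; an 800x800 layer needs two 2,560,000-byte buffers, so the first fits and the second does not, which is exactly the window the report describes.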
Attachments:
  Fix for TransparencyWin crash (1.60 KB, patch), 2010-01-19 08:21 PST, Stephen White, no flags
  Fix for crash v.2 (added bug ID) (1.69 KB, patch), 2010-01-19 08:24 PST, Stephen White, no flags
  Fix for crash v.3 (added *correct* bug ID. (I hate Bugzilla.)) (1.69 KB, patch), 2010-01-19 08:27 PST, Stephen White, dglazkov: review+
Stephen White
Comment 1 2010-01-19 08:21:55 PST
Created attachment 46910 [details] Fix for TransparencyWin crash
Stephen White
Comment 2 2010-01-19 08:24:20 PST
Created attachment 46911 [details] Fix for crash v.2 (added bug ID)
Stephen White
Comment 3 2010-01-19 08:27:33 PST
Created attachment 46912 [details] Fix for crash v.3 (added *correct* bug ID. (I hate Bugzilla.))
Brett Wilson (Google)
Comment 4 2010-01-19 09:33:12 PST
This looks good to me (but I'm not a WebKit reviewer).
Dimitri Glazkov (Google)
Comment 5 2010-01-19 09:54:24 PST
Comment on attachment 46912 [details] Fix for crash v.3 (added *correct* bug ID. (I hate Bugzilla.)) r=me.
Stephen White
Comment 6 2010-01-19 13:21:31 PST
Landed as r53480, closing bug.