Bug 53830

Summary: Crashes in ShadowBlur via WebKit2 FindController
Product: WebKit Reporter: Simon Fraser (smfr) <simon.fraser>
Component: Layout and RenderingAssignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: simon.fraser
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Patch mitz: review+

Simon Fraser (smfr)
Reported 2011-02-04 18:15:28 PST
The FindController code uses a GraphicsContext to draw shadowed boxes, which triggers a re-entrant code path in ShadowBlur.
Attachments
Patch (4.12 KB, patch)
2011-02-04 20:47 PST, Simon Fraser (smfr) 		mitz: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1 2011-02-04 18:25:04 PST
Bad stack is: -> WebCore::ScratchBuffer::getScratchBuffer(WebCore::IntSize const&) -> WebCore::ShadowBlur::drawRectShadowWithTiling(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&, WebCore::IntSize const&) -> WebCore::ShadowBlur::drawRectShadow(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&) -> WebCore::GraphicsContext::fillRect(WebCore::FloatRect const&) -> WebCore::ShadowBlur::drawRectShadowWithTiling(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&, WebCore::IntSize const&) -> WebCore::ShadowBlur::drawRectShadow(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&) -> WebCore::GraphicsContext::fillRect(WebCore::FloatRect const&) -> WebKit::FindController::drawRect(WebKit::PageOverlay*, WebCore::GraphicsContext&, WebCore::IntRect const&) -> WebKit::PageOverlay::drawRect(WebCore::GraphicsContext&, WebCore::IntRect const&) -> WebKit::WebPage::drawRect(WebCore::GraphicsContext&, WebCore::IntRect const&) -> WebKit::DrawingAreaImpl::display(WebKit::UpdateInfo&) -> WebKit::DrawingAreaImpl::display() -> RunLoop::Timer<WebKit::DrawingAreaImpl>::fired() -> RunLoop::TimerBase::timerFired(__CFRunLoopTimer*, void*)
Simon Fraser (smfr)
Comment 2 2011-02-04 20:47:17 PST
Created attachment 81346 [details] Patch
Simon Fraser (smfr)
Comment 3 2011-02-04 20:59:07 PST
http://trac.webkit.org/changeset/77729
Simon Fraser (smfr)
Comment 4 2011-02-04 20:59:40 PST
<rdar://problem/8962505>
Note You need to log in before you can comment on or make changes to this bug.