Bug 98456

Summary: [chromium] Crash in WebCore::GraphicsLayerChromium::setContentsToImage
Product: WebKit Reporter: Nick Carter <nick>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: hclam, inferno, jamesr, nick, senorblanco, simon.fraser, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: Unspecified   
URL: http://code.google.com/p/chromium/issues/detail?id=138677
Bug Depends on:    
Bug Blocks: 99207    
Attachments:
Description Flags
Patch none

Nick Carter
Reported 2012-10-04 15:17:20 PDT
GraphicsLayerChromium::setContentsToImage does not handle a null return from nativeImageForCurrentFrame(). This can happen if there is an error early in the decoding of an image. I have a layout test that demonstrates the crash, and a proposed fix.
Attachments
Patch (4.78 KB, patch)
2012-10-04 15:30 PDT, Nick Carter 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Nick Carter
Comment 1 2012-10-04 15:30:19 PDT
Created attachment 167188 [details] Patch
James Robinson
Comment 2 2012-10-05 15:14:53 PDT
Comment on attachment 167188 [details] Patch R=me. Thanks for tracking this down!
Abhishek Arya
Comment 3 2012-10-05 15:18:18 PDT
Note that null ptr crashes are not security bugs. Please don't use the security template for such bugs in the future.
Nick Carter
Comment 4 2012-10-05 15:20:53 PDT
@inferno -- that's what I thought, but I figured I'd rather be wrong in this direction than in the other direction.
Abhishek Arya
Comment 5 2012-10-05 15:22:23 PDT
(In reply to comment #4) > @inferno -- that's what I thought, but I figured I'd rather be wrong in this direction than in the other direction. Feel free to poke us anytime on chat :)
WebKit Review Bot
Comment 6 2012-10-05 15:25:48 PDT
Comment on attachment 167188 [details] Patch Rejecting attachment 167188 [details] from commit-queue. nick@chromium.org does not have committer permissions according to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/committers.py. - If you do not have committer rights please read http://webkit.org/coding/contributing.html for instructions on how to use bugzilla flags. - If you have committer rights please correct the error in Tools/Scripts/webkitpy/common/config/committers.py by adding yourself to the file (no review needed). The commit-queue restarts itself every 2 hours. After restart the commit-queue will correctly respect your committer rights.
WebKit Review Bot
Comment 7 2012-10-05 15:57:13 PDT
Comment on attachment 167188 [details] Patch Rejecting attachment 167188 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2 Last 500 characters of output: Auto-merging Source/WebCore/ChangeLog CONFLICT (content): Merge conflict in Source/WebCore/ChangeLog Failed to merge in the changes. Patch failed at 0001 Try to fix the build. When you have resolved this problem run "git rebase --continue". If you would prefer to skip this patch, instead run "git rebase --skip". To restore the original branch and stop rebasing run "git rebase --abort". rebase refs/remotes/origin/master: command returned error: 1 Died at Tools/Scripts/update-webkit line 164. Full output: http://queues.webkit.org/results/14183550
WebKit Review Bot
Comment 8 2012-10-07 15:13:55 PDT
Comment on attachment 167188 [details] Patch Clearing flags on attachment: 167188 Committed r130610: <http://trac.webkit.org/changeset/130610>
WebKit Review Bot
Comment 9 2012-10-07 15:13:58 PDT
All reviewed patches have been landed. Closing bug.
Simon Fraser (smfr)
Comment 10 2012-10-08 11:03:15 PDT
The ref test is failing on Mac.
James Robinson
Comment 11 2012-10-08 12:12:01 PDT
What does the failure look like?
Simon Fraser (smfr)
Comment 12 2012-10-08 12:36:51 PDT
The partial image is black. This is probably an OS-level thing.
Nick Carter
Comment 14 2012-10-09 13:58:55 PDT
The reftest is based on the assumption that a broken image will render the same regardless of whether or not it has an identity transform applied (in this case, a z-transform of zero). If that assumption is invalid for the Mac port, we can change this test so that it's not a reftest -- all I really needed was a "doesn't crash" expectation; making it a reftest was gravy. Please let me know if you'd like me to relax the test in that way.
Simon Fraser (smfr)
Comment 15 2012-10-09 15:16:34 PDT
Yes, you should change the test. A 'do not crash' test should never be a ref test anyway, because those are more expensive to run. The new test can use internals.layerTreeAsText() to verify that the image is going into a compositing layer.
Simon Fraser (smfr)
Comment 16 2012-10-09 15:16:55 PDT
Oh, and we should have a separate bug on the fact that the image is black on Mac.
Simon Fraser (smfr)
Comment 17 2012-10-10 21:23:45 PDT
It's bad to leave the test failing for so long. I'm gonna make it an ImageOnlyFailure in Mac TestExpectations.
Simon Fraser (smfr)
Comment 18 2012-10-10 21:26:05 PDT
http://trac.webkit.org/changeset/131010
Note You need to log in before you can comment on or make changes to this bug.