WebKit Bugzilla
RESOLVED FIXED
107467
[Safari] Crash with opacity + drop shadow filter + child element extending beyond filter outsets
https://bugs.webkit.org/show_bug.cgi?id=107467
Max Vujovic
Reported
2013-01-21 11:57:57 PST
Created attachment 183813 [details]
Reproduction

To reproduce the crash, open the attached reproduction in Safari WebKit nightly r140335. The crash does not occur in Chromium.

Here's the crash log:

OS Version: Mac OS X 10.8.1 (12B19)
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Application Specific Information:
Assertion failed: (s->stack->next != NULL), function CGGStackRestore, file Context/CGGStack.c, line 77.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff99742212 __pthread_kill + 10
1 libsystem_c.dylib 0x00007fff99a82b34 pthread_kill + 90
2 libsystem_c.dylib 0x00007fff99ac6dfa abort + 143
3 libsystem_c.dylib 0x00007fff99ac7dd5 __assert_rtn + 146
4 com.apple.CoreGraphics 0x00007fff94ceb6c8 CGGStackRestore + 145
5 com.apple.CoreGraphics 0x00007fff94ceb60e CGContextRestoreGState + 32
6 com.apple.WebCore 0x000000010507d8be WebCore::TileCache::drawLayer(WebTileLayer*, CGContext*) + 174
7 com.apple.WebCore 0x00000001050f19e1 -[WebTileLayer drawInContext:] + 33
8 com.apple.QuartzCore 0x00007fff98d352a2 CABackingStoreUpdate_ + 4104
9 com.apple.QuartzCore 0x00007fff98d33ce2 CA::Layer::display_() + 1188
10 com.apple.QuartzCore 0x00007fff98d33661 CA::Layer::display_if_needed(CA::Transaction*) + 593
11 com.apple.QuartzCore 0x00007fff98d32e7b CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
12 com.apple.QuartzCore 0x00007fff98d28653 CA::Context::commit_transaction(CA::Transaction*) + 261
13 com.apple.QuartzCore 0x00007fff98d28423 CA::Transaction::commit() + 369
14 com.apple.QuartzCore 0x00007fff98d2823f CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 63
15 com.apple.CoreFoundation 0x00007fff96f890c7 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
16 com.apple.CoreFoundation 0x00007fff96f89031 __CFRunLoopDoObservers + 369
17 com.apple.CoreFoundation 0x00007fff96f63df4 CFRunLoopRunSpecific + 324
18 com.apple.HIToolbox 0x00007fff949ab774 RunCurrentEventLoopInMode + 209
19 com.apple.HIToolbox 0x00007fff949ab512 ReceiveNextEventCommon + 356
20 com.apple.HIToolbox 0x00007fff949ab3a3 BlockUntilNextEventMatchingListInMode + 62
21 com.apple.AppKit 0x00007fff90da5fa3 _DPSNextEvent + 685
22 com.apple.AppKit 0x00007fff90da5862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
23 com.apple.AppKit 0x00007fff90d9cc03 -[NSApplication run] + 517
24 com.apple.WebCore 0x0000000104eb28dd WebCore::RunLoop::run() + 77
25 com.apple.WebKit2 0x0000000103c9defb int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMainDelegate>(WebKit::CommandLine const&) + 495
26 com.apple.WebKit2 0x0000000103c40997 WebKitMain + 299
27 com.apple.WebProcess 0x0000000103b43e7b main + 214
28 libdyld.dylib 0x00007fff947f57e1 start + 1

In a debug build, I hit an assertion in GraphicsContext::endTransparencyLayer:

ERROR: ERROR void GraphicsContext::restore() stack is empty
/Users/mvujovic/Documents/www/ChromiumSources/ChromiumWebKit/src/third_party/WebKit/Source/WebCore/platform/graphics/GraphicsContext.cpp(111) : void WebCore::GraphicsContext::restore()
ASSERTION FAILED: m_transparencyCount > 0
/Users/mvujovic/Documents/www/ChromiumSources/ChromiumWebKit/src/third_party/WebKit/Source/WebCore/platform/graphics/GraphicsContext.cpp(356) : void WebCore::GraphicsContext::endTransparencyLayer()
1 0x104a236a1 WebCore::GraphicsContext::endTransparencyLayer()
2 0x105660571 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
3 0x10565ed3b WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
4 0x10565e3d8 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
5 0x105660f29 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul>*, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
6 0x1056600af WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
7 0x10565ed3b WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
8 0x10565e3d8 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
9 0x105660f29 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul>*, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
10 0x1056600af WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
11 0x105685288 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int)
12 0x105685544 WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::IntRect const&)
13 0x104a50fa0 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::IntRect const&)
14 0x104a5e4d0 WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::GraphicsContext&, WebCore::IntRect const&)
15 0x104a5e517 non-virtual thunk to WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::GraphicsContext&, WebCore::IntRect const&)
16 0x105cc0120 drawLayerContents(CGContext*, CALayer*, WebCore::PlatformCALayer*)
17 0x105c0e95b WebCore::TileCache::drawLayer(WebTileLayer*, CGContext*)
18 0x105cdc149 -[WebTileLayer drawInContext:]
19 0x7fff98d352a2 CABackingStoreUpdate_
20 0x7fff98d33ce2 CA::Layer::display_()
21 0x7fff98d33661 CA::Layer::display_if_needed(CA::Transaction*)
22 0x7fff98d32e7b CA::Layer::layout_and_display_if_needed(CA::Transaction*)
23 0x7fff98d28653 CA::Context::commit_transaction(CA::Transaction*)
24 0x7fff98d28423 CA::Transaction::commit()
25 0x7fff98d2823f CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*)
26 0x7fff96f890c7 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__
27 0x7fff96f89031 __CFRunLoopDoObservers
28 0x7fff96f64571 __CFRunLoopRun
29 0x7fff96f63dd2 CFRunLoopRunSpecific
30 0x7fff949ab774 RunCurrentEventLoopInMode
31 0x7fff949ab512 ReceiveNextEventCommon
Attachments
Reproduction (692 bytes, text/html), 2013-01-21 11:57 PST, Max Vujovic, no flags
Patch (4.91 KB, patch), 2013-02-19 22:02 PST, Simon Fraser (smfr), dino: review+, eflews.bot: commit-queue-
Radar WebKit Bug Importer
Comment 1
2013-01-21 12:57:20 PST
<rdar://problem/13054744>
Simon Fraser (smfr)
Comment 2
2013-02-19 20:31:25 PST
Debug hits:

ERROR: ERROR void GraphicsContext::restore() stack is empty
/Volumes/DataSSD/Development/apple/webkit/WebKit.git/Source/WebCore/platform/graphics/GraphicsContext.cpp(111) : void WebCore::GraphicsContext::restore()
ASSERTION FAILED: m_transparencyCount > 0
/Volumes/DataSSD/Development/apple/webkit/WebKit.git/Source/WebCore/platform/graphics/GraphicsContext.cpp(356) : void WebCore::GraphicsContext::endTransparencyLayer()
Simon Fraser (smfr)
Comment 3
2013-02-19 20:54:34 PST
The bounds of the child element don't seem to matter. This happens because we only start the transparency layer lazily, when we know that the child has to be painted. That means that we start it using the wrong context (the filter context), and we have unmatched save/restore.
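The failure mode described in this comment, a transparency layer begun lazily on the filter context and ended on the main context, can be reproduced with a small model. The code below is an added illustration, not WebKit source: `GraphicsContext` is a stand-in with only a save/restore stack and a transparency-layer counter (mirroring the two assertions quoted in the bug), `paintFilteredLayer` is a hypothetical sketch of the painting sequence, and the `lazyStart == false` path is an assumed repair (begin the layer on the context that will end it, before painting is redirected), not the contents of the actual patch.

```cpp
// Added illustration, not WebKit code: a minimal graphics-context model that
// reports unbalanced save/restore and transparency begin/end instead of
// asserting, so the bug's diagnosis can be checked in a plain test.
#include <cstdio>
#include <vector>

struct GraphicsContext {
    std::vector<int> stateStack;   // one entry per outstanding save()
    int transparencyCount = 0;     // outstanding transparency layers

    void save() { stateStack.push_back(0); }

    // Models "restore() stack is empty": report the imbalance as false.
    bool restore() {
        if (stateStack.empty())
            return false;
        stateStack.pop_back();
        return true;
    }

    void beginTransparencyLayer() {
        save();
        ++transparencyCount;
    }

    // Models "ASSERTION FAILED: m_transparencyCount > 0".
    bool endTransparencyLayer() {
        if (transparencyCount <= 0)
            return false;
        --transparencyCount;
        return restore();
    }

    bool balanced() const { return stateStack.empty() && transparencyCount == 0; }
};

// Hypothetical painting sequence for a layer with opacity whose contents go
// through a filter. The filter redirects painting into its own context.
// lazyStart == true models the bug: the transparency layer is begun only once
// a child turns out to need painting, on whichever context is current then.
// Returns true only if every state change was matched on the same context.
bool paintFilteredLayer(bool haveTransparency, bool childNeedsPaint, bool lazyStart) {
    GraphicsContext mainContext;
    GraphicsContext filterContext;
    bool transparencyStarted = false;

    // Assumed repair (not the real patch): begin the layer on the main context
    // before any redirection, so it is ended on the same context.
    if (!lazyStart && haveTransparency) {
        mainContext.beginTransparencyLayer();
        transparencyStarted = true;
    }

    // Filter painter redirects all drawing into the filter context.
    GraphicsContext* current = &filterContext;
    current->save();

    if (childNeedsPaint) {
        // The bug: begun here, on the filter context.
        if (lazyStart && haveTransparency && !transparencyStarted) {
            current->beginTransparencyLayer();
            transparencyStarted = true;
        }
        // child painting would happen here
    }

    // Filter painter finishes; painting returns to the main context.
    bool ok = current->restore();
    current = &mainContext;

    // The layer painter ends the transparency layer on the main context,
    // assuming that is where it was begun.
    if (transparencyStarted)
        ok = current->endTransparencyLayer() && ok;

    return ok && mainContext.balanced() && filterContext.balanced();
}

int main() {
    std::printf("lazy start, opacity, child painted: %s\n",
                paintFilteredLayer(true, true, true) ? "balanced" : "UNBALANCED");
    std::printf("eager start, opacity, child painted: %s\n",
                paintFilteredLayer(true, true, false) ? "balanced" : "UNBALANCED");
    return 0;
}
```

The lazy path fails for the same reason the comment gives: the filter context's counter goes up, the main context's counter is still zero when `endTransparencyLayer` runs on it, and the filter context is left with an unmatched save. Only the combination of opacity plus a painted child triggers it, which matches the bug title's ingredients (opacity, filter, child) and the observation that the child's bounds are irrelevant.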
Simon Fraser (smfr)
Comment 4
2013-02-19 22:02:10 PST
Created attachment 189239 [details]
Patch
EFL EWS Bot
Comment 5
2013-02-19 22:19:56 PST
Comment on attachment 189239 [details] Patch

Attachment 189239 [details] did not pass efl-ews (efl): Output:
http://queues.webkit.org/results/16647076
Dean Jackson
Comment 6
2013-02-21 15:13:35 PST
Comment on attachment 189239 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=189239&action=review

> Source/WebCore/rendering/RenderLayer.cpp:3728
> +    if (filterPainter.hasStartedFilterEffect() && haveTransparency) {
probably need to add #if ENABLED(FILTERS) or whatever it is.
Simon Fraser (smfr)
Comment 7
2013-02-21 15:31:49 PST
https://trac.webkit.org/r143655