RESOLVED FIXED 117832
[Win] Crash when scrolling page with GIF images. 
https://bugs.webkit.org/show_bug.cgi?id=117832
Summary [Win] Crash when scrolling page with GIF images.
peavo
Reported 2013-06-20 06:26:37 PDT
I sometimes get a crash when scrolling pages with gif images. The crash happens at line 226 in WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp (buffer.setRGBA(currentAddress, ...)), because currentAddress points to an invalid address (close to 0x0). The address is invalid because the m_bytes member of the local variable buffer (type ImageFrame) is NULL, and currentAddress is an offset of the m_bytes value. Here is the stack: > WebKit.dll!WebCore::GIFImageDecoder::haveDecodedRow(unsigned int frameIndex, const WTF::Vector<unsigned char,0,WTF::CrashOnOverflow> & rowBuffer, unsigned int width, unsigned int rowNumber, unsigned int repeatCount, bool writeTransparentPixels) Line 226 + 0x27 bytes C++ WebKit.dll!GIFLZWContext::outputRow() Line 152 + 0x2e bytes C++ WebKit.dll!GIFLZWContext::doLZW(const unsigned char * block, unsigned int bytesInBlock) Line 306 + 0x7 bytes C++ WebKit.dll!GIFFrameContext::decode(const unsigned char * data, unsigned int length, WebCore::GIFImageDecoder * client, bool * frameDecoded) Line 340 + 0x11 bytes C++ WebKit.dll!GIFImageReader::decode(WebCore::GIFImageDecoder::GIFQuery query, unsigned int haltAtFrame) Line 371 + 0x27 bytes C++ WebKit.dll!WebCore::GIFImageDecoder::decode(unsigned int haltAtFrame, WebCore::GIFImageDecoder::GIFQuery query) Line 333 + 0x11 bytes C++ WebKit.dll!WebCore::GIFImageDecoder::frameBufferAtIndex(unsigned int index) Line 125 C++ WebKit.dll!WebCore::ImageSource::createFrameAtIndex(unsigned int index) Line 144 + 0xb bytes C++ WebKit.dll!WebCore::BitmapImage::cacheFrame(unsigned int index) Line 137 + 0x21 bytes C++ WebKit.dll!WebCore::BitmapImage::frameIsCompleteAtIndex(unsigned int index) Line 310 C++ WebKit.dll!WebCore::BitmapImage::startAnimation(bool catchUpIfNecessary) Line 452 + 0x17 bytes C++ WebKit.dll!WebCore::BitmapImage::draw(WebCore::GraphicsContext * context, const WebCore::FloatRect & dst, const WebCore::FloatRect & src, WebCore::ColorSpace styleColorSpace, WebCore::CompositeOperator op, WebCore::BlendMode blendMode, WebCore::RespectImageOrientationEnum shouldRespectImageOrientation) Line 80 C++ WebKit.dll!WebCore::BitmapImage::draw(WebCore::GraphicsContext * context, const WebCore::FloatRect & dst, const WebCore::FloatRect & src, WebCore::ColorSpace styleColorSpace, WebCore::CompositeOperator op, WebCore::BlendMode blendMode) Line 70 C++ WebKit.dll!WebCore::Image::drawTiled(WebCore::GraphicsContext * ctxt, const WebCore::FloatRect & destRect, const WebCore::FloatPoint & srcPoint, const WebCore::FloatSize & scaledTileSize, WebCore::ColorSpace styleColorSpace, WebCore::CompositeOperator op, WebCore::BlendMode blendMode) Line 128 + 0x64 bytes C++ WebKit.dll!WebCore::GraphicsContext::drawTiledImage(WebCore::Image * image, WebCore::ColorSpace styleColorSpace, const WebCore::IntRect & destRect, const WebCore::IntPoint & srcPoint, const WebCore::IntSize & tileSize, WebCore::CompositeOperator op, bool useLowQualityScale, WebCore::BlendMode blendMode) Line 532 + 0x44 bytes C++ WebKit.dll!WebCore::RenderBoxModelObject::paintFillLayerExtended(const WebCore::PaintInfo & paintInfo, const WebCore::Color & color, const WebCore::FillLayer * bgLayer, const WebCore::LayoutRect & rect, WebCore::BackgroundBleedAvoidance bleedAvoidance, WebCore::InlineFlowBox * box, const WebCore::LayoutSize & boxSize, WebCore::CompositeOperator op, WebCore::RenderObject * backgroundObject) Line 988 C++ WebKit.dll!WebCore::RenderBox::paintFillLayers(const WebCore::PaintInfo & paintInfo, const WebCore::Color & c, const WebCore::FillLayer * fillLayer, const WebCore::LayoutRect & rect, WebCore::BackgroundBleedAvoidance bleedAvoidance, WebCore::CompositeOperator op, WebCore::RenderObject * backgroundObject) Line 1390 + 0x32 bytes C++ WebKit.dll!WebCore::RenderBox::paintBackground(const WebCore::PaintInfo & paintInfo, const WebCore::LayoutRect & paintRect, WebCore::BackgroundBleedAvoidance bleedAvoidance) Line 1140 + 0x2d bytes C++ WebKit.dll!WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1117 C++ WebKit.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 3233 C++ WebKit.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 2973 C++ WebKit.dll!WebCore::RenderLayer::paintBackgroundForFragments(const WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow> & layerFragments, WebCore::GraphicsContext * context, WebCore::GraphicsContext * transparencyLayerContext, const WebCore::LayoutRect & transparencyPaintDirtyRect, bool haveTransparency, const WebCore::RenderLayer::LayerPaintingInfo & localPaintingInfo, unsigned int paintBehavior, WebCore::RenderObject * subtreePaintRootForRenderer) Line 4176 C++ WebKit.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 3931 + 0x33 bytes C++ WebKit.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 3701 + 0x13 bytes C++ WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 3684 C++ WebKit.dll!WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0,WTF::CrashOnOverflow> * list, WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 4028 C++ WebKit.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 3955 C++ WebKit.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 3701 + 0x13 bytes C++ WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 3684 C++ WebKit.dll!WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0,WTF::CrashOnOverflow> * list, WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 4028 C++ WebKit.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 3955 C++ WebKit.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 3701 + 0x13 bytes C++ WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext * context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, unsigned int paintFlags) Line 3684 C++ WebKit.dll!WebCore::RenderLayer::paint(WebCore::GraphicsContext * context, const WebCore::LayoutRect & damageRect, unsigned int paintBehavior, WebCore::RenderObject * subtreePaintRoot, WebCore::RenderRegion * region, unsigned int paintFlags) Line 3496 C++ WebKit.dll!WebCore::FrameView::paintContents(WebCore::GraphicsContext * p, const WebCore::IntRect & rect) Line 3552 C++ WebKit.dll!WebCore::ScrollView::paint(WebCore::GraphicsContext * context, const WebCore::IntRect & rect) Line 1095 C++ WebKit.dll!WebView::paintIntoBackingStore(WebCore::FrameView * frameView, HDC__ * bitmapDC, const WebCore::IntRect & dirtyRect, WebView::WindowsToPaint windowsToPaint) Line 1185 C++ WebKit.dll!WebView::updateBackingStore(WebCore::FrameView * frameView, HDC__ * dc, bool backingStoreCompletelyDirty, WebView::WindowsToPaint windowsToPaint) Line 1015 + 0x14 bytes C++ WebKit.dll!WebView::scrollBackingStore(WebCore::FrameView * frameView, int dx, int dy, const WebCore::IntRect & scrollViewRect, const WebCore::IntRect & clipRect) Line 918 C++ WebKit.dll!WebChromeClient::scroll(const WebCore::IntSize & delta, const WebCore::IntRect & scrollViewRect, const WebCore::IntRect & clipRect) Line 485 + 0x35 bytes C++ WebKit.dll!WebCore::Chrome::scroll(const WebCore::IntSize & scrollDelta, const WebCore::IntRect & rectToScroll, const WebCore::IntRect & clipRect) Line 100 C++ WebKit.dll!WebCore::FrameView::scrollContentsFastPath(const WebCore::IntSize & scrollDelta, const WebCore::IntRect & rectToScroll, const WebCore::IntRect & clipRect) Line 1722 C++ WebKit.dll!WebCore::ScrollView::scrollContents(const WebCore::IntSize & scrollDelta) Line 686 + 0x2a bytes C++ WebKit.dll!WebCore::ScrollView::scrollTo(const WebCore::IntSize & newOffset) Line 394 C++ WebKit.dll!WebCore::FrameView::scrollTo(const WebCore::IntSize & newOffset) Line 3021 C++ WebKit.dll!WebCore::ScrollView::setScrollOffset(const WebCore::IntPoint & offset) Line 373 + 0x15 bytes C++ WebKit.dll!WebCore::ScrollableArea::scrollPositionChanged(const WebCore::IntPoint & position) Line 147 C++ WebKit.dll!WebCore::ScrollableArea::setScrollOffsetFromAnimation(const WebCore::IntPoint & offset) Line 190 + 0x8 bytes C++ WebKit.dll!WebCore::ScrollAnimator::notifyPositionChanged(const WebCore::FloatSize & delta) Line 142 + 0x22 bytes C++ WebKit.dll!WebCore::ScrollAnimator::scroll(WebCore::ScrollbarOrientation orientation, WebCore::ScrollGranularity __formal, float step, float multiplier) Line 71 + 0x28 bytes C++ WebKit.dll!WebCore::ScrollAnimator::handleWheelEvent(const WebCore::PlatformWheelEvent & e) Line 112 + 0x1f bytes C++ WebKit.dll!WebCore::ScrollableArea::handleWheelEvent(const WebCore::PlatformWheelEvent & wheelEvent) Line 176 + 0x4a bytes C++ WebKit.dll!WebCore::FrameView::wheelEvent(const WebCore::PlatformWheelEvent & wheelEvent) Line 4084 + 0xc bytes C++ WebKit.dll!WebCore::EventHandler::handleWheelEvent(const WebCore::PlatformWheelEvent & e) Line 2472 + 0x10 bytes C++ WebKit.dll!WebView::mouseWheel(unsigned int wParam, long lParam, bool isMouseHWheel) Line 1762 C++ WebKit.dll!WebView::WebViewWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 2233 C++
Attachments
Patch (2.38 KB, patch)
2013-06-20 06:37 PDT, peavo 		no flags
DetailsFormatted DiffDiff
Patch (2.38 KB, patch)
2013-06-20 06:54 PDT, peavo 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
peavo
Comment 1 2013-06-20 06:37:03 PDT
Created attachment 205081 [details] Patch
EFL EWS Bot
Comment 2 2013-06-20 06:41:32 PDT
Comment on attachment 205081 [details] Patch Attachment 205081 [details] did not pass efl-ews (efl): Output: http://webkit-queues.appspot.com/results/904720
Early Warning System Bot
Comment 3 2013-06-20 06:41:35 PDT
Comment on attachment 205081 [details] Patch Attachment 205081 [details] did not pass qt-ews (qt): Output: http://webkit-queues.appspot.com/results/880524
Early Warning System Bot
Comment 4 2013-06-20 06:42:46 PDT
Comment on attachment 205081 [details] Patch Attachment 205081 [details] did not pass qt-wk2-ews (qt-wk2): Output: http://webkit-queues.appspot.com/results/942523
EFL EWS Bot
Comment 5 2013-06-20 06:42:50 PDT
Comment on attachment 205081 [details] Patch Attachment 205081 [details] did not pass efl-wk2-ews (efl-wk2): Output: http://webkit-queues.appspot.com/results/943514
peavo
Comment 6 2013-06-20 06:54:38 PDT
Created attachment 205086 [details] Patch
Brent Fulgham
Comment 7 2013-07-01 09:17:37 PDT
Comment on attachment 205086 [details] Patch r=me
WebKit Commit Bot
Comment 8 2013-07-01 09:38:43 PDT
Comment on attachment 205086 [details] Patch Clearing flags on attachment: 205086 Committed r152228: <http://trac.webkit.org/changeset/152228>
WebKit Commit Bot
Comment 9 2013-07-01 09:38:45 PDT
All reviewed patches have been landed. Closing bug.
peavo
Comment 10 2013-07-01 10:29:41 PDT
(In reply to comment #7) > (From update of attachment 205086 [details]) > r=me Thanks for reviewing!
Note You need to log in before you can comment on or make changes to this bug.