Bug 132635 - Using a fill pattern much larger than actual canvas reliably segfaults browser
Summary: Using a fill pattern much larger than actual canvas reliably segfaults browser
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Canvas
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Dean Jackson
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2014-05-06 17:37 PDT by Stephen Judkins
Modified: 2014-05-07 18:31 PDT
CC List: 9 users
See Also:

Attachments
Stack trace on crashing Safari process, OS X (59.63 KB, text/plain)
2014-05-06 17:37 PDT, Stephen Judkins
no flags
Patch (3.82 KB, patch)
2014-05-07 18:22 PDT, Dean Jackson
simon.fraser: review+

Description Stephen Judkins 2014-05-06 17:37:01 PDT
Created attachment 230959 [details]
Stack trace on crashing Safari process, OS X

The following code will reliably crash Safari or a UI WebView on iOS or OS X:

```js
var canvas, ctx, pattern, patternCanvas, ratio, size;

// The pattern source is made 50x larger than the target canvas in each axis.
ratio = 50;

canvas = document.createElement("canvas");

// Size the canvas to the page, in device pixels.
size = document.body.getBoundingClientRect();
canvas.width = size.width * devicePixelRatio;
canvas.height = size.height * devicePixelRatio;

// The pattern source: a canvas far larger than the canvas it will fill.
patternCanvas = document.createElement('canvas');
patternCanvas.width = Math.floor(canvas.width * ratio);
patternCanvas.height = Math.floor(canvas.height * ratio);

ctx = canvas.getContext("2d");

// Creating the oversized pattern and filling with it is what triggers the crash.
pattern = ctx.createPattern(patternCanvas, 'repeat');
ctx.rect(0, 0, canvas.width, canvas.height);
ctx.fillStyle = pattern;
ctx.fill();
```

This appears to cause a null pointer dereference in `WebCore::Pattern::createPlatformPattern` because `tileImage` is not set. See attached stack trace.
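An added example, not code from the bug report or from WebKit, showing how page code can stay on the safe side of this failure mode: bound the pattern source's pixel count before calling `createPattern`, and treat both a `null` return and a thrown exception as a fallback case rather than assuming the pattern exists. `MAX_PATTERN_PIXELS`, the fallback style and the `makeStubContext` stand-in for a 2D context are assumptions made for this example so that it runs outside a browser; `patternDimensions` reproduces the size arithmetic of the reporter's snippet.

```javascript
// Added example, not code from the bug report or from WebKit.
// Defensive pattern creation: refuse pattern sources that would need an
// unreasonable tile backing store, and fall back cleanly if the engine
// rejects the source (null return or exception) instead of relying on it.

// Assumed pixel budget for a pattern tile: 16 megapixels of RGBA is 64 MiB.
// Real engine limits differ; this value is an assumption for the example.
const MAX_PATTERN_PIXELS = 16 * 1024 * 1024;

// Dimensions the reproducer would request for the pattern canvas: the target
// canvas size in device pixels, scaled by `ratio` in each axis.
function patternDimensions(cssWidth, cssHeight, devicePixelRatio, ratio) {
  const canvasWidth = cssWidth * devicePixelRatio;
  const canvasHeight = cssHeight * devicePixelRatio;
  return {
    width: Math.floor(canvasWidth * ratio),
    height: Math.floor(canvasHeight * ratio),
  };
}

// True when the source is unusable (zero, negative or non-finite size)
// or exceeds the pixel budget.
function patternSourceTooLarge(source, maxPixels = MAX_PATTERN_PIXELS) {
  const w = source.width, h = source.height;
  if (!Number.isFinite(w) || !Number.isFinite(h) || w <= 0 || h <= 0) return true;
  return w * h > maxPixels;
}

// Creates a pattern or returns a fallback fill style, reporting which happened.
function createPatternSafely(ctx, source, repetition, fallbackStyle) {
  if (patternSourceTooLarge(source)) {
    return { style: fallbackStyle, usedFallback: true, reason: 'source too large' };
  }
  try {
    const pattern = ctx.createPattern(source, repetition);
    // The canvas spec allows createPattern to return null for an unusable source.
    if (pattern === null) {
      return { style: fallbackStyle, usedFallback: true, reason: 'null pattern' };
    }
    return { style: pattern, usedFallback: false, reason: null };
  } catch (err) {
    return { style: fallbackStyle, usedFallback: true, reason: 'exception: ' + err.message };
  }
}

// Constructed stand-in for CanvasRenderingContext2D so the example runs in Node.
// `behaviour` selects how the stub reacts to createPattern: 'ok', 'null' or 'throw'.
function makeStubContext(behaviour = 'ok') {
  return {
    fillStyle: null,
    createPattern(source, repetition) {
      if (behaviour === 'throw') throw new Error('stub: pattern source rejected');
      if (behaviour === 'null') return null;
      return { kind: 'pattern', width: source.width, height: source.height, repetition };
    },
  };
}

// Demonstration with constructed numbers: a 1024x768 page at DPR 2 and ratio 50
// asks for a 102400x76800 pattern source, which the guard rejects.
function demo() {
  const big = patternDimensions(1024, 768, 2, 50);
  const ctx = makeStubContext('ok');
  const result = createPatternSafely(ctx, big, 'repeat', '#808080');
  ctx.fillStyle = result.style;
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a real page, `makeStubContext` is replaced by `canvas.getContext('2d')`; the guard's value is that the page decides what "too large" means before the engine is asked to allocate a tile, and that a rejected source degrades to a solid fill rather than an unhandled error.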
Comment 1 Radar WebKit Bug Importer 2014-05-07 08:27:21 PDT
<rdar://problem/16839291>
Comment 2 Rik Cabanier 2014-05-07 09:47:10 PDT
I can't reproduce this: http://jsfiddle.net/gA5G8/1/
Is there something wrong with my code?
Comment 3 Stephen Judkins 2014-05-07 10:54:40 PDT
That jsfiddle link reliably causes crashes for me, on both Safari Version 7.0.3 (9537.75.14) and WebKit r168407 on OS X 10.9.2. [https://dl.dropboxusercontent.com/spa/4slnjubp16y5phq/q_svco15.png] However, none of my coworkers' machines crash.

However, it reliably crashes everyone who tries it on mobile Safari (or a UIWebView) on iOS. This only occurs on the actual device, NOT the x86 simulator. The stack trace indicates it's a null pointer dereference in the same `WebCore::Pattern::createPlatformPattern` method. So far, this has been 100% reproducible on these devices:

* iPad 4th-generation
* iPhone 4g
Comment 4 Stephen Judkins 2014-05-07 11:04:35 PDT
Also reproduced on:
* iPad (3rd gen)
Comment 5 Simon Fraser (smfr) 2014-05-07 11:13:03 PDT
I can reproduce.
Comment 6 Dean Jackson 2014-05-07 18:22:51 PDT
Created attachment 231034 [details]
Patch
Comment 7 Simon Fraser (smfr) 2014-05-07 18:24:28 PDT
Comment on attachment 231034 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=231034&action=review

> LayoutTests/fast/canvas/pattern-too-large-to-create-expected.html:2
> +<body>
> +PASS: Saw exception.
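Review bot: the expectation is written as an HTML document (`-expected.html` starting with `<body>`) even though the only output being checked is the text line `PASS: Saw exception.`, which makes this a reference test that compares rendered pages for a plain pass/fail string; a text test with a plain-text expectation would be simpler to read in failures and less sensitive to rendering differences.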

Weird using a ref test for this. Make it a text test.
Comment 8 Dean Jackson 2014-05-07 18:31:05 PDT
Committed r168457: <http://trac.webkit.org/changeset/168457>