RESOLVED FIXED 149373
WTFCrash loading Blink layout test fast/gradients/css3-repeating-radial-gradients-crash.html 
https://bugs.webkit.org/show_bug.cgi?id=149373
Summary WTFCrash loading Blink layout test fast/gradients/css3-repeating-radial-gradi...
Jon Honeycutt
Reported 2015-09-19 11:11:36 PDT
Created attachment 261579 [details] crashing test WTFCrash loading Blink layout test fast/gradients/css3-repeating-radial-gradients-crash.html. Test added in Blink change: https://chromiumcodereview.appspot.com/24350008 Stack trace: Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef Exception Note: EXC_CORPSE_NOTIFY VM Regions Near 0xbbadbeef: --> __TEXT 0000000100f90000-0000000100f92000 [ 8K] r-x/rwx SM=COW /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Application Specific Information: CRASHING TEST: temp-tests/fast/gradients/css3-repeating-radial-gradients-crash.html Global Trace Buffer (reverse chronological seconds): 18446744057.579926 CFNetwork 0x00007fff88d43b97 Explicitly setting CF cookie storage singleton 18446744057.580311 CFNetwork 0x00007fff88d8f211 Explicitly setting cookie storage singleton Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000108872bde WTFCrash + 62 (Assertions.cpp:321) 1 com.apple.WebCore 0x0000000108e998f7 WTF::Vector<WebCore::GradientStop, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long) + 199 2 com.apple.WebCore 0x0000000108e9459c WebCore::CSSGradientValue::addStops(WebCore::Gradient&, WebCore::CSSToLengthConversionData const&, float) + 5148 (Vector.h:316) 3 com.apple.WebCore 0x0000000108e92ef4 WebCore::CSSRadialGradientValue::createGradient(WebCore::RenderElement&, WebCore::FloatSize const&) + 2276 (CSSGradientValue.cpp:1228) 4 com.apple.WebCore 0x0000000108e920e5 WebCore::CSSGradientValue::image(WebCore::RenderElement*, WebCore::FloatSize const&) + 309 (StdLibExtras.h:366) 5 com.apple.WebCore 0x0000000108ea95e8 WebCore::CSSImageGeneratorValue::image(WebCore::RenderElement*, WebCore::FloatSize const&) + 312 (RefPtr.h:61) 6 com.apple.WebCore 0x0000000109b040e2 WebCore::StyleGeneratedImage::image(WebCore::RenderElement*, WebCore::FloatSize const&) const + 18 (StyleGeneratedImage.cpp:90) 7 com.apple.WebCore 0x00000001098527b2 WebCore::RenderBoxModelObject::paintFillLayerExtended(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::InlineFlowBox*, WebCore::LayoutSize const&, WebCore::CompositeOperator, WebCore::RenderElement*, WebCore::BaseBackgroundColorUsage) + 5794 (StdLibExtras.h:366) 8 com.apple.WebCore 0x000000010983d0b7 WebCore::RenderBox::paintFillLayers(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::LayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderElement*) + 743 (RenderBox.cpp:1620) 9 com.apple.WebCore 0x000000010983cdb7 WebCore::RenderBox::paintRootBoxFillLayers(WebCore::PaintInfo const&) + 135 (RenderBox.cpp:1221) 10 com.apple.WebCore 0x000000010983d6bc WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 652 (Ref.h:120) 11 com.apple.WebCore 0x000000010980c845 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 277 (RenderBlock.cpp:1554) 12 com.apple.WebCore 0x000000010980be86 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 326 (RenderBlock.cpp:1416) 13 com.apple.WebCore 0x00000001098bb1a1 WebCore::RenderLayer::paintBackgroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 385 (RenderLayer.cpp:4656) 14 com.apple.WebCore 0x00000001098b808a WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2650 (RenderLayer.cpp:4315) 15 com.apple.WebCore 0x00000001098b8328 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320 (RenderLayer.cpp:4428) 16 com.apple.WebCore 0x00000001098ce8fc WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, unsigned int, unsigned int) + 524 (RenderLayerBacking.cpp:2308) 17 com.apple.WebCore 0x00000001098ceba0 WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 528 (RenderLayerBacking.h:257) 18 com.apple.WebCore 0x000000010914edd7 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 135 (GraphicsLayer.cpp:414) 19 com.apple.WebCore 0x00000001097c3329 WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow, 16ul>&) + 345 (GraphicsContext.h:581) 20 com.apple.WebCore 0x0000000109c33bf3 WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 163 (Vector.h:634) 21 com.apple.WebCore 0x0000000109cd5afc -[WebSimpleLayer drawInContext:] + 172 (WebLayer.mm:131) 22 com.apple.QuartzCore 0x00007fff937cd839 CABackingStoreUpdate_ + 3494 23 com.apple.QuartzCore 0x00007fff937cca8d ___ZN2CA5Layer8display_Ev_block_invoke + 59 24 com.apple.QuartzCore 0x00007fff937c06e9 CA::Layer::display_() + 1565 25 com.apple.WebCore 0x0000000109cd5a1b -[WebSimpleLayer display] + 43 (WebLayer.mm:112) 26 com.apple.QuartzCore 0x00007fff937beac5 CA::Layer::display_if_needed(CA::Transaction*) + 603 27 com.apple.QuartzCore 0x00007fff937be145 CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35 28 com.apple.QuartzCore 0x00007fff937bd6a9 CA::Context::commit_transaction(CA::Transaction*) + 277 29 com.apple.QuartzCore 0x00007fff937bd3dc CA::Transaction::commit() + 508 30 com.apple.WebKit 0x000000010754c864 WebKit::TiledCoreAnimationDrawingArea::forceRepaint() + 152 (TiledCoreAnimationDrawingArea.mm:149) 31 WebKitTestRunnerInjectedBundle 0x000000010b81675e WTR::InjectedBundlePage::dump() + 50 (InjectedBundlePage.cpp:853) 32 com.apple.WebKit 0x0000000107487e5e WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage*, WebKit::WebFrame*, WTF::RefPtr<API::Object>&) + 76 (InjectedBundlePageLoaderClient.cpp:146) 33 com.apple.WebKit 0x00000001075ae126 WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() + 72 (WebFrameLoaderClient.cpp:553) 34 com.apple.WebCore 0x00000001090faad2 WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 594 (FrameLoader.cpp:2286) 35 com.apple.WebCore 0x00000001090f13b6 WebCore::FrameLoader::checkLoadComplete() + 438 (FrameLoader.cpp:2465) 36 com.apple.WebCore 0x0000000108f87a80 WebCore::DocumentLoader::finishedLoading(double) + 416 (DocumentLoader.cpp:439) 37 com.apple.WebCore 0x0000000108db8179 WebCore::CachedResource::checkNotify() + 153 (CachedResourceClientWalker.h:51) 38 com.apple.WebCore 0x0000000108db4433 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 227 (CachedRawResource.cpp:104) 39 com.apple.WebCore 0x0000000109b2f501 WebCore::SubresourceLoader::didFinishLoading(double) + 1153 (ResourceLoader.h:154) 40 com.apple.WebKit 0x000000010767598d WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 561 (HandleMessage.h:16) 41 com.apple.WebKit 0x000000010744f1f1 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127 (memory:2636) 42 com.apple.WebKit 0x0000000107451b4a IPC::Connection::dispatchOneMessage() + 126 (memory:2656) 43 com.apple.JavaScriptCore 0x0000000108893985 WTF::RunLoop::performWork() + 437 (functional:1742) 44 com.apple.JavaScriptCore 0x0000000108893d32 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39) 45 com.apple.CoreFoundation 0x00007fff949e2c01 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 46 com.apple.CoreFoundation 0x00007fff949d4b1c __CFRunLoopDoSources0 + 556 47 com.apple.CoreFoundation 0x00007fff949d403f __CFRunLoopRun + 927 48 com.apple.CoreFoundation 0x00007fff949d3a38 CFRunLoopRunSpecific + 296 49 com.apple.HIToolbox 0x00007fff88e673bd RunCurrentEventLoopInMode + 235 50 com.apple.HIToolbox 0x00007fff88e67153 ReceiveNextEventCommon + 432 51 com.apple.HIToolbox 0x00007fff88e66f93 _BlockUntilNextEventMatchingListInModeWithFilter + 71 52 com.apple.AppKit 0x00007fff870b81e7 _DPSNextEvent + 1076 53 com.apple.AppKit 0x00007fff8748490d -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 54 com.apple.AppKit 0x00007fff870ae0b8 -[NSApplication run] + 682 55 com.apple.AppKit 0x00007fff87030396 NSApplicationMain + 1176 56 libxpc.dylib 0x00007fff8c70ff70 _xpc_objc_main + 793 57 libxpc.dylib 0x00007fff8c7116bf xpc_main + 494 58 com.apple.WebKit.WebContent.Development 0x0000000100f91424 main + 409 (XPCServiceMain.Development.mm:187) 59 libdyld.dylib 0x00007fff93aa15ad start + 1
Attachments
crashing test (206 bytes, text/html)
2015-09-19 11:11 PDT, Jon Honeycutt 		no flags
Details
Patch (3.61 KB, patch)
2015-09-30 19:19 PDT, Jiewen Tan 		no flags
DetailsFormatted DiffDiff
Patch (3.55 KB, patch)
2015-10-01 12:22 PDT, Jiewen Tan 		no flags
DetailsFormatted DiffDiff
Patch (3.47 KB, patch)
2015-10-05 14:59 PDT, Jiewen Tan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2015-09-19 12:05:59 PDT
<rdar://problem/22771418>
Radar WebKit Bug Importer
Comment 2 2015-09-19 12:06:00 PDT
<rdar://problem/22771419>
Jiewen Tan
Comment 3 2015-09-30 19:19:41 PDT
Created attachment 262223 [details] Patch
Darin Adler
Comment 4 2015-09-30 21:46:11 PDT
Comment on attachment 262223 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=262223&action=review > Source/WebCore/ChangeLog:13 > + Check whether gradientLength > 0 before using it as nominator. It’s denominator, not nominator. > LayoutTests/fast/gradients/css3-repeating-radial-gradients-crash.html:4 > +Test for crbug.com/295126. If this test passes, no crash occurs. Could you put a WebKit bug URL here instead of the Chromium bug URL please? It would also be better if this was a ref test instead of a render tree dump test.
Jiewen Tan
Comment 5 2015-10-01 09:58:44 PDT
Comment on attachment 262223 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=262223&action=review >> Source/WebCore/ChangeLog:13 >> + Check whether gradientLength > 0 before using it as nominator. > > It’s denominator, not nominator. Sorry for the typo. >> LayoutTests/fast/gradients/css3-repeating-radial-gradients-crash.html:4 >> +Test for crbug.com/295126. If this test passes, no crash occurs. > > Could you put a WebKit bug URL here instead of the Chromium bug URL please? > > It would also be better if this was a ref test instead of a render tree dump test. Sorry for missing the url here. I am not sure whether I know the difference between a ref test and a render tree dump test. Could you give me some references about them? Thank you!
Jiewen Tan
Comment 6 2015-10-01 12:22:48 PDT
Created attachment 262274 [details] Patch
Jiewen Tan
Comment 7 2015-10-05 14:59:39 PDT
Created attachment 262464 [details] Patch
WebKit Commit Bot
Comment 8 2015-10-05 18:23:18 PDT
Comment on attachment 262464 [details] Patch Clearing flags on attachment: 262464 Committed r190597: <http://trac.webkit.org/changeset/190597>
WebKit Commit Bot
Comment 9 2015-10-05 18:23:23 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.