WebKit Bugzilla
NEW
164925
[GTK] Crash in WebCore::TextureMapperTiledBackingStore::createOrDestroyTilesIfNeeded allocating too-large vector
https://bugs.webkit.org/show_bug.cgi?id=164925
Michael Catanzaro
Reported
2016-11-18 08:18:04 PST
Only two reports of this one. Web process crash in WebCore::TextureMapperTiledBackingStore::createOrDestroyTilesIfNeeded inside WTF::Vector<WebCore::FloatRect, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity. It's crashing on overflow here:

    if (newCapacity > std::numeric_limits<unsigned>::max() / sizeof(T))
        CRASH();

Curiously, the function accepts a size_t newCapacity parameter, but the limit it's checking is for the smaller unsigned int. Long backtrace downstream. Short version:

Thread 1 (Thread 0x7fa365b88ac0 (LWP 25221)):
#0  0x00007fa36318a67c in WTFCrash() () at /usr/src/debug/webkitgtk-2.12.4/Source/WTF/wtf/Assertions.cpp:322
#1  0x00007fa363a91df6 in WTF::Vector<WebCore::FloatRect, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long) (newCapacity=<optimized out>, this=0x7ffdaef91720) at /usr/src/debug/webkitgtk-2.12.4/Source/WTF/wtf/Vector.h:266
        sizeToAllocate = <optimized out>
        this = 0x7ffdaef91720
#2  0x00007fa363a91df6 in WTF::Vector<WebCore::FloatRect, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long) (newCapacity=<optimized out>, this=0x7ffdaef91720) at /usr/src/debug/webkitgtk-2.12.4/Source/WTF/wtf/Vector.h:1094
        this = 0x7ffdaef91720
#3  0x00007fa363a91df6 in WTF::Vector<WebCore::FloatRect, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long) (this=0x7ffdaef91720, newMinCapacity=<optimized out>) at /usr/src/debug/webkitgtk-2.12.4/Source/WTF/wtf/Vector.h:955
#4  0x00007fa364a58100 in WebCore::TextureMapperTiledBackingStore::createOrDestroyTilesIfNeeded(WebCore::FloatSize const&, WebCore::IntSize const&, bool) (ptr=0x7ffdaef91740, newMinCapacity=<optimized out>, this=0x7ffdaef91720) at /usr/src/debug/webkitgtk-2.12.4/Source/WTF/wtf/Vector.h:962
        index = <optimized out>
        tileRect = {m_location = {m_x = 3690000, m_y = 26344000}, m_size = {m_width = 2000, m_height = 2000}}
        x = <optimized out>
        y = 26344000
        scaledSize = {m_width = 33554432, m_height = 33554432}
        tileRectsToAdd = {<WTF::VectorBuffer<WebCore::FloatRect, 0ul>> = {<WTF::VectorBufferBase<WebCore::FloatRect>> = {m_buffer = 0x7f9e69800000, m_capacity = 221001661, m_size = 221001661}, <No data fields>}, <No data fields>}
        tileIndicesToRemove = {<WTF::VectorBuffer<int, 0ul>> = {<WTF::VectorBufferBase<int>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}
        hasAlpha = <optimized out>
        tileSize = @0x7ffdaef917d0: {m_width = 2000, m_height = 2000}
        size = <optimized out>
        this = 0x7fa29e59e780
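The following is an added example, not code from this bug report or from WebKit. It models the overflow check quoted above with the numbers visible in the backtrace (scaledSize 33554432 x 33554432, tileSize 2000 x 2000, a vector of 16-byte FloatRects already holding 221001661 entries) to show why CRASH() fires: the tile grid alone needs more rects than the unsigned-int-derived limit allows, so the next growth step of the vector is rejected. The FloatRect stand-in, the ceiling-division tile count, the 1.25x growth rule in nextCapacity, and the tileGridFits pre-check are assumptions made for the illustration, not WebKit's actual implementation.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumed stand-in for WebCore::FloatRect: four floats, 16 bytes, which is
// the element size of the vector that overflowed in the backtrace.
struct FloatRect { float x, y, w, h; };

// The check quoted from WTF::Vector::expandCapacity: newCapacity is a size_t,
// but the bound comes from unsigned int, so on a 64-bit build any allocation
// that would exceed 4 GiB hits CRASH() instead of failing gracefully.
bool expandCapacityWouldCrash(size_t newCapacity, size_t elementSize) {
    return newCapacity > std::numeric_limits<unsigned>::max() / elementSize;
}

// Largest element count the check above accepts for a given element size.
size_t maxCheckedCapacity(size_t elementSize) {
    return std::numeric_limits<unsigned>::max() / elementSize;
}

// Tiles needed to cover a scaled backing store, one per grid cell
// (ceiling division in each dimension; assumed tiling arithmetic).
uint64_t tileCount(uint64_t scaledWidth, uint64_t scaledHeight, uint64_t tileSize) {
    uint64_t cols = (scaledWidth + tileSize - 1) / tileSize;
    uint64_t rows = (scaledHeight + tileSize - 1) / tileSize;
    return cols * rows;
}

// Assumed growth policy for the illustration: grow to capacity + capacity/4 + 1
// when the vector runs out of room.
size_t nextCapacity(size_t capacity) {
    return capacity + capacity / 4 + 1;
}

// Defensive pre-check a tiling routine could make before pushing any rects:
// refuse the grid (caller falls back to a smaller scale or a single tile)
// when it cannot fit, rather than discovering that deep inside expandCapacity.
bool tileGridFits(uint64_t scaledWidth, uint64_t scaledHeight, uint64_t tileSize) {
    return tileCount(scaledWidth, scaledHeight, tileSize)
        <= maxCheckedCapacity(sizeof(FloatRect));
}

int main() {
    // Values taken from the backtrace in the report.
    const uint64_t scaledW = 33554432, scaledH = 33554432, tile = 2000;
    const size_t inVector = 221001661;

    std::printf("tiles needed:        %llu\n",
                (unsigned long long)tileCount(scaledW, scaledH, tile));
    std::printf("limit for 16-byte T: %zu\n", maxCheckedCapacity(sizeof(FloatRect)));
    std::printf("next growth step:    %zu -> crash=%d\n",
                nextCapacity(inVector),
                (int)expandCapacityWouldCrash(nextCapacity(inVector), sizeof(FloatRect)));
    std::printf("grid fits:           %d\n", (int)tileGridFits(scaledW, scaledH, tile));
    return 0;
}
```

With the report's numbers the grid needs 281501284 rects but the check only admits 268435455 sixteen-byte elements, so the vector could never have reached the full tile count; the growth step from 221001661 to 276252077 is simply the first one to cross the limit.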
Carlos Garcia Campos
Comment 1
2016-11-30 05:53:50 PST
We don't even use TextureMapperTiledBackingStore anymore since 2.14. Well only when building without coord graphics.