Bug 196340 - [Cairo] out-of-bounds read in ShareableBitmap::paint if a fractional device scale factor is used
Summary: [Cairo] out-of-bounds read in ShareableBitmap::paint if a fractional device s...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Fujii Hironori
URL:
Keywords:
Depends on:
Blocks: 196339 201361
  Show dependency treegraph
 
Reported: 2019-03-27 22:19 PDT by Fujii Hironori
Modified: 2019-09-24 18:35 PDT (History)
4 users (show)

See Also:

Attachments
WIP patch (1.23 KB, patch)
2019-03-27 23:19 PDT, Fujii Hironori 		no flags Details | Formatted Diff | Diff
Patch (2.27 KB, patch)
2019-09-01 21:23 PDT, Fujii Hironori 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Fujii Hironori 2019-03-27 22:19:45 PDT 
[Cairo] Segmentation fault in Cairo::drawPatternToCairoContext with 1.5x device scale factor high DPI display

I'm working on WinCairo WK2 High DPI support in Bug 196339.
It's easy to cause segmentation faults in Cairo::drawPatternToCairoContext.
I'm using 1.5x device scale factor high DPI.
It's no problem if I tweaks deviceScaleFactor to 2x.

> cairo.dll!_pixman_implementation_create_sse2()	C
> cairo.dll!_pixman_gradient_walker_pixel()	C
> cairo.dll!pixman_image_composite32()	C
> cairo.dll!_inplace_src_spans(void * abstract_renderer, int y, int h, const _cairo_half_open_span * spans, unsigned int num_spans) Line 2716	C
> cairo.dll!generate_row(_cairo_span_renderer * renderer, const _rectangle * r, int y, int h, unsigned short coverage) Line 626	C
> cairo.dll!_cairo_rectangular_scan_converter_generate(void * converter, _cairo_span_renderer * renderer) Line 673	C
> cairo.dll!composite_boxes(const cairo_spans_compositor * compositor, _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 741	C
> cairo.dll!clip_and_composite_boxes(const cairo_spans_compositor * compositor, _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 888	C
> cairo.dll!_cairo_spans_compositor_mask(const cairo_compositor * _compositor, _cairo_composite_rectangles * extents) Line 1000	C
> cairo.dll!_cairo_compositor_paint(const cairo_compositor * compositor, _cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 67	C
> cairo.dll!_cairo_image_surface_paint(void * abstract_surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 931	C
> cairo.dll!_cairo_surface_paint(_cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 2199	C
> cairo.dll!_cairo_gstate_paint(_cairo_gstate * gstate) Line 1061	C
> cairo.dll!_cairo_default_context_paint_with_alpha(void * abstract_cr, double alpha) Line 971	C
> cairo.dll!cairo_paint_with_alpha(_cairo * cr, double alpha) Line 2248	C
> WebKit2.dll!WebCore::Cairo::drawPatternToCairoContext(_cairo * cr, _cairo_pattern * pattern, const WebCore::FloatRect & destRect, float alpha) Line 156	C++
> WebKit2.dll!WebCore::Cairo::drawSurface(WebCore::PlatformContextCairo & platformContext, _cairo_surface * surface, const WebCore::FloatRect & destRect, const WebCore::FloatRect & originalSrcRect, WebCore::InterpolationQuality imageInterpolationQuality, float globalAlpha, const WebCore::Cairo::ShadowState & shadowState) Line 944	C++
> WebKit2.dll!WebKit::ShareableBitmap::paint(WebCore::GraphicsContext & context, float scaleFactor, const WebCore::IntPoint & dstPoint, const WebCore::IntRect & srcRect) Line 80	C++
> WebKit2.dll!WebKit::BackingStore::incorporateUpdate(WebKit::ShareableBitmap * bitmap, const WebKit::UpdateInfo & updateInfo) Line 93	C++
> WebKit2.dll!WebKit::BackingStore::incorporateUpdate(const WebKit::UpdateInfo & updateInfo) Line 62	C++
> WebKit2.dll!WebKit::DrawingAreaProxyCoordinatedGraphics::incorporateUpdate(const WebKit::UpdateInfo & updateInfo) Line 255	C++
> WebKit2.dll!WebKit::DrawingAreaProxyCoordinatedGraphics::update(unsigned __int64 backingStoreStateID, const WebKit::UpdateInfo & updateInfo) Line 157	C++
> WebKit2.dll!IPC::callMemberFunctionImpl<WebKit::DrawingAreaProxy,void (WebKit::DrawingAreaProxy::*)(unsigned long long, const WebKit::UpdateInfo &),std::tuple<unsigned long long,WebKit::UpdateInfo>,0,1>(WebKit::DrawingAreaProxy * object, void(WebKit::DrawingAreaProxy::*)(unsigned __int64, const WebKit::UpdateInfo &) function, std::tuple<unsigned long long,WebKit::UpdateInfo> && args, std::integer_sequence<unsigned long long,0,1>) Line 42	C++
> WebKit2.dll!IPC::callMemberFunction<WebKit::DrawingAreaProxy,void (WebKit::DrawingAreaProxy::*)(unsigned long long, const WebKit::UpdateInfo &),std::tuple<unsigned long long,WebKit::UpdateInfo>,std::integer_sequence<unsigned long long,0,1> >(std::tuple<unsigned long long,WebKit::UpdateInfo> && args, WebKit::DrawingAreaProxy * object, void(WebKit::DrawingAreaProxy::*)(unsigned __int64, const WebKit::UpdateInfo &) function) Line 47	C++
> WebKit2.dll!IPC::handleMessage<Messages::DrawingAreaProxy::Update,WebKit::DrawingAreaProxy,void (WebKit::DrawingAreaProxy::*)(unsigned long long, const WebKit::UpdateInfo &)>(IPC::Decoder & decoder, WebKit::DrawingAreaProxy * object, void(WebKit::DrawingAreaProxy::*)(unsigned __int64, const WebKit::UpdateInfo &) function) Line 121	C++
> WebKit2.dll!WebKit::DrawingAreaProxy::didReceiveMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 50	C++
> WebKit2.dll!IPC::MessageReceiverMap::dispatchMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 124	C++
> WebKit2.dll!WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 155	C++
> WebKit2.dll!WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection & connection, IPC::Decoder & decoder) Line 619	C++
> WebKit2.dll!IPC::Connection::dispatchMessage(IPC::Decoder & decoder) Line 984	C++
> WebKit2.dll!IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > message) Line 1012	C++
> WebKit2.dll!IPC::Connection::dispatchIncomingMessages() Line 1116	C++
> WebKit2.dll!IPC::Connection::enqueueIncomingMessage::<unnamed-tag>::operator()() Line 959	C++
> WebKit2.dll!WTF::Function<void ()>::CallableWrapper<`lambda at ..\..\Source\WebKit\Platform\IPC\Connection.cpp:957:30'>::call() Line 102	C++
> WTF.dll!WTF::Function<void ()>::operator()() Line 57	C++
> WTF.dll!WTF::RunLoop::performWork() Line 107	C++
> WTF.dll!WTF::RunLoop::wndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 57	C++
> WTF.dll!WTF::RunLoop::RunLoopWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 39	C++
> [External Code]	
> WebKit.dll!WebKitMessageLoop::run(HACCEL__ * hAccelTable) Line 94	C++
> MiniBrowserLib.dll!wWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 97	C++
> MiniBrowserLib.dll!dllLauncherEntryPoint(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 115	C++
> MiniBrowser.exe!wWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 232	C++
> [External Code]
Comment 1 Fujii Hironori 2019-03-27 23:19:32 PDT 
Created attachment 366154 [details]
WIP patch
Comment 2 Fujii Hironori 2019-09-01 21:23:25 PDT 
Created attachment 377837 [details]
Patch
Comment 3 Brent Fulgham 2019-09-01 22:43:38 PDT 
Comment on attachment 377837 [details]
Patch

This looks correct to me, and seems to satisfy the CI system.
Comment 4 Fujii Hironori 2019-09-01 23:03:37 PDT 
Comment on attachment 377837 [details]
Patch

Clearing flags on attachment: 377837

Committed r249375: <https://trac.webkit.org/changeset/249375>
Comment 5 Fujii Hironori 2019-09-01 23:03:40 PDT 
All reviewed patches have been landed.  Closing bug.