RESOLVED FIXED 212415
WebKit Crashes when SVG Filter Logging is Turned On 
https://bugs.webkit.org/show_bug.cgi?id=212415
Summary WebKit Crashes when SVG Filter Logging is Turned On
frankhome61
Reported 2020-05-27 10:03:43 PDT
WebKit crashes when the flag -WebCoreLogging "Filters" is present, which turns on the logging for SVG Filters. This is due to uncaught null pointers in FilterEffect::imageBufferResult(), FilterEffect::copyUnmultipliedResult() and FilterEffect::copyPremultipliedResult() Step to reproduce: 1. Turn on filter logging by adding the flag -WebCoreLogging "Filters" in build scheme 2. Launch MiniBrowser and load an html file with SVG Result: MiniBrowser crashes
Attachments
Patch (4.32 KB, patch)
2020-05-27 10:08 PDT, frankhome61 		no flags
DetailsFormatted DiffDiff
Patch (5.29 KB, patch)
2020-06-04 10:55 PDT, frankhome61 		simon.fraser: review-
DetailsFormatted DiffDiff
Patch (2.85 KB, patch)
2020-06-09 11:53 PDT, frankhome61 		no flags
DetailsFormatted DiffDiff
Patch (5.47 KB, patch)
2020-06-09 12:52 PDT, frankhome61 		no flags
DetailsFormatted DiffDiff
Patch - updated reviewer name (5.47 KB, patch)
2020-06-09 14:11 PDT, frankhome61 		frankhome61: review+
ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-05-27 10:04:37 PDT
<rdar://problem/63679095>
frankhome61
Comment 2 2020-05-27 10:08:58 PDT
Created attachment 400345 [details] Patch
Myles C. Maxfield
Comment 3 2020-05-27 10:20:53 PDT
Comment on attachment 400345 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=400345&action=review > Source/WebCore/ChangeLog:7 > + Need some explanation. > Source/WebCore/ChangeLog:8 > + No new tests (OOPS!). Need justification for why there are no tests > Source/WebCore/platform/graphics/filters/FilterEffect.cpp:272 > + LOG_WITH_STREAM(Filters, stream << " m_premultipliedImageResult " << m_premultipliedImageResult->data()); I think this will create new lines, which probably isn't the intention. "FilterEffect" looks like it was an intentional prefix, to aid for things like grepping through logs. How about using StringBuilder to reduce this giant line into something more readable? Perhaps putting this stuff in its own function, too?
Simon Fraser (smfr)
Comment 4 2020-05-27 11:22:24 PDT
Comment on attachment 400345 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=400345&action=review > Source/WebCore/platform/graphics/filters/FilterEffect.cpp:269 > - LOG_WITH_STREAM(Filters, stream << "FilterEffect " << filterName() << " " << this << " imageBufferResult(). Existing image buffer " << m_imageBufferResult.get() << " m_premultipliedImageResult " << m_premultipliedImageResult->data() << " m_unmultipliedImageResult " << m_unmultipliedImageResult->data()); > + LOG_WITH_STREAM(Filters, stream << "FilterEffect " << filterName() << " " << this << " imageBufferResult(). Existing image buffer " << m_imageBufferResult.get()); You want to do: LOG_WITH_STREAM(Filters, stream << "FilterEffect " << filterName() << " " << this << " imageBufferResult(). Existing image buffer " << m_imageBufferResult.get() << " m_premultipliedImageResult " << (m_premultipliedImageResult ? m_premultipliedImageResult->data() : nullptr) << " m_unmultipliedImageResult " << (m_unmultipliedImageResult ? m_unmultipliedImageResult->data() : nullptr));
frankhome61
Comment 5 2020-06-04 10:55:52 PDT
Created attachment 401045 [details] Patch
Simon Fraser (smfr)
Comment 6 2020-06-04 14:06:47 PDT
Comment on attachment 401045 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=401045&action=review > Source/WebCore/platform/graphics/filters/FilterEffect.cpp:284 > + StringBuilder builder; > + StringPrintStream logStream; > + logStream.printf("FilterEffect %s %p %s(). Existing image buffer %p", filterName(), this, resultType, m_imageBufferResult.get()); > + > + if (m_premultipliedImageResult) > + logStream.printf(" m_premultipliedImageResult %p ", m_premultipliedImageResult->data()); > + else > + logStream.printf(" m_premultipliedImageResult %p", nullptr); > + > + if (m_unmultipliedImageResult) > + logStream.printf(" m_unmultipliedImageResult %p", m_unmultipliedImageResult->data()); > + else > + logStream.printf(" m_unmultipliedImageResult %p", nullptr); > + builder.append(logStream.toString()); > + > + return builder.toString(); This seems worse than the original. Implement TextStream& operator<<(TextStream&, const ImageBuffer&) then use ValueOrNull() in the logging.
frankhome61
Comment 7 2020-06-09 11:53:45 PDT
Created attachment 401456 [details] Patch
frankhome61
Comment 8 2020-06-09 12:52:08 PDT
Created attachment 401463 [details] Patch
frankhome61
Comment 9 2020-06-09 14:11:54 PDT
Created attachment 401474 [details] Patch - updated reviewer name
EWS
Comment 10 2020-06-09 14:16:25 PDT
guowei_yang@apple.com does not have committer permissions according to https://trac.webkit.org/browser/webkit/trunk/Tools/Scripts/webkitpy/common/config/contributors.json. Rejecting attachment 401474 [details] from commit queue.
EWS
Comment 11 2020-06-09 14:47:49 PDT
Committed r262813: <https://trac.webkit.org/changeset/262813> All reviewed patches have been landed. Closing bug and clearing flags on attachment 401463 [details].
Simon Fraser (smfr)
Comment 12 2020-06-09 15:02:28 PDT
Comment on attachment 401463 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=401463&action=review > Source/WebCore/html/ImageData.cpp:122 > + // Print out the address of the pixel data array > + return ts << imageData.data(); This comment can be removed. This should also output the size.
Note You need to log in before you can comment on or make changes to this bug.