Bug 220348 - Nullptr crash in GradientImage::drawPattern
Summary: Nullptr crash in GradientImage::drawPattern
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Images (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Rob Buis
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-01-05 22:23 PST by Ryosuke Niwa
Modified: 2021-01-13 13:00 PST (History)
12 users (show)

See Also:

Attachments
Test (470.01 KB, text/html)
2021-01-05 22:29 PST, Ryosuke Niwa 		no flags Details
Reduced testcase (169 bytes, text/html)
2021-01-11 06:21 PST, Rob Buis 		no flags Details
Patch (4.16 KB, patch)
2021-01-12 05:50 PST, Rob Buis 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2021-01-05 22:23:16 PST 
e.g.

ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00011895889d bp 0x7ffee7433210 sp 0x7ffee7433210 T0)

    #0 0x11895889d in WTF::RetainPtr<CGImage*>::get() const+0x1d (WebCore.framework/Versions/A/WebCore:x86_64+0x1e489d)
    #1 0x11d6d0dc0 in WebCore::createBitmapImageAfterScalingIfNeeded(WTF::RefPtr<WebCore::NativeImage, WTF::RawPtrTraits<WebCore::NativeImage>, WTF::DefaultRefDerefTraits<WebCore::NativeImage> >&&, WebCore::IntSize const&, WebCore::IntSize const&, float, WebCore::PreserveResolution)+0x4a0 (WebCore.framework/Versions/A/WebCore:x86_64+0x4f5cdc0)
    #2 0x11d6d1182 in WebCore::ImageBufferCGBackend::sinkIntoImage(WebCore::PreserveResolution)+0x1c2 (WebCore.framework/Versions/A/WebCore:x86_64+0x4f5d182)
    #3 0x11d5972e0 in WebCore::ConcreteImageBuffer<WebCore::ImageBufferCGBitmapBackend>::sinkIntoImage(WebCore::PreserveResolution)+0xb0 (WebCore.framework/Versions/A/WebCore:x86_64+0x4e232e0)
    #4 0x11d5885c2 in WebCore::ImageBuffer::sinkIntoImage(WTF::RefPtr<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::ImageBuffer> >, WebCore::PreserveResolution)+0x52 (WebCore.framework/Versions/A/WebCore:x86_64+0x4e145c2)
    #5 0x11d54d633 in WebCore::GradientImage::drawPattern(WebCore::GraphicsContext&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::AffineTransform const&, WebCore::FloatPoint const&, WebCore::FloatSize const&, WebCore::ImagePaintingOptions const&)+0x603 (WebCore.framework/Versions/A/WebCore:x86_64+0x4dd9633)
    #6 0x11d584054 in WebCore::Image::drawTiled(WebCore::GraphicsContext&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::FloatSize const&, WebCore::Image::TileRule, WebCore::Image::TileRule, WebCore::ImagePaintingOptions const&)+0x814 (WebCore.framework/Versions/A/WebCore:x86_64+0x4e10054)
    #7 0x11d561307 in WebCore::GraphicsContext::drawTiledImage(WebCore::Image&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::FloatSize const&, WebCore::Image::TileRule, WebCore::Image::TileRule, WebCore::ImagePaintingOptions const&)+0x157 (WebCore.framework/Versions/A/WebCore:x86_64+0x4ded307)
    #8 0x11dfcf704 in WebCore::NinePieceImage::paint(WebCore::GraphicsContext&, WebCore::RenderElement*, WebCore::RenderStyle const&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, float, WebCore::CompositeOperator) const+0x814 (WebCore.framework/Versions/A/WebCore:x86_64+0x585b704)
    #9 0x11dc2770b in WebCore::RenderBoxModelObject::paintNinePieceImage(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::NinePieceImage const&, WebCore::CompositeOperator)+0x3db (WebCore.framework/Versions/A/WebCore:x86_64+0x54b370b)
    #10 0x11dc31def in WebCore::RenderBoxModelObject::paintBorder(WebCore::PaintInfo const&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::BackgroundBleedAvoidance, bool, bool)+0x39f (WebCore.framework/Versions/A/WebCore:x86_64+0x54bddef)
    #11 0x11dbb9b63 in WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&)+0x4f3 (WebCore.framework/Versions/A/WebCore:x86_64+0x5445b63)
    #12 0x11de23053 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)+0x543 (WebCore.framework/Versions/A/WebCore:x86_64+0x56af053)
    #13 0x11dd41a4a in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)+0x49a (WebCore.framework/Versions/A/WebCore:x86_64+0x55cda4a)
    #14 0x11dd3d3f0 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)+0x9f0 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c93f0)
    #15 0x11dd356eb in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0xeab (WebCore.framework/Versions/A/WebCore:x86_64+0x55c16eb)
    #16 0x11dd346fe in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x23e (WebCore.framework/Versions/A/WebCore:x86_64+0x55c06fe)
    #17 0x11dd34360 in WebCore::RenderLayer::paintLayerByApplyingTransform(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::LayoutSize const&)+0x690 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c0360)
    #18 0x11dd32752 in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x782 (WebCore.framework/Versions/A/WebCore:x86_64+0x55be752)
    #19 0x11dd30e9f in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1ff (WebCore.framework/Versions/A/WebCore:x86_64+0x55bce9f)
    #20 0x11dd3c98b in WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x13b (WebCore.framework/Versions/A/WebCore:x86_64+0x55c898b)
    #21 0x11dd357d5 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0xf95 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c17d5)
    #22 0x11dd346fe in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x23e (WebCore.framework/Versions/A/WebCore:x86_64+0x55c06fe)
    #23 0x11dd34360 in WebCore::RenderLayer::paintLayerByApplyingTransform(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::LayoutSize const&)+0x690 (WebCore.framework/Versions/A/WebCore:x86_64+0x55c0360)
    #24 0x11dd32752 in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x782 (WebCore.framework/Versions/A/WebCore:x86_64+0x55be752)
    #25 0x11dd30e9f in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1ff (WebCore.framework/Versions/A/WebCore:x86_64+0x55bce9f)

<rdar://problem/72036950>
Comment 1 Ryosuke Niwa 2021-01-05 22:29:23 PST 
Created attachment 417067 [details]
Test
Comment 2 Rob Buis 2021-01-11 06:21:03 PST 
Created attachment 417374 [details]
Reduced testcase
Comment 3 Rob Buis 2021-01-12 05:50:42 PST 
Created attachment 417450 [details]
Patch
Comment 4 EWS 2021-01-13 10:41:02 PST 
Committed r271441: <https://trac.webkit.org/changeset/271441>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 417450 [details].
Comment 5 Ryosuke Niwa 2021-01-13 13:00:12 PST 
No security implication here.