Bug 26470 (RESOLVED FIXED)
[Cairo] Zero-height image pattern Causes Crash on Windows, improper Behavior on GTK
https://bugs.webkit.org/show_bug.cgi?id=26470
Brent Fulgham
Reported 2009-06-16 21:54:47 PDT
The Windows Cairo build of WebKit will crash when running the LayoutTest "fast/gradients/border-image-gradient-sides-and-corners.html". The failure occurs down inside cairo, but is triggered by a NaN value generated in Image::drawTiled (see Image.cpp line 170): vPhase -= fmodf(dstRect.height(), scale.height() * srcRect.height() / 2.0f); The fmodf (at least under Windows) generates a silent NaN, yielding a vPhase of -1.0#IND00. Later, this triggers a divide-by-zero deep in the cairo logic. This same test works properly under Safari.
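The root cause described in the report is a zero divisor reaching fmodf: for a zero-height tile, `scale.height() * srcRect.height() / 2.0f` is 0, and fmodf(x, 0) is a domain error whose result is NaN (the `-1.#IND00` MSVC prints). Because NaN compares unequal to everything, it propagates silently through the later transform math until some backend divides by it. The following stand-alone example is added here for illustration and is not code from WebKit or from the patch attached to this bug (which the page does not reproduce); `unguardedPhase` mirrors the expression quoted above, and `guardedPhase` is a hypothetical defensive variant that refuses a zero or non-finite tile period before the value can be handed to a graphics backend.

```cpp
#include <cmath>
#include <cstdio>

// Constructed stand-in for the vPhase expression quoted in the report:
//   vPhase -= fmodf(dstRect.height(), scale.height() * srcRect.height() / 2.0f);
// With srcHeight == 0 the divisor is 0 and fmodf returns NaN (C/C++ domain error).
float unguardedPhase(float dstHeight, float scaleY, float srcHeight)
{
    float vPhase = 0.0f;
    vPhase -= fmodf(dstHeight, scaleY * srcHeight / 2.0f);
    return vPhase;
}

// Hypothetical guarded variant (illustrative only, not the committed WebKit fix).
// Returns false, leaving *outPhase untouched, when the tile period is zero,
// negative or NaN, or when the computed phase is not finite. Note that
// "!(period > 0.0f)" is deliberately written so that a NaN period also fails.
bool guardedPhase(float dstHeight, float scaleY, float srcHeight, float* outPhase)
{
    float period = scaleY * srcHeight / 2.0f;
    if (!(period > 0.0f))
        return false;

    float vPhase = -fmodf(dstHeight, period);
    if (!std::isfinite(vPhase))
        return false;

    *outPhase = vPhase;
    return true;
}

int main()
{
    // Constructed inputs: a 100px destination with a zero-height source tile,
    // the situation the LayoutTest in the report triggers.
    float bad = unguardedPhase(100.0f, 1.0f, 0.0f);
    std::printf("unguarded vPhase for zero-height tile: %f (isnan=%d)\n",
                bad, std::isnan(bad) ? 1 : 0);

    float phase = 0.0f;
    if (!guardedPhase(100.0f, 1.0f, 0.0f, &phase))
        std::printf("guarded: zero-height tile rejected, nothing drawn\n");

    // A sane 60px tile at scale 1 gives a 30px period; 100 mod 30 = 10.
    if (guardedPhase(100.0f, 1.0f, 60.0f, &phase))
        std::printf("guarded vPhase for 60px tile: %f\n", phase);
    return 0;
}
```

The guard rejects the degenerate case up front rather than checking for NaN afterwards, which matters because not every backend fails loudly: the report notes that CoreGraphics accepted a pattern matrix containing NaN without complaint, while cairo divided by zero.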
Attachments
first shot (17.30 KB, image/png)
2009-06-17 09:11 PDT, Gustavo Noronha (kov)
no flags
shot 2 (17.43 KB, image/png)
2009-06-17 09:12 PDT, Gustavo Noronha (kov)
no flags
shot 3 (17.37 KB, image/png)
2009-06-17 09:12 PDT, Gustavo Noronha (kov)
no flags
Comparison of Safari and WinCairo after patch (25.53 KB, image/png)
2009-06-17 10:57 PDT, Brent Fulgham
no flags
Avoid NaN crash (1.49 KB, patch)
2009-06-17 11:13 PDT, Brent Fulgham
gustavo: review+
Brent Fulgham
Comment 1 2009-06-17 09:05:09 PDT
The GTK+ build of WebKit does not crash, but seems to generate different gradient images each time the screen refreshes. This is sort of a neat effect, but certainly not the intended behavior!
Gustavo Noronha (kov)
Comment 2 2009-06-17 09:11:13 PDT
As I discussed on IRC with Brent, the NaN also happens in GTK+, but the only problem I can see with the test is that the gradients are drawn incorrectly, and seem to have different colors each time they are rendered - no crash here. I'm attaching screenshots - I did nothing but take the screenshots, I'm betting that taking the shot causes the window to be re-exposed.
Gustavo Noronha (kov)
Comment 3 2009-06-17 09:11:51 PDT
Created attachment 31415 [details] first shot
Gustavo Noronha (kov)
Comment 4 2009-06-17 09:12:13 PDT
Gustavo Noronha (kov)
Comment 5 2009-06-17 09:12:58 PDT
Brent Fulgham
Comment 6 2009-06-17 09:46:05 PDT
Running the same test in a Mac OS X Debug build, I can see that the vPhase calculation also produces a NaN value. This is eventually processed in the ImageCG.cpp (Image::drawPattern) method, which works with the NaN as-is, uses it in the various transform calculations, then uses them to generate the pattern. CGPatternCreate seems to handle the NaN matrix without any errors: matrix = { a = 0.5, b = 0, c = 0, d = 0.5, tx = -nan(0x400000), ty = -nan(0x400000) }
Brent Fulgham
Comment 7 2009-06-17 10:57:14 PDT
Created attachment 31422 [details] Comparison of Safari and WinCairo after patch
Brent Fulgham
Comment 8 2009-06-17 11:13:44 PDT
Created attachment 31425 [details] Avoid NaN crash
Brent Fulgham
Comment 9 2009-06-17 11:14:18 PDT
Patch confirmed to work on both the Windows Cairo build and webkitgtk.
Gustavo Noronha (kov)
Comment 10 2009-06-17 11:17:27 PDT
Comment on attachment 31425 [details] Avoid NaN crash
Looks right to me (and also trusting krit's judgement).
Brent Fulgham
Comment 11 2009-06-17 12:54:58 PDT