RESOLVED FIXED 286338
[Win] Offset out of range in span::subspan(offset, count) under WebCore::convertImagePixelsUnaccelerated
https://bugs.webkit.org/show_bug.cgi?id=286338
Fujii Hironori
Reported 2025-01-21 22:03:31 PST
With the Debug CRT, the Windows port is crashing for some canvas tests. For example, fast/canvas/canvas-clip-path.html

> Debug Assertion Failed!
>
> Program: C:\webkit\wb\webkitbuild\debug\bin\WebCore.dll
> File: C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Tools\MSVC\14.42.34433\include\span
> Line: 423
>
> Expression: Offset out of range in span::subspan(offset, count)w

> WebCore.dll!std::span<const unsigned char,18446744073709551615>::subspan(const unsigned __int64 _Offset, const unsigned __int64 _Count) Line 423 C++
> WebCore.dll!WTF::skip<const unsigned char>(std::span<const unsigned char,18446744073709551615> & data, unsigned __int64 amountToSkip) Line 47 C++
> WebCore.dll!WebCore::convertImagePixelsUnaccelerated<&WebCore::convertSinglePixelPremultipliedToUnpremultiplied>(const WebCore::ConstPixelBufferConversionView & source, const WebCore::PixelBufferConversionView & destination, const WebCore::IntSize & destinationSize) Line 288 C++
> WebCore.dll!WebCore::convertImagePixels(const WebCore::ConstPixelBufferConversionView & source, const WebCore::PixelBufferConversionView & destination, const WebCore::IntSize & destinationSize) Line 349 C++
> WebCore.dll!WebCore::ImageBufferBackend::getPixelBuffer(const WebCore::IntRect & sourceRect, std::span<const unsigned char,18446744073709551615> sourceData, WebCore::PixelBuffer & destinationPixelBuffer) Line 132 C++
> WebKit2.dll!WebKit::ImageBufferShareableBitmapBackend::getPixelBuffer(const WebCore::IntRect & srcRect, WebCore::PixelBuffer & destination) Line 157 C++
> WebCore.dll!WebCore::ImageBuffer::getPixelBuffer(const WebCore::PixelBufferFormat & destinationFormat, const WebCore::IntRect & sourceRect, const WebCore::ImageBufferAllocator & allocator) Line 541 C++
> WebKit2.dll!WebKit::RemoteImageBufferProxy::getPixelBuffer(const WebCore::PixelBufferFormat & destinationFormat, const WebCore::IntRect & sourceRect, const WebCore::ImageBufferAllocator & allocator) Line 282 C++
> WebCore.dll!WebCore::CanvasRenderingContext2DBase::getImageData(int sx, int sy, int sw, int sh, std::optional<WebCore::ImageDataSettings> settings) Line 2598 C++
> WebCore.dll!WebCore::jsCanvasRenderingContext2DPrototypeFunction_getImageDataBody(JSC::JSGlobalObject * lexicalGlobalObject, JSC::CallFrame * callFrame, WebCore::JSCanvasRenderingContext2D * castedThis) Line 2601 C++
> WebCore.dll!WebCore::IDLOperation<WebCore::JSCanvasRenderingContext2D>::call<&WebCore::jsCanvasRenderingContext2DPrototypeFunction_getImageDataBody,0>(JSC::JSGlobalObject & lexicalGlobalObject, JSC::CallFrame & callFrame, const char * operationName) Line 63 C++
> WebCore.dll!WebCore::jsCanvasRenderingContext2DPrototypeFunction_getImageData(JSC::JSGlobalObject * lexicalGlobalObject, JSC::CallFrame * callFrame) Line 2606 C++
> 000001b6000011b8() Unknown
> 00000038cdbfcac0() Unknown
> JavaScriptCore.dll!llint_entry() C++
Fujii Hironori
Comment 1 2025-01-21 23:11:30 PST
EWS
Comment 2 2025-01-28 20:45:32 PST
Committed 289484@main (53ee544dee9b): <https://commits.webkit.org/289484@main>

Reviewed commits have been landed. Closing PR #39365 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2025-01-28 20:46:14 PST