33844 – [CHROMIUM] Crash on large TransparencyWin allocation

Bug 33844 - [CHROMIUM] Crash on large TransparencyWin allocation

Summary: [CHROMIUM] Crash on large TransparencyWin allocation

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	528+ (Nightly build)
Hardware:	PC Windows 7

Importance:	P2 Normal
Assignee:	Stephen White

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-01-19 08:10 PST by Stephen White
Modified:	2010-01-19 13:21 PST (History)
CC List:	2 users (show)

See Also:

Attachments
Fix for TransparencyWin crash (1.60 KB, patch) 2010-01-19 08:21 PST, Stephen White	no flags	Details \| Formatted Diff \| Diff
Fix for crash v.2 (added bug ID) (1.69 KB, patch) 2010-01-19 08:24 PST, Stephen White	no flags	Details \| Formatted Diff \| Diff
*Fix for crash v.3 (added correct* bug ID. (I hate Bugzilla.))** (1.69 KB, patch) 2010-01-19 08:27 PST, Stephen White	dglazkov: review+	Details \| Formatted Diff \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stephen White 2010-01-19 08:10:46 PST

When allocating the buffers in TransparencyWin for an OpaqueCompositeLayer, there are two allocations:  one for the ImageBuffer, and one for the SkBitmap OwnedBuffers::m_referenceBitmap.  If the allocation is small enough for the first one to pass, but big enough for the second one to fail, Chrome will crash in referenceCanvas.drawBitmap() in TransparencyWin::setupLayerForOpaqueCompositeLayer().

Reproduction URL:  http://www.vandaag.be 

See http://crbug.com/28851.

Comment 1 Stephen White 2010-01-19 08:21:55 PST

Created attachment 46910 [details]
Fix for TransparencyWin crash

Comment 2 Stephen White 2010-01-19 08:24:20 PST

Created attachment 46911 [details]
Fix for crash v.2 (added bug ID)

Comment 3 Stephen White 2010-01-19 08:27:33 PST

Created attachment 46912 [details]
Fix for crash v.3 (added *correct* bug ID.  (I hate Bugzilla.))

Comment 4 Brett Wilson (Google) 2010-01-19 09:33:12 PST

This looks good to me (but I'm not a WebKit reviewer).

Comment 5 Dimitri Glazkov (Google) 2010-01-19 09:54:24 PST

Comment on attachment 46912 [details]
Fix for crash v.3 (added *correct* bug ID.  (I hate Bugzilla.))

r=me.

Comment 6 Stephen White 2010-01-19 13:21:31 PST

Landed as r53480, closing bug.