Bug 42081 - [CAIRO]GtkLauncher crashes when loading LayoutTest text-shadow-extreme-value.html
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on: 40793
Blocks:
Reported: 2010-07-12 08:21 PDT by Mihnea Ovidenie
Modified: 2011-01-20 13:12 PST
CC: 3 users

See Also:


Attachments

Description Mihnea Ovidenie 2010-07-12 08:21:45 PDT
Hi,

When loading WebKit LayoutTest/fast/text/text-shadow-extreme-value.html, GtkLauncher crashes. The same LayoutTest crashes the WinCairo build too.

Here is the stack trace, caught in gdb:

ASSERTION FAILED: m_ptr
(../../JavaScriptCore/wtf/OwnPtr.h:66 typename WTF::RemovePointer<T>::Type* WTF::OwnPtr<T>::operator->() const [with T = WebCore::ImageBuffer])

Program received signal SIGSEGV, Segmentation fault.

#0  0x005fc9a6 in WTF::OwnPtr<WebCore::ImageBuffer>::operator-> (this=0x8587de4) at ../../JavaScriptCore/wtf/OwnPtr.h:66
#1  0x00a66d00 in WebCore::FilterEffect::getEffectContext (this=0x8587d98)
    at ../../WebCore/platform/graphics/filters/FilterEffect.cpp:77
#2  0x00a66060 in WebCore::FEGaussianBlur::apply (this=0x8587d98, filter=0x856ce68)
    at ../../WebCore/platform/graphics/filters/FEGaussianBlur.cpp:108
#3  0x00b8f4b9 in WebCore::GraphicsContext::createPlatformShadow (this=0xbfffeb18, buffer=..., shadowColor=..., shadowRect=..., 
    kernelSize=1000) at ../../WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:912
#4  0x00b8bd26 in WebCore::Font::drawGlyphs (this=0x85777f8, context=0xbfffeb18, font=0x8592c28, glyphBuffer=..., from=0, 
    numGlyphs=49, point=...) at ../../WebCore/platform/graphics/cairo/FontCairo.cpp:116
#5  0x00807afa in WebCore::Font::drawGlyphBuffer (this=0x85777f8, context=0xbfffeb18, glyphBuffer=..., point=...)
    at ../../WebCore/platform/graphics/FontFastPath.cpp:241
#6  0x00807931 in WebCore::Font::drawSimpleText (this=0x85777f8, context=0xbfffeb18, run=..., point=..., from=0, to=49)
    at ../../WebCore/platform/graphics/FontFastPath.cpp:214
#7  0x007f995d in WebCore::Font::drawText (this=0x85777f8, context=0xbfffeb18, run=..., point=..., from=0, to=49)
    at ../../WebCore/platform/graphics/Font.cpp:153
#8  0x00812ee1 in WebCore::GraphicsContext::drawText (this=0xbfffeb18, font=..., run=..., point=..., from=0, to=49)
    at ../../WebCore/platform/graphics/GraphicsContext.cpp:337
#9  0x00882af2 in paintTextWithShadows (context=0xbfffeb18, font=..., textRun=..., startOffset=0, endOffset=49, truncationPoint=49, 
    textOrigin=..., x=8, y=8, w=405, h=19, shadow=0x85902e0, stroked=false) at ../../WebCore/rendering/InlineTextBox.cpp:338
#10 0x008839cc in WebCore::InlineTextBox::paint (this=0x8529bcc, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/InlineTextBox.cpp:528
#11 0x0087b96b in WebCore::InlineFlowBox::paint (this=0x855c63c, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/InlineFlowBox.cpp:695
#12 0x0096e252 in WebCore::RootInlineBox::paint (this=0x855c63c, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/RootInlineBox.cpp:166
#13 0x00910862 in WebCore::RenderLineBoxList::paint (this=0x81dee50, renderer=0x81dede4, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/RenderLineBoxList.cpp:219
#14 0x00891e03 in WebCore::RenderBlock::paintContents (this=0x81dede4, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/RenderBlock.cpp:2089
#15 0x0089258d in WebCore::RenderBlock::paintObject (this=0x81dede4, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/RenderBlock.cpp:2184
#16 0x008916af in WebCore::RenderBlock::paint (this=0x81dede4, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/RenderBlock.cpp:1980
#17 0x008920db in WebCore::RenderBlock::paintChildren (this=0x8543974, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/RenderBlock.cpp:2117
#18 0x00891e25 in WebCore::RenderBlock::paintContents (this=0x8543974, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/RenderBlock.cpp:2091
#19 0x0089258d in WebCore::RenderBlock::paintObject (this=0x8543974, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/RenderBlock.cpp:2184
#20 0x008916af in WebCore::RenderBlock::paint (this=0x8543974, paintInfo=..., tx=8, ty=8)
    at ../../WebCore/rendering/RenderBlock.cpp:1980
#21 0x008920db in WebCore::RenderBlock::paintChildren (this=0x854466c, paintInfo=..., tx=0, ty=0)
    at ../../WebCore/rendering/RenderBlock.cpp:2117
#22 0x00891e25 in WebCore::RenderBlock::paintContents (this=0x854466c, paintInfo=..., tx=0, ty=0)
    at ../../WebCore/rendering/RenderBlock.cpp:2091
#23 0x0089258d in WebCore::RenderBlock::paintObject (this=0x854466c, paintInfo=..., tx=0, ty=0)
    at ../../WebCore/rendering/RenderBlock.cpp:2184
#24 0x008916af in WebCore::RenderBlock::paint (this=0x854466c, paintInfo=..., tx=0, ty=0)
    at ../../WebCore/rendering/RenderBlock.cpp:1980
#25 0x0090499e in WebCore::RenderLayer::paintLayer (this=0x81da53c, rootLayer=0x81fb6f4, p=0xbfffeb18, paintDirtyRect=..., 
    paintBehavior=0, paintingRoot=0x0, overlapTestRequests=0xbfffe95c, paintFlags=0) at ../../WebCore/rendering/RenderLayer.cpp:2446
#26 0x00904d4d in WebCore::RenderLayer::paintList (this=0x81fb6f4, list=0x80c51d0, rootLayer=0x81fb6f4, p=0xbfffeb18, 
    paintDirtyRect=..., paintBehavior=0, paintingRoot=0x0, overlapTestRequests=0xbfffe95c, paintFlags=0)
    at ../../WebCore/rendering/RenderLayer.cpp:2499
#27 0x00904b5e in WebCore::RenderLayer::paintLayer (this=0x81fb6f4, rootLayer=0x81fb6f4, p=0xbfffeb18, paintDirtyRect=..., 
    paintBehavior=0, paintingRoot=0x0, overlapTestRequests=0xbfffe95c, paintFlags=0) at ../../WebCore/rendering/RenderLayer.cpp:2467
#28 0x00903e92 in WebCore::RenderLayer::paint (this=0x81fb6f4, p=0xbfffeb18, damageRect=..., paintBehavior=0, paintingRoot=0x0)
    at ../../WebCore/rendering/RenderLayer.cpp:2252
#29 0x0077e001 in WebCore::FrameView::paintContents (this=0x8178a00, p=0xbfffeb18, rect=...) at ../../WebCore/page/FrameView.cpp:1941
#30 0x007e78f4 in WebCore::ScrollView::paint (this=0x8178a00, context=0xbfffeb18, rect=...)
    at ../../WebCore/platform/ScrollView.cpp:797
#31 0x00c0d162 in webkit_web_view_expose_event (widget=0x812d808, event=0xbfffef88) at ../../WebKit/gtk/webkit/webkitwebview.cpp:539
#32 0x01fc62f4 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#33 0x025928b9 in ?? () from /usr/lib/libgobject-2.0.so.0
#34 0x02594252 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#35 0x025a85e6 in ?? () from /usr/lib/libgobject-2.0.so.0
#36 0x025a9c33 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#37 0x025aa256 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#38 0x020f3306 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#39 0x01fbffeb in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#40 0x0229980b in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#41 0x022997ba in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#42 0x022c2964 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#43 0x02295f63 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#44 0x02297f7f in gdk_window_process_all_updates () from /usr/lib/libgdk-x11-2.0.so.0
#45 0x01f356df in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#46 0x02274318 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#47 0x02610661 in ?? () from /lib/libglib-2.0.so.0
#48 0x026125e5 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#49 0x026162d8 in ?? () from /lib/libglib-2.0.so.0
#50 0x02616817 in g_main_loop_run () from /lib/libglib-2.0.so.0
#51 0x01fc0299 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#52 0x0804a093 in main (argc=1, argv=0xbffff494) at ../../WebKitTools/GtkLauncher/main.c:224

Regards,
Mihnea
Comment 1 Mihnea Ovidenie 2010-07-12 08:31:55 PDT
Debugging a little, I have found that the allocation of m_effectBuffer in FilterEffect::getEffectContext() fails. At first I thought that the fix for the problem is to add a null check in this function, but then I realized that the problem appears because in the function GraphicsContext::calculateShadowBufferDimensions the kernel size is not limited at all. The LayoutTest uses a blurRadius = 38005685px, which gives a very big kernel that is not limited to 1000 as in GraphicsContext::createPlatformShadow (both from GraphicsContextCairo.cpp).

* I think the fix should be to limit the kernel size in calculateShadowBufferDimensions the same way it is done in createPlatformShadow

* Taking a look at GraphicsContext::setPlatformShadow() from GraphicsContextCG.cpp, I can see that the blurRadius is clamped to 1000, not the kernel, which in the case of the Cairo port (Win/Gtk) is computed to be sqrt(2*blurRadius). Am I missing something here?

Regards,
Mihnea Ovidenie
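To make the sizing problem in comment 1 concrete, here is an added C++ model of the path it describes. It is not WebKit's code. It assumes kernelSize = sqrt(2 * blurRadius) with the 1000 clamp the comment mentions, one kernel width of padding on each side of the source rect, a 32-bit ARGB backing store, and an assumed 256 MiB allocator limit standing in for ImageBuffer::create() returning null; the names shadowBufferDimensions, drawShadow and ShadowResult are illustrative. The 405x19 rect comes from frame #9 of the trace above.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Added example, not WebKit's code. Models the sizing path comment 1 describes:
// the Cairo port derives kernelSize = sqrt(2 * blurRadius); createPlatformShadow
// clamps it to 1000, but calculateShadowBufferDimensions (which sizes the
// intermediate ImageBuffer) does not. Padding, allocator limit and all names
// below are assumptions chosen for illustration.

constexpr int kKernelClamp = 1000;                      // clamp createPlatformShadow applies
constexpr int64_t kMaxBackingStoreBytes = 256LL << 20;  // assumed allocator limit (256 MiB)

// Kernel size as described in the comment, optionally clamped.
int kernelSize(double blurRadius, bool clamp)
{
    int k = static_cast<int>(std::sqrt(2.0 * blurRadius));
    return (clamp && k > kKernelClamp) ? kKernelClamp : k;
}

struct BufferDims { int64_t width; int64_t height; };

// The blur buffer must cover the source rect plus one kernel width on each
// side (assumed padding). Computed in 64-bit so the oversized case cannot wrap.
BufferDims shadowBufferDimensions(int rectW, int rectH, double blurRadius, bool clamp)
{
    int64_t pad = 2LL * kernelSize(blurRadius, clamp);
    return { rectW + pad, rectH + pad };
}

// Bytes of 32-bit ARGB backing store for the buffer.
int64_t backingStoreBytes(BufferDims d) { return d.width * d.height * 4; }

// Stand-in for ImageBuffer: create() returns null on an unreasonable request,
// which is what left m_ptr null in the OwnPtr<ImageBuffer> assertion above.
struct ImageBuffer {
    BufferDims dims;
    std::vector<uint8_t> pixels;

    static std::unique_ptr<ImageBuffer> create(BufferDims d)
    {
        int64_t bytes = backingStoreBytes(d);
        if (d.width <= 0 || d.height <= 0 || d.width > INT32_MAX || d.height > INT32_MAX
            || bytes > kMaxBackingStoreBytes)
            return nullptr;                 // allocation refused, caller must check
        std::unique_ptr<ImageBuffer> b(new ImageBuffer);
        b->dims = d;
        b->pixels.assign(static_cast<size_t>(bytes), 0);
        return b;
    }
};

enum class ShadowResult { Drawn, BufferTooLarge };

// Hardened draw path: the buffer is sized with the kernel clamped, and a null
// ImageBuffer is handled instead of dereferenced. The crash in this bug is the
// clamp == false sizing followed by an unchecked m_effectBuffer->context().
ShadowResult drawShadow(int rectW, int rectH, double blurRadius, bool clamp)
{
    std::unique_ptr<ImageBuffer> effectBuffer =
        ImageBuffer::create(shadowBufferDimensions(rectW, rectH, blurRadius, clamp));
    if (!effectBuffer)                      // the null check comment 1 first considered
        return ShadowResult::BufferTooLarge;
    // ... blur effectBuffer->pixels and composite it here ...
    return ShadowResult::Drawn;
}

int main()
{
    const double extremeRadius = 38005685;  // value from text-shadow-extreme-value.html
    for (bool clamp : { false, true }) {
        BufferDims d = shadowBufferDimensions(405, 19, extremeRadius, clamp);
        std::printf("clamp=%d kernel=%d buffer=%lldx%lld bytes=%lld -> %s\n",
                    clamp, kernelSize(extremeRadius, clamp),
                    (long long)d.width, (long long)d.height,
                    (long long)backingStoreBytes(d),
                    drawShadow(405, 19, extremeRadius, clamp) == ShadowResult::Drawn
                        ? "drawn" : "buffer too large, shadow skipped");
    }
    return 0;
}
```

Build with `g++ -std=c++11 shadow_model.cpp`. With the unclamped kernel of 8718 the 405x19 text run needs a 17841x17455 surface, about 1.2 GB for a single shadow in what the trace shows is a 32-bit process; with the kernel clamped to 1000 the same run needs about 19 MB. The two lines of defence are independent: bounding the attacker-influenced size (the clamp, or the blur-radius limit comment 2 points to) keeps the allocation reasonable, and checking the allocation result turns any remaining failure into a skipped shadow rather than a null dereference.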
Comment 2 Martin Robinson 2010-09-15 20:04:00 PDT
Soon the blur radius will be limited to 128, similar to other ports. See this bug: https://bugs.webkit.org/show_bug.cgi?id=45599
Comment 3 Alejandro G. Castro 2011-01-20 13:12:25 PST
The shadows code has changed completely, I've tested it and it does not crash anymore. Feel free to reopen if I missed something.