WebKit Bugzilla
Bug 48707: [Qt][WK2] Crash in drawUpdateChunkIntoBackingStore
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=48707
Reported by Andreas Kling, 2010-10-29 19:37:03 PDT
UpdateChunk images should be created using the QImage constructor that takes a bytesPerLine value, or the data length won't match UpdateChunk::size(). Crashiness is easily reproduced by manually resizing MiniBrowser.
Attachments
Proposed patch (1.25 KB, patch), 2010-10-29 19:37 PDT, Andreas Kling, no flags
Andreas Kling
Comment 1
2010-10-29 19:37:47 PDT
Created attachment 72429 [details]: Proposed patch
Andreas Kling
Comment 2
2010-10-29 19:40:12 PDT
Valgrind stack from such a crash (Invalid read of size 1):
memcpy (mc_replace_strmem.c:497)
qt_blend_rgb32_on_rgb32(unsigned char*, int, unsigned char const*, int, int, int, int) (string3.h:52)
QRasterPaintEngine::drawImage(QPointF const&, QImage const&) (qpaintengine_raster.cpp:2490)
QPainter::drawImage(QPointF const&, QImage const&) (qpainter.cpp:5618)
WebKit::ChunkedUpdateDrawingAreaProxy::drawUpdateChunkIntoBackingStore(WebKit::UpdateChunk*) (qpainter.h:923)
WebKit::ChunkedUpdateDrawingAreaProxy::didSetSize(WebKit::UpdateChunk*) (ChunkedUpdateDrawingAreaProxy.cpp:130)
WebKit::ChunkedUpdateDrawingAreaProxy::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::ArgumentDecoder*) (ChunkedUpdateDrawingAreaProxy.cpp:168)
WebKit::ChunkedUpdateDrawingAreaProxy::paint(WebCore::IntRect const&, QPainter*) (ChunkedUpdateDrawingAreaProxy.cpp:70)
QWKPagePrivate::paint(QPainter*, QRect) (qwkpage.cpp:149)
_q_paintItem(QGraphicsItem*, QPainter*, QStyleOptionGraphicsItem const*, QWidget*, bool, bool) (qgraphicsscene.cpp:4314)
QGraphicsScenePrivate::drawItemHelper(QGraphicsItem*, QPainter*, QStyleOptionGraphicsItem const*, QWidget*, bool) (qgraphicsscene.cpp:4427)
QGraphicsScenePrivate::draw(QGraphicsItem*, QPainter*, QTransform const*, QTransform const*, QRegion*, QWidget*, double, QTransform const*, bool, bool) (qgraphicsscene.cpp:4962)
QGraphicsScenePrivate::drawSubtreeRecursive(QGraphicsItem*, QPainter*, QTransform const*, QRegion*, QWidget*, double, QTransform const*) (qgraphicsscene.cpp:4853)
QGraphicsScenePrivate::drawItems(QPainter*, QTransform const*, QRegion*, QWidget*) (qgraphicsscene.cpp:4735)
QGraphicsView::paintEvent(QPaintEvent*) (qgraphicsview.cpp:3472)
QWidget::event(QEvent*) (qwidget.cpp:8407)
QFrame::event(QEvent*) (qframe.cpp:557)
QGraphicsView::viewportEvent(QEvent*) (qgraphicsview.cpp:2867)
QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (qcoreapplication.cpp:870)
QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4443)
QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4326)
QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:760)
QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) (qcoreapplication.h:234)
QWidgetBackingStore::sync() (qbackingstore.cpp:1325)
QWidgetPrivate::syncBackingStore() (qwidget.cpp:1842)
QWidget::event(QEvent*) (qwidget.cpp:8554)
QMainWindow::event(QEvent*) (qmainwindow.cpp:1480)
QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4447)
QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4326)
QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:760)
QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.h:231)
QGraphicsScenePrivate::_q_processDirtyItems() (qgraphicsview_p.h:200)
QGraphicsScene::qt_metacall(QMetaObject::Call, int, void**) (moc_qgraphicsscene.cpp:130)
QObject::event(QEvent*) (qobject.cpp:1192)
QGraphicsScene::event(QEvent*) (qgraphicsscene.cpp:3545)
QApplicationPrivate::notify_helper(QObject*, QEvent*) (qapplication.cpp:4447)
QApplication::notify(QObject*, QEvent*) (qapplication.cpp:4326)
QCoreApplication::notifyInternal(QObject*, QEvent*) (qcoreapplication.cpp:760)
QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.h:231)
postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qcoreapplication.h:236)
g_main_context_dispatch (in /lib/libglib-2.0.so.0.2600.0)
??? (in /lib/libglib-2.0.so.0.2600.0)
g_main_context_iteration (in /lib/libglib-2.0.so.0.2600.0)
QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:417)
QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qguieventdispatcher_glib.cpp:204)
QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:149)
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:201)
QCoreApplication::exec() (qcoreapplication.cpp:1032)
main (main.cpp:53)
Kenneth Rohde Christiansen
Comment 3
2010-10-30 00:53:36 PDT
Comment on attachment 72429 [details]: Proposed patch
What size does it get by default?
Andreas Kling
Comment 4
2010-10-30 04:20:27 PDT
(In reply to comment #3)
> What size does it get by default?
It would allocate width * height * 4 bytes (UpdateChunk::size() returns this), but the default QImage ctor will prefer making every scanline 32-bit aligned.
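An added example, not WebKit or Qt code, modelling the mismatch described above: a chunk sized width * height * bytesPerPixel on the producer side versus an image wrapper that, given no bytesPerLine, derives its own scanline stride padded to a 32-bit boundary, plus the bounds check a wrapper should perform before a painter reads the buffer. Qt is not used; alignedStride, packedStride, strideFitsBuffer, wrapChunk and ImageView are assumed names, and the example generalises beyond this bug to any pixel depth at which padding changes the stride.

```cpp
// Example code (not WebKit's or Qt's). It models an image wrapper that is
// handed a raw chunk buffer and must not read past its end when the stride
// it assumes differs from the stride the producer used.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Stride a Qt-style constructor derives when no bytesPerLine is given:
// each scanline rounded up to a multiple of 4 bytes (32-bit aligned).
std::size_t alignedStride(int width, int bitsPerPixel)
{
    return ((static_cast<std::size_t>(width) * bitsPerPixel + 31) / 32) * 4;
}

// Stride of a tightly packed chunk, the layout that a size computed as
// width * height * bytesPerPixel implicitly assumes.
std::size_t packedStride(int width, int bitsPerPixel)
{
    return static_cast<std::size_t>(width) * bitsPerPixel / 8;
}

// True when reading `height` scanlines of `stride` bytes stays inside a
// buffer of `bufferLength` bytes. This is the check that was missing when
// the painter in the Valgrind trace read one byte past the chunk.
bool strideFitsBuffer(std::size_t stride, int height, std::size_t bufferLength)
{
    return stride * static_cast<std::size_t>(height) <= bufferLength;
}

// Non-owning view over a chunk buffer (hypothetical type for this example).
struct ImageView {
    const uint8_t* data;
    int width;
    int height;
    std::size_t stride;
};

// Wrap a chunk with an explicit stride, refusing the wrap when that stride
// would make a painter run off the end of the buffer.
ImageView wrapChunk(const std::vector<uint8_t>& chunk, int width, int height,
                    std::size_t stride)
{
    if (!strideFitsBuffer(stride, height, chunk.size()))
        throw std::out_of_range("stride * height exceeds chunk length");
    return ImageView{chunk.data(), width, height, stride};
}
```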
Andreas Kling
Comment 5
2010-10-30 07:50:03 PDT
Comment on attachment 72429 [details]: Proposed patch
Clearing flags on attachment: 72429
Committed r70981: <http://trac.webkit.org/changeset/70981>
Andreas Kling
Comment 6
2010-10-30 07:50:12 PDT
All reviewed patches have been landed. Closing bug.