Bug 52732 - [CSS Gradients] Crash due to out-of-memory with repeating-linear-gradient and latter stop positioned before former
Summary: [CSS Gradients] Crash due to out-of-memory with repeating-linear-gradient and...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Critical
Assignee: Simon Fraser (smfr)
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2011-01-19 12:24 PST by Rafał Chłodnicki
Modified: 2011-01-19 14:41 PST (History)
5 users (show)

See Also:

Attachments
Testcase (277 bytes, text/html)
2011-01-19 12:32 PST, Simon Fraser (smfr) 		no flags Details
Patch (11.70 KB, patch)
2011-01-19 13:19 PST, Simon Fraser (smfr) 		aroben: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Rafał Chłodnicki 2011-01-19 12:24:43 PST 
-webkit-repeating-linear-gradient(red, green 0)
or
-webkit-repeating-linear-gradient(red 0, green 0)
or
-webkit-repeating-linear-gradient(red 10%, green 9%)
or
-webkit-repeating-linear-gradient(red 110%, green)

freezes browser.
Comment 1 Simon Fraser (smfr) 2011-01-19 12:32:29 PST 
Created attachment 79466 [details]
Testcase
Comment 2 Simon Fraser (smfr) 2011-01-19 12:32:42 PST 
Testcase works fine on Mac.
Comment 3 Rafał Chłodnicki 2011-01-19 12:35:45 PST 
I've actually tested Chrome (10.0.634.0). Maybe it doesn't have latest fixes yet...
Comment 4 Adam Roben (:aroben) 2011-01-19 12:39:32 PST 
This crashes on Windows due to a failed allocation. Here's the backtrace:

 	JavaScriptCore.dll!WTF::fastMalloc(unsigned int n=379677936)  Line 260	C++
 	WebKit.dll!WTF::VectorBufferBase<WebCore::GradientStop>::allocateBuffer(unsigned int newCapacity=23729871)  Line 287 + 0xc bytes	C++
 	WebKit.dll!WTF::Vector<WebCore::GradientStop,0>::reserveCapacity(unsigned int newCapacity=23729871)  Line 872	C++
 	WebKit.dll!WTF::Vector<WebCore::GradientStop,0>::expandCapacity(unsigned int newMinCapacity=18983897)  Line 789	C++
 	WebKit.dll!WTF::Vector<WebCore::GradientStop,0>::expandCapacity(unsigned int newMinCapacity=18983897, const WebCore::GradientStop * ptr=0x0012e8c8)  Line 796	C++
 	WebKit.dll!WTF::Vector<WebCore::GradientStop,0>::append<WebCore::GradientStop>(const WebCore::GradientStop & val={...})  Line 967 + 0x18 bytes	C++
>	WebKit.dll!WebCore::CSSGradientValue::addStops(WebCore::Gradient * gradient=0x06eb8b38, WebCore::RenderObject * renderer=0x05c0e7bc, WebCore::RenderStyle * rootStyle=0x06917ae0, float maxLengthForRepeat=1.0000000)  Line 280	C++
 	WebKit.dll!WebCore::CSSLinearGradientValue::createGradient(WebCore::RenderObject * renderer=0x05c0e7bc, const WebCore::IntSize & size={...})  Line 532	C++
 	WebKit.dll!WebCore::CSSGradientValue::image(WebCore::RenderObject * renderer=0x05c0e7bc, const WebCore::IntSize & size={...})  Line 60 + 0x1f bytes	C++
 	WebKit.dll!WebCore::StyleGeneratedImage::image(WebCore::RenderObject * renderer=0x05c0e7bc, const WebCore::IntSize & size={...})  Line 77 + 0x1d bytes	C++
 	WebKit.dll!WebCore::RenderBoxModelObject::paintFillLayerExtended(const WebCore::PaintInfo & paintInfo={...}, const WebCore::Color & c={...}, const WebCore::FillLayer * bgLayer=0x06e37a80, int tx=8, int ty=8, int w=100, int h=100, WebCore::InlineFlowBox * box=0x00000000, WebCore::CompositeOperator op=CompositeSourceOver, WebCore::RenderObject * backgroundObject=0x00000000)  Line 695 + 0x23 bytes	C++
 	WebKit.dll!WebCore::RenderBox::paintFillLayer(const WebCore::PaintInfo & paintInfo={...}, const WebCore::Color & c={...}, const WebCore::FillLayer * fillLayer=0x06e37a80, int tx=8, int ty=8, int width=100, int height=100, WebCore::CompositeOperator op=CompositeSourceOver, WebCore::RenderObject * backgroundObject=0x00000000)  Line 943	C++
 	WebKit.dll!WebCore::RenderBox::paintFillLayers(const WebCore::PaintInfo & paintInfo={...}, const WebCore::Color & c={...}, const WebCore::FillLayer * fillLayer=0x06e37a80, int tx=8, int ty=8, int width=100, int height=100, WebCore::CompositeOperator op=CompositeSourceOver, WebCore::RenderObject * backgroundObject=0x00000000)  Line 938	C++
 	WebKit.dll!WebCore::RenderBox::paintBoxDecorationsWithSize(WebCore::PaintInfo & paintInfo={...}, int tx=8, int ty=8, int width=100, int height=100)  Line 821	C++
 	WebKit.dll!WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo & paintInfo={...}, int tx=8, int ty=8)  Line 800	C++
 	WebKit.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo={...}, int tx=8, int ty=8)  Line 2396 + 0x1e bytes	C++
 	WebKit.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo={...}, int tx=8, int ty=8)  Line 2205 + 0x1e bytes	C++
 	WebKit.dll!WebCore::RenderBlock::paintChildren(WebCore::PaintInfo & paintInfo={...}, int tx=8, int ty=8)  Line 2357 + 0x28 bytes	C++
 	WebKit.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo={...}, int tx=8, int ty=8)  Line 2317	C++
 	WebKit.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo={...}, int tx=8, int ty=8)  Line 2429	C++
 	WebKit.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo={...}, int tx=8, int ty=8)  Line 2205 + 0x1e bytes	C++
 	WebKit.dll!WebCore::RenderBlock::paintChildren(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0)  Line 2357 + 0x28 bytes	C++
 	WebKit.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0)  Line 2317	C++
 	WebKit.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0)  Line 2429	C++
 	WebKit.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0)  Line 2205 + 0x1e bytes	C++
 	WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::RenderLayer * rootLayer=0x05c3cc14, WebCore::GraphicsContext * p=0x0012fb38, const WebCore::IntRect & paintDirtyRect={...}, unsigned int paintBehavior=0, WebCore::RenderObject * paintingRoot=0x00000000, WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > * overlapTestRequests=0x0012f968, unsigned int paintFlags=0)  Line 2506 + 0x3b bytes	C++
 	WebKit.dll!WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0> * list=[1](0x023f8dd4 {m_renderer=0x067cc784 m_parent=0x05c3cc14 m_previous=0x00000000 ...}), WebCore::RenderLayer * rootLayer=0x05c3cc14, WebCore::GraphicsContext * p=0x0012fb38, const WebCore::IntRect & paintDirtyRect={...}, unsigned int paintBehavior=0, WebCore::RenderObject * paintingRoot=0x00000000, WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > * overlapTestRequests=0x0012f968, unsigned int paintFlags=0)  Line 2566	C++
 	WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::RenderLayer * rootLayer=0x05c3cc14, WebCore::GraphicsContext * p=0x0012fb38, const WebCore::IntRect & paintDirtyRect={...}, unsigned int paintBehavior=0, WebCore::RenderObject * paintingRoot=0x00000000, WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > * overlapTestRequests=0x0012f968, unsigned int paintFlags=0)  Line 2535	C++
 	WebKit.dll!WebCore::RenderLayer::paint(WebCore::GraphicsContext * p=0x0012fb38, const WebCore::IntRect & damageRect={...}, unsigned int paintBehavior=0, WebCore::RenderObject * paintingRoot=0x00000000)  Line 2318	C++
 	WebKit.dll!WebCore::FrameView::paintContents(WebCore::GraphicsContext * p=0x0012fb38, const WebCore::IntRect & rect={...})  Line 2186	C++
 	WebKit.dll!WebCore::ScrollView::paint(WebCore::GraphicsContext * context=0x0012fb38, const WebCore::IntRect & rect={...})  Line 895 + 0x1a bytes	C++

At the point when we crashed, the stops Vector in CSSGradientValue::addStops had 19 million items.
Comment 5 Adam Roben (:aroben) 2011-01-19 12:44:09 PST 
When we enter this bit of code:

        // Work forwards from the end, adding stops until we get one after 1.
        float lastOffset = stops[stops.size() - 1].offset;
        if (lastOffset < maxExtent) {
            float currOffset = lastOffset;
            size_t srcStopOrdinal = 0;

            while (true) {
                GradientStop newStop = stops[srcStopOrdinal];
                newStop.offset = currOffset;
                stops.append(newStop);
                if (currOffset > maxExtent)
                    break;
                if (srcStopOrdinal < originalNumStops - 1)
                    currOffset += stops[originalFirstStopIndex + srcStopOrdinal + 1].offset - stops[originalFirstStopIndex + srcStopOrdinal].offset;
                srcStopOrdinal = (srcStopOrdinal + 1) % originalNumStops;
            }
        }

stops has two items, both of which have offset 0. maxExtent is 1. So we basically keep doing 0 += 0, and then if (0 > 1) break;
Comment 6 Simon Fraser (smfr) 2011-01-19 12:46:38 PST 
<rdar://problem/8886781>
Comment 7 Simon Fraser (smfr) 2011-01-19 13:19:06 PST 
Created attachment 79472 [details]
Patch
Comment 8 Adam Roben (:aroben) 2011-01-19 13:21:09 PST 
Comment on attachment 79472 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=79472&action=review

> Source/WebCore/css/CSSGradientValue.cpp:240
> +        float gradientRange = stops[numStops - 1].offset - stops[0].offset;
> +        if (!gradientRange) {
> +            stops[0].offset = 0;
> +            stops[0].color = stops[numStops - 1].color;
> +            stops.shrink(1);
> +            numStops = 1;

I think using .first() and .last() would be clearer than [0] and [numStops - 1].
Comment 9 Simon Fraser (smfr) 2011-01-19 13:29:14 PST 
http://trac.webkit.org/changeset/76154
Comment 10 WebKit Review Bot 2011-01-19 14:41:01 PST 
http://trac.webkit.org/changeset/76154 might have broken GTK Linux 32-bit Release
The following tests are not passing:
fast/forms/input-text-scroll-left-on-blur.html
fast/forms/plaintext-mode-2.html