Bug 53830 - Crashes in ShadowBlur via WebKit2 FindController
Summary: Crashes in ShadowBlur via WebKit2 FindController
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Simon Fraser (smfr)
Reported: 2011-02-04 18:15 PST by Simon Fraser (smfr)
Modified: 2011-02-04 20:59 PST

Attachments
Patch (4.12 KB, patch)
2011-02-04 20:47 PST, Simon Fraser (smfr)
mitz: review+

Description Simon Fraser (smfr) 2011-02-04 18:15:28 PST
The FindController code uses a GraphicsContext to draw shadowed boxes, which triggers a re-entrant code path in ShadowBlur.
Comment 1 Simon Fraser (smfr) 2011-02-04 18:25:04 PST
Bad stack is:

 -> WebCore::ScratchBuffer::getScratchBuffer(WebCore::IntSize const&)
 -> WebCore::ShadowBlur::drawRectShadowWithTiling(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&, WebCore::IntSize const&)
 -> WebCore::ShadowBlur::drawRectShadow(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&)
 -> WebCore::GraphicsContext::fillRect(WebCore::FloatRect const&)
 -> WebCore::ShadowBlur::drawRectShadowWithTiling(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&, WebCore::IntSize const&)
 -> WebCore::ShadowBlur::drawRectShadow(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::RoundedIntRect::Radii const&)
 -> WebCore::GraphicsContext::fillRect(WebCore::FloatRect const&)
 -> WebKit::FindController::drawRect(WebKit::PageOverlay*, WebCore::GraphicsContext&, WebCore::IntRect const&)
 -> WebKit::PageOverlay::drawRect(WebCore::GraphicsContext&, WebCore::IntRect const&)
 -> WebKit::WebPage::drawRect(WebCore::GraphicsContext&, WebCore::IntRect const&)
 -> WebKit::DrawingAreaImpl::display(WebKit::UpdateInfo&)
 -> WebKit::DrawingAreaImpl::display()
 -> RunLoop::Timer<WebKit::DrawingAreaImpl>::fired()
 -> RunLoop::TimerBase::timerFired(__CFRunLoopTimer*, void*)
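As an added illustration (not WebKit's code and not the patch in attachment 81346), the following toy model reproduces the shape of that stack: a context whose fillRect draws a shadow when shadow state is set, and a shadow routine that itself tiles the shadow with fillRect, so the naive variant re-enters without bound. The guarded variant clears the shadow state for the duration of its own tiling and restores it afterwards. All type and function names here are hypothetical.

```cpp
#include <stdexcept>

// Stand-in for a drawing context that carries shadow state.
// Hypothetical type; it is not WebKit's GraphicsContext.
struct ToyContext {
    bool hasShadow = false;
    int fills = 0;      // plain rectangle fills actually emitted
    int depth = 0;      // current nesting depth of fillRect
    int maxDepth = 0;   // deepest nesting observed
};

void fillRect(ToyContext& ctx, bool guarded);

// Draws a shadow by tiling its edges with ordinary rectangle fills.
// Naive (guarded == false): the tiles are filled while hasShadow is
// still true, so every tile fill re-enters drawRectShadow.
// Guarded: shadow state is cleared while the tiles are drawn, then restored.
void drawRectShadow(ToyContext& ctx, bool guarded) {
    const bool savedShadow = ctx.hasShadow;
    if (guarded)
        ctx.hasShadow = false;
    for (int tile = 0; tile < 4; ++tile)
        fillRect(ctx, guarded);
    ctx.hasShadow = savedShadow;
}

void fillRect(ToyContext& ctx, bool guarded) {
    if (++ctx.depth > ctx.maxDepth)
        ctx.maxDepth = ctx.depth;
    if (ctx.depth > 8) {            // stand-in for the stack exhaustion / crash
        --ctx.depth;
        throw std::runtime_error("re-entrant shadow drawing");
    }
    if (ctx.hasShadow)
        drawRectShadow(ctx, guarded);   // shadow first, then the fill itself
    ++ctx.fills;
    --ctx.depth;
}

struct DrawResult {
    int maxDepth;
    int fills;
    bool crashed;
};

// Draws one shadowed box and reports what happened.
DrawResult drawShadowedBox(bool guarded) {
    ToyContext ctx;
    ctx.hasShadow = true;
    try {
        fillRect(ctx, guarded);
    } catch (const std::runtime_error&) {
        return DrawResult{ctx.maxDepth, ctx.fills, true};
    }
    return DrawResult{ctx.maxDepth, ctx.fills, false};
}
```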
Comment 2 Simon Fraser (smfr) 2011-02-04 20:47:17 PST
Created attachment 81346 [details]
Patch
Comment 3 Simon Fraser (smfr) 2011-02-04 20:59:07 PST
http://trac.webkit.org/changeset/77729
Comment 4 Simon Fraser (smfr) 2011-02-04 20:59:40 PST
<rdar://problem/8962505>