Bug 65420 - WebKit2 crashes on attempt to decode null image
Summary: WebKit2 crashes on attempt to decode null image
Status: RESOLVED DUPLICATE of bug 64802
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 64321
Reported: 2011-07-30 16:54 PDT by Oleg Romashin (:romaxa)
Modified: 2011-07-31 20:21 PDT

See Also:


Attachments
Fix crash on attempt to decode null image (1.12 KB, patch)
2011-07-30 22:46 PDT, Oleg Romashin (:romaxa)
darin: review-
Fix crash on attempt to decode null image v2 (1.21 KB, patch)
2011-07-30 23:07 PDT, Oleg Romashin (:romaxa)
darin: review-

Description Oleg Romashin (:romaxa) 2011-07-30 16:54:43 PDT
I'm using Qt WebKit2 build http://svn.webkit.org/repository/webkit/trunk@91765 (before Qt5 changes)
open maps.google.com
try to scroll google maps content
Result: crash

Crash started happening after bug 64321 was fixed.

#0  0xb55e880d in WebKit::ShareableBitmap::createQImage (this=0x0)
    at ../../../Source/WebKit2/Shared/qt/ShareableBitmapQt.cpp:42
#1  0xb55e89c1 in WebKit::ShareableBitmap::createGraphicsContext (this=0x0)
    at ../../../Source/WebKit2/Shared/qt/ShareableBitmapQt.cpp:56
#2  0xb55d0692 in CoreIPC::encodeImage (encoder=0xacc28758, image=0x9786a58)
    at ../../../Source/WebKit2/Shared/WebCoreArgumentCoders.cpp:294
#3  0xb55d0927 in CoreIPC::ArgumentCoder<WebCore::Cursor>::encode (
    encoder=0xacc28758, cursor=...)
    at ../../../Source/WebKit2/Shared/WebCoreArgumentCoders.cpp:324
#4  0xb563a720 in CoreIPC::ArgumentEncoder::encode<WebCore::Cursor> (
    this=0xacc28758, t=...)
    at ../../../Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.h:66
#5  0xb563a634 in CoreIPC::Arguments1<WebCore::Cursor const&>::encode (
    this=0xbfd4bf9c, encoder=0xacc28758)
    at ../../../Source/WebKit2/Platform/CoreIPC/Arguments.h:72
#6  0xb563a3b5 in CoreIPC::ArgumentCoder<Messages::WebPageProxy::SetCursor>::encode (encoder=0xacc28758, t=...)
    at ../../../Source/WebKit2/Platform/CoreIPC/ArgumentCoder.h:39
#7  0xb5639ed6 in CoreIPC::ArgumentEncoder::encode<Messages::WebPageProxy::SetCursor> (this=0xacc28758, t=...)
    at ../../../Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.h:66
#8  0xb5638fe8 in CoreIPC::MessageSender<WebKit::WebPage>::send<Messages::WebPageProxy::SetCursor> (this=0xb0c00b10, message=..., destinationID=1)
    at ../../../Source/WebKit2/Platform/CoreIPC/MessageSender.h:44
#9  0xb56378f7 in CoreIPC::MessageSender<WebKit::WebPage>::send<Messages::WebPageProxy::SetCursor> (this=0xb0c00b10, message=...)
    at ../../../Source/WebKit2/Platform/CoreIPC/MessageSender.h:38
#10 0xb56352d3 in WebKit::WebChromeClient::setCursor (this=0xb0c00488, 
    cursor=...)
    at ../../../Source/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.cpp:648
#11 0xb5b0f9b7 in WebCore::Chrome::setCursor (this=0xb0c00fb8, cursor=...)
    at ../../../Source/WebCore/page/Chrome.cpp:487
#12 0xb5dd9d99 in QXmlStreamAttribute::namespaceUri (this=0xbfd4c0a0)
    at /usr/include/qt4/QtCore/qxmlstream.h:148
#13 0xb5b3862f in WebCore::EventHandler::handleMouseReleaseEvent (
    this=0x9668f44, mouseEvent=...)
    at ../../../Source/WebCore/page/EventHandler.cpp:1718
#14 0xb5b37e87 in WebCore::EventHandler::handleMouseMoveEvent (this=0x9668f44, 
    mouseEvent=..., hoveredNode=0xbfd4c178)
    at ../../../Source/WebCore/page/EventHandler.cpp:1636
#15 0xb5578f14 in WebKit::handleMouseEvent (mouseEvent=..., page=0xb0c00f00)
    at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1053
#16 0xb5579034 in WebKit::WebPage::mouseEvent (this=0xb0c00b10, mouseEvent=...)
    at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1079
#17 0xb559f779 in CoreIPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), WebKit::WebMouseEvent> (args=..., 
    object=0xb0c00b10, function=
    (void (WebKit::WebPage::*)(WebKit::WebPage *, const WebKit::WebMouseEvent &)) 0xb5578f60 <WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&)>)
    at ../../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:19
#18 0xb559d553 in CoreIPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)> (
    argumentDecoder=0x9a18628, object=0xb0c00b10, function=
    (void (WebKit::WebPage::*)(WebKit::WebPage *, const WebKit::WebMouseEvent &)) 0xb5578f60 <WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&)>)
    at ../../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:277
#19 0xb559be44 in WebKit::WebPage::didReceiveWebPageMessage (this=0xb0c00b10, 
    messageID=..., arguments=0x9a18628)
    at generated/WebPageMessageReceiver.cpp:104
#20 0xb557d00f in WebKit::WebPage::didReceiveMessage (this=0xb0c00b10, 
    connection=0x963a528, messageID=..., arguments=0x9a18628)
    at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:2086
#21 0xb558950b in WebKit::WebProcess::didReceiveMessage (this=0x963a190, 
    connection=0x963a528, messageID=..., arguments=0x9a18628)
    at ../../../Source/WebKit2/WebProcess/WebProcess.cpp:641
#22 0xb55b80bc in CoreIPC::Connection::dispatchMessage (this=0x963a528, 
    message=...) at ../../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:677
#23 0xb55b8265 in CoreIPC::Connection::dispatchMessages (this=0x963a528)
    at ../../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:704
#24 0xb55c0a21 in MemberFunctionWorkItem0<CoreIPC::Connection>::execute (
    this=0x99f6c10) at ../../../Source/WebKit2/Platform/WorkItem.h:79
#25 0xb54be18d in RunLoop::performWork (this=0x9638048)
    at ../../../Source/WebKit2/Platform/RunLoop.cpp:63
#26 0xb54bf164 in RunLoop::TimerObject::performWork (this=0x9525840)
    at ../../../Source/WebKit2/Platform/qt/RunLoopQt.cpp:49
#27 0xb54bfc16 in RunLoop::TimerObject::qt_metacall (this=0x9525840, 
    _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x98f49d8)
    at ./RunLoopQt.moc:71
#28 0xb2a36e4d in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) () from /usr/lib/libQtCore.so.4
#29 0xb2a41795 in QMetaCallEvent::placeMetaCall(QObject*) ()
   from /usr/lib/libQtCore.so.4
#30 0xb2a48caf in QObject::event(QEvent*) () from /usr/lib/libQtCore.so.4
#31 0xb2e090a4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/libQtGui.so.4
#32 0xb2e0e432 in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/libQtGui.so.4
#33 0xb2a30a9e in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/libQtCore.so.4
#34 0xb2a34264 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/libQtCore.so.4
Comment 1 Oleg Romashin (:romaxa) 2011-07-30 22:46:01 PDT
Created attachment 102452 [details]
Fix crash on attempt to decode null image
Comment 2 Oleg Romashin (:romaxa) 2011-07-30 23:07:40 PDT
Created attachment 102455 [details]
Fix crash on attempt to decode null image v2

another version suggested in https://bugs.webkit.org/show_bug.cgi?id=64321#c6
Comment 3 Darin Adler 2011-07-30 23:08:42 PDT
Comment on attachment 102452 [details]
Fix crash on attempt to decode null image

This change is incorrect. While this will not crash, it will create an encoded argument that will not decode properly on the receiving end. The decode function will decode the cursor type, see that it is Custom, then call decodeImage. But decodeImage will read the data of the next thing encoded in the stream, and the decode process will then fail because we’ll be off by at least one byte.

The correct way to change this is to make the null image encode in a way that can be decoded on the other end. One way this could be accomplished would be to encode a boolean to indicate whether an image is present before encoding the image and then decode that boolean in the cursor decode function. If the boolean says the image is null the decoder knows not to try to decode the image. If the boolean says the image is non-null then it knows it must decode the image.
Comment 4 Darin Adler 2011-07-30 23:09:52 PDT
Comment on attachment 102455 [details]
Fix crash on attempt to decode null image v2

This is wrong for the same reason the other one is. Encoding no bytes at all does not work on the decoding side. The decodeImage function has no way to know that the image was null, and so will attempt to decode the image, and thus the decoding process will be off.
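The decoding problem Darin describes in comments 3 and 4, worked through as an added example that is not part of this bug or of WebKit's own code. The `Encoder`/`Decoder` pair is an assumed toy little-endian byte stream, not CoreIPC's real `ArgumentEncoder`/`ArgumentDecoder`, and `Cursor`/`Image` are constructed stand-ins for `WebCore::Cursor` and the bitmap it carries. `encodeCursorSkippingNull` mirrors what the two rejected patches do (write nothing for a null image); `encodeCursorWithFlag` implements the presence-boolean approach suggested in comment 3. Each cursor is followed by one more field so the stream shows whether the decoder lands on the right bytes afterwards.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Constructed stand-ins for WebCore::Cursor and the image a Custom cursor carries.
struct Image { std::vector<uint8_t> pixels; };
enum class CursorType : uint8_t { Pointer = 0, Custom = 1 };
struct Cursor {
    CursorType type = CursorType::Pointer;
    std::optional<Image> image; // may be absent even when type == Custom (the crashing case)
};

// Assumed toy little-endian encoder; not CoreIPC's ArgumentEncoder.
struct Encoder {
    std::vector<uint8_t> bytes;
    void u8(uint8_t v) { bytes.push_back(v); }
    void u32(uint32_t v) { for (int i = 0; i < 4; ++i) u8(static_cast<uint8_t>(v >> (8 * i))); }
    void boolean(bool b) { u8(b ? 1 : 0); }
    void blob(const std::vector<uint8_t>& b) { // length-prefixed byte string
        u32(static_cast<uint32_t>(b.size()));
        bytes.insert(bytes.end(), b.begin(), b.end());
    }
};

// Matching decoder; every read is bounds-checked and fails instead of reading past the end.
struct Decoder {
    const std::vector<uint8_t>& bytes;
    size_t pos = 0;
    bool u8(uint8_t& v) { if (pos >= bytes.size()) return false; v = bytes[pos++]; return true; }
    bool u32(uint32_t& v) {
        if (bytes.size() - pos < 4) return false;
        v = 0;
        for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(bytes[pos++]) << (8 * i);
        return true;
    }
    bool boolean(bool& b) { uint8_t v; if (!u8(v) || v > 1) return false; b = (v == 1); return true; }
    bool blob(std::vector<uint8_t>& out) {
        uint32_t n;
        if (!u32(n) || n > bytes.size() - pos) return false; // length must fit in what remains
        out.assign(bytes.begin() + pos, bytes.begin() + pos + n);
        pos += n;
        return true;
    }
};

// "Before" (what the rejected patches do): a null image is simply not written.
static void encodeCursorSkippingNull(Encoder& e, const Cursor& c) {
    e.u8(static_cast<uint8_t>(c.type));
    if (c.type == CursorType::Custom && c.image) e.blob(c.image->pixels);
}
static bool decodeCursorSkippingNull(Decoder& d, Cursor& c) {
    uint8_t t;
    if (!d.u8(t) || t > 1) return false;
    c.type = static_cast<CursorType>(t);
    c.image.reset();
    if (c.type == CursorType::Custom) { // decoder cannot know the image was null, so it
        Image img;                      // consumes whatever field comes next as the image
        if (!d.blob(img.pixels)) return false;
        c.image = img;
    }
    return true;
}

// "After" (comment 3's suggestion): a presence flag precedes the image.
static void encodeCursorWithFlag(Encoder& e, const Cursor& c) {
    e.u8(static_cast<uint8_t>(c.type));
    if (c.type == CursorType::Custom) {
        e.boolean(c.image.has_value());
        if (c.image) e.blob(c.image->pixels);
    }
}
static bool decodeCursorWithFlag(Decoder& d, Cursor& c) {
    uint8_t t;
    if (!d.u8(t) || t > 1) return false;
    c.type = static_cast<CursorType>(t);
    c.image.reset();
    if (c.type == CursorType::Custom) {
        bool present;
        if (!d.boolean(present)) return false;
        if (present) { Image img; if (!d.blob(img.pixels)) return false; c.image = img; }
    }
    return true;
}

// Encodes a cursor plus one trailing field (the "next thing in the stream"), decodes both
// back, and reports whether everything came out intact and the stream was fully consumed.
template <typename Enc, typename Dec>
static bool roundTrip(Enc encode, Dec decode, const Cursor& in, uint32_t trailer) {
    Encoder e;
    encode(e, in);
    e.u32(trailer);
    Decoder d{e.bytes};
    Cursor out;
    uint32_t trailerOut = 0;
    if (!decode(d, out) || !d.u32(trailerOut) || d.pos != e.bytes.size()) return false;
    return out.type == in.type && out.image.has_value() == in.image.has_value()
        && (!in.image || out.image->pixels == in.image->pixels) && trailerOut == trailer;
}

// Constructed sample: a Custom cursor with or without a 3-byte image, followed by the value 7.
static Cursor sampleCursor(bool withImage) {
    Cursor c;
    c.type = CursorType::Custom;
    if (withImage) c.image = Image{{1, 2, 3}};
    return c;
}
bool skippingNullRoundTrips(bool withImage) {
    return roundTrip(encodeCursorSkippingNull, decodeCursorSkippingNull, sampleCursor(withImage), 7);
}
bool withFlagRoundTrips(bool withImage) {
    return roundTrip(encodeCursorWithFlag, decodeCursorWithFlag, sampleCursor(withImage), 7);
}
```

With a real image both layouts round-trip. With a null image the skipping layout writes `[Custom][7]`, so the decoder reads the trailing 7 as an image length and the decode fails (or, with a different trailing value, silently yields a wrong image and wrong subsequent fields); the flagged layout writes `[Custom][0][7]` and decodes cleanly. The bounds check in `Decoder::blob` is what turns the misalignment into a reported failure rather than an out-of-bounds read, which is the property a receiving process wants from any IPC decoder.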
Comment 5 Alexey Proskuryakov 2011-07-31 20:16:39 PDT
Duplicate of bug 65420?
Comment 6 Alexey Proskuryakov 2011-07-31 20:16:59 PDT
I mean, duplicate of bug 64802?
Comment 7 Darin Adler 2011-07-31 20:21:13 PDT

*** This bug has been marked as a duplicate of bug 64802 ***