Bug 84055 - [Chromium] css3/filters/huge-region-composited.html crashes
Status: RESOLVED WONTFIX
https://bugs.webkit.org/show_bug.cgi?id=84055
Vincent Scheib
Reported 2012-04-16 11:19:27 PDT
css3/filters/huge-region-composited.html crashes since its introduction in http://trac.webkit.org/changeset/114172/

"""
Don't process filters if the input region is exceptionally large.
https://bugs.webkit.org/show_bug.cgi?id=83317

Reviewed by Simon Fraser.

Source/WebCore:

An extremely large element causes problems with filters, either by taking too long to compute the output or using too much memory. The filter engine already has some constants for maximum expected size. Make sure the render tree checks them before deciding to apply effects.

Tests: css3/filters/huge-region-composited.html
       css3/filters/huge-region.html
"""

See test results http://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=css3%2Ffilters%2Fhuge-region-composited.html
e.g. http://build.chromium.org/p/chromium.webkit/builders/Webkit%20Linux/builds/23874

Stack Trace:
10:29:13.896 6959 worker/1 css3/filters/huge-region-composited.html crashed, stack trace:
10:29:13.897 6959 base::debug::StackTrace::StackTrace() [0x66bede]
10:29:13.897 6959 base::(anonymous namespace)::StackDumpSignalHandler() [0x656a79]
10:29:13.897 6959 0x7f17e1857af0
10:29:13.897 6959 GrContext::gaussianBlur() [0x6afd28]
10:29:13.897 6959 filter_texture() [0x16b97ce]
10:29:13.897 6959 SkGpuDevice::drawSprite() [0x16bd930]
10:29:13.897 6959 SkCanvas::drawSprite() [0x67fc08]
10:29:13.897 6959 WebCore::CCRenderSurfaceFilters::apply() [0xbc896a]
10:29:13.897 6959 WebCore::CCRenderSurface::applyFilters() [0xbc77ec]
10:29:13.897 6959 WebCore::CCRenderSurface::drawContents() [0xbc78a2]
10:29:13.897 6959 WebCore::LayerRendererChromium::drawRenderSurfaceQuad() [0xc21a9a]
10:29:13.897 6959 WebCore::LayerRendererChromium::drawQuad() [0xc28293]
10:29:13.897 6959 WebCore::LayerRendererChromium::drawRenderPass() [0xc28373]
10:29:13.898 6959 WebCore::CCLayerTreeHostImpl::drawLayers() [0xbb98d5]
10:29:13.898 6959 WebCore::CCSingleThreadProxy::doComposite() [0xbc9c0f]
10:29:13.898 6959 WebCore::CCSingleThreadProxy::commitAndComposite() [0xbc9e17]
10:29:13.898 6959 WebCore::CCSingleThreadProxy::compositeAndReadback() [0xbca269]
10:29:13.898 6959 WebCore::CCLayerTreeHost::compositeAndReadback() [0xbaeebf]
10:29:13.898 6959 WebKit::WebLayerTreeView::compositeAndReadback() [0x4b9e11]
10:29:13.898 6959 WebKit::WebViewImpl::doPixelReadbackToCanvas() [0x47b78d]
10:29:13.898 6959 WebKit::WebViewImpl::paint() [0x47ba07]
10:29:13.898 6959 WebViewHost::paintRect() [0x450fb2]
10:29:13.898 6959 WebViewHost::paintInvalidatedRegion() [0x45112e]
10:29:13.898 6959 TestShell::dump() [0x44b6de]
10:29:13.898 6959 TestShell::testFinished() [0x44bcad]
10:29:13.899 6959 WebKit::FrameLoaderClientImpl::dispatchDidFinishLoad() [0x49c559]
10:29:13.899 6959 WebCore::FrameLoader::checkLoadCompleteForThisFrame() [0xe63c62]
10:29:13.899 6959 WebCore::FrameLoader::checkLoadComplete() [0xe63e32]
10:29:13.899 6959 WebCore::MainResourceLoader::didFinishLoading() [0xe731ac]
10:29:13.899 6959 webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest() [0x1543d1a]
10:29:13.899 6959 (anonymous namespace)::RequestProxy::NotifyCompletedRequest() [0x15c93d3]
10:29:13.899 6959 MessageLoop::RunTask() [0x648f7e]
10:29:13.899 6959 MessageLoop::DeferOrRunPendingTask() [0x6496a8]
10:29:13.899 6959 MessageLoop::DoWork() [0x649ca8]
10:29:13.899 6959 base::MessagePumpGlib::RunWithDispatcher() [0x6642e5]
10:29:13.899 6959 MessageLoop::RunInternal() [0x64ada5]
10:29:13.899 6959 MessageLoop::Run() [0x64aefc]
10:29:13.900 6959 TestShell::waitTestFinished() [0x44bd95]
10:29:13.900 6959 TestShell::runFileTest() [0x44a30c]
10:29:13.900 6959 runTest() [0x426563]
10:29:13.900 6959 main [0x426c03]
10:29:13.900 6959 0x7f17e1842c4d
10:29:13.900 6959 0x41a839
10:29:13.901 6959 worker/1 killing driver
Vincent Scheib
Comment 1 2012-04-16 11:19:58 PDT
css3/filters/huge-region.html is also missing test results, starting at the same time, likely same root cause. See: http://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=css3%2Ffilters%2Fhuge-region.html
Ryosuke Niwa
Comment 2 2012-06-05 18:09:03 PDT
The original bug was a security bug. This test crashing on trunk isn't a good sign.
Ryosuke Niwa
Comment 3 2012-06-05 18:11:24 PDT
Disabled erroneous image generation per discussion with smfr in http://trac.webkit.org/changeset/119545.
James Robinson
Comment 4 2012-06-05 18:34:31 PDT
It looks like this filter is getting through the filter engine checks, but our compositor can't actually handle it. We should probably reject it at some point in our compositor implementation either by ignoring this particular filter or just ditching the whole filter chain. What do you think, Stephen?
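Added example, not WebKit or Chromium source: a small C++ model of the size gate the changeset's commit message describes ("the filter engine already has some constants for maximum expected size; make sure the render tree checks them") and of the gap comment 4 points at, where a region passes the render-tree check but the compositor still cannot handle it. The type names, the limits (kMaxFilterDimension, kMaxFilterArea), the outset rule used for compositorSurfaceSize and the sample sizes are all assumptions made for this example, not values from the WebKit tree. It also shows the 32-bit overflow a naive area check is prone to, which a huge region is precisely the input to trigger.

```cpp
// Added example, not WebKit/Chromium source. Models the two places a filter
// region size must be checked: the render tree (decides whether to apply
// effects) and the compositor (draws the render surface, which may be larger).
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

struct IntSize {
    int width;
    int height;
};

// Hypothetical limits. WebKit's real constants live in its filter engine and
// are not reproduced here; the values below are assumptions for the example.
constexpr int64_t kMaxFilterDimension = 16384;        // per-side limit
constexpr int64_t kMaxFilterArea = int64_t(1) << 26;  // ~67 Mpx, ~256 MiB RGBA

// Overflow-safe budget check: 64-bit product, explicit per-side limit, and
// rejection of empty/negative sizes so a bogus rect never reaches the filter.
bool filterRegionWithinBudget(const IntSize& size) {
    if (size.width <= 0 || size.height <= 0)
        return false;
    if (size.width > kMaxFilterDimension || size.height > kMaxFilterDimension)
        return false;
    int64_t area = int64_t(size.width) * int64_t(size.height);
    return area <= kMaxFilterArea;
}

// The check as it is often first written: a 32-bit product. 65536 x 65536
// wraps to 0 and passes, which is exactly the kind of "huge region" that
// should be refused. Kept only to contrast with the safe version above.
bool naiveRegionWithinBudget(const IntSize& size) {
    uint32_t area = uint32_t(size.width) * uint32_t(size.height);  // wraps mod 2^32
    return area <= uint32_t(kMaxFilterArea);
}

// A filter chain as a list of operation names, e.g. {"blur", "grayscale"}.
using FilterChain = std::vector<std::string>;

// Render-tree side: apply effects only when the element's region is in budget.
bool renderTreeShouldApplyFilters(const IntSize& regionSize, const FilterChain& chain) {
    return !chain.empty() && filterRegionWithinBudget(regionSize);
}

// Assumed outset rule: a blur reads pixels up to ~3 sigma from each edge, so the
// compositor's render surface is the element rect grown by 3*radius per side.
// This is why a region can pass the render-tree check and still be too large
// by the time the compositor draws it.
IntSize compositorSurfaceSize(const IntSize& region, int blurRadius) {
    int outset = 3 * blurRadius;
    return {region.width + 2 * outset, region.height + 2 * outset};
}

// Compositor side: re-run the same predicate on the surface it will actually
// draw. If the surface is over budget, drop the whole chain (returning an
// empty chain) rather than run a partial set of effects.
FilterChain compositorFiltersForSurface(const IntSize& surfaceSize, const FilterChain& chain) {
    if (!filterRegionWithinBudget(surfaceSize))
        return {};
    return chain;
}

int main() {
    const FilterChain chain{"blur", "grayscale"};
    const IntSize region{8000, 8000};  // constructed: passes the render-tree check
    const int blurRadius = 40;

    std::cout << "render tree applies filters: "
              << renderTreeShouldApplyFilters(region, chain) << '\n';

    const IntSize surface = compositorSurfaceSize(region, blurRadius);
    std::cout << "compositor surface " << surface.width << 'x' << surface.height
              << ", filters kept: " << compositorFiltersForSurface(surface, chain).size() << '\n';

    const IntSize huge{65536, 65536};  // constructed: 32-bit area wraps to 0
    std::cout << "naive check on 65536x65536: " << naiveRegionWithinBudget(huge)
              << ", safe check: " << filterRegionWithinBudget(huge) << '\n';
    return 0;
}
```

The point of running the same predicate in both places is that the compositor sees a different rectangle (the render surface, grown by whatever the filter needs to read) from the one the render tree checked, so a single check at the render-tree level is not sufficient; and when the compositor refuses, dropping the whole chain is simpler and safer than trying to run the effects that happen to fit.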