
Issue metadata

Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security


Issue 144899: SkPaint::SkPaint - crash

Reported by slaw...@gmail.com, Aug 26 2012

Issue description

Crashes on windows dev 23.0.1243.2 (153013) and canary 23.0.1245.0 (153342).

Repro:
----- crash1.html -----
<style>
@-webkit-keyframes kf0 {
   to {
      -webkit-mask: -webkit-radial-gradient(#000, #000);
   }
}
</style>
<video src="foo">foo</video>
<span style="-webkit-animation: kf0 1s 1s backwards" >
   <iframe  style="-webkit-mask-box-image: -webkit-radial-gradient(#fff, #fff)">
-----------------------

(2df0.e98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0027dda8 ebx=01c65738 ecx=3ff00004 edx=00000001 esi=0027eb8c edi=0027ebd4
eip=56ef5104 esp=0027dd8c ebp=0027dd8c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
chrome_56e90000!SkPaint::SkPaint+0x23:
56ef5104 f00fc111        lock xadd dword ptr [ecx],edx ds:0023:3ff00004=????????

ExceptionAddress: 56ef5104 (chrome_56e90000!SkPaint::SkPaint+0x00000023)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 3ff00004
Attempt to write to address 3ff00004

ChildEBP RetAddr  
0027dd8c 576a9507 chrome_56e90000!SkPaint::SkPaint+0x23
0027de0c 57068479 chrome_56e90000!WebCore::OpaqueRegionSkia::popCanvasLayer+0x3a
0027df24 57067bd7 chrome_56e90000!WebCore::RenderLayer::paintLayerContents+0x87d
0027df58 57067a12 chrome_56e90000!WebCore::RenderLayer::paintLayerContentsAndReflection+0x7c
0027e174 570692c8 chrome_56e90000!WebCore::RenderLayer::paintLayer+0x3ba
0027e1b0 570682b8 chrome_56e90000!WebCore::RenderLayer::paintList+0x5e
0027e2e4 57067bd7 chrome_56e90000!WebCore::RenderLayer::paintLayerContents+0x6bc
0027e318 57067a12 chrome_56e90000!WebCore::RenderLayer::paintLayerContentsAndReflection+0x7c
0027e534 570692c8 chrome_56e90000!WebCore::RenderLayer::paintLayer+0x3ba
0027e570 570682b8 chrome_56e90000!WebCore::RenderLayer::paintList+0x5e
0027e6a4 57067bd7 chrome_56e90000!WebCore::RenderLayer::paintLayerContents+0x6bc
0027e6d8 57067a12 chrome_56e90000!WebCore::RenderLayer::paintLayerContentsAndReflection+0x7c
0027e8f4 57067503 chrome_56e90000!WebCore::RenderLayer::paintLayer+0x3ba
0027e96c 57066f1b chrome_56e90000!WebCore::RenderLayer::paint+0x9a
0027e9d4 582615fb chrome_56e90000!WebCore::FrameView::paintContents+0x276
0027ea04 582744ea chrome_56e90000!WebKit::WebViewImpl::paintRootLayer+0x3e
0027ea40 5767fbc2 chrome_56e90000!WebKit::NonCompositedContentHost::paintContents+0x7a
0027ea88 576839f8 chrome_56e90000!WebCore::GraphicsLayer::paintGraphicsLayerContents+0xff
0027ea98 576af5fd chrome_56e90000!WebCore::GraphicsLayerChromium::paint+0x1f
0027ed38 582889df chrome_56e90000!WebCore::OpaqueRectTrackingContentLayerDelegate::paintContents+0x147
0027ed74 579918ce chrome_56e90000!WebKit::WebContentLayerImpl::paintContents+0x48
0027eda4 56f8ed6e chrome_56e90000!WebCore::ContentLayerPainter::paint+0x2c
0027ede4 56ef102f chrome_56e90000!webkit_glue::WebKitPlatformSupportImpl::monotonicallyIncreasingTime+0xe
0027ee1c 56e94940 chrome_56e90000!SkMetaData::setPtr+0x2a
0027ee34 00000000 chrome_56e90000!tcmalloc::ThreadCache::Deallocate+0x30

Attachments: crash1.html (279 bytes), stack1.txt (3.3 KB)

Comment 1 by scarybea...@gmail.com, Aug 26 2012

Labels: reward-topanel

Comment 2 by palmer@google.com, Aug 27 2012

Cc: danakj@chromium.org reed@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals Internals-Skia SecImpacts-Stable SecImpacts-Beta OS-All Mstone-21
Status: Available
Easy reproducibility on Linux, stable and ToT. Thanks Slaweck!

Weirdly, ClusterFuzz says it's unreproducible. That's not true, of course. inferno, any ideas as to why?

Depending on what field of SkPaint we are writing, it looks like it might be a small write, or it could be as big as an SkScalar. reed or danakj, any clues?

Comment 3 by danakj@chromium.org, Aug 27 2012

Owner: danakj@chromium.org
Status: Assigned

Comment 4 by danakj@chromium.org, Aug 27 2012

What are you doing to reproduce on linux? What command line flags?

Comment 5 by palmer@google.com, Aug 27 2012

I don't set any command line flags. (At least there are none explicitly entered by me.) Release+ASAN ToT, Debug ToT, and 21 stable all crash immediately and I don't have to tweak anything. FWIW, I cannot repro the problem on 21 for OS X. It does repro on ToT on OS X though. On that build, I get an ASSERT on line 91 of WebCore/platform/graphics/GraphicsContext.cpp (~GraphicsContext).

Comment 6 by danakj@chromium.org, Aug 27 2012

Cc: jam...@chromium.org
OK, sounds like the GraphicsContext stack is being popped beyond empty. A non-aura Linux build is able to repro the crash for me also (though run-webkit-tests does not either).
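As an added illustration of the "popped beyond empty" condition described in this comment (hypothetical code, not Chromium's or WebKit's), a save/restore state stack whose restore() refuses to pop past the bottom and whose balance check mirrors the destructor assertion mentioned in comment 5; the replay() helper and the 's'/'r' event string are constructed for the example:

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for a painting context that keeps a stack of
// saved states, in the spirit of the GraphicsContext / canvas-layer
// stack this thread discusses. Not Chromium or WebKit code.
struct PaintState {
    std::string maskImage;   // e.g. a -webkit-mask-box-image gradient
    float opacity = 1.0f;
};

class LayerStack {
public:
    // Push a copy of the current state so it can be restored later.
    void save() { saved_.push_back(current_); }

    // Guarded pop: a restore with nothing saved is a caller bug.
    // Returning false instead of reading past the end of the stack
    // turns a wild read/write on garbage state into a reportable event.
    bool restore() {
        if (saved_.empty()) { ++underflows_; return false; }
        current_ = saved_.back();
        saved_.pop_back();
        return true;
    }

    size_t depth() const { return saved_.size(); }
    size_t underflows() const { return underflows_; }
    // True when every save had exactly one matching restore, which is
    // the invariant a context destructor would assert on.
    bool balanced() const { return saved_.empty() && underflows_ == 0; }

private:
    PaintState current_;
    std::vector<PaintState> saved_;
    size_t underflows_ = 0;
};

// Replays a constructed sequence of 's' (save) and 'r' (restore)
// events, as a paint pass would issue them, and reports the outcome.
// More restores than saves models the underflow behind this crash.
struct ReplayResult { size_t depth; size_t underflows; bool balanced; };

ReplayResult replay(const std::string& events) {
    LayerStack stack;
    for (char e : events) {
        if (e == 's') stack.save();
        else if (e == 'r') stack.restore();
    }
    return {stack.depth(), stack.underflows(), stack.balanced()};
}
```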

Comment 7 by danakj@chromium.org, Aug 27 2012

Labels: webkit-id-95152
This change prevents the crash, the WebCore bug should be tracked down also though.

Comment 8 by danakj@chromium.org, Aug 28 2012

Cc: senorblanco@chromium.org

Comment 9 by infe...@chromium.org, Aug 28 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify SecSeverity-High
Status: FixUnreleased
http://trac.webkit.org/changeset/126901

Comment 10 by infe...@chromium.org, Aug 28 2012

Labels: Merge-Approved

Comment 11 by danakj@chromium.org, Aug 28 2012

Labels: webkit-id-95240
This is the underlying issue in WebCore that causes the crash.

Comment 12 by infe...@chromium.org, Aug 28 2012

Status: Assigned
Let's reopen this then. m22 needs the fix for the underlying cause.

Comment 13 by bugdroid1@chromium.org, Aug 28 2012

Project Member
Labels: -webkit-id-95240 WebKit-ID-95240-NEW
https://bugs.webkit.org/show_bug.cgi?id=95240

Comment 14 by danakj@chromium.org, Aug 29 2012

Status: Started

Comment 15 by infe...@chromium.org, Aug 31 2012

Status: FixUnreleased
We need to merge the good band-aid to m22. Talked to Dana. The long-term fix will take more time and it's better to just track it as a functional bug.

Comment 16 by scarybea...@gmail.com, Sep 5 2012

Labels: -Mstone-21 -Merge-Approved Mstone-22 Merge-Merged
M22: http://trac.webkit.org/changeset/127638

Comment 17 by scarybea...@gmail.com, Sep 25 2012

Labels: -reward-topanel reward-1000 reward-unpaid
@slaweck: nice discovery! And a $1000 reward.

Comment 18 by scarybea...@gmail.com, Oct 11 2012

Labels: -reward-unpaid

Comment 19 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-Internals -Internals-Skia -SecImpacts-Stable -SecImpacts-Beta -Mstone-22 -SecSeverity-High Cr-Internals-Skia Security-Impact-Stable Security-Impact-Beta M-22 Cr-Internals Security-Severity-High Type-Bug-Security

Comment 21 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 25 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 26 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
