[Webkit-unassigned] [Bug 201755] New: [Cairo] Image::drawTiled → Cairo::drawSurface → cairo_paint_with_alpha → segfault happens in pixman

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 12 23:04:34 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=201755

            Bug ID: 201755
           Summary: [Cairo] Image::drawTiled → Cairo::drawSurface →
                    cairo_paint_with_alpha → segfault happens in pixman
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Hironori.Fujii at sony.com

[Cairo] Image::drawTiled → Cairo::drawSurface → cairo_paint_with_alpha → segfault happens in pixman

Today, I saw WinCairo crash in <https://news.yahoo.co.jp>.

Callstack:

> cairo.dll!_pixman_implementation_create_general()	C
> cairo.dll!_pixman_gradient_walker_write_wide()	C
> cairo.dll!pixman_image_composite32()	C
> cairo.dll!composite_boxes(void * _dst, _cairo_operator op, _cairo_surface * abstract_src, _cairo_surface * abstract_mask, int src_x, int src_y, int mask_x, int mask_y, int dst_x, int dst_y, _cairo_boxes_t * boxes, const _cairo_rectangle_int * extents) Line 538	C
> cairo.dll!composite_aligned_boxes(const cairo_spans_compositor * compositor, const _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 688	C
> cairo.dll!clip_and_composite_boxes(const cairo_spans_compositor * compositor, _cairo_composite_rectangles * extents, _cairo_boxes_t * boxes) Line 883	C
> cairo.dll!_cairo_spans_compositor_mask(const cairo_compositor * _compositor, _cairo_composite_rectangles * extents) Line 1000	C
> cairo.dll!_cairo_compositor_paint(const cairo_compositor * compositor, _cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 67	C
> cairo.dll!_cairo_image_surface_paint(void * abstract_surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 931	C
> cairo.dll!_cairo_surface_paint(_cairo_surface * surface, _cairo_operator op, const _cairo_pattern * source, const _cairo_clip * clip) Line 2199	C
> cairo.dll!_cairo_gstate_paint(_cairo_gstate * gstate) Line 1061	C
> cairo.dll!_cairo_default_context_paint_with_alpha(void * abstract_cr, double alpha) Line 971	C
> cairo.dll!cairo_paint_with_alpha(_cairo * cr, double alpha) Line 2248	C
> WebKit2.dll!WebCore::Cairo::drawPatternToCairoContext(_cairo * cr, _cairo_pattern * pattern, const WebCore::FloatRect & destRect, float alpha) Line 156	C++
> WebKit2.dll!WebCore::Cairo::drawSurface(WebCore::PlatformContextCairo & platformContext, _cairo_surface * surface, const WebCore::FloatRect & destRect, const WebCore::FloatRect & originalSrcRect, WebCore::InterpolationQuality imageInterpolationQuality, float globalAlpha, const WebCore::Cairo::ShadowState & shadowState) Line 988	C++
> WebKit2.dll!WebCore::Cairo::drawNativeImage(WebCore::PlatformContextCairo & platformContext, _cairo_surface * surface, const WebCore::FloatRect & destRect, const WebCore::FloatRect & srcRect, const WebCore::ImagePaintingOptions & options, float globalAlpha, const WebCore::Cairo::ShadowState & shadowState) Line 903	C++
> WebKit2.dll!WebCore::GraphicsContextImplCairo::drawNativeImage(const WTF::RefPtr<_cairo_surface,WTF::DumbPtrTraits<_cairo_surface> > & image, const WebCore::FloatSize & imageSize, const WebCore::FloatRect & destRect, const WebCore::FloatRect & srcRect, const WebCore::ImagePaintingOptions & options) Line 283	C++
> WebKit2.dll!WebCore::GraphicsContext::drawNativeImage(const WTF::RefPtr<_cairo_surface,WTF::DumbPtrTraits<_cairo_surface> > & image, const WebCore::FloatSize & imageSize, const WebCore::FloatRect & destRect, const WebCore::FloatRect & srcRect, const WebCore::ImagePaintingOptions & options) Line 130	C++
> WebKit2.dll!WebCore::drawNativeImage(const WTF::RefPtr<_cairo_surface,WTF::DumbPtrTraits<_cairo_surface> > & image, WebCore::GraphicsContext & context, const WebCore::FloatRect & destRect, const WebCore::FloatRect & srcRect, const WebCore::IntSize & imageSize, const WebCore::ImagePaintingOptions & options) Line 62	C++
> WebKit2.dll!WebCore::BitmapImage::draw(WebCore::GraphicsContext & context, const WebCore::FloatRect & destRect, const WebCore::FloatRect & srcRect, const WebCore::ImagePaintingOptions & options) Line 272	C++
> WebKit2.dll!WebCore::Image::drawTiled(WebCore::GraphicsContext & ctxt, const WebCore::FloatRect & destRect, const WebCore::FloatPoint & srcPoint, const WebCore::FloatSize & scaledTileSize, const WebCore::FloatSize & spacing, const WebCore::ImagePaintingOptions & options) Line 182	C++
> WebKit2.dll!WebCore::GraphicsContextImpl::drawTiledImageImpl(WebCore::GraphicsContext & context, WebCore::Image & image, const WebCore::FloatRect & destination, const WebCore::FloatPoint & source, const WebCore::FloatSize & tileSize, const WebCore::FloatSize & spacing, const WebCore::ImagePaintingOptions & options) Line 50	C++
> WebKit2.dll!WebCore::GraphicsContextImplCairo::drawTiledImage(WebCore::Image & image, const WebCore::FloatRect & destination, const WebCore::FloatPoint & source, const WebCore::FloatSize & tileSize, const WebCore::FloatSize & spacing, const WebCore::ImagePaintingOptions & imagePaintingOptions) Line 271	C++
> WebKit2.dll!WebCore::GraphicsContext::drawTiledImage(WebCore::Image & image, const WebCore::FloatRect & destination, const WebCore::FloatPoint & source, const WebCore::FloatSize & tileSize, const WebCore::FloatSize & spacing, const WebCore::ImagePaintingOptions & options) Line 740	C++
> WebKit2.dll!WebCore::RenderBoxModelObject::paintFillLayerExtended(const WebCore::PaintInfo & paintInfo, const WebCore::Color & color, const WebCore::FillLayer & bgLayer, const WebCore::LayoutRect & rect, WebCore::BackgroundBleedAvoidance bleedAvoidance, WebCore::InlineFlowBox * box, const WebCore::LayoutSize & boxSize, WebCore::CompositeOperator op, WebCore::RenderElement * backgroundObject, WebCore::BaseBackgroundColorUsage baseBgColorUsage) Line 963	C++
> WebKit2.dll!WebCore::RenderBox::paintFillLayer(const WebCore::PaintInfo & paintInfo, const WebCore::Color & c, const WebCore::FillLayer & fillLayer, const WebCore::LayoutRect & rect, WebCore::BackgroundBleedAvoidance bleedAvoidance, WebCore::CompositeOperator op, WebCore::RenderElement * backgroundObject, WebCore::BaseBackgroundColorUsage baseBgColorUsage) Line 1680	C++
> WebKit2.dll!WebCore::RenderBox::paintFillLayers(const WebCore::PaintInfo & paintInfo, const WebCore::Color & color, const WebCore::FillLayer & fillLayer, const WebCore::LayoutRect & rect, WebCore::BackgroundBleedAvoidance bleedAvoidance, WebCore::CompositeOperator op, WebCore::RenderElement * backgroundObject) Line 1670	C++
> WebKit2.dll!WebCore::RenderBox::paintBackground(const WebCore::PaintInfo & paintInfo, const WebCore::LayoutRect & paintRect, WebCore::BackgroundBleedAvoidance bleedAvoidance) Line 1395	C++
> WebKit2.dll!WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1350	C++
> WebKit2.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1224	C++
> WebKit2.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo, const WebCore::LayoutPoint & paintOffset) Line 1104	C++
> WebKit2.dll!WebCore::RenderLayer::paintBackgroundForFragments(const WTF::Vector<WebCore::LayerFragment,1,WTF::CrashOnOverflow,16> & layerFragments, WebCore::GraphicsContext & context, WebCore::GraphicsContext & contextForTransparencyLayer, const WebCore::LayoutRect & transparencyPaintDirtyRect, bool haveTransparency, const WebCore::RenderLayer::LayerPaintingInfo & localPaintingInfo, WTF::OptionSet<WebCore::PaintBehavior> paintBehavior, WebCore::RenderObject * subtreePaintRootForRenderer) Line 4913	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4554	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4250	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4233	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4172	C++
> WebKit2.dll!WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList layerIterator, WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4689	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4581	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4250	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4233	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4172	C++
> WebKit2.dll!WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList layerIterator, WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4689	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4581	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4250	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4233	C++
> WebKit2.dll!WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext & context, const WebCore::RenderLayer::LayerPaintingInfo & paintingInfo, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags) Line 4172	C++
> WebKit2.dll!WebCore::RenderLayer::paint(WebCore::GraphicsContext & context, const WebCore::LayoutRect & damageRect, const WebCore::LayoutSize & subpixelOffset, WTF::OptionSet<WebCore::PaintBehavior> paintBehavior, WebCore::RenderObject * subtreePaintRoot, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag> paintFlags, WebCore::RenderLayer::SecurityOriginPaintPolicy paintPolicy) Line 4034	C++
> WebKit2.dll!WebCore::FrameView::paintContents(WebCore::GraphicsContext & context, const WebCore::IntRect & dirtyRect, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy) Line 4156	C++
> WebKit2.dll!WebCore::ScrollView::paint(WebCore::GraphicsContext & context, const WebCore::IntRect & rect, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy) Line 1217	C++
> WebKit2.dll!WebKit::WebPage::drawRect(WebCore::GraphicsContext & graphicsContext, const WebCore::IntRect & rect) Line 1792	C++
> WebKit2.dll!WebKit::DrawingAreaCoordinatedGraphics::display(WebKit::UpdateInfo & updateInfo) Line 760	C++
> WebKit2.dll!WebKit::DrawingAreaCoordinatedGraphics::display() Line 673	C++
> WebKit2.dll!WebKit::DrawingAreaCoordinatedGraphics::displayTimerFired() Line 653	C++
> WebKit2.dll!WTF::RunLoop::Timer<WebKit::DrawingAreaCoordinatedGraphics>::fired() Line 152	C++
> WTF.dll!WTF::RunLoop::TimerBase::timerFired() Line 141	C++
> WTF.dll!WTF::RunLoop::wndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 60	C++
> WTF.dll!WTF::RunLoop::RunLoopWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 39	C++
> [External Code]	
> WTF.dll!WTF::RunLoop::run() Line 73	C++
> WebKit2.dll!WebKit::AuxiliaryProcessMain<WebKit::WebProcess,WebKit::WebProcessMain>(int argc, char * * argv) Line 67	C++
> WebKit2.dll!WebKit::WebProcessMainWin(int argc, char * * argv) Line 49	C++
> WebKitWebProcess.exe!main(int argc, char * * argv) Line 33	C++
> [External Code]	

This callstack is not reliable for pixman function names because the following issue isn't fixed yet.

pixman doesn't have the debug information · Issue #26 · WebKitForWindows/WinCairoRequirements
https://github.com/WebKitForWindows/WinCairoRequirements/issues/26

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190913/7d3aba81/attachment-0001.html>

More information about the webkit-unassigned mailing list