[Webkit-unassigned] [Bug 218490] New: crash in WebCore::Cairo::strokePath
bugzilla-daemon at webkit.org
Tue Nov 3 01:54:47 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=218490
Bug ID: 218490
Summary: crash in WebCore::Cairo::strokePath
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: Bindings
Assignee: webkit-unassigned at lists.webkit.org
Reporter: tadinhsung at gmail.com
CC: cdumez at apple.com
Created attachment 413024
--> https://bugs.webkit.org/attachment.cgi?id=413024&action=review
poc.html
VERSION
WebkitGTK Version: 2.30.2 stable.
Operating System: Ubuntu 18.04 (Docker).
REPRODUCTION CASE
0. build WebkitGTK with ASAN flags or you can use my docker script at https://github.com/Mipu94/Docker_webkitASAN
1. Open poc.html in MiniBrowser (ASAN build)
CRASH INFORMATION
root at 8b2127d9cd7a:~/webkitASAN# ASAN_SYMBOLIZER_PATH=/root/clang/bin/llvm-symbolizer ./bin/MiniBrowser test.html
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==302==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f80b3c6d817 bp 0x62d000101848 sp 0x7fffbbd7b120 T0)
==302==The signal is caused by a READ memory access.
==302==Hint: address points to the zero page.
#0 0x7f80b3c6d817 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x59817)
#1 0x7f80b3c7f86e (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6b86e)
#2 0x7f80b3c80401 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6c401)
#3 0x7f80b3c3a236 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x26236)
#4 0x7f80b3c4bf01 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x37f01)
#5 0x7f80b3c842b8 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x702b8)
#6 0x7f80b3c421c3 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x2e1c3)
#7 0x7f80b3c3bbc8 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x27bc8)
#8 0x7f80b3c349d4 in cairo_stroke (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x209d4)
#9 0x7f80c2cc74ad in WebCore::Cairo::strokePath(WebCore::PlatformContextCairo&, WebCore::Path const&, WebCore::Cairo::StrokeSource const&, WebCore::Cairo::ShadowState const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/CairoOperations.cpp:820:5
#10 0x7f80c2ceaf1d in WebCore::GraphicsContextImplCairo::strokePath(WebCore::Path const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/GraphicsContextImplCairo.cpp:219:5
#11 0x7f80c2ce2358 in WebCore::GraphicsContext::strokePath(WebCore::Path const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:197:17
#12 0x7f80c317d528 in WebCore::RenderBoxModelObject::drawBoxSideFromPath(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::Path const&, WebCore::BorderEdge const*, float, float, WebCore::BoxSide, WebCore::RenderStyle const&, WebCore::Color, WebCore::BorderStyle, WebCore::BackgroundBleedAvoidance, bool, bool) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:2048:25
#13 0x7f80c3176af8 in WebCore::RenderBoxModelObject::paintOneBorderSide(WebCore::GraphicsContext&, WebCore::RenderStyle const&, WebCore::RoundedRect const&, WebCore::RoundedRect const&, WebCore::LayoutRect const&, WebCore::BoxSide, WebCore::BoxSide, WebCore::BoxSide, WebCore::BorderEdge const*, WebCore::Path const*, WebCore::BackgroundBleedAvoidance, bool, bool, bool, WebCore::Color const*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:1687:9
#14 0x7f80c317f291 in WebCore::RenderBoxModelObject::paintBorderSides(WebCore::GraphicsContext&, WebCore::RenderStyle const&, WebCore::RoundedRect const&, WebCore::RoundedRect const&, WebCore::IntPoint const&, WebCore::BorderEdge const*, unsigned int, WebCore::BackgroundBleedAvoidance, bool, bool, bool, WebCore::Color const*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:1753:9
#15 0x7f80c312cea7 in WebCore::RenderBoxModelObject::paintBorder(WebCore::PaintInfo const&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::BackgroundBleedAvoidance, bool, bool) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:1993:9
#16 0x7f80c31275a3 in WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBox.cpp:1399:9
#17 0x7f80c345c1f5 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderReplaced.cpp:180:9
#18 0x7f80c31d6300 in WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderElement.cpp:1024:13
#19 0x7f80c31d6300 in WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderElement.cpp:1039:9
#20 0x7f80c3029a67 in WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/InlineElementBox.cpp:81:16
#21 0x7f80c303ea8e in WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/InlineFlowBox.cpp:1217:23
#22 0x7f80c35c55db in WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RootInlineBox.cpp:168:20
#23 0x7f80c33cca9d in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLineBoxList.cpp:260:19
#24 0x7f80c30a298e in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1129:9
#25 0x7f80c30a298e in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1298:9
#26 0x7f80c309ea74 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1108:5
#27 0x7f80c30a0df2 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1185:19
#28 0x7f80c30a070d in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1149:14
#29 0x7f80c30a29d5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1142:9
#30 0x7f80c30a29d5 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1298:9
#31 0x7f80c309ea74 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1108:5
#32 0x7f80c332f7f9 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:5134:20
#33 0x7f80c33279c4 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:5111:9
#34 0x7f80c331c261 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4706:17
#35 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4414:5
#36 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4396:5
#37 0x7f80c331c449 in WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4824:21
#38 0x7f80c331c449 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4722:13
#39 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4414:5
#40 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4396:5
#41 0x7f80c3314a46 in WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::RenderLayer::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4189:5
#42 0x7f80c271faa4 in WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/page/FrameView.cpp:4313:16
#43 0x7f80c2a4f037 in WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/ScrollView.cpp:1277:9
#44 0x7f80beb56d47 in WebKit::WebPage::drawRect(WebCore::GraphicsContext&, WebCore::IntRect const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/WebPage.cpp:1848:39
#45 0x7f80bebde0ef in WebKit::DrawingAreaCoordinatedGraphics::display(WebKit::UpdateInfo&) /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:800:23
#46 0x7f80bebdb6f5 in WebKit::DrawingAreaCoordinatedGraphics::sendDidUpdateBackingStoreState() /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:480:9
#47 0x7f80bebd894d in WebKit::DrawingAreaCoordinatedGraphics::display() /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:709:9
#48 0x7f80bb44b5a4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
#49 0x7f80bb44b5a4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
#50 0x7f80bb448b3c in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
#51 0x7f80bb448b3c in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
#52 0x7f80afa21284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
#53 0x7f80afa2164f (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64f)
#54 0x7f80afa21961 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c961)
#55 0x7f80bb44a08e in WTF::RunLoop::run() /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
#56 0x7f80bec13bec in int WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMainGtk>(int, char**) /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/Shared/AuxiliaryProcessMain.h:68:5
#57 0x7f80abe0cb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#58 0x41cfa9 in _start (/usr/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41cfa9)
--
You are receiving this mail because:
You are the assignee for the bug.
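The ASan output above is the kind of report a triager has to read many times a week, so here is a small triage helper, added as an example and not part of the bug report or of WebKit. It parses the error header and the three frame formats that appear in the trace (unsymbolised shared-object frame, symbol plus shared object, symbol plus source location), classifies a SEGV whose fault address lies in the first page as a null-pointer-plus-offset access (the zero-page heuristic and the 0x1000 page size are assumptions of this example), and reports the first frame that carries source information, which for this crash is WebCore::Cairo::strokePath at CairoOperations.cpp:820. The sample input is a constructed, trimmed copy of the report above.

```python
"""Triage an AddressSanitizer SEGV report of the kind shown in this bug.

Added example, not part of the bug report: parses the ASan header and the
frame lines, classifies the fault, and locates the first frame that has
source information (normally where a triager starts reading).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PAGE_SIZE = 0x1000  # heuristic (assumption): faults inside the first page are null + offset

HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+(?P<rest>.*)$")
# unsymbolised frame: "(libfoo.so+0x1234)", optionally preceded by "symbol "
MODULE_RE = re.compile(r"^(?:(?P<sym>.*?)\s+)?\((?P<mod>[^()]+)\+0x[0-9a-fA-F]+\)$")
# symbolised frame: "symbol(args) /path/file.cpp:LINE[:COL]"
SOURCE_RE = re.compile(r"^(?P<sym>.*?)\s+(?P<file>[^\s:]+):(?P<line>\d+)(?::\d+)?$")

# Constructed sample: a trimmed copy of the report in this bug.
SAMPLE_REPORT = """\
==302==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f80b3c6d817 bp 0x62d000101848 sp 0x7fffbbd7b120 T0)
==302==The signal is caused by a READ memory access.
==302==Hint: address points to the zero page.
    #0 0x7f80b3c6d817 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x59817)
    #8 0x7f80b3c349d4 in cairo_stroke (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x209d4)
    #9 0x7f80c2cc74ad in WebCore::Cairo::strokePath(WebCore::PlatformContextCairo&, WebCore::Path const&, WebCore::Cairo::StrokeSource const&, WebCore::Cairo::ShadowState const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/CairoOperations.cpp:820:5
    #10 0x7f80c2ceaf1d in WebCore::GraphicsContextImplCairo::strokePath(WebCore::Path const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/GraphicsContextImplCairo.cpp:219:5
    #57 0x7f80abe0cb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #58 0x41cfa9 in _start (/usr/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41cfa9)
"""


@dataclass
class Frame:
    index: int
    symbol: Optional[str]   # None when the frame could not be symbolised
    module: Optional[str]   # shared object for frames without source info
    file: Optional[str]
    line: Optional[int]

    @property
    def name(self) -> str:
        """Function name without its parameter list, or the module when unsymbolised."""
        if self.symbol:
            return self.symbol.split("(", 1)[0]
        return self.module or "?"


def parse_frame(line: str) -> Optional[Frame]:
    """Parse one '#N 0xADDR ...' line; return None for non-frame lines."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    idx, rest = int(m.group("idx")), m.group("rest")
    if rest.startswith("in "):
        rest = rest[3:]
    mm = MODULE_RE.match(rest)
    if mm:
        return Frame(idx, mm.group("sym"), mm.group("mod"), None, None)
    sm = SOURCE_RE.match(rest)
    if sm:
        return Frame(idx, sm.group("sym"), None, sm.group("file"), int(sm.group("line")))
    return Frame(idx, rest, None, None, None)  # unknown layout: keep the raw text


@dataclass
class Triage:
    kind: str               # e.g. "SEGV", "heap-use-after-free"
    address: int
    access: Optional[str]   # "READ", "WRITE" or None if ASan did not say
    frames: List[Frame]

    @property
    def looks_like_null_deref(self) -> bool:
        return self.kind == "SEGV" and self.address < PAGE_SIZE

    @property
    def first_source_frame(self) -> Optional[Frame]:
        return next((f for f in self.frames if f.file is not None), None)

    def summary(self) -> str:
        text = f"{self.kind} {self.access or 'UNKNOWN'} at 0x{self.address:x}"
        if self.looks_like_null_deref:
            text += f" (null pointer + offset 0x{self.address:x})"
        f = self.first_source_frame
        if f:
            text += f"; first source frame #{f.index} {f.name} ({f.file.rsplit('/', 1)[-1]}:{f.line})"
        return text


def parse_asan_report(text: str) -> Triage:
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("no AddressSanitizer error header found")
    access = ACCESS_RE.search(text)
    frames = [f for f in (parse_frame(ln) for ln in text.splitlines()) if f]
    return Triage(header.group("kind"), int(header.group("addr"), 16),
                  access.group("access") if access else None, frames)


if __name__ == "__main__":
    print(parse_asan_report(SAMPLE_REPORT).summary())
```

Run on the sample it prints one line naming the fault type, the access direction, the fault address with the null-plus-offset classification, and the first source-level frame; pointing it at a full ASan log (for example the one captured from MiniBrowser above) works the same way, since frames in formats it does not recognise are kept with their raw text rather than dropped.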