[Webkit-unassigned] [Bug 284961] New: Touch events causing a seg fault causing memory corruption in iterator
bugzilla-daemon at webkit.org
Thu Dec 19 10:21:47 PST 2024
https://bugs.webkit.org/show_bug.cgi?id=284961
Bug ID: 284961
Summary: Touch events causing a seg fault causing memory corruption in iterator
Product: WebKit
Version: WebKit Nightly Build
Hardware: Other
OS: Linux
Status: NEW
Severity: Blocker
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: himanshugaur2610 at gmail.com
Created attachment 473608
--> https://bugs.webkit.org/attachment.cgi?id=473608&action=review
log file corresponding to that lambda function that indicates the memory corruption/segfault for the addResult iterator
This is when I am rendering using the dmabuf API for wpewebkit version 2.44.4. I have added some debugging code (cout, cerr, etc.). This happens in the down lambda function in Source/WebKit/WPEPlatform/wpe/wayland/WPEWaylandSeat.cpp.
Description: Seeing a seg fault where the iterator is out of bounds and tries to access an invalid memory location after about 5 or 6 touches. The logs clearly indicate that the memory and addresses for the memory held by the x and y values in the hashmap are fine, but after about 5 to 6 touches (sometimes fewer or more), memory corruption is seen.
Steps to Reproduce:
1) Load any application that utilizes the dmabuf API and render a webpage on the device running Linux.
2) The device has touch screen capability. Touch the screen multiple times and observe the value of the addResult iterator in the down lambda function in Source/WebKit/WPEPlatform/wpe/wayland/WPEWaylandSeat.cpp.
Actual Results: Segfault occurs, causing the application to crash.
Expected Results: The application should not have crashed and should have responded to the touch event without any issues. Moreover, the iterator value for the hashmap must not have been corrupted.
Build Date & Hardware: wpewebkit version 2.44.4; also seen on all subsequent stable tarball releases.
Additional Builds and Platforms: Seen on an EVK that uses the dmabuf API on a Mali G57 GPU. The EVK is a Genio 700 running libmali.
Additional Information: Added logging to the lambda function to demonstrate how the memory associated with the iterator gets corrupted.
Here is the code:
#include <iostream> // needed for the std::cerr debugging lines added below

const struct wl_touch_listener WaylandSeat::s_touchListener = {
    // down
    [](void* data, struct wl_touch*, uint32_t, uint32_t time, struct wl_surface* surface, int32_t id, wl_fixed_t x, wl_fixed_t y)
    {
        if (!surface)
            return;
        auto* view = wl_surface_get_user_data(surface);
        if (!WPE_IS_VIEW(view))
            return;
        auto& seat = *static_cast<WaylandSeat*>(data);
        seat.m_touch.view.reset(WPE_VIEW(view));

        // State of the touch-point map before this event is recorded.
        std::cerr << "Before adding: " << seat.m_touch.points.size() << std::endl;
        std::cerr << "Before adding: " << &seat.m_touch.points << std::endl;

        // HashMap::add keeps an existing entry untouched; isNewEntry tells which case applies.
        auto addResult = seat.m_touch.points.add(id, std::pair<double, double>(wl_fixed_to_double(x), wl_fixed_to_double(y)));
        ////////////
        std::cerr << "addResult iterator address: " << &(*addResult.iterator) << std::endl;
        std::cerr << "addResult isNewEntry: " << addResult.isNewEntry << std::endl;

        // Check the memory location of the iterator compared to other iterators
        std::cerr << "First iterator address: " << &(*seat.m_touch.points.begin()) << std::endl;
        std::cerr << "Iterator value.first address: " << &(addResult.iterator->value.first) << std::endl;
        std::cerr << "Iterator value.second address: " << &(addResult.iterator->value.second) << std::endl;

        // Compare iterators by their addresses (works around type mismatch).
        // Note: forming *end() here is only used to take its address, never to read through it.
        if (std::addressof(*addResult.iterator) != std::addressof(*seat.m_touch.points.end())) {
            // If the iterator is valid, check isNewEntry and then safely access the values
            if (addResult.isNewEntry) {
                std::cerr << "New entry added!" << std::endl;
            } else {
                std::cerr << "Iterator already exists!" << std::endl;
            }
        }

        // Event parameters as received from Wayland, then the values read back through the iterator.
        std::cerr << "Touch Down Event: " << std::endl;
        std::cerr << "Time:" << time << std::endl;
        std::cerr << "Surface: " << surface << std::endl;
        std::cerr << "ID: " << id << std::endl;
        std::cerr << "WLX: " << wl_fixed_to_double(x) << std::endl;
        std::cerr << "WLY: " << wl_fixed_to_double(y) << std::endl;
        std::cerr << "IterX: " << addResult.iterator->value.first << std::endl;
        std::cerr << "IterY: " << addResult.iterator->value.second << std::endl;

        auto* event = wpe_event_touch_new(WPE_EVENT_TOUCH_DOWN, seat.m_touch.view.get(), seat.m_touch.source, time, seat.modifiers(),
            id, addResult.iterator->value.first, addResult.iterator->value.second);
        wpe_view_event(seat.m_touch.view.get(), event);
        wpe_event_unref(event);
    },
    // remaining wl_touch_listener callbacks not included in the report
};
This is 100% reproducible. I have already run evtest to rule out the possibility that it has anything to do with the hardware.
Attached is the log file corresponding to that lambda function that indicates the memory corruption/segfault for the addResult iterator:
[ITEARTOR_TOUCH_ISSUE.txt]
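The `down` handler above records the point with `add` and then reads the coordinates back through the returned iterator instead of from the event itself, so the `isNewEntry` log line decides what the view actually receives. The following is an added example, written for this page and not part of the bug report or of WebKit; it uses `std::unordered_map` and `emplace()` as stand-ins for `WTF::HashMap` and `HashMap::add()` (both leave an existing entry untouched when the key is already present), and the `touchDown`/`touchUp` helpers and the touch ids and coordinates are constructed for illustration. It shows what the "Iterator already exists!" branch implies: when a touch id is reused without the entry having been removed in between, the coordinates delivered downstream are the stale ones from the earlier touch, not the ones in the new event.

```cpp
// Added example (not the report's code and not WebKit's): models the
// add-then-read-back pattern of the `down` callback with std::unordered_map
// standing in for WTF::HashMap. Both leave an existing entry untouched on
// add/emplace, which is the semantics the report's `isNewEntry` log probes.
#include <cstdint>
#include <iostream>
#include <unordered_map>
#include <utility>

struct TouchState {
    // Constructed stand-in for seat.m_touch.points: touch id -> (x, y).
    std::unordered_map<int32_t, std::pair<double, double>> points;
};

struct DownResult {
    bool isNewEntry;
    double x;    // coordinates actually stored under this id after the add
    double y;
    bool stale;  // true when the stored coordinates differ from the event's
};

// Mirrors the `down` handler: add the point, then read the coordinates back
// through the returned iterator rather than from the event parameters.
DownResult touchDown(TouchState& state, int32_t id, double x, double y) {
    auto addResult = state.points.emplace(id, std::make_pair(x, y));
    const auto& stored = addResult.first->second;  // untouched if key existed
    return { addResult.second, stored.first, stored.second,
             stored.first != x || stored.second != y };
}

// The counterpart an `up` handler has to perform so a reused id starts fresh.
bool touchUp(TouchState& state, int32_t id) {
    return state.points.erase(id) == 1;
}

// Scenario 1 (constructed): id 0 is reused with no `up` in between. The second
// add is not a new entry and the old coordinates are what get read back.
DownResult reuseWithoutUp() {
    TouchState state;
    touchDown(state, 0, 10.0, 20.0);
    return touchDown(state, 0, 30.0, 40.0);
}

// Scenario 2 (constructed): `up` removes the entry between the two downs, so
// the second add is a new entry carrying the current coordinates.
DownResult reuseAfterUp() {
    TouchState state;
    touchDown(state, 0, 10.0, 20.0);
    touchUp(state, 0);
    return touchDown(state, 0, 30.0, 40.0);
}

int main() {
    DownResult a = reuseWithoutUp();
    std::cout << "without up: isNewEntry=" << a.isNewEntry
              << " x=" << a.x << " y=" << a.y << " stale=" << a.stale << '\n';
    DownResult b = reuseAfterUp();
    std::cout << "after up:   isNewEntry=" << b.isNewEntry
              << " x=" << b.x << " y=" << b.y << " stale=" << b.stale << '\n';
    return 0;
}
```

The `stale` flag is the check worth logging alongside `isNewEntry` when debugging a handler like this: it is computed from values the handler already has, costs nothing, and distinguishes "id already present with the same point" from "id already present with a different point", which the address dumps in the report cannot tell apart.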