WebKit Bugzilla
Attachment 358765 Details for Bug 193309: Safari Crashing in Version 12.0.1 (14606.2.104.1.1) WebCore::GraphicsLayerCA::updateBackdropFilters
Patch: bug-193309-20190110114040.patch (text/plain), 3.76 KB, created by Dean Jackson on 2019-01-09 16:40:42 PST

Description: Patch
Filename: bug-193309-20190110114040.patch
MIME Type: text/plain
Creator: Dean Jackson
Created: 2019-01-09 16:40:42 PST
Size: 3.76 KB
Status: patch, obsolete
>Subversion Revision: 239780 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index bea20b023cc10c5b589dfd5cf02f246afa288bad..24216edde167fdadd35845fdc8b11da7bf140cad 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,26 @@ >+2019-01-09 Dean Jackson <dino@apple.com> >+ >+ Safari Crashing in Version 12.0.1 (14606.2.104.1.1) WebCore::GraphicsLayerCA::updateBackdropFilters >+ https://bugs.webkit.org/show_bug.cgi?id=193309 >+ <rdar://problem/45279224> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ A speculative fix for a CheckedArithmetic crash triggered in updateBackdropFilters. >+ >+ The crash log indicates we crash in a Checked<> class that is not recording >+ overflow i.e. it is crashing due to an overflow. The only place in this function >+ where that could happen is when we convert the FloatRect for the backdrop >+ region into a Checked<unsigned> for width and height. This suggests that either >+ the width or height are negative, or the float values are too large for integers, >+ or the product of the two overflows. >+ >+ Avoid this by using RecordOverflow, but also changing the code a little to >+ bail if the rectangle is incorrect. >+ >+ * platform/graphics/ca/GraphicsLayerCA.cpp: >+ (WebCore::GraphicsLayerCA::updateBackdropFilters): >+ > 2019-01-09 Justin Fan <justin_fan@apple.com> > > [WebGPU] Fix vertex-buffer-triangle-strip test and small update to GPURenderPipeline >diff --git a/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp b/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp >index 650eb6c8e54ab7225ea8940c1d8213becdb0fd95..e574f978509560ca03a67f827e9c3a18229d1eb4 100644 >--- a/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp >+++ b/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp 
>@@ -2147,18 +2147,22 @@ void GraphicsLayerCA::updateFilters() > > void GraphicsLayerCA::updateBackdropFilters(CommitState& commitState) > { >+ using CheckedUnsigned = Checked<unsigned, RecordOverflow>; >+ > bool canHaveBackdropFilters = needsBackdrop(); > > if (canHaveBackdropFilters) { >- Checked<unsigned, RecordOverflow> backdropFilterArea = Checked<unsigned>(static_cast<int>(m_backdropFiltersRect.rect().width())) * Checked<unsigned>(static_cast<int>(m_backdropFiltersRect.rect().height())); >- if (backdropFilterArea.hasOverflowed()) >- canHaveBackdropFilters = false; >- else { >- Checked<unsigned, RecordOverflow> newTotalBackdropFilterArea = Checked<unsigned, RecordOverflow>(commitState.totalBackdropFilterArea) + backdropFilterArea; >- if (newTotalBackdropFilterArea.hasOverflowed() || newTotalBackdropFilterArea.unsafeGet() > cMaxTotalBackdropFilterArea) >- canHaveBackdropFilters = false; >- else >- commitState.totalBackdropFilterArea = newTotalBackdropFilterArea.unsafeGet(); >+ canHaveBackdropFilters = false; >+ IntRect backdropFilterRect = enclosingIntRect(m_backdropFiltersRect.rect()); >+ if (backdropFilterRect.width() > 0 && backdropFilterRect.height() > 0) { >+ CheckedUnsigned backdropFilterArea = CheckedUnsigned(backdropFilterRect.width()) * CheckedUnsigned(backdropFilterRect.height()); >+ if (!backdropFilterArea.hasOverflowed()) { >+ CheckedUnsigned newTotalBackdropFilterArea = CheckedUnsigned(commitState.totalBackdropFilterArea) + backdropFilterArea; >+ if (!newTotalBackdropFilterArea.hasOverflowed() && newTotalBackdropFilterArea.unsafeGet() <= cMaxTotalBackdropFilterArea) { >+ commitState.totalBackdropFilterArea = newTotalBackdropFilterArea.unsafeGet(); >+ canHaveBackdropFilters = true; >+ } >+ } > } > } >
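Review bot: the ChangeLog entry lists only platform/graphics/ca/GraphicsLayerCA.cpp and says nothing about tests; since the entry itself calls this a speculative fix for a crash seen only in a crash log, it should either name a regression test that exercises a degenerate backdrop rect (negative or very large width/height, as the entry hypothesises) or carry the usual "No new tests" line with the reason none could be written. The entry should also mention that the new code treats a zero-width or zero-height rect as "no backdrop filters", since that is a behaviour change from the area-0 path the old code allowed and a reader of the log cannot infer it from "changing the code a little to bail if the rectangle is incorrect".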
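Review bot: in the GraphicsLayerCA.cpp hunk, the guard `if (backdropFilterRect.width() > 0 && backdropFilterRect.height() > 0)` changes behaviour for empty rects: the removed code computed an area of 0, added it to commitState.totalBackdropFilterArea and left canHaveBackdropFilters true, whereas the new code leaves canHaveBackdropFilters false, so a layer whose backdrop rect is transiently empty now drops its backdrop filters. If that is intended, state it in the ChangeLog; if not, treat a 0 width or height as area 0 rather than as an invalid rect. Separately, the float-to-int conversion moves from `static_cast<int>(m_backdropFiltersRect.rect().width())` to `enclosingIntRect(m_backdropFiltersRect.rect())`; since the ChangeLog's own hypothesis is that the float values may be too large for an int, please confirm that enclosingIntRect clamps out-of-range values instead of overflowing, otherwise the crash only moves one line up. Using Checked<unsigned, RecordOverflow> for both the product and the sum, and testing hasOverflowed() before every unsafeGet(), is the right replacement for the old Checked<unsigned>(int) temporaries, which would crash on a negative or unrepresentable input rather than record it.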
Flags: graouts: review+