Bug 212415

Summary:

WebKit Crashes when SVG Filter Logging is Turned On

Product:

WebKit

Reporter:

frankhome61

Component:

SVG

Assignee:

frankhome61

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cdumez, changseok, darin, dino, esprehn+autocc, ews-watchlist, gyuyoung.kim, kondapallykalyan, mmaxfield, simon.fraser, webkit-bug-importer, zimmermann

Priority:

Keywords:

InRadar

Version:

Other

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	simon.fraser: review-
Patch	none
Patch	none
Patch - updated reviewer name	frankhome61: review+, ews-feeder: commit-queue-

Description frankhome61 2020-05-27 10:03:43 PDT

WebKit crashes when the flag -WebCoreLogging "Filters" is present, which turns on the logging for SVG Filters.
This is due to uncaught null pointers in 

FilterEffect::imageBufferResult(), 
FilterEffect::copyUnmultipliedResult() and 
FilterEffect::copyPremultipliedResult()

Step to reproduce: 
1. Turn on filter logging by adding the flag -WebCoreLogging "Filters" in build scheme
2. Launch MiniBrowser and load an html file with SVG

Result: 
MiniBrowser crashes

Comment 1 Radar WebKit Bug Importer 2020-05-27 10:04:37 PDT

<rdar://problem/63679095>

Comment 2 frankhome61 2020-05-27 10:08:58 PDT

Created attachment 400345 [details]
Patch

Comment 3 Myles C. Maxfield 2020-05-27 10:20:53 PDT

Comment on attachment 400345 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=400345&action=review

> Source/WebCore/ChangeLog:7
> +

Need some explanation.

> Source/WebCore/ChangeLog:8
> +        No new tests (OOPS!).

Need justification for why there are no tests

> Source/WebCore/platform/graphics/filters/FilterEffect.cpp:272
> +        LOG_WITH_STREAM(Filters, stream << " m_premultipliedImageResult " << m_premultipliedImageResult->data());

I think this will create new lines, which probably isn't the intention. "FilterEffect" looks like it was an intentional prefix, to aid for things like grepping through logs.

How about using StringBuilder to reduce this giant line into something more readable? Perhaps putting this stuff in its own function, too?

Comment 4 Simon Fraser (smfr) 2020-05-27 11:22:24 PDT

Comment on attachment 400345 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=400345&action=review

> Source/WebCore/platform/graphics/filters/FilterEffect.cpp:269
> -    LOG_WITH_STREAM(Filters, stream << "FilterEffect " << filterName() << " " << this << " imageBufferResult(). Existing image buffer " << m_imageBufferResult.get() <<  " m_premultipliedImageResult " << m_premultipliedImageResult->data() << " m_unmultipliedImageResult " << m_unmultipliedImageResult->data());
> +    LOG_WITH_STREAM(Filters, stream << "FilterEffect " << filterName() << " " << this << " imageBufferResult(). Existing image buffer " << m_imageBufferResult.get());

You want to do:
LOG_WITH_STREAM(Filters, stream << "FilterEffect " << filterName() << " " << this << " imageBufferResult(). Existing image buffer " << m_imageBufferResult.get() << " m_premultipliedImageResult " << (m_premultipliedImageResult  ? m_premultipliedImageResult->data() : nullptr) << " m_unmultipliedImageResult " << (m_unmultipliedImageResult  ? m_unmultipliedImageResult->data() : nullptr));

Comment 5 frankhome61 2020-06-04 10:55:52 PDT

Created attachment 401045 [details]
Patch

Comment 6 Simon Fraser (smfr) 2020-06-04 14:06:47 PDT

Comment on attachment 401045 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=401045&action=review

> Source/WebCore/platform/graphics/filters/FilterEffect.cpp:284
> +    StringBuilder builder;
> +    StringPrintStream logStream;
> +    logStream.printf("FilterEffect %s %p %s(). Existing image buffer %p", filterName(), this, resultType, m_imageBufferResult.get());
> +    
> +    if (m_premultipliedImageResult)
> +        logStream.printf(" m_premultipliedImageResult %p ", m_premultipliedImageResult->data());
> +    else
> +        logStream.printf(" m_premultipliedImageResult %p", nullptr);
> +        
> +    if (m_unmultipliedImageResult)
> +        logStream.printf(" m_unmultipliedImageResult %p", m_unmultipliedImageResult->data());
> +    else
> +        logStream.printf(" m_unmultipliedImageResult %p", nullptr);
> +    builder.append(logStream.toString());
> +    
> +    return builder.toString();

This seems worse than the original. 

Implement TextStream& operator<<(TextStream&, const ImageBuffer&)

then use ValueOrNull() in the logging.

Comment 7 frankhome61 2020-06-09 11:53:45 PDT

Created attachment 401456 [details]
Patch

Comment 8 frankhome61 2020-06-09 12:52:08 PDT

Created attachment 401463 [details]
Patch

Comment 9 frankhome61 2020-06-09 14:11:54 PDT

Created attachment 401474 [details]
Patch - updated reviewer name

Comment 10 EWS 2020-06-09 14:16:25 PDT

guowei_yang@apple.com does not have committer permissions according to https://trac.webkit.org/browser/webkit/trunk/Tools/Scripts/webkitpy/common/config/contributors.json.

Rejecting attachment 401474 [details] from commit queue.

Comment 11 EWS 2020-06-09 14:47:49 PDT

Committed r262813: <https://trac.webkit.org/changeset/262813>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 401463 [details].

Comment 12 Simon Fraser (smfr) 2020-06-09 15:02:28 PDT

Comment on attachment 401463 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=401463&action=review

> Source/WebCore/html/ImageData.cpp:122
> +    // Print out the address of the pixel data array
> +    return ts << imageData.data();

This comment can be removed.

This should also output the size.