Bug 218490

Summary: crash in WebCore::Cairo::strokePath
Product: WebKit
Reporter: SUNG <tadinhsung>
Component: Platform
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: cdumez, Hironori.Fujii
Priority: P2
Version: WebKit Local Build
Hardware: Unspecified
OS: Linux
Attachments (Description / Flags):
poc.html / none
crash log of WinCairo port / none
simplified poc / none
simplified poc / none

Description SUNG 2020-11-03 01:54:47 PST
Created attachment 413024 [details]
poc.html

VERSION
WebkitGTK Version: 2.30.2 stable.
Operating System: Ubuntu 18.04 (Docker).

REPRODUCTION CASE
0. build WebkitGTK with ASAN flags or you can use my docker script at https://github.com/Mipu94/Docker_webkitASAN
1. open poc.html in MiniBrowser (ASAN build)

CRASH INFORMATION
root@8b2127d9cd7a:~/webkitASAN# ASAN_SYMBOLIZER_PATH=/root/clang/bin/llvm-symbolizer  ./bin/MiniBrowser test.html 
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==302==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f80b3c6d817 bp 0x62d000101848 sp 0x7fffbbd7b120 T0)
==302==The signal is caused by a READ memory access.
==302==Hint: address points to the zero page.
    #0 0x7f80b3c6d817  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x59817)
    #1 0x7f80b3c7f86e  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6b86e)
    #2 0x7f80b3c80401  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6c401)
    #3 0x7f80b3c3a236  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x26236)
    #4 0x7f80b3c4bf01  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x37f01)
    #5 0x7f80b3c842b8  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x702b8)
    #6 0x7f80b3c421c3  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x2e1c3)
    #7 0x7f80b3c3bbc8  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x27bc8)
    #8 0x7f80b3c349d4 in cairo_stroke (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x209d4)
    #9 0x7f80c2cc74ad in WebCore::Cairo::strokePath(WebCore::PlatformContextCairo&, WebCore::Path const&, WebCore::Cairo::StrokeSource const&, WebCore::Cairo::ShadowState const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/CairoOperations.cpp:820:5
    #10 0x7f80c2ceaf1d in WebCore::GraphicsContextImplCairo::strokePath(WebCore::Path const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/GraphicsContextImplCairo.cpp:219:5
    #11 0x7f80c2ce2358 in WebCore::GraphicsContext::strokePath(WebCore::Path const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:197:17
    #12 0x7f80c317d528 in WebCore::RenderBoxModelObject::drawBoxSideFromPath(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::Path const&, WebCore::BorderEdge const*, float, float, WebCore::BoxSide, WebCore::RenderStyle const&, WebCore::Color, WebCore::BorderStyle, WebCore::BackgroundBleedAvoidance, bool, bool) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:2048:25
    #13 0x7f80c3176af8 in WebCore::RenderBoxModelObject::paintOneBorderSide(WebCore::GraphicsContext&, WebCore::RenderStyle const&, WebCore::RoundedRect const&, WebCore::RoundedRect const&, WebCore::LayoutRect const&, WebCore::BoxSide, WebCore::BoxSide, WebCore::BoxSide, WebCore::BorderEdge const*, WebCore::Path const*, WebCore::BackgroundBleedAvoidance, bool, bool, bool, WebCore::Color const*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:1687:9
    #14 0x7f80c317f291 in WebCore::RenderBoxModelObject::paintBorderSides(WebCore::GraphicsContext&, WebCore::RenderStyle const&, WebCore::RoundedRect const&, WebCore::RoundedRect const&, WebCore::IntPoint const&, WebCore::BorderEdge const*, unsigned int, WebCore::BackgroundBleedAvoidance, bool, bool, bool, WebCore::Color const*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:1753:9
    #15 0x7f80c312cea7 in WebCore::RenderBoxModelObject::paintBorder(WebCore::PaintInfo const&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::BackgroundBleedAvoidance, bool, bool) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:1993:9
    #16 0x7f80c31275a3 in WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBox.cpp:1399:9
    #17 0x7f80c345c1f5 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderReplaced.cpp:180:9
    #18 0x7f80c31d6300 in WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderElement.cpp:1024:13
    #19 0x7f80c31d6300 in WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderElement.cpp:1039:9
    #20 0x7f80c3029a67 in WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/InlineElementBox.cpp:81:16
    #21 0x7f80c303ea8e in WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/InlineFlowBox.cpp:1217:23
    #22 0x7f80c35c55db in WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RootInlineBox.cpp:168:20
    #23 0x7f80c33cca9d in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLineBoxList.cpp:260:19
    #24 0x7f80c30a298e in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1129:9
    #25 0x7f80c30a298e in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1298:9
    #26 0x7f80c309ea74 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1108:5
    #27 0x7f80c30a0df2 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1185:19
    #28 0x7f80c30a070d in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1149:14
    #29 0x7f80c30a29d5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1142:9
    #30 0x7f80c30a29d5 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1298:9
    #31 0x7f80c309ea74 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1108:5
    #32 0x7f80c332f7f9 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:5134:20
    #33 0x7f80c33279c4 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:5111:9
    #34 0x7f80c331c261 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4706:17
    #35 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4414:5
    #36 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4396:5
    #37 0x7f80c331c449 in WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4824:21
    #38 0x7f80c331c449 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4722:13
    #39 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4414:5
    #40 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4396:5
    #41 0x7f80c3314a46 in WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::RenderLayer::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4189:5
    #42 0x7f80c271faa4 in WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/page/FrameView.cpp:4313:16
    #43 0x7f80c2a4f037 in WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/ScrollView.cpp:1277:9
    #44 0x7f80beb56d47 in WebKit::WebPage::drawRect(WebCore::GraphicsContext&, WebCore::IntRect const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/WebPage.cpp:1848:39
    #45 0x7f80bebde0ef in WebKit::DrawingAreaCoordinatedGraphics::display(WebKit::UpdateInfo&) /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:800:23
    #46 0x7f80bebdb6f5 in WebKit::DrawingAreaCoordinatedGraphics::sendDidUpdateBackingStoreState() /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:480:9
    #47 0x7f80bebd894d in WebKit::DrawingAreaCoordinatedGraphics::display() /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:709:9
    #48 0x7f80bb44b5a4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #49 0x7f80bb44b5a4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
    #50 0x7f80bb448b3c in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #51 0x7f80bb448b3c in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #52 0x7f80afa21284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284)
    #53 0x7f80afa2164f  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64f)
    #54 0x7f80afa21961 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c961)
    #55 0x7f80bb44a08e in WTF::RunLoop::run() /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
    #56 0x7f80bec13bec in int WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMainGtk>(int, char**) /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/Shared/AuxiliaryProcessMain.h:68:5
    #57 0x7f80abe0cb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #58 0x41cfa9 in _start (/usr/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41cfa9)
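A triage helper for the report above, added here as an example and not part of the bug report or of WebKit: it parses the ASAN header and frame lines, flags a fault address below the page size as a NULL-plus-field-offset dereference (0x30 here) and picks the first frame that symbolized to a source location, which is where a crash like this is attributed when the leaf library frames carry no symbols. The three-frame excerpt of the log and the 0x1000 page-size threshold are assumptions of the example.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted above (three of its 59 frames).
SAMPLE_LOG = """\
==302==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f80b3c6d817 bp 0x62d000101848 sp 0x7fffbbd7b120 T0)
==302==The signal is caused by a READ memory access.
==302==Hint: address points to the zero page.
    #0 0x7f80b3c6d817  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x59817)
    #8 0x7f80b3c349d4 in cairo_stroke (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x209d4)
    #9 0x7f80c2cc74ad in WebCore::Cairo::strokePath(WebCore::PlatformContextCairo&, WebCore::Path const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/CairoOperations.cpp:820:5
"""

PAGE_SIZE = 0x1000  # assumption: faults below this are NULL plus a struct member offset

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)(?: on (?:unknown )?address (0x[0-9a-f]+))?")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+\s+(.*)$")
SOURCE_RE = re.compile(r":\d+(?::\d+)?$")  # file.cpp:820:5 means the frame resolved to source


def parse_frame(line):
    """Split one ASAN frame line into (index, function or None, location)."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    rest = m.group(2).strip()
    loc = rest.rsplit(maxsplit=1)[-1]          # module+offset or file:line:col is the last token
    head = rest[: len(rest) - len(loc)].strip()
    func = head[3:] if head.startswith("in ") else None
    return int(m.group(1)), func, loc


def triage(log):
    """Classify an ASAN report: fault kind, NULL-deref verdict, first frame with source info."""
    result = {"kind": None, "address": None, "access": None,
              "null_deref": False, "field_offset": None, "first_symbolized": None}
    for line in log.splitlines():
        h = HEADER_RE.search(line)
        if h:
            result["kind"] = h.group(1)
            if h.group(2):
                result["address"] = int(h.group(2), 16)
        a = ACCESS_RE.search(line)
        if a:
            result["access"] = a.group(1)
        frame = parse_frame(line)
        if frame and result["first_symbolized"] is None and SOURCE_RE.search(frame[2]):
            result["first_symbolized"] = frame
    if result["kind"] == "SEGV" and result["address"] is not None and result["address"] < PAGE_SIZE:
        result["null_deref"] = True
        result["field_offset"] = result["address"]  # 0x30 here: the member read through a NULL pointer
    return result
```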
Comment 1 Fujii Hironori 2020-11-03 12:33:34 PST
Created attachment 413090 [details]
crash log of WinCairo port
Comment 2 Fujii Hironori 2020-11-03 13:08:40 PST
Created attachment 413098 [details]
simplified poc
Comment 3 Fujii Hironori 2020-11-03 15:57:17 PST
Thank you very much for taking time to report the bug, Sung.
You might be interested in this. https://blog.playstation.com/2020/06/24/announcing-the-playstation-bug-bounty-program/
Comment 4 Fujii Hironori 2020-11-03 16:53:56 PST
Created attachment 413126 [details]
simplified poc
Comment 5 Fujii Hironori 2020-11-03 17:30:43 PST
This crash can be reproduced in the tip of cairo main line.
https://gitlab.freedesktop.org/cairo/cairo/-/commit/c3e48e63a2d2deeae6205ee746cc00c960c8c5c5

right was null in active_edges. The following patch can work around the crash.

diff --git a/src/cairo-polygon-intersect.c b/src/cairo-polygon-intersect.c
index 001e55ee0..c716bd37c 100644
--- a/src/cairo-polygon-intersect.c
+++ b/src/cairo-polygon-intersect.c
@@ -1179,6 +1179,8 @@ active_edges (cairo_bo_edge_t		*left,
 		}
 
 		right = right->next;
+		if (! right)
+		    return;
 	    } while (1);
 
 	    edges_start_or_continue (left, right, top, polygon);
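Review bot: the early `return` added after `right = right->next;` leaves active_edges without reaching the `edges_start_or_continue (left, right, top, polygon);` call that follows the `do { ... } while (1);` loop, so when the list runs out the current `left` edge is silently dropped instead of being started or continued; since the comment above presents this as a workaround for `right` being null, the hunk should at least carry a comment stating why the list can end here and why dropping that edge is acceptable, and the question of how `right` became null in the first place still needs a root-cause fix rather than only this guard.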
Comment 6 Fujii Hironori 2020-11-03 17:41:20 PST

*** This bug has been marked as a duplicate of bug 218487 ***