QWebFrame::render SIGSEGV with HiDPI + filter CSS

[jkozera]

I've encountered a crash in the TP5 QWebView with a HiDPI display by trying to add a filter: invert(); CSS.

The full backtrace of an example app is available at http://pastebin.com/4QFFD2nR and the example app is available at http://pastebin.com/cNwjAgZU

It doesn't happen if AA_EnableHighDpiScaling is not enabled.

Excerpt from the traceback:

#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:242
#1  0x00007ffff6101a96 in WebCore::FilterEffect::copyUnmultipliedImage(JSC::GenericTypedArrayView<JSC::Uint8ClampedAdaptor>*, WebCore::IntRect const&) () from /home/jkozera/Qt/5.8/gcc_64/lib/libQt5WebKit.so.5
#2  0x00007ffff60fd3d1 in WebCore::FEComponentTransfer::platformApplySoftware() () from /home/jkozera/Qt/5.8/gcc_64/lib/libQt5WebKit.so.5
#3  0x00007ffff61014df in WebCore::FilterEffect::apply() () from /home/jkozera/Qt/5.8/gcc_64/lib/libQt5WebKit.so.5
(...)
#13 0x00007ffff4f24cef in QWebFrameAdapter::renderRelativeCoords(QPainter*, int, QRegion const&) ()
   from /home/jkozera/Qt/5.8/gcc_64/lib/libQt5WebKit.so.5
#14 0x00007ffff7fce82e in QWebFrame::render(QPainter*, QFlags<QWebFrame::RenderLayer>, QRegion const&) ()
(...)
#37 0x00007fffee801b0c in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#38 0x00007ffff3a3dcbf in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /home/jkozera/Qt/5.8/gcc_64/lib/libQt5Core.so.5
#39 0x00007ffff39eb9ca in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /home/jkozera/Qt/5.8/gcc_64/lib/libQt5Core.so.5
#40 0x00007ffff39f39f4 in QCoreApplication::exec() () from /home/jkozera/Qt/5.8/gcc_64/lib/libQt5Core.so.5

[annulen]

Try applying patches https://bugs.webkit.org/show_bug.cgi?id=159495 and https://webkit.org/b/163762

[jkozera]

@annulen sadly it didn't help.

• 159495 is already applied at 71c61be.
• After adapting and applying the patch from 163762 the same crash occurs. (see jkozera@30f0865)
• I've even tried some more patches from WebKit master which seemed like they could be useful (see https://github.com/jkozera/webkit/tree/issue-461) but the crash is still the same.

[annulen]

Does crash happen with old QtWebKit released with Qt?

[jkozera]

I have just built the one from http://download.qt.io/community_releases/5.8/5.8.0-final/ and checked - the crash doesn't happen there.

[annulen]

Reproduced

[annulen]

Valgrind: https://0x0.st/3Xl.txt

[annulen]

Somehow we have identical sizes of scaledRect and scaledPaintSize (and therefore equal destinationScanline and sourceScanline), but destination->length() is 4 times larger than source->length() when QT_SCALE_FACTOR=2. Hence invalid read after source ended but destination wants more

[annulen]

I guess it means that earlier in execution flow scale factor was mistakenly applied to destination, or mistakenly was not applied to source.

[annulen]

Related: #201

[annulen]

Fixed