Comment #9 on issue 17569 by [email protected]: Crash in SkARGB32_Black_Blitter::blitMask
http://code.google.com/p/chromium/issues/detail?id=17569
From looking at the minidumps, it seems like memory corruption, but of the stack rather than the heap. It looks as if MaskSuperBlitter is overwriting its stack-allocated temp buffer. E.g., the "clip" ptr in SkARGB32_Opaque_Blitter::blitMask() in this particular minidump is 0xff333333, which in addition to being an invalid ptr looks suspiciously like an RGBA value (and srcColor in this case is in fact 0xff333333), so it looks as if the blitter is falling off the end of its fStorage array and "rendering" to the stack. "width" being 268435462 and "w" being 268414766 supports this thesis, since it means the loop had continued past the bounds of the array, but it's unclear if this is cause or effect: was "width" corrupted first (or computed badly), causing the blitter to go wild, or was the blitter already corrupting the stack, which hosed "width"?
----
from minidump 2349AE7E7EBF5E11:
(I've added * to stack entries which are probably corrupt).
.frame 0e:
this = 0x00000001 *
mask = 0x0fffaf2e *
clip = 0xff333333 *
width = 268435462 * (0x01000006)
height = 1076595 * (0x00106D73)
srcColor = 0xff333333
maskRB = 0xf0000000 *
devRB = 0xc0000c8c *
alpha = 0x00133000 "" *
w = 268414766 *
.frame 0f:
this = 0x00000001 *
.frame 10:
path = 0x0012e524 ?
clip = 0x0576dc88 *
blitter = 0x057a0240 *
clipper = class SkScanClipper
superRect = struct SkIRect *
ir = struct SkIRect
superBlit = class MaskSuperBlitter
superBlit = class SuperBlitter
0:000> dt /r path
Local var @ 0x12e3a0 Type SkPath*
0x0012e524
+0x000 fPts : SkTDArray<SkPoint>
+0x000 fArray : 0x056e2900 SkPoint
+0x000 fX : ??
+0x004 fY : ??
+0x004 fReserve : 0x44
+0x008 fCount : 0x42
+0x00c fVerbs : SkTDArray<unsigned char>
+0x000 fArray : 0x055826c0 ""
+0x004 fReserve : 0x32
+0x008 fCount : 0x24
+0x018 fBounds : SkRect
+0x000 fLeft : 15.5
+0x004 fTop : 429.5
+0x008 fRight : 20.5
+0x00c fBottom : 434.5
+0x028 fBoundsIsDirty : 0 ''
+0x029 fFillType : 0 ''
+0x02a fIsConvex : 0 ''
0:000> dt /r superRect
Local var @ 0x12e378 Type SkIRect
+0x000 fLeft : 1238772
+0x004 fTop : 1238772
+0x008 fRight : 0
+0x00c fBottom : 0
0:000> dt ir
Local var @ 0x12e388 Type SkIRect
+0x000 fLeft : 15
+0x004 fTop : 430
+0x008 fRight : 21
+0x00c fBottom : 435
0:000> dt /r superBlit
Local var @ 0x12dee4 Type MaskSuperBlitter
+0x000 __VFN_table : 0x02f718f8
+0x004 fRealBlitter : 0x057a0240 SkBlitter
+0x000 __VFN_table : ????
+0x008 fCurrIY : -1
+0x00c fWidth : 795
+0x010 fLeft : 0
+0x014 fSuperLeft : 0
+0x018 fMask : SkMask
+0x000 fImage : 0x0012df28 "???"
+0x004 fBounds : SkIRect
+0x000 fLeft : 15
+0x004 fTop : 430
+0x008 fRight : 21
+0x00c fBottom : 435
+0x014 fRowBytes : 6
+0x018 fFormat : 1 ( kA8_Format )
+0x034 fClipRect : SkIRect
+0x000 fLeft : 15
+0x004 fTop : 430
+0x008 fRight : 268435477 *
+0x00c fBottom : 1077025 *
+0x044 fStorage : [257] 0x9f9fea10 *
0:000> .frame 11
11 0012e564 0278b157 chrome_23a0000!SkDraw::drawPath+0x250 [c:\b\slave\chromium-rel-xp\build\src\third_party\skia\src\core\skdraw.cpp @ 866]
0:000> dv
this = 0x00000001
origSrcPath = 0x3f800000
paint = 0x05569f0c
prePathMatrix = 0x00000000
pathIsMutable = false
matrix = 0x05569f0c
blitter = class SkAutoBlitterChoose
tmpPath = class SkPath
aprc = class SkAutoPaintRestoreColorStrokeWidth
tmpMatrix = class SkMatrix
doFill = true
pathPtr = 0x0012e524
width = 1
mask = struct SkMask
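The triage in the comment above rests on two heuristics: a pointer-typed local that equals the current pixel colour was probably overwritten by pixel data, and a width or height in the hundreds of millions is not a real bitmap dimension. The script below is an added example, not the commenter's or the Chromium project's code. It parses locals in the `name = value` layout that WinDbg's `dv` prints, classifies each local by the role it has in `blitMask` (pointer, dimension, row stride; this role mapping and the plausibility limits are assumptions chosen for the example), and reports the values that cannot be legitimate. The sample input is the frame 0e listing quoted in the comment.

```python
import re

# Constructed sample input: the frame-0e locals quoted in the comment, laid out
# the way WinDbg's "dv" prints them (name = value). The trailing "" after alpha is
# the debugger's attempt to show the pointed-to string and is ignored by the parser.
FRAME_0E = """\
this = 0x00000001
mask = 0x0fffaf2e
clip = 0xff333333
width = 268435462
height = 1076595
srcColor = 0xff333333
maskRB = 0xf0000000
devRB = 0xc0000c8c
alpha = 0x00133000 ""
w = 268414766
"""

# Assumed roles for each local, inferred from how the comment uses them
# (pointers, pixel dimensions, row strides). These sets are an assumption.
POINTER_VARS = {"this", "mask", "clip", "alpha"}
DIMENSION_VARS = {"width", "height", "w"}
STRIDE_VARS = {"maskRB", "devRB"}

MAX_PLAUSIBLE_DIM = 1 << 16                   # assumption: no bitmap side exceeds 65536 px
MAX_PLAUSIBLE_STRIDE = MAX_PLAUSIBLE_DIM * 4  # 4 bytes per ARGB32 pixel
USER_SPACE_LIMIT = 0x80000000                 # 32-bit Windows user-mode ceiling (default 2 GB split)

_LINE_RE = re.compile(r"^\s*(\w+)\s*=\s*(0x[0-9a-fA-F]+|-?\d+)\b")


def parse_dv(text):
    """Parse 'name = value' lines from a dv listing into {name: int}.
    Values with a 0x prefix are read as hex, everything else as decimal."""
    locals_ = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw = m.group(2)
        locals_[m.group(1)] = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return locals_


def triage(locals_):
    """Return {name: [reasons]} for locals whose value is implausible for its role."""
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    color = locals_.get("srcColor")
    for name, val in locals_.items():
        if name in POINTER_VARS:
            if val == 0:
                flag(name, "null pointer")
            elif val & 0x3:
                flag(name, "pointer not 4-byte aligned")
            elif val >= USER_SPACE_LIMIT:
                flag(name, "pointer outside 32-bit user address space")
            if color is not None and val == color:
                flag(name, "equals srcColor: a pixel value appears to have overwritten the pointer")
        elif name in DIMENSION_VARS:
            if val < 0:
                flag(name, "negative dimension")
            elif val > MAX_PLAUSIBLE_DIM:
                flag(name, f"implausibly large dimension ({val} > {MAX_PLAUSIBLE_DIM})")
        elif name in STRIDE_VARS:
            if val <= 0 or val > MAX_PLAUSIBLE_STRIDE:
                flag(name, f"implausible row stride (0x{val:x})")
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_dv(FRAME_0E)).items():
        print(f"{name:>9}: {'; '.join(reasons)}")
```

Running it flags `clip` twice (misaligned, and equal to `srcColor`), every dimension and stride, and the misaligned `this` and `mask`, while `srcColor` and `alpha` pass. That matches the comment's hand-marked asterisks except for `alpha`, whose value is well-formed as a pointer; a first-pass heuristic like this narrows the candidates but does not replace reading the frame.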