RESOLVED FIXED 6947
reproducible crash in SVG Game (due to graphics context set-up)
https://bugs.webkit.org/show_bug.cgi?id=6947
Eric Seidel (no email)
Reported 2006-01-30 17:43:38 PST
Reproducible SVG Crash, p2 SVG Hitlist.
Attachments
reduction (1.24 KB, image/svg+xml)
2006-04-16 10:37 PDT, Alexander Kellett
no flags
More reduced test case (492 bytes, image/svg+xml)
2006-05-06 00:52 PDT, jonathanjohnsson
no flags
Eric Seidel (no email)
Comment 1 2006-01-30 17:43:49 PST
Darin Adler
Comment 2 2006-02-10 09:30:55 PST
Reproducible crashes, even in SVG, are P1.
Alexander Kellett
Comment 3 2006-02-12 11:39:39 PST
unfortunately the actual game itself cannot possibly work so it doesn't seem like a very useful test case alas... a reduced testcase would be very useful. on first glance it looks like an extreme duplicate of 6713
Alice Liu
Comment 4 2006-03-16 18:11:43 PST
Alexander Kellett
Comment 5 2006-04-16 10:37:10 PDT
Created attachment 7745 [details] reduction
jonathanjohnsson
Comment 6 2006-05-06 00:52:16 PDT
Created attachment 8132 [details] More reduced test case

I reduced the reduction a bit more; it still crashes every time. The difference in the crash logs is mainly in the beginning, as follows (then proceeding identically, except for some addresses):

-- first reduction --
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x000003e1

Thread 0 Crashed:
0 com.apple.CoreGraphics 0x903c5560 CGColorTransformGetColorSpace + 52
1 libRIP.A.dylib 0x9474d258 ripc_GetRenderingState + 88
2 libRIP.A.dylib 0x9474c450 ripc_DrawImage + 144
3 com.apple.CoreGraphics 0x903d9ef4 CGContextDelegateDrawImage + 76
4 com.apple.CoreGraphics 0x9046bac4 metalDelegate_FillRectWithImages + 360
5 com.apple.CoreGraphics 0x9046b944 CGContextDelegateFillRectWithImages + 116
6 com.apple.CoreGraphics 0x9046b728 Private_CGContextFillRectWithImagesPrivate + 124

-- second reduction --
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000009

Thread 0 Crashed:
0 com.apple.CoreGraphics 0x9043e514 CGContextDelegateSupportsFeature + 28
1 com.apple.CoreGraphics 0x9046b6f0 Private_CGContextFillRectWithImagesPrivate + 68
jonathanjohnsson
Comment 7 2006-05-06 01:05:25 PDT
My added test case is practically identical to the test case in bug 8425 (and can be reduced to it). I don't know if that qualifies as a duplicate, someone in the know should look at it. (My reduction was iterative, slowly removing and rearranging elements, crashing every iteration.)
Eric Seidel (no email)
Comment 8 2006-05-06 14:37:41 PDT
Yeah, I'm pretty sure I know what's causing this. Beginning a transparency layer, then swapping out the current context (in order to draw the filter content into a temporary buffer), then swapping it back in, causes the problem. In your reduction we have <g opacity="0.5"><g filter="url(#foo)"/></g> which is what is causing the crash.
Dave MacLachlan
Comment 9 2006-07-23 09:30:19 PDT
There is a patch for this attached to bug 8425.
Alexey Proskuryakov
Comment 10 2006-07-24 10:23:25 PDT
Fixed by a patch in bug 8425.