8425 – opacity on a group containing a blur filtered rect crashes

Bug 8425 - opacity on a group containing a blur filtered rect crashes

Summary: opacity on a group containing a blur filtered rect crashes

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	420+
Hardware:	Mac OS X 10.4

Importance:	P1 Major
Assignee:	Dave MacLachlan

URL:
Keywords:	SVGHitList

Depends on:
Blocks:	6947
	Show dependency tree / graph

Reported:	2006-04-16 12:02 PDT by Alexander Kellett
Modified:	2006-07-24 10:21 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
reduced testcase (521 bytes, image/svg+xml) 2006-04-16 12:03 PDT, Alexander Kellett	no flags	Details
Fix for 8425 and by extension 6947 (8.76 KB, patch) 2006-07-23 01:24 PDT, Dave MacLachlan	eric: review-	Details \| Formatted Diff \| Diff
Fix for 8425 and by extension 6947 (10.67 KB, patch) 2006-07-23 09:16 PDT, Dave MacLachlan	darin: review-	Details \| Formatted Diff \| Diff
Fix for 8425 and by extension 6947 (11.15 KB, patch) 2006-07-23 18:02 PDT, Dave MacLachlan	darin: review+	Details \| Formatted Diff \| Diff
Fix for 8425 and by extension 6947 (14.17 KB, patch) 2006-07-24 10:08 PDT, Dave MacLachlan	ap: review+	Details \| Formatted Diff \| Diff
Show Obsolete (4) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Kellett 2006-04-16 12:02:32 PDT

opacity on a group containing a blur filtered rect crashes

Comment 1 Alexander Kellett 2006-04-16 12:03:13 PDT

Created attachment 7748 [details]
reduced testcase

Comment 2 Eric Seidel (no email) 2006-04-16 12:06:40 PDT

This is probably caused by my bogus use of +[NSGraphicsContext setCurrentContext:].  Using opactiy will cause the parent to open a transparency layer.  Using a filter will cause the child to try and swap out the current context with setCurrentContext while the transparency layer is still open.  That's probably a bad thing :)  And probably what is causing the crash.

Comment 3 Alexey Proskuryakov 2006-07-11 10:49:48 PDT

Reproducible crash -> P1.

Comment 4 Alice Liu 2006-07-11 19:04:43 PDT

Date/Time:      2006-07-11 19:03:14.595 -0700
OS Version:     10.4.7 (Build 8J135)
Report Version: 4

Command: Safari
Path:    /Build/symroots/Debug/Safari.app/Contents/MacOS/Safari
Parent:  tcsh [219]

Version: 3.0 (521.15)

PID:    8003
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x7f80000f

Thread 0 Crashed:
0   libSystem.B.dylib        	0x9000197c pthread_mutex_lock + 36
1   <<00000000>> 	0x00000000 0 + 0
2   com.apple.CoreGraphics   	0x903bcf28 CGColorTransformGetColorSpace + 40
3   libRIP.A.dylib           	0x9470d018 ripc_GetRenderingState + 88
4   libRIP.A.dylib           	0x9470c1a4 ripc_DrawImage + 152
5   com.apple.CoreGraphics   	0x903d18e8 CGContextDelegateDrawImage + 76
6   com.apple.CoreGraphics   	0x904635a0 metalDelegate_FillRectWithImages + 360
7   com.apple.CoreGraphics   	0x90463420 CGContextDelegateFillRectWithImages + 116
8   com.apple.CoreGraphics   	0x90463204 Private_CGContextFillRectWithImagesPrivate + 124
9   com.apple.HIToolbox      	0x934dadd8 HIThemeDrawMetalWithProvider(CGRect const*, CGContext*) + 224
10  com.apple.HIToolbox      	0x9325a344 HIThemeDrawBackground + 220
11  com.apple.AppKit         	0x937fff80 -[NSGrayFrame drawWindowBackgroundRegion:level:] + 340
12  com.apple.AppKit         	0x937534a8 -[NSFrameView drawThemeContentFill:inView:] + 1028
13  com.apple.AppKit         	0x937ffd3c -[NSGrayFrame drawRect:] + 48
14  com.apple.AppKit         	0x9372f858 -[NSView _drawRect:clip:] + 2128
15  com.apple.AppKit         	0x9372e5fc -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 736
16  com.apple.AppKit         	0x9374f044 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 192
17  com.apple.AppKit         	0x93728054 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 384
18  com.apple.AppKit         	0x9371d348 -[NSView displayIfNeeded] + 248
19  com.apple.AppKit         	0x9371d1b8 -[NSWindow displayIfNeeded] + 180
20  com.apple.Safari         	0x000578d4 -[BrowserWindow displayIfNeeded] + 328 (BrowserWindow.m:301)
21  com.apple.AppKit         	0x9371d064 _handleWindowNeedsDisplay + 200
22  com.apple.CoreFoundation 	0x907db73c __CFRunLoopDoObservers + 352
23  com.apple.CoreFoundation 	0x907db9dc __CFRunLoopRun + 420
24  com.apple.CoreFoundation 	0x907db47c CFRunLoopRunSpecific + 268
25  com.apple.HIToolbox      	0x931e6740 RunCurrentEventLoopInMode + 264
26  com.apple.HIToolbox      	0x931e5dd4 ReceiveNextEventCommon + 380
27  com.apple.HIToolbox      	0x931e5c40 BlockUntilNextEventMatchingListInMode + 96
28  com.apple.AppKit         	0x936e9ae4 _DPSNextEvent + 384
29  com.apple.AppKit         	0x936e97a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
30  com.apple.Safari         	0x000322b4 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 292 (BrowserApplication.m:166)
31  com.apple.AppKit         	0x936e5cec -[NSApplication run] + 472
32  com.apple.AppKit         	0x937d687c NSApplicationMain + 452
33  com.apple.Safari         	0x00101de8 main + 420 (main.m:36)
34  com.apple.Safari         	0x0000265c _start + 340 (crt.c:272)
35  com.apple.Safari         	0x00002504 start + 60

Comment 5 Dave MacLachlan 2006-07-22 15:34:56 PDT

I'm not sure if it helps, but you can avoid the crash by not releasing the m_filterCIContext from the Filter in kCanvasFilterQuartz::applyFilter (approximately line 154 in kCanvasFilterQuarts.mm). Interestingly when you create the filter, the CGContext you pass in gets it's retain count incremented, but when you release the filter, the CGContext it wraps doesn't appear to get it's retain count decremented. 


CGLayerRelease(m_filterCGLayer);
m_filterCGLayer = 0;

->HardRelease(m_filterCIContext); //Remove this line and things seem fine...
m_filterCIContext = 0;

Also if you skip over the CGBegin/EndTransparencyGroup calls everything appears alright as well. Bugs with doing filters in transparency groups perhaps?

calling and restoring the context in a transparencygroup doesn't seem to be the problem, I wrote up quite a bit of sample test code and couldn't repro.

Comment 6 Dave MacLachlan 2006-07-23 01:24:10 PDT

Created attachment 9619 [details]
Fix for 8425 and by extension 6947

Comment 7 Eric Seidel (no email) 2006-07-23 01:32:14 PDT

Comment on attachment 9619 [details]
Fix for 8425 and by extension 6947

Looks great!  The only thing it needs is a changelog and your copyright.  Without those however, this can't be landed.

Comment 8 David Kilzer (:ddkilzer) 2006-07-23 03:29:19 PDT

(In reply to comment #7)
> (From update of attachment 9619 [details] [edit])
> Looks great!  The only thing it needs is a changelog and your copyright. 
> Without those however, this can't be landed.

Create a ChangeLog entry using the WebKitTools/Scripts/prepare-ChangeLog script.

Comment 9 Dave MacLachlan 2006-07-23 09:16:23 PDT

Created attachment 9630 [details]
Fix for 8425 and by extension 6947

This is the updated patch with ChangeLog and copyright notice attached. Thanks!

Comment 10 Darin Adler 2006-07-23 10:55:04 PDT

Comment on attachment 9630 [details]
Fix for 8425 and by extension 6947

But also, it's better to just do this with API instead of SPI. Just create and use an autorelease pool in the right place.
    NSAutoreleasePool* pool = [[NSAutoreleasePool alloc] init];
    m_filterCIContext = HardRetain([CIContext contextWithCGContext:cgContext options:contextOptions]);
    [pool drain];

KCanvasFilterQuartz::prepareFilter shhould not use this SPI either -- same technique can be used there.

Comment 11 Dave MacLachlan 2006-07-23 18:02:10 PDT

Created attachment 9641 [details]
Fix for 8425 and by extension 6947

Darin...good catch. Fixed it up how you suggested.

Comment 12 Darin Adler 2006-07-23 18:14:13 PDT

Comment on attachment 9641 [details]
Fix for 8425 and by extension 6947

r=me

Comment is a little long, but the fix is good.

Comment 13 Alexey Proskuryakov 2006-07-23 22:03:02 PDT

A few nitpicks: the test should ideally include pass criteria ("should not crash"), display something green to make success immediately obvious, and have a link to this Bugzilla issue. Also, onload on <svg> seems unnecessary, unless I'm missing something.

Neither of these is important enough to prevent landing, but since we're "waiting for the floodgates to open" anyway...

I'm also not quite sure about using -[NSAutoreleasePool release] here - if the goal is to manually control deallocation, isn't drain the right choice under GC?

Comment 14 Dave MacLachlan 2006-07-24 10:08:39 PDT

Created attachment 9652 [details]
Fix for 8425 and by extension 6947

New patch fixes up points raised by Alexey and Darin.
Filed Radar describing CGEndTransparencyGroup badness
<rdar://problem/4647735>

Comment 15 Alexey Proskuryakov 2006-07-24 10:11:12 PDT

Comment on attachment 9652 [details]
Fix for 8425 and by extension 6947

r=me

Comment 16 Alexey Proskuryakov 2006-07-24 10:21:14 PDT

Committed revision 15603.