Bug 108603

Summary: ASSERT(m_transparencyCount > 0) in GraphicsContext
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVG    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: fmalita, krit, pdr, zherczeg, zimmermann
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    

Description Renata Hodovan 2013-02-01 02:09:41 PST
Assertion failure was found during SVG fuzzing:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5425878 in WebCore::GraphicsContext::endTransparencyLayer (this=0x7fffffffba10)
    at /home/reni/repos/webkit2/Source/WebCore/platform/graphics/GraphicsContext.cpp:356
356	    ASSERT(m_transparencyCount > 0);


The test:

<svg xmlns="http://www.w3.org/2000/svg">
	<mask id="mask2">
		<rect x="50" y="50" width="100" height="100"></rect>
	</mask>
	<rect x="120" y="120" width="100" height="100" fill="lime" mask="url(#mask2)" opacity=".4"></rect>
</svg>
Comment 1 Dirk Schulze 2013-02-01 02:48:45 PST
This looks extremely generic. Is it the end tag of the <rect> that makes the difference or really the opacity?
Comment 2 Renata Hodovan 2013-02-01 02:54:36 PST
(In reply to comment #1)
> This looks extremely generic. Is it the end tag of the <rect> that makes the difference or really the opacity?

No, the ending of the rect isn't responsible for the assertion (that is, <rect ... /> also fails).
Comment 3 Renata Hodovan 2013-02-01 02:57:32 PST
According to the backtrace it comes from the destructor of GraphicsContext:

#0  0x00007ffff5425878 in WebCore::GraphicsContext::endTransparencyLayer (this=0x7fffffffba10)
    at /home/reni/repos/webkit2/Source/WebCore/platform/graphics/GraphicsContext.cpp:356
#1  0x00007ffff57bf629 in WebCore::GraphicsContext::platformDestroy (this=0x7fffffffba10)
    at /home/reni/repos/webkit2/Source/WebCore/platform/graphics/qt/GraphicsContextQt.cpp:324
#2  0x00007ffff5424b85 in WebCore::GraphicsContext::~GraphicsContext (this=0x7fffffffba10, __in_chrg=<optimized out>)
    at /home/reni/repos/webkit2/Source/WebCore/platform/graphics/GraphicsContext.cpp:92
#3  0x00007ffff7915a04 in QWebFrameAdapter::renderRelativeCoords (this=0x716d90, painter=0x7fffffffbc20, layers=255, clip=...)
    at /home/reni/repos/webkit2/Source/WebKit/qt/WebCoreSupport/QWebFrameAdapter.cpp:546
#4  0x00007ffff7ba973a in QWebFrame::render (this=0x710760, painter=0x7fffffffbc20, layer=..., clip=...)
    at /home/reni/repos/webkit2/Source/WebKit/qt/WidgetApi/qwebframe.cpp:643
#5  0x00007ffff7ba980a in QWebFrame::render (this=0x710760, painter=0x7fffffffbc20, clip=...)
    at /home/reni/repos/webkit2/Source/WebKit/qt/WidgetApi/qwebframe.cpp:653
Comment 4 Florin Malita 2013-02-01 08:14:25 PST
This may be Qt-specific: I cannot repro it on CR/Skia ToT.
Comment 5 Dirk Schulze 2013-02-01 10:57:13 PST
Yeah, for some reason restore() is called more often than save().
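Comment 5 names the mechanism: a restore() without a matching save(), which leaves the transparency-layer count at zero by the time the context is torn down and endTransparencyLayer() is asked to pop one more layer. The following is an added example, not WebKit code and not the change that resolved this bug: a toy context (ToyGraphicsContext and TransparencyLayerScope are hypothetical names) that keeps the same two counters, reports an underflow as a counted event rather than an ASSERT that disappears in release builds, and shows how an RAII scope keeps begin/end pairs balanced on every path through the painting code.

```cpp
#include <cstdio>

// Hypothetical stand-in for GraphicsContext (not WebCore code). It tracks a
// save/restore depth and a transparency-layer count like the real class, but
// an underflow is counted and reported instead of being an ASSERT.
class ToyGraphicsContext {
public:
    void save() { ++m_saveDepth; }

    // A restore() with no matching save() is the imbalance from comment 5.
    bool restore() {
        if (m_saveDepth == 0) {
            ++m_unbalancedRestores;
            return false;
        }
        --m_saveDepth;
        return true;
    }

    void beginTransparencyLayer(float opacity) {
        (void)opacity; // a real backend would allocate a layer with this alpha
        save();
        ++m_transparencyCount;
    }

    // Mirrors the ASSERT(m_transparencyCount > 0) at the top of the real
    // GraphicsContext::endTransparencyLayer; here it just records the event.
    bool endTransparencyLayer() {
        if (m_transparencyCount == 0) {
            ++m_unbalancedEnds;
            return false;
        }
        --m_transparencyCount;
        return restore();
    }

    int saveDepth() const { return m_saveDepth; }
    int transparencyCount() const { return m_transparencyCount; }
    int unbalancedRestores() const { return m_unbalancedRestores; }
    int unbalancedEnds() const { return m_unbalancedEnds; }

private:
    int m_saveDepth = 0;
    int m_transparencyCount = 0;
    int m_unbalancedRestores = 0;
    int m_unbalancedEnds = 0;
};

// RAII guard: the layer is ended exactly once when the scope closes, on early
// return as well as on the normal path, so begin/end cannot get out of step.
class TransparencyLayerScope {
public:
    TransparencyLayerScope(ToyGraphicsContext& context, float opacity)
        : m_context(context) { m_context.beginTransparencyLayer(opacity); }
    ~TransparencyLayerScope() { m_context.endTransparencyLayer(); }
private:
    ToyGraphicsContext& m_context;
};

// Hand-paired calls for the opacity=".4" rect. With extraEnd the layer is
// ended once too often, as happens when teardown pops a layer the shared
// count no longer knows about. Returns the number of underflows detected.
int drawWithManualPairs(bool extraEnd) {
    ToyGraphicsContext context;
    context.beginTransparencyLayer(0.4f);
    context.save();                    // masked content paints inside
    context.restore();
    context.endTransparencyLayer();
    if (extraEnd)
        context.endTransparencyLayer(); // m_transparencyCount is already 0
    return context.unbalancedEnds() + context.unbalancedRestores();
}

// The same drawing under an RAII scope; bailOutEarly exercises an early return.
void paintScoped(ToyGraphicsContext& context, bool bailOutEarly) {
    TransparencyLayerScope layer(context, 0.4f);
    context.save();
    if (bailOutEarly) {
        context.restore();
        return;                        // scope still ends the layer
    }
    context.restore();
}

// Sum of all counters after the scoped draw; zero means fully balanced.
int countersAfterScopedDraw(bool bailOutEarly) {
    ToyGraphicsContext context;
    paintScoped(context, bailOutEarly);
    return context.saveDepth() + context.transparencyCount()
         + context.unbalancedRestores() + context.unbalancedEnds();
}

int main() {
    std::printf("manual, balanced:   %d underflow(s)\n", drawWithManualPairs(false));
    std::printf("manual, extra end:  %d underflow(s)\n", drawWithManualPairs(true));
    std::printf("scoped, early out:  %d leftover\n", countersAfterScopedDraw(true));
    return 0;
}
```

The scoped form is the same idea WebCore applies to save()/restore() with GraphicsContextStateSaver; the point for a fuzzing triage like this one is that any code path that can leave the two counters disagreeing will surface only at destruction time, far from the call that skipped its pair.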
Comment 6 Renata Hodovan 2013-11-08 05:04:59 PST
I cannot repro it anymore either.