Bug 108603

Summary: ASSERT(m_transparencyCount > 0) in GraphicsContext
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVG Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: fmalita, krit, pdr, zherczeg, zimmermann
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    

Renata Hodovan
Reported 2013-02-01 02:09:41 PST
Assertion failure was found during SVG fuzzing:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5425878 in WebCore::GraphicsContext::endTransparencyLayer (this=0x7fffffffba10) at /home/reni/repos/webkit2/Source/WebCore/platform/graphics/GraphicsContext.cpp:356
356 ASSERT(m_transparencyCount > 0);

The test:

<svg xmlns="http://www.w3.org/2000/svg">
  <mask id="mask2">
    <rect x="50" y="50" width="100" height="100"></rect>
  </mask>
  <rect x="120" y="120" width="100" height="100" fill="lime" mask="url(#mask2)" opacity=".4"></rect>
</svg>
Dirk Schulze
Comment 1 2013-02-01 02:48:45 PST
This looks extremely generic. Is it the end tag of the <rect> that makes the difference or really the opacity?
Renata Hodovan
Comment 2 2013-02-01 02:54:36 PST
(In reply to comment #1)
> This looks extremely generic. Is it the end tag of the <rect> that makes the difference or really the opacity?

No, the ending of the rect isn't responsible for the assertions (that's <rect ... /> also fails).
Renata Hodovan
Comment 3 2013-02-01 02:57:32 PST
According to the backtrace it comes from the destructor of GraphicsContext:

#0 0x00007ffff5425878 in WebCore::GraphicsContext::endTransparencyLayer (this=0x7fffffffba10) at /home/reni/repos/webkit2/Source/WebCore/platform/graphics/GraphicsContext.cpp:356
#1 0x00007ffff57bf629 in WebCore::GraphicsContext::platformDestroy (this=0x7fffffffba10) at /home/reni/repos/webkit2/Source/WebCore/platform/graphics/qt/GraphicsContextQt.cpp:324
#2 0x00007ffff5424b85 in WebCore::GraphicsContext::~GraphicsContext (this=0x7fffffffba10, __in_chrg=<optimized out>) at /home/reni/repos/webkit2/Source/WebCore/platform/graphics/GraphicsContext.cpp:92
#3 0x00007ffff7915a04 in QWebFrameAdapter::renderRelativeCoords (this=0x716d90, painter=0x7fffffffbc20, layers=255, clip=...) at /home/reni/repos/webkit2/Source/WebKit/qt/WebCoreSupport/QWebFrameAdapter.cpp:546
#4 0x00007ffff7ba973a in QWebFrame::render (this=0x710760, painter=0x7fffffffbc20, layer=..., clip=...) at /home/reni/repos/webkit2/Source/WebKit/qt/WidgetApi/qwebframe.cpp:643
#5 0x00007ffff7ba980a in QWebFrame::render (this=0x710760, painter=0x7fffffffbc20, clip=...) at /home/reni/repos/webkit2/Source/WebKit/qt/WidgetApi/qwebframe.cpp:653
Florin Malita
Comment 4 2013-02-01 08:14:25 PST
This may be Qt-specific: I cannot repro it on CR/Skia ToT.
Dirk Schulze
Comment 5 2013-02-01 10:57:13 PST
Yeah, for some reason restore() is called more often than save().
Renata Hodovan
Comment 6 2013-11-08 05:04:59 PST
I cannot repro it either anymore.