Bug 12015

Summary: svg/W3C-SVG-1.1/painting-marker-03-f.svg crashes
Product: WebKit
Reporter: Alexey Proskuryakov <ap>
Component: SVG
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P1    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   

Alexey Proskuryakov
Reported 2006-12-28 11:44:37 PST
Open this test in the browser, or run-webkit-tests --pixel svg/W3C-SVG-1.1/painting-marker-03-f.svg to reproduce the crash. I'm running a debug build of TOT.

Thread 0 Crashed:
0 com.apple.WebCore 0x014b0cd0 WebCore::drawStartAndMidMarkers(void*, WebCore::PathElement const*) + 104 (RenderPath.cpp:388)
1 com.apple.WebCore 0x014d54ec WebCore::CGPathApplierToPathApplier(void*, CGPathElement const*) + 464 (PathCG.cpp:229)
2 com.apple.CoreGraphics 0x90435c70 CGPathApply + 548
3 com.apple.WebCore 0x014d5554 WebCore::Path::apply(void*, void (*)(void*, WebCore::PathElement const*)) const + 84 (PathCG.cpp:237)
4 com.apple.WebCore 0x014b1034 WebCore::RenderPath::drawMarkersIfNeeded(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::Path const&) const + 628 (RenderPath.cpp:424)
5 com.apple.WebCore 0x014b1664 WebCore::RenderPath::paint(WebCore::RenderObject::PaintInfo&, int, int) + 1528 (RenderPath.cpp:206)
Attachments
Fix as described by ap (1.17 KB, patch)
2006-12-28 12:43 PST, Eric Seidel (no email)
rwlbuis: review+
Eric Seidel (no email)
Comment 1 2006-12-28 12:22:05 PST
I am unable to reproduce the crash in my local build. I'll try with --guard and see if that causes a crash.
Eric Seidel (no email)
Comment 2 2006-12-28 12:23:27 PST
run-webkit-tests --guard --pixel svg/W3C-SVG-1.1/painting-marker-03-f.svg also does not crash for me.
Eric Seidel (no email)
Comment 3 2006-12-28 12:24:48 PST
I'm not able to reproduce this with 18457.
Alexey Proskuryakov
Comment 4 2006-12-28 12:39:09 PST
The problem is in CGPathApplierToPathApplier(), points[2] is out of bounds.
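The out-of-bounds read ap points at, as an added illustration that is not WebKit's code and not the contents of attachment 12085: a mock of a CGPathApplierFunction that copies three points regardless of element type, beside one that copies only the count the element type defines. A CGPathElement's points array holds only as many points as its kind uses (one for move-to and line-to, two for a quadratic curve, three for a cubic, none for a close), so a fixed three-point copy reads past it on anything but a cubic. Whether that read crashes depends on what happens to lie after the buffer, which is consistent with one developer hitting the crash and another not. The struct, enumerator and function names below, and the guard values used to make the overread visible without touching unmapped memory, are constructed stand-ins, not CoreGraphics or WebCore identifiers.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for CGPathElementType (constructed names, not the real enumerators). */
typedef enum {
    ELEM_MOVE_TO,        /* 1 point  */
    ELEM_LINE_TO,        /* 1 point  */
    ELEM_QUAD_CURVE_TO,  /* 2 points: control, end */
    ELEM_CUBIC_CURVE_TO, /* 3 points: control1, control2, end */
    ELEM_CLOSE_SUBPATH   /* 0 points */
} elem_type;

typedef struct { double x, y; } point;

/* Stand-in for CGPathElement: `points` is only as long as `type` requires. */
typedef struct {
    elem_type type;
    const point *points;
} path_element;

/* The converted element a marker-drawing callback would receive. */
typedef struct {
    elem_type type;
    point points[3];
    size_t npoints;
} converted_element;

/* Number of points the applier is handed for each element kind. */
static size_t point_count(elem_type t)
{
    switch (t) {
    case ELEM_MOVE_TO:
    case ELEM_LINE_TO:        return 1;
    case ELEM_QUAD_CURVE_TO:  return 2;
    case ELEM_CUBIC_CURVE_TO: return 3;
    case ELEM_CLOSE_SUBPATH:  return 0;
    }
    return 0;
}

/* Buggy shape: always copies three points. For a move-to or line-to,
   points[1] and points[2] lie past the end of what the caller owns. */
static converted_element convert_unchecked(const path_element *e)
{
    converted_element out;
    out.type = e->type;
    out.npoints = 3;
    out.points[0] = e->points[0];
    out.points[1] = e->points[1];
    out.points[2] = e->points[2];
    return out;
}

/* Hardened shape: copy only what the element type defines and zero the
   rest, so the consumer never sees coordinates that were never written. */
static converted_element convert_checked(const path_element *e)
{
    converted_element out = { e->type, { {0, 0}, {0, 0}, {0, 0} }, point_count(e->type) };
    for (size_t i = 0; i < out.npoints; i++)
        out.points[i] = e->points[i];
    return out;
}

/* Constructed sample: a move-to whose single point sits at the start of a
   backing array, followed by a guard region. Reading the guard keeps this
   demo inside a real object; in a process the bytes after a one-point
   element may belong to something else, or to nothing mapped at all. */
#define GUARD 12345.0
static const point backing[3] = { {10, 20}, {GUARD, GUARD}, {GUARD, GUARD} };
static const path_element sample_move = { ELEM_MOVE_TO, &backing[0] };

static const point cubic_pts[3] = { {1, 1}, {2, 2}, {3, 3} };
static const path_element sample_cubic = { ELEM_CUBIC_CURVE_TO, cubic_pts };

/* Returns 1 if the unchecked converter pulled guard data into points[2]. */
int unchecked_reads_past_element(void)
{
    converted_element c = convert_unchecked(&sample_move);
    return c.points[2].x == GUARD;
}

/* Number of points the checked converter actually copied. */
int checked_point_count(const path_element *e)
{
    return (int)convert_checked(e).npoints;
}

int main(void)
{
    printf("unchecked move-to read past its element: %s\n",
           unchecked_reads_past_element() ? "yes" : "no");
    printf("checked move-to copied %d point(s), cubic copied %d\n",
           checked_point_count(&sample_move), checked_point_count(&sample_cubic));
    return 0;
}
```

The checked converter is also the one a consumer like drawStartAndMidMarkers can trust: it can index points up to npoints and never beyond, instead of relying on the element type alone to stay in bounds.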
Eric Seidel (no email)
Comment 5 2006-12-28 12:43:43 PST
Created attachment 12085: Fix as described by ap

I never saw it crash for me, but this should fix things. Strange that ap was getting a crash and I was not.
David Kilzer (:ddkilzer)
Comment 6 2006-12-28 15:41:46 PST
Landed in r18458 by eseidel.