Bug 13784

Summary: REGRESSION (r13744-13750): Crash with empty gradient when drawing to canvas
Product: WebKit
Reporter: Philip Taylor <excors>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
Keywords: HasReduction, Regression
Priority: P1
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4
URL: http://canvex.lazyilluminati.com/tests/tests/2d.gradient.empty.html
Attachments:
testcase (flags: none)
First attempt (flags: darin: review+)

Philip Taylor
Reported 2007-05-18 17:50:59 PDT
When creating a linear gradient, not adding any colour stops, and then filling a rectangle with it, WebKit crashes.
Attachments
testcase (240 bytes, text/html)
2007-05-18 17:51 PDT, Philip Taylor
no flags
First attempt (31.53 KB, patch)
2007-05-19 05:11 PDT, Rob Buis
darin: review+
Philip Taylor
Comment 1 2007-05-18 17:51:51 PDT
Created attachment 14616 [details] testcase
Matt Lilek
Comment 2 2007-05-18 18:22:08 PDT
With r21572, I get the following assertion failure:

ASSERTION FAILED: i < size() (/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:401 T& WTF::Vector<T, inlineCapacity>::at(size_t) [with T = WebCore::CanvasGradient::ColorStop, long unsigned int inlineCapacity = 0ul])

Thread 0 Crashed:
0 com.apple.WebCore 0x016e5198 WTF::Vector<WebCore::CanvasGradient::ColorStop, (unsigned long)0>::at(unsigned long) + 120 (Vector.h:401)
1 com.apple.WebCore 0x016e5200 WTF::Vector<WebCore::CanvasGradient::ColorStop, (unsigned long)0>::first() + 36 (Vector.h:433)
2 com.apple.WebCore 0x012b2388 WebCore::CanvasGradient::getColor(float, float*, float*, float*, float*) + 272 (CanvasGradient.cpp:120)
3 com.apple.WebCore 0x012b262c WebCore::gradientCallback(void*, float const*, float*) + 84 (CanvasGradient.cpp:83)
4 com.apple.CoreGraphics 0x904859d0 CGFunctionEvaluate + 184
5 com.apple.CoreGraphics 0x904f3940 FunctionSamplesCreate + 360
6 com.apple.CoreGraphics 0x904851fc drawAxialShading + 384
7 com.apple.CoreGraphics 0x90484ffc CGContextDrawShading + 172
8 com.apple.WebCore 0x012af88c WebCore::CanvasRenderingContext2D::fillRect(float, float, float, float, int&) + 476 (CanvasRenderingContext2D.cpp:560)
9 com.apple.WebCore 0x012c2ab0 WebCore::JSCanvasRenderingContext2DPrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 1696 (JSCanvasRenderingContext2D.cpp:342)
10 com.apple.JavaScriptCore 0x005816f4 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:98)
11 com.apple.JavaScriptCore 0x005b2d54 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 992 (nodes.cpp:790)
12 com.apple.JavaScriptCore 0x005af414 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
13 com.apple.JavaScriptCore 0x005abd58 KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2529)
14 com.apple.JavaScriptCore 0x0057d220 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
15 com.apple.JavaScriptCore 0x0057d370 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:319)
16 com.apple.JavaScriptCore 0x0059cad0 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:107)
17 com.apple.JavaScriptCore 0x005816f4 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:98)
18 com.apple.WebCore 0x012ee04c KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 748 (kjs_events.cpp:127)
19 com.apple.WebCore 0x01106c44 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 416 (Document.cpp:2313)
20 com.apple.WebCore 0x012ac358 WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 360 (EventTargetNode.cpp:339)
21 com.apple.WebCore 0x01109b0c WebCore::Document::implicitClose() + 796 (Document.cpp:1363)
22 com.apple.WebCore 0x01495cf4 WebCore::FrameLoader::checkEmitLoadEvent() + 596 (FrameLoader.cpp:1206)
23 com.apple.WebCore 0x014a222c WebCore::FrameLoader::checkCompleted() + 404 (FrameLoader.cpp:1164)
24 com.apple.WebCore 0x014a35f0 WebCore::FrameLoader::finishedParsing() + 116 (FrameLoader.cpp:1112)
25 com.apple.WebCore 0x01103e88 WebCore::Document::finishedParsing() + 84 (Document.cpp:3390)
26 com.apple.WebCore 0x01022980 WebCore::HTMLParser::finished() + 272 (HTMLParser.cpp:1407)
27 com.apple.WebCore 0x01026bb0 WebCore::HTMLTokenizer::end() + 336 (HTMLTokenizer.cpp:1529)
28 com.apple.WebCore 0x01027094 WebCore::HTMLTokenizer::finish() + 1212 (HTMLTokenizer.cpp:1570)
29 com.apple.WebCore 0x01101b68 WebCore::Document::finishParsing() + 84 (Document.cpp:1511)
30 com.apple.WebCore 0x014a562c WebCore::FrameLoader::endIfNotLoading() + 160 (FrameLoader.cpp:981)
31 com.apple.WebCore 0x014a5688 WebCore::FrameLoader::end() + 44 (FrameLoader.cpp:966)
32 com.apple.WebCore 0x014a9350 WebCore::DocumentLoader::finishedLoading() + 92 (DocumentLoader.cpp:317)
33 com.apple.WebCore 0x0149f664 WebCore::FrameLoader::finishedLoading() + 96 (FrameLoader.cpp:2593)
34 com.apple.WebCore 0x014ab71c WebCore::MainResourceLoader::didFinishLoading() + 272 (MainResourceLoader.cpp:304)
35 com.apple.WebCore 0x014ad878 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 60
36 com.apple.WebCore 0x014829dc -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 144 (ResourceHandleMac.mm:370)
37 com.apple.Foundation 0x92c1389c -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
38 com.apple.Foundation 0x92c11b08 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
39 com.apple.Foundation 0x92c11860 _sendCallbacks + 156
[snip]
Matt Lilek
Comment 3 2007-05-18 19:21:25 PDT
Rob Buis
Comment 4 2007-05-19 05:11:20 PDT
Created attachment 14624 [details] First attempt

Implement what HTML 5 says about zero stops (thus fixing the crash too): "When there are no stops, the gradient is transparent black." (http://www.whatwg.org/specs/web-apps/current-work/#the-2d)

Cheers, Rob.
Darin Adler
Comment 5 2007-05-22 19:38:13 PDT
Comment on attachment 14624 [details] First attempt

r=me -- I would have done isEmpty() rather than size() == 0
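The fix discussed in comments 4 and 5, as an added illustration that is not WebKit's code: a constructed stand-in for a canvas gradient's stop list whose colour lookup guards the empty case before touching the first stop, returning transparent black as the HTML 5 text quoted above requires. The class and function names (Gradient, ColorStop, Rgba, sampleGradient) and the callback shape are assumptions of this example; they only echo the CanvasGradient::getColor and gradientCallback frames in the stack trace and are not the real signatures.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Constructed stand-in for a canvas gradient (not WebKit's CanvasGradient).
struct ColorStop {
    float offset;          // position along the gradient, 0..1
    float r, g, b, a;      // colour components, 0..1
};

struct Rgba {
    float r, g, b, a;
};

class Gradient {
public:
    // Insert a stop keeping the list sorted by offset, as the canvas API requires.
    void addColorStop(float offset, float r, float g, float b, float a) {
        ColorStop s{offset, r, g, b, a};
        auto pos = std::upper_bound(m_stops.begin(), m_stops.end(), offset,
            [](float off, const ColorStop& st) { return off < st.offset; });
        m_stops.insert(pos, s);
    }

    std::size_t stopCount() const { return m_stops.size(); }

    // Evaluate the gradient at position t in [0, 1].
    // The crash in this bug came from reading the first stop without checking
    // that any stop exists: on an empty vector that is an assertion failure in
    // debug builds and an out-of-bounds read in release builds. The guard below
    // is the fix described in comment 4 (no stops -> transparent black), written
    // with empty() rather than size() == 0 as the review in comment 5 prefers.
    Rgba getColor(float t) const {
        if (m_stops.empty())
            return {0.0f, 0.0f, 0.0f, 0.0f};

        const ColorStop& first = m_stops.front();
        const ColorStop& last = m_stops.back();
        if (t <= first.offset)
            return {first.r, first.g, first.b, first.a};
        if (t >= last.offset)
            return {last.r, last.g, last.b, last.a};

        // Find the pair of stops bracketing t and interpolate linearly.
        for (std::size_t i = 1; i < m_stops.size(); ++i) {
            const ColorStop& lo = m_stops[i - 1];
            const ColorStop& hi = m_stops[i];
            if (t <= hi.offset) {
                float span = hi.offset - lo.offset;
                float f = span > 0.0f ? (t - lo.offset) / span : 0.0f;
                return {lo.r + (hi.r - lo.r) * f,
                        lo.g + (hi.g - lo.g) * f,
                        lo.b + (hi.b - lo.b) * f,
                        lo.a + (hi.a - lo.a) * f};
            }
        }
        return {last.r, last.g, last.b, last.a};  // unreachable for sorted stops
    }

private:
    std::vector<ColorStop> m_stops;
};

// Echoes the shape of the shading callback in the stack trace: the renderer
// hands in a position and expects four colour components back. Constructed
// for this example; the real CoreGraphics callback signature is not assumed.
void gradientCallback(const Gradient& g, float t, float* out) {
    Rgba c = g.getColor(t);
    out[0] = c.r; out[1] = c.g; out[2] = c.b; out[3] = c.a;
}

// Sample an axial gradient at `steps` positions, the way a shading routine
// does while filling a rectangle. Returns the samples so they can be checked.
std::vector<Rgba> sampleGradient(const Gradient& g, int steps) {
    std::vector<Rgba> samples;
    for (int i = 0; i < steps; ++i) {
        float t = steps > 1 ? static_cast<float>(i) / (steps - 1) : 0.0f;
        float out[4];
        gradientCallback(g, t, out);
        samples.push_back({out[0], out[1], out[2], out[3]});
    }
    return samples;
}

int main() {
    // The scenario from the testcase: a gradient with no stops is drawn.
    Gradient empty;
    std::vector<Rgba> s = sampleGradient(empty, 4);
    return (s.size() == 4 && s[0].a == 0.0f) ? 0 : 1;
}
```

The point the guard makes is that the assertion in comment 2 only fires in a debug build; a release build compiles the check out and reads whatever lies at the vector's (possibly null) buffer, so the empty-stops case has to be handled explicitly rather than relied on to assert.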
Rob Buis
Comment 6 2007-05-23 04:28:04 PDT
Landed in r21664.