Bug 14189

Summary: REPRODUCIBLE CRASH: Canvas createPattern(canvas, ...) crashes on Windows
Product: WebKit Reporter: Philip Taylor <excors>
Component: DOMAssignee: Oliver Hunt <oliver>
Status: CLOSED FIXED    
Severity: Normal CC: hmason, mrowe
Priority: P1 Keywords: InRadar, PlatformOnly
Version: 523.x (Safari 3)   
Hardware: PC   
OS: Windows 2000   
URL: http://canvex.lazyilluminati.com/misc/pattern2.html
Attachments:
Description Flags
stack trace
none
Possible fix for this crash
mrowe: review-
Fix and layout test mjs: review+

Philip Taylor
Reported 2007-06-16 07:02:50 PDT
Using nightly build r23540 ('Mozilla/5.0 (Windows; U; Windows NT 5.0; en) AppleWebKit/522.4.1+ (KHTML, like Gecko) Version/3.0.1 Safari/522.12.2'): The linked page just creates a canvas, and calls ctx.createPattern(canvas, ...) on it. Frequently (sometimes after having to reload the page a couple of times) it crashes, most commonly like: 'The instruction at "0x6fc02925" referenced memory at "0x00000040". The memory could not be "read".'
Attachments
stack trace (2.08 KB, text/plain)
2007-06-16 07:24 PDT, Philip Taylor 		no flags
Details
Possible fix for this crash (947 bytes, patch)
2007-08-16 23:31 PDT, Henry Mason 		mrowe: review-
DetailsFormatted DiffDiff
Fix and layout test (4.20 KB, patch)
2007-08-17 01:32 PDT, Oliver Hunt 		mjs: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1 2007-06-16 07:05:09 PDT
Thanks for the bug report, Philip! Could you please post a stack trace (as an attachment) of the crash?
Philip Taylor
Comment 2 2007-06-16 07:24:57 PDT
Created attachment 15079 [details] stack trace Not sure if there's a better way to get this information, but this is just copied from the call stack window in the VS2005 debugger.
David Kilzer (:ddkilzer)
Comment 3 2007-06-16 14:26:39 PDT
(In reply to comment #2) > Not sure if there's a better way to get this information, but this is just > copied from the call stack window in the VS2005 debugger. Thanks! I didn't realize you were on Windows--still getting used to bugs reported on that platform. :)
Alexey Proskuryakov
Comment 4 2007-07-06 05:37:05 PDT
Confirmed with r23677.
David Kilzer (:ddkilzer)
Comment 5 2007-07-07 13:10:23 PDT
<rdar://problem/5319511>
Henry Mason
Comment 6 2007-08-16 23:31:24 PDT
Created attachment 16005 [details] Possible fix for this crash I noticed in the current SVN version, this page crashes on Mac too. This patch seemed to fix the behavior on Mac. Not sure about Windows crashing though.
Mark Rowe (bdash)
Comment 7 2007-08-16 23:46:07 PDT
Comment on attachment 16005 [details] Possible fix for this crash A CGImageRetain would be preferable so as not to require the cast, and to balance the CGImageRelease in the destructor. A layout test should also be created that covers this crash.
Adam Roben (:aroben)
Comment 8 2007-08-16 23:53:16 PDT
Comment on attachment 16005 [details] Possible fix for this crash You could probably also use a RetainPtr to store m_platformImage.
Oliver Hunt
Comment 9 2007-08-17 01:32:13 PDT
Created attachment 16007 [details] Fix and layout test RetainPtr based fix
Maciej Stachowiak
Comment 10 2007-08-17 01:43:55 PDT
Comment on attachment 16007 [details] Fix and layout test r=me
Oliver Hunt
Comment 11 2007-08-17 02:48:34 PDT
Committed revision 25124. Original reporter please confirm this is fixed.
Oliver Hunt
Comment 12 2007-08-17 13:16:26 PDT
And corrected the reference to Henry in the ChangeLog in revision 25125.
Philip Taylor
Comment 13 2007-11-03 15:10:14 PDT
(In reply to comment #11) > Original reporter please confirm this is fixed. Confirmed with r27386. (Sorry for the delay!)
Note You need to log in before you can comment on or make changes to this bug.