Bug 12015 - svg/W3C-SVG-1.1/painting-marker-03-f.svg crashes
Summary: svg/W3C-SVG-1.1/painting-marker-03-f.svg crashes
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 420+
Hardware: Mac OS X 10.4
: P1 Normal
Assignee: Nobody
Depends on:
Reported: 2006-12-28 11:44 PST by Alexey Proskuryakov
Modified: 2006-12-28 15:41 PST (History)
0 users

See Also:

Fix as described by ap (1.17 KB, patch)
2006-12-28 12:43 PST, Eric Seidel (no email)
rwlbuis: review+

Description Alexey Proskuryakov 2006-12-28 11:44:37 PST
Open this test in the browser, or 
run-webkit-tests --pixel svg/W3C-SVG-1.1/painting-marker-03-f.svg
to reproduce the crash. I'm running a debug build of TOT.

Thread 0 Crashed:
0   com.apple.WebCore        	0x014b0cd0 WebCore::drawStartAndMidMarkers(void*, WebCore::PathElement const*) + 104 (RenderPath.cpp:388)
1   com.apple.WebCore        	0x014d54ec WebCore::CGPathApplierToPathApplier(void*, CGPathElement const*) + 464 (PathCG.cpp:229)
2   com.apple.CoreGraphics   	0x90435c70 CGPathApply + 548
3   com.apple.WebCore        	0x014d5554 WebCore::Path::apply(void*, void (*)(void*, WebCore::PathElement const*)) const + 84 (PathCG.cpp:237)
4   com.apple.WebCore        	0x014b1034 WebCore::RenderPath::drawMarkersIfNeeded(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::Path const&) const + 628 (RenderPath.cpp:424)
5   com.apple.WebCore        	0x014b1664 WebCore::RenderPath::paint(WebCore::RenderObject::PaintInfo&, int, int) + 1528 (RenderPath.cpp:206)
Comment 1 Eric Seidel (no email) 2006-12-28 12:22:05 PST
I am unable to reproduce the crash in my local build.

I'll try with --guard and see if that causes a crash.
Comment 2 Eric Seidel (no email) 2006-12-28 12:23:27 PST
run-webkit-tests --guard --pixel svg/W3C-SVG-1.1/painting-marker-03-f.svg
also does not crash for me.
Comment 3 Eric Seidel (no email) 2006-12-28 12:24:48 PST
I'm not able to reproduce this with 18457.
Comment 4 Alexey Proskuryakov 2006-12-28 12:39:09 PST
The problem is in CGPathApplierToPathApplier(), points[2] is out of bounds.
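The out-of-bounds index ap describes above, as an added illustration written for this page and not WebKit's PathCG.cpp or the patch that landed: a path-element adapter that copies only as many control points as the element type actually carries into a fixed three-entry buffer, records that count, and a marker-style consumer that reads the last valid point by count instead of hard-coding points[2]. The type names, the pointCount helper, the pointAt accessor and the sample path are constructed assumptions, not WebCore identifiers.

```cpp
// Added illustration, not WebKit code: a CoreGraphics-style path element
// carries 0..3 control points depending on its type. Copying or reading a
// fixed points[2] for every element walks past the end for move/line
// elements; sizing every access by the element's own count does not.
#include <cstddef>
#include <vector>

// Assumed stand-ins for CGPathElementType / WebCore::PathElementType.
enum PathElementType {
    PathElementMoveToPoint,         // 1 point
    PathElementAddLineToPoint,      // 1 point
    PathElementAddQuadCurveToPoint, // 2 points
    PathElementAddCurveToPoint,     // 3 points
    PathElementCloseSubpath         // 0 points
};

struct FloatPoint { float x, y; };

// Source element: points refers to exactly pointCount(type) entries.
struct SourcePathElement {
    PathElementType type;
    const FloatPoint* points;
};

// Element handed to the applier callback: a fixed 3-entry buffer plus the
// number of entries that are actually valid for this element.
struct PathElement {
    PathElementType type;
    FloatPoint* points;
    size_t pointCount;
};

// Number of control points each element type carries (constructed helper).
static size_t pointCount(PathElementType type) {
    switch (type) {
    case PathElementMoveToPoint:
    case PathElementAddLineToPoint:      return 1;
    case PathElementAddQuadCurveToPoint: return 2;
    case PathElementAddCurveToPoint:     return 3;
    case PathElementCloseSubpath:        return 0;
    }
    return 0;
}

typedef void (*PathApplierFunction)(void* info, const PathElement*);
struct PathApplierInfo { void* info; PathApplierFunction function; };

// Adapter: copy only the points the source element owns, zero-fill the rest,
// and pass the valid count along so the consumer never has to guess.
static void sourceToPathApplier(void* info, const SourcePathElement* element) {
    PathApplierInfo* pinfo = static_cast<PathApplierInfo*>(info);
    FloatPoint points[3] = { {0, 0}, {0, 0}, {0, 0} };
    size_t n = pointCount(element->type);
    for (size_t i = 0; i < n; ++i)
        points[i] = element->points[i]; // reads stay inside the source's count
    PathElement pelement = { element->type, points, n };
    pinfo->function(pinfo->info, &pelement);
}

// Bounds-checked accessor: false instead of a read past the valid points.
static bool pointAt(const PathElement* element, size_t index, FloatPoint* out) {
    if (index >= element->pointCount)
        return false;
    *out = element->points[index];
    return true;
}

// Consumer in the style of a marker renderer: it needs each element's end
// point, which is the last valid control point, not always points[2].
struct EndPointCollector { std::vector<FloatPoint> ends; };

static void collectEndPoints(void* info, const PathElement* element) {
    EndPointCollector& data = *static_cast<EndPointCollector*>(info);
    if (element->pointCount == 0) // close-subpath carries no point
        return;
    data.ends.push_back(element->points[element->pointCount - 1]);
}

// Drive a constructed path: move, line, cubic curve, close.
std::vector<FloatPoint> endPointsOfSamplePath() {
    const FloatPoint moveTo[1]  = { {10, 10} };
    const FloatPoint lineTo[1]  = { {50, 10} };
    const FloatPoint curveTo[3] = { {60, 20}, {70, 40}, {80, 50} };
    const SourcePathElement path[] = {
        { PathElementMoveToPoint,     moveTo },
        { PathElementAddLineToPoint,  lineTo },
        { PathElementAddCurveToPoint, curveTo },
        { PathElementCloseSubpath,    nullptr },
    };
    EndPointCollector collector;
    PathApplierInfo pinfo = { &collector, collectEndPoints };
    for (size_t i = 0; i < sizeof(path) / sizeof(path[0]); ++i)
        sourceToPathApplier(&pinfo, &path[i]);
    return collector.ends;
}

static void probeThirdPoint(void* info, const PathElement* element) {
    FloatPoint p;
    *static_cast<bool*>(info) = pointAt(element, 2, &p);
}

// Does a line-to element expose a third control point? It must not: the
// accessor rejects index 2 rather than reading beyond the valid entries.
bool lineToExposesThirdPoint() {
    const FloatPoint lineTo[1] = { {5, 5} };
    const SourcePathElement src = { PathElementAddLineToPoint, lineTo };
    bool exposed = true;
    PathApplierInfo pinfo = { &exposed, probeThirdPoint };
    sourceToPathApplier(&pinfo, &src);
    return exposed;
}
```

The defensive point is that the adapter, not the consumer, is the place that knows how many points the source element carries; carrying that count across the callback boundary turns an out-of-bounds read into a checkable condition.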
Comment 5 Eric Seidel (no email) 2006-12-28 12:43:43 PST
Created attachment 12085 [details]
Fix as described by ap

I never saw it crash for me, but this should fix things.  Strange that ap was getting a crash and I was not.
Comment 6 David Kilzer (:ddkilzer) 2006-12-28 15:41:46 PST
Landed in r18458 by eseidel.