HTMLCanvasElement::createImageBuffer() does not check the return of ImageBuffer::create! (And thus crashes.) This is crashing an internal Google tool. Sadly, I don't have a reduction for you, but the crash is pretty easy to see from the code:

    void HTMLCanvasElement::createImageBuffer() const
    {
        ASSERT(!m_imageBuffer);
        m_createdImageBuffer = true;

        FloatSize unscaledSize(width(), height());
        IntSize size = convertLogicalToDevice(unscaledSize);
        if (!size.width() || !size.height())
            return;

        m_imageBuffer.set(ImageBuffer::create(size, false).release()); // THIS RETURNS NULL SOMETIMES
        m_imageBuffer->context()->scale(FloatSize(size.width() / unscaledSize.width(), size.height() / unscaledSize.height())); // CRASH!
        m_imageBuffer->context()->setShadowsIgnoreTransforms(true);
    }
Created attachment 28041 [details] stack trace of crash
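The null dereference described above, reduced to a stand-alone C++ model with the missing check added. This is an added illustration, not WebKit code: ImageBuffer, IntSize and Canvas are simplified stand-ins, and the allocation budget that makes create() return null is a constructed value.

```cpp
#include <cstdint>
#include <memory>

struct IntSize { int width; int height; };

// Stand-in for ImageBuffer::create(): like the real one, it can return null
// when no backing store can be allocated (here: empty or oversized buffers).
struct ImageBuffer {
    IntSize size;
    static std::unique_ptr<ImageBuffer> create(IntSize size) {
        const int64_t kMaxBytes = 256LL * 1024 * 1024; // constructed budget, 4 bytes per pixel
        if (size.width <= 0 || size.height <= 0)
            return nullptr;
        if (int64_t(size.width) * int64_t(size.height) * 4 > kMaxBytes)
            return nullptr;
        return std::unique_ptr<ImageBuffer>(new ImageBuffer{size});
    }
    void scale(double, double) {} // stands in for context()->scale()
};

struct Canvas {
    std::unique_ptr<ImageBuffer> m_imageBuffer;
    bool m_createdImageBuffer = false;

    // Mirrors HTMLCanvasElement::createImageBuffer(), but checks the result of
    // create() before touching it. Returns false when the canvas has no buffer,
    // so callers can treat it as an empty canvas instead of crashing.
    bool createImageBuffer(IntSize size) {
        m_createdImageBuffer = true;
        if (size.width == 0 || size.height == 0)
            return false;
        m_imageBuffer = ImageBuffer::create(size);
        if (!m_imageBuffer)
            return false; // the check the original code lacks
        m_imageBuffer->scale(1.0, 1.0);
        return true;
    }
};

// Helper: does a canvas of the given device size end up with a backing buffer?
bool canvasHasBuffer(int width, int height) {
    Canvas canvas;
    return canvas.createImageBuffer(IntSize{width, height});
}
```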
Eric, isn't this just a duplicate of bug 23212?
*** This bug has been marked as a duplicate of 23212 ***