RESOLVED WONTFIX 66290
Passing invalid blur values through context2d setShadow causes large values in Skia
https://bugs.webkit.org/show_bug.cgi?id=66290
Berend-Jan Wever
Reported 2011-08-16 04:17:16 PDT
Created attachment 104022
Repro

Repro:

    <script>
      oCanvas=document.createElement("canvas");
      oContext2d=oCanvas.getContext("2d");
      oContext2d.setShadow(5,6,'l');
      oContext2d.setLineWidth(6308.);
      oContext2d.strokeText('$',0,0);
    </script>

There is no sanity check in WebKit's WebCore::CanvasRenderingContext2D, WebCore::GraphicsContext or Skia's SkBlurMaskFilter code. We hit the first SkASSERT in the code below because radius is NaN.

skia\src\effects\skblurmaskfilter.cpp

    SkBlurMaskFilterImpl::SkBlurMaskFilterImpl(SkScalar radius, SkBlurMaskFilter::BlurStyle style, uint32_t flags)
        : fRadius(radius), fBlurStyle(style), fBlurFlags(flags)
    {
    #if 0
        fGamma = NULL;
        if (gammaScale) {
            fGamma = new U8[256];
            if (gammaScale > 0)
                SkBlurMask::BuildSqrGamma(fGamma, gammaScale);
            else
                SkBlurMask::BuildSqrtGamma(fGamma, -gammaScale);
        }
    #endif
        SkASSERT(radius >= 0);
        SkASSERT((unsigned)style < SkBlurMaskFilter::kBlurStyleCount);
        SkASSERT(flags <= SkBlurMaskFilter::kAll_BlurFlag);
    }

The invalid radius is later used in SkBlurMaskFilterImpl::filterMask, where the code tries to limit it to a sane value:

    bool SkBlurMaskFilterImpl::filterMask(SkMask* dst, const SkMask& src, const SkMatrix& matrix, SkIPoint* margin)
    {
        SkScalar radius;
        if (fBlurFlags & SkBlurMaskFilter::kIgnoreTransform_BlurFlag)
            radius = fRadius;
        else
            radius = matrix.mapRadius(fRadius);

        // To avoid unseemly allocation requests (esp. for finite platforms like
        // handset) we limit the radius so something manageable. (as opposed to
        // a request like 10,000)
        static const SkScalar MAX_RADIUS = SkIntToScalar(128);
        radius = SkMinScalar(radius, MAX_RADIUS);
        SkBlurMask::Quality blurQuality = (fBlurFlags & SkBlurMaskFilter::kHighQuality_BlurFlag) ?
            SkBlurMask::kHigh_Quality : SkBlurMask::kLow_Quality;

        if (SkBlurMask::Blur(dst, src, radius, (SkBlurMask::Style)fBlurStyle, blurQuality))
        {
            if (margin) {
                // we need to integralize radius for our margin, so take the ceil
                // just to be safe.
                margin->set(SkScalarCeil(radius), SkScalarCeil(radius));
            }
            return true;
        }
        return false;
    }

The code for "SkMinScalar" which is used to limit the value does not handle NaN:

    inline SkScalar SkMinScalar(SkScalar a, SkScalar b) { return a < b ? a : b; }

In this case, the value will be set to MAX_RADIUS, which has led to OOM on some of my test machines.

I'm not sure which part(s) of the code is wrong; WebKit should probably throw an error when you specify an invalid blur value, but maybe Skia should just treat them as 0? I'll file bugs everywhere to get a discussion going.
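The NaN behaviour described in the report, as an added stand-alone example (not code from WebKit, Skia or the reporter). `min_scalar` copies the shape of the quoted `SkMinScalar`; `clamp_as_reported`, `clamp_checked` and `radius_passes_assert` are hypothetical names, and treating invalid input as 0 is an assumption taken from one of the options the report raises.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Same shape as the SkMinScalar quoted in the report: one ordered comparison.
static inline float min_scalar(float a, float b) { return a < b ? a : b; }

// MAX_RADIUS from the quoted filterMask (SkIntToScalar(128)).
static const float kMaxRadius = 128.0f;

// The condition inside the first SkASSERT; false for NaN and for negatives.
static bool radius_passes_assert(float radius) { return radius >= 0; }

// The clamp as quoted: every comparison with NaN is false, so b is returned.
static float clamp_as_reported(float radius) {
    return min_scalar(radius, kMaxRadius);
}

// Hypothetical hardened clamp (assumption: non-finite or negative input is
// treated as 0, one of the two options the report raises).
static float clamp_checked(float radius) {
    if (!std::isfinite(radius) || radius < 0.0f)
        return 0.0f;
    return min_scalar(radius, kMaxRadius);
}

int main() {
    const float nan = std::numeric_limits<float>::quiet_NaN();
    const float samples[] = {5.0f, 10000.0f, -1.0f, nan};  // constructed inputs
    for (int i = 0; i < 4; ++i) {
        const float r = samples[i];
        std::printf("radius=%-8g assert_ok=%d reported=%-6g checked=%g\n",
                    r, radius_passes_assert(r), clamp_as_reported(r),
                    clamp_checked(r));
    }
    // Argument order matters: with NaN as the second argument, the same
    // comparison hands NaN straight back instead of the limit.
    std::printf("min_scalar(128, NaN) = %g\n", min_scalar(kMaxRadius, nan));
    return 0;
}
```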
Attachments
Repro (202 bytes, text/html)
2011-08-16 04:17 PDT, Berend-Jan Wever
no flags