Bug 69681 - Fix crash with toDataURL to JPEG
Summary: Fix crash with toDataURL to JPEG
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Canvas
Version: 528+ (Nightly build)
Hardware: Mac Unspecified
: P2 Normal
Assignee: John Bauman
Blocks: 69991

Reported: 2011-10-07 17:39 PDT by John Bauman
Modified: 2011-10-12 21:56 PDT

Attachments
Patch (1.77 KB, patch)
2011-10-07 17:41 PDT, John Bauman
Patch (1.74 KB, patch)
2011-10-10 17:01 PDT, John Bauman

Description John Bauman 2011-10-07 17:39:42 PDT
Fix crash with toDataURL to JPEG
Comment 1 John Bauman 2011-10-07 17:41:26 PDT
Created attachment 110236
Patch
Comment 2 Darin Adler 2011-10-07 17:44:01 PDT
Comment on attachment 110236
Patch

Can we make a test case to cover this?
Comment 3 WebKit Review Bot 2011-10-07 18:48:31 PDT
Comment on attachment 110236
Patch

Rejecting attachment 110236 from commit-queue.

Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2

Last 500 characters of output:
381db9f538a72509ddceba74bc8fa72d7ba8a196
r96996 = 597be029117bbf6b1591194e17018dff0ce3fbd4
Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc
First, rewinding head to replay your work on top of it...
Fast-forwarded master to refs/remotes/origin/master.
Updating chromium port dependencies using gclient...

________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium'
Updating webkit projects from gyp files...

Full output: http://queues.webkit.org/results/9995417
Comment 4 John Bauman 2011-10-10 17:01:50 PDT
Created attachment 110439
Patch
Comment 5 WebKit Review Bot 2011-10-10 17:05:05 PDT
Comment on attachment 110439
Patch

Rejecting attachment 110439 from commit-queue.

jbauman@chromium.org does not have committer permissions according to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/committers.py.

- If you do not have committer rights please read http://webkit.org/coding/contributing.html for instructions on how to use bugzilla flags.

- If you have committer rights please correct the error in Tools/Scripts/webkitpy/common/config/committers.py by adding yourself to the file (no review needed).  The commit-queue restarts itself every 2 hours.  After restart the commit-queue will correctly respect your committer rights.
Comment 6 Kenneth Russell 2011-10-10 17:54:01 PDT
Comment on attachment 110439
Patch

Looks good. r=me
Comment 7 WebKit Review Bot 2011-10-11 01:27:06 PDT
Comment on attachment 110439
Patch

Clearing flags on attachment: 110439

Committed r97132: <http://trac.webkit.org/changeset/97132>
Comment 8 WebKit Review Bot 2011-10-11 01:27:10 PDT
All reviewed patches have been landed.  Closing bug.
Comment 9 Abhishek Arya 2011-10-11 22:27:11 PDT
This looks like a use-after-free bug. Can you please confirm soon so that we can merge to m15? Do you have a crash id or crash stack?
Comment 10 John Bauman 2011-10-12 06:35:11 PDT
This is a use after free, but it's not in M15 - it was introduced in r96000.
Comment 11 noel gordon 2011-10-12 19:55:41 PDT
(In reply to comment #2)
> Can we make a test case to cover this?

I reproduced with http://persistent.info/chromium/test-cases/canvas-crash.html, filed bug 69991 about creating a test case.