[Webkit-unassigned] [Bug 39536] Crash:

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun May 23 04:38:06 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=39536





--- Comment #3 from Dirk Schulze <krit at webkit.org>  2010-05-23 04:38:05 PST ---
Created an attachment (id=56818)
 --> (https://bugs.webkit.org/attachment.cgi?id=56818)
Test case - crashes WebKit!

This is a simple test case for the crash. It seems not to be possible for a parent and a child element to take the same filter:

<g filter="url(#filter)">
    <rect width="100" height="100" filter="url(#filter)"/>
</g>

Not absolutely sure what causes this crash, but I guess it's the following line:

http://trac.webkit.org/browser/trunk/WebCore/rendering/RenderSVGResourceFilter.cpp#L253

This overwrites the reference to the temporary context. The problem is maybe that we overwrite the saved context twice by calling it twice and so lose the reference to the original context. We might think about storing the sourceGraphicBuffer and the saved context in FilterData. This should fix this issue, but I did not test it yet.

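A small C++ model of the hypothesis in this comment, added here as an example and not WebKit code: a hypothetical SharedSlotFilter keeps one saved context on the resource, so applying it for the <g> and then again for the nested <rect> overwrites the parent's entry and the parent's post-apply gets nothing back, while a hypothetical PerObjectFilter keeps the saved context and buffer in a FilterData record per render object, as the comment suggests. GraphicsContext, ImageBuffer and RenderObject are minimal stand-ins, not the real WebKit types.

```cpp
#include <memory>
#include <unordered_map>
struct GraphicsContext { int id; };
struct ImageBuffer { GraphicsContext context{0}; };  // temporary drawing target
struct RenderObject { int id; };
// Hypothetical classes, not WebKit's. Buggy shape: one saved-context slot shared by all callers.
class SharedSlotFilter {
public:
    GraphicsContext* applyResource(RenderObject*, GraphicsContext* context) {
        m_savedContext = context;  // nested call for the child overwrites the parent's entry
        if (!m_sourceGraphicBuffer) m_sourceGraphicBuffer = std::make_unique<ImageBuffer>();
        return &m_sourceGraphicBuffer->context;
    }
    GraphicsContext* postApplyResource(RenderObject*) {
        GraphicsContext* original = m_savedContext;
        m_savedContext = nullptr;  // the parent's own post-apply now gets nullptr back
        return original;
    }
private:
    GraphicsContext* m_savedContext = nullptr; std::unique_ptr<ImageBuffer> m_sourceGraphicBuffer;
};
// Fixed shape: saved context and buffer live in a FilterData record per render object.
struct FilterData { GraphicsContext* savedContext = nullptr; std::unique_ptr<ImageBuffer> sourceGraphicBuffer; };
class PerObjectFilter {
public:
    GraphicsContext* applyResource(RenderObject* object, GraphicsContext* context) {
        FilterData& data = m_filter[object];  // node-based map: reference stays valid on rehash
        data.savedContext = context;
        data.sourceGraphicBuffer = std::make_unique<ImageBuffer>();
        return &data.sourceGraphicBuffer->context;
    }
    GraphicsContext* postApplyResource(RenderObject* object) {
        auto it = m_filter.find(object);
        if (it == m_filter.end()) return nullptr;
        GraphicsContext* original = it->second.savedContext;
        m_filter.erase(it);  // releases only this object's buffer
        return original;
    }
private: std::unordered_map<RenderObject*, FilterData> m_filter;
};
// <g filter> around <rect filter> on one resource; true only when both post-applies restore correctly.
template <typename Filter> bool nestedApplyRestoresParent() {
    GraphicsContext original{1};
    RenderObject g{10}, rect{11}; Filter filter;
    GraphicsContext* gContext = filter.applyResource(&g, &original);  // <g> redirects into its buffer
    filter.applyResource(&rect, gContext);                            // <rect> nests on the same resource
    return filter.postApplyResource(&rect) == gContext && filter.postApplyResource(&g) == &original;
}
```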