[Webkit-unassigned] [Bug 93412] New: [SVG][Canvas] Crash when drawing an SVG image to a canvas

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Aug 7 17:02:23 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=93412

           Summary: [SVG][Canvas] Crash when drawing an SVG image to a
                    canvas
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Canvas
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: achicu at adobe.com


The following snippet crashes WebKit. 

<!doctype html>
<body>
  <canvas id="c" width="500" height="500"></canvas>
  <script>
  var svgString = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">' +
                  '<rect width="200" height="250" fill="green"/>' +
                  '</svg>';
  var c = document.getElementById("c");
  var ctx = c.getContext("2d");
  var img =new Image();
  img.src = "data:image/svg+xml;charset=utf-8," + svgString;
  img.onload = function() {
      ctx.drawImage(img, 0, 0);
  }
  </script>
</body>

I get an assert in debug mode:

ASSERTION FAILED: client
../../third_party/WebKit/Source/WebCore/svg/graphics/SVGImageCache.cpp(79) : SVGImageCache::SizeAndScales WebCore::SVGImageCache::requestedSizeAndScales(const WebCore::CachedImageClient *) const
1   0x91772b WebCore::SVGImageCache::requestedSizeAndScales(WebCore::CachedImageClient const*) const
2   0x145e394 WebCore::CachedImage::imageSizeForRenderer(WebCore::RenderObject const*, float)
3   0x2f4ac90 _ZN7WebCoreL4sizeEPNS_16HTMLImageElementE
4   0x2f4ab45 WebCore::CanvasRenderingContext2D::drawImage(WebCore::HTMLImageElement*, float, float, int&)
5   0x401a9d _ZN7WebCore34CanvasRenderingContext2DV8InternalL18drawImage1CallbackERKN2v89ArgumentsE
6   0x3f96a4 _ZN7WebCore34CanvasRenderingContext2DV8InternalL17drawImageCallbackERKN2v89ArgumentsE
7   0x797a2b6 _ZN2v88internalL19HandleApiCallHelperILb0EEEPNS0_11MaybeObjectENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE
8   0x7979d5a _ZN2v88internalL26Builtin_Impl_HandleApiCallENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE
9   0x796fdac _ZN2v88internalL21Builtin_HandleApiCallENS0_12_GLOBAL__N_116BuiltinArgumentsILNS0_21BuiltinExtraArgumentsE1EEEPNS0_7IsolateE
10  0x5f80a336

It seems like the problem is triggered by the following line in CanvasRenderingContext2D.cpp. In this case the image is not yet added to the DOM and it has no renderer attached to it.
return cachedImage->imageSizeForRenderer(image->renderer(), 1.0f);

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list