Closed Bug 801821 Opened 13 years ago Closed 10 years ago

Canvas clip & strokeText crash [@ CA::ScanConverter::Path::add_monotonic_cube]

Tracking

()

Status:

RESOLVED WONTFIX

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(4 files)

testcase (crashes Firefox when loaded) 13 years ago Jesse Ruderman 470 bytes, text/html		Details
stacks 13 years ago Jesse Ruderman 132.84 KB, text/plain		Details
Reduced test case 13 years ago Matt Woodrow (:mattwoodrow) 478 bytes, text/html		Details
Add crashtests for these bugs 13 years ago Matt Woodrow (:mattwoodrow) 2.50 KB, patch	roc : review+	Details \| Diff \| Splinter Review

Jesse Ruderman

Reporter

Description

•

13 years ago

Attached file testcase (crashes Firefox when loaded) — Details

Firefox trunk, Mac OS X 10.7.5 With: user_pref("gfx.canvas.azure.accelerated", true); This is similar to bug 799326 in three ways: * The crash happens in the "CA::" module. * The crash only happens with gfx.canvas.azure.accelerated = true * If the canvas isn't in the document tree, the crash happens during shutdown instead of immediately.

Jesse Ruderman

Reporter

Comment 1

•

13 years ago

Attached file stacks — Details

Nightly: bp-90af29ce-739f-4b9c-95ea-9ec432121015

Matt Woodrow (:mattwoodrow)

Comment 2

•

13 years ago

Attached file Reduced test case — Details

Matt Woodrow (:mattwoodrow)

Comment 3

•

13 years ago

I believe this is related to the huge radius value passed to arcTo. It seems to require the translation though, unsure why that is. I don't really know this code well enough to know if this is a bug in our arcTo implementation, or just a CA bug. The points that we pass to bezierTo (within the arcTo implementation) are huge, but finite at least. Example: $12 = { <mozilla::gfx::BasePoint<float, mozilla::gfx::Point>> = { x = 6.76686969e+15, y = 4.23787074e+14 }, <No data fields>} $13 = { <mozilla::gfx::BasePoint<float, mozilla::gfx::Point>> = { x = 2.99415243e+15, y = -3.85304576e+15 }, <No data fields>} $14 = { <mozilla::gfx::BasePoint<float, mozilla::gfx::Point>> = { x = 3.30508176e+15, y = -8.81785777e+15 }, <No data fields>} Bas, do you have any educated guesses here? Safari manages not to crash here, so they are either decomposing arcTo differently, or they manage to detect invalid input and bail out (nothing gets drawn). I've had a browse though the WebKit source and can't see anything obvious.

Matt Woodrow (:mattwoodrow)

Updated

•

13 years ago

Blocks: 836130

Matt Woodrow (:mattwoodrow)

Comment 4

•

13 years ago

Attached patch Add crashtests for these bugs — Details — Splinter Review

Attachment #708001 - Flags: review?(roc)

Robert O'Callahan (:roc) (email my personal email if necessary)

Updated

•

13 years ago

Attachment #708001 - Flags: review?(roc) → review+

Virtual_ManPL [:Virtual] 🇵🇱 - (please needinfo? me - so I will see your comment/message/reply/question/etc.)

Comment 5

•

10 years ago

Per bug #836130 comment #24

Status: NEW → RESOLVED

Closed: 10 years ago

Resolution: --- → WONTFIX

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Canvas clip & strokeText crash [@ CA::ScanConverter::Path::add_monotonic_cube]

Categories

(Core :: Graphics, defect)

Tracking

()

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Security

(public)

User Story

Attachments

(4 files)

Description

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Updated

Comment 5

Attachment

General

Description

File Name

Content Type