Bug 13801 - Crash when loading nonexisting symbol
Summary: Crash when loading nonexisting symbol
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-21 15:08 PDT by Gera Weiss
Modified: 2007-05-23 04:20 PDT (History)

See Also:


Attachments
Test case from Comment #0 (867 bytes, image/svg+xml)
2007-05-21 23:37 PDT, David Kilzer (:ddkilzer)
no flags
First attempt (20.35 KB, patch)
2007-05-22 11:18 PDT, Rob Buis
darin: review+

Description Gera Weiss 2007-05-21 15:08:54 PDT
The following SVG crashes Webkit:

<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script><![CDATA[
    var flag = 1;
    var c;

    function init() {
      c = document.getElementById("use");
      setInterval("loop()", 500);
    }

    // flag cycles 0, 1, 2; only rec0 and rec1 are defined below, so every
    // third update points the <use> element at a symbol that does not exist.
    function loop() {
      c.setAttributeNS("http://www.w3.org/1999/xlink", "href", "#rec" + flag);
      flag = (flag + 1) % 3;
    }
  ]]></script>

  <symbol shape-rendering="optimizeSpeed" id="rec0" viewBox="0 0 64 64">
    <rect width="59" height="59" x="5" y="5" fill="blue" />
    <text x="17" y="56" font-size="60" click="none"> A </text>
  </symbol>

  <symbol shape-rendering="optimizeSpeed" id="rec1" viewBox="0 0 64 64">
    <rect width="59" height="59" x="5" y="5" fill="magenta" />
    <text x="17" y="56" font-size="60" click="none"> B </text>
  </symbol>

  <use id="use" xlink:href="#rec0"/>

</svg>
Comment 1 David Kilzer (:ddkilzer) 2007-05-21 23:37:08 PDT
Created attachment 14649 [details]
Test case from Comment #0

Please add test cases as file attachments in the future.  Thanks!
Comment 2 David Kilzer (:ddkilzer) 2007-05-21 23:41:32 PDT
Confirmed with a local debug build of WebKit r21608 with Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135).

Console output:

ASSERTION FAILED: target
(/path/to/WebKit/WebCore/ksvg2/svg/SVGUseElement.cpp:242 virtual void WebCore::SVGUseElement::buildPendingResource())
Segmentation fault

Stack trace:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0   com.apple.WebCore        	0x010c85f4 WebCore::SVGUseElement::buildPendingResource() + 376 (SVGUseElement.cpp:242)
1   com.apple.WebCore        	0x010c5280 WebCore::SVGUseElement::attributeChanged(WebCore::Attribute*, bool) + 352 (SVGUseElement.cpp:149)
2   com.apple.WebCore        	0x012d38ec WebCore::Element::setAttribute(WebCore::QualifiedName const&, WebCore::StringImpl*, int&) + 600 (Element.cpp:478)
3   com.apple.WebCore        	0x012d39f0 WebCore::Element::setAttributeNS(WebCore::String const&, WebCore::String const&, WebCore::String const&, int&) + 240 (Element.cpp:907)
4   com.apple.WebCore        	0x012bccf0 WebCore::JSElementPrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 2112 (JSElement.cpp:344)
5   com.apple.JavaScriptCore 	0x00583690 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:98)
6   com.apple.JavaScriptCore 	0x005b4d3c KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 992 (nodes.cpp:790)
7   com.apple.JavaScriptCore 	0x005b13fc KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
8   com.apple.JavaScriptCore 	0x005adbec KJS::SourceElementsNode::execute(KJS::ExecState*) + 284 (nodes.cpp:2523)
9   com.apple.JavaScriptCore 	0x0057f1a0 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
10  com.apple.JavaScriptCore 	0x0057f2f0 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:319)
11  com.apple.JavaScriptCore 	0x0059eab8 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:107)
12  com.apple.JavaScriptCore 	0x00583690 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:98)
13  com.apple.JavaScriptCore 	0x005b5588 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 792 (nodes.cpp:694)
14  com.apple.JavaScriptCore 	0x005b13fc KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
15  com.apple.JavaScriptCore 	0x005adbec KJS::SourceElementsNode::execute(KJS::ExecState*) + 284 (nodes.cpp:2523)
16  com.apple.JavaScriptCore 	0x0057f1a0 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
17  com.apple.JavaScriptCore 	0x005aa594 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 1116 (interpreter.cpp:365)
18  com.apple.WebCore        	0x012fa51c WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::Node*) + 420 (kjs_proxy.cpp:78)
19  com.apple.WebCore        	0x014a456c WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::Node*, WebCore::String const&) + 136 (FrameLoader.cpp:732)
20  com.apple.WebCore        	0x014a4650 WebCore::FrameLoader::executeScript(WebCore::Node*, WebCore::String const&, bool) + 144 (FrameLoader.cpp:720)
21  com.apple.WebCore        	0x013030f8 KJS::ScheduledAction::execute(KJS::Window*) + 1092 (kjs_window.cpp:1921)
22  com.apple.WebCore        	0x01306490 KJS::Window::timerFired(KJS::DOMWindowTimer*) + 104 (kjs_window.cpp:2024)
23  com.apple.WebCore        	0x013066b8 KJS::DOMWindowTimer::fired() + 72 (kjs_window.cpp:2628)
24  com.apple.WebCore        	0x01280a98 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, (unsigned long)0> const&) + 236 (Timer.cpp:322)
25  com.apple.WebCore        	0x01280b64 WebCore::TimerBase::sharedTimerFired() + 132 (Timer.cpp:355)
26  com.apple.WebCore        	0x0127ff10 WebCore::timerFired(__CFRunLoopTimer*, void*) + 60 (SharedTimerMac.cpp:47)
27  com.apple.CoreFoundation 	0x907f2578 __CFRunLoopDoTimer + 184
28  com.apple.CoreFoundation 	0x907deef8 __CFRunLoopRun + 1680
29  com.apple.CoreFoundation 	0x907de4ac CFRunLoopRunSpecific + 268
30  com.apple.HIToolbox      	0x9329bb20 RunCurrentEventLoopInMode + 264
31  com.apple.HIToolbox      	0x9329b1b4 ReceiveNextEventCommon + 380
32  com.apple.HIToolbox      	0x9329b020 BlockUntilNextEventMatchingListInMode + 96
33  com.apple.AppKit         	0x937a1ae4 _DPSNextEvent + 384
34  com.apple.AppKit         	0x937a17a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
35  com.apple.Safari         	0x00006740 0x1000 + 22336
36  com.apple.AppKit         	0x9379dcec -[NSApplication run] + 472
37  com.apple.AppKit         	0x9388e87c NSApplicationMain + 452
38  com.apple.Safari         	0x0005c77c 0x1000 + 374652
39  com.apple.Safari         	0x0005c624 0x1000 + 374308

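The console output above shows the failure mode: buildPendingResource() asserts that the href target exists, and the test case sets xlink:href to "#rec2", an id the document never defines. In a debug build the assertion fires and WebKit deliberately crashes; in a release build ASSERT compiles out, so the same path dereferences a null target. The following is an added illustrative model of that resolution step, not WebKit's SVGUseElement code (Document, SVGSymbol, fragmentFromHref, buildPendingResource and runReporterLoop are assumed names). It parses the href fragment, looks the id up, and treats a missing or malformed reference as "nothing to instantiate" instead of assuming the lookup succeeded, then replays the reporter's 0/1/2 cycle against a constructed document that defines only rec0 and rec1.

```cpp
#include <cassert>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Illustrative model of resolving a <use> element's xlink:href (assumed
// names; not WebKit's SVGUseElement code).
struct SVGSymbol {
    std::string id;
    std::string fill;
};

struct Document {
    std::map<std::string, SVGSymbol> symbolsById;

    // Returns nullptr when no element carries this id.
    const SVGSymbol* getElementById(const std::string& id) const {
        auto it = symbolsById.find(id);
        return it == symbolsById.end() ? nullptr : &it->second;
    }
};

// Only same-document fragment references ("#id") are resolvable here; any
// other href shape yields an empty id.
std::string fragmentFromHref(const std::string& href) {
    if (href.size() < 2 || href[0] != '#')
        return "";
    return href.substr(1);
}

// Hardened resolution: a missing or unresolvable target is reported through
// the return value rather than assumed. The pattern the assertion in
// comment 2 implies would instead do
//     ASSERT(target);                  // compiled out in release builds
//     shadowTree.push_back(*target);   // null dereference when absent
bool buildPendingResource(const Document& doc, const std::string& href,
                          std::vector<SVGSymbol>& shadowTree) {
    shadowTree.clear();
    const std::string id = fragmentFromHref(href);
    if (id.empty())
        return false;
    const SVGSymbol* target = doc.getElementById(id);
    if (!target)
        return false;  // the check the assertion stood in for
    shadowTree.push_back(*target);
    return true;
}

// Mirrors the reporter's loop(): flag starts at 1 and cycles 0..2, so every
// third update targets "#rec2", which the test case never defines.
std::vector<bool> runReporterLoop(const Document& doc, int iterations) {
    std::vector<bool> built;
    std::vector<SVGSymbol> shadowTree;
    int flag = 1;
    for (int i = 0; i < iterations; ++i) {
        built.push_back(buildPendingResource(doc, "#rec" + std::to_string(flag), shadowTree));
        flag = (flag + 1) % 3;
    }
    return built;
}

// Constructed document matching the reporter's SVG: rec0 and rec1 exist.
Document makeReporterDocument() {
    Document doc;
    doc.symbolsById["rec0"] = {"rec0", "blue"};
    doc.symbolsById["rec1"] = {"rec1", "magenta"};
    return doc;
}

int main() {
    Document doc = makeReporterDocument();
    for (bool ok : runReporterLoop(doc, 6))
        std::printf("%s\n", ok ? "instantiated" : "unresolved target, skipped");
    return 0;
}
```

The point for review is that an id lookup driven by script-controlled attribute values is an input validation boundary, not an invariant: an assertion documents the expectation but does not enforce it in the builds users run, so the null case needs an explicit early return.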
Comment 3 Rob Buis 2007-05-22 11:18:27 PDT
Created attachment 14658 [details]
First attempt

Simple fix, probably enough for now.
Cheers,

Rob.
Comment 4 Darin Adler 2007-05-22 14:14:36 PDT
Comment on attachment 14658 [details]
First attempt

r=me
Comment 5 Rob Buis 2007-05-23 04:20:30 PDT
Landed in r21663.