RESOLVED FIXED 15966
Crash in SVGRootInlineBox::walkTextChunks() on mouse hover
https://bugs.webkit.org/show_bug.cgi?id=15966
Alp Toker
Reported 2007-11-13 05:16:40 PST
The crash happens at: http://www.croczilla.com/svg/samples/paths1/paths1.xml when the mouse is moved over SVG text.

The problem line is in SVGRootInlineBox.cpp:

Vector<SVGInlineBoxCharacterRange>::iterator boxIt = curChunk.boxes.begin();

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1521379120 (LWP 19211)]
0xa766b51e in WTF::VectorBufferBase<WebCore::SVGInlineBoxCharacterRange>::buffer (this=0x191) at ../../../JavaScriptCore/wtf/Vector.h:260
260         T* buffer() { return m_buffer; }
(gdb) bt
#0  0xa766b51e in WTF::VectorBufferBase<WebCore::SVGInlineBoxCharacterRange>::buffer (this=0x191) at ../../../JavaScriptCore/wtf/Vector.h:260
#1  0xa766b536 in WTF::Vector<WebCore::SVGInlineBoxCharacterRange, 0u>::data (this=0x18d) at ../../../JavaScriptCore/wtf/Vector.h:438
#2  0xa766b549 in WTF::Vector<WebCore::SVGInlineBoxCharacterRange, 0u>::begin (this=0x18d) at ../../../JavaScriptCore/wtf/Vector.h:441
#3  0xa77e3917 in WebCore::SVGRootInlineBox::walkTextChunks (this=0x817f894, walker=0xaff117fc, textBox=0x81b21e4) at ../../../WebCore/rendering/SVGRootInlineBox.cpp:1575
#4  0xa77e159a in WebCore::SVGInlineTextBox::selectionRect (this=0x81b21e4, startPos=0, endPos=32) at ../../../WebCore/rendering/SVGInlineTextBox.cpp:312
#5  0xa77e180c in WebCore::SVGInlineTextBox::nodeAtPoint (this=0x81b21e4, request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0) at ../../../WebCore/rendering/SVGInlineTextBox.cpp:291
#6  0xa75b6ded in WebCore::InlineFlowBox::nodeAtPoint (this=0x817f894, request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0) at ../../../WebCore/rendering/InlineFlowBox.cpp:582
#7  0xa766718d in WebCore::RootInlineBox::nodeAtPoint (this=0x817f894, request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0) at ../../../WebCore/rendering/RootInlineBox.cpp:180
#8  0xa75f4851 in WebCore::RenderFlow::hitTestLines (this=0x8172ae4, request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0, hitTestAct[...]) at ../../../WebCore/rendering/RenderFlow.cpp:471
#9  0xa75c897b in WebCore::RenderBlock::hitTestContents (this=0x8172ae4, request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0, hitTestAction=WebCore::HitTestForeground) at ../../../WebCore/rendering/RenderBlock.cpp:2948
#10 0xa75c8dda in WebCore::RenderBlock::nodeAtPoint (this=0x8172ae4, request=@0xaff12308, result=@0xaff12198, _x=149, _y=46, _tx=0, _ty=0, hitTestAction=WebCore::HitTestForeground) at ../../../WebCore/rendering/RenderBlock.cpp:2868
#11 0xa77d2654 in WebCore::RenderForeignObject::nodeAtPoint (this=0x8172ae4, request=@0xaff12308, result=@0xaff12198, x=209, y=106, tx=0, ty=0, hitTestAction=WebCore::HitTestForeground) at ../../../WebCore/rendering/RenderForeignObject.cpp:127
#12 0xa77d50a5 in WebCore::RenderSVGContainer::nodeAtPoint (this=0x8389dec, request=@0xaff12308, result=@0xaff12198, _x=209, _y=106, _tx=0, _ty=0, hitTestAction=WebCore::HitTestForeground) at ../../../WebCore/rendering/RenderSVGContainer.cpp:415
#13 0xa77d914c in WebCore::RenderSVGRoot::nodeAtPoint (this=0x8177ed4, request=@0xaff12308, result=@0xaff12198, _x=209, _y=106, _tx=0, _ty=0, hitTestAction=WebCore::HitTestForeground) at ../../../WebCore/rendering/RenderSVGRoot.cpp:291
#14 0xa76171b6 in WebCore::RenderObject::hitTest (this=0x8177ed4, request=@0xaff12308, result=@0xaff12198, point=@0xaff12150, tx=0, ty=0, hitTestFilter=WebCore::HitTestDescendants) at ../../../WebCore/rendering/RenderObject.cpp:2588
#15 0xa76055f4 in WebCore::RenderLayer::hitTestLayer (this=0x80d01e4, rootLayer=0x80d0324, request=@0xaff12308, result=@0xaff12198, hitTestRect=@0xaff12130, hitTestPoint=@0xaff12150) at ../../../WebCore/rendering/RenderLayer.cpp:1733
#16 0xa760547f in WebCore::RenderLayer::hitTestLayer (this=0x80d0324, rootLayer=0x80d0324, request=@0xaff12308, result=@0xaff12198, hitTestRect=@0xaff12130, hitTestPoint=@0xaff12150) at ../../../WebCore/rendering/RenderLayer.cpp:1717
#17 0xa7605a4d in WebCore::RenderLayer::hitTest (this=0x80d0324, request=@0xaff12308, result=@0xaff12198) at ../../../WebCore/rendering/RenderLayer.cpp:1639
Attachments
Initial patch (29.20 KB, patch)
2007-12-22 13:24 PST, Nikolas Zimmermann
oliver: review+
Alp Toker
Comment 1 2007-11-28 12:31:53 PST
Seems this issue may also affect Mac. Needs more investigation, particularly to be sure it's not a security issue as well as a crasher.
Nikolas Zimmermann
Comment 2 2007-11-28 12:52:09 PST
Problem confirmed on Tiger with trunk. Investigating soon.
Nikolas Zimmermann
Comment 3 2007-12-22 13:24:23 PST
Created attachment 18061 [details] Initial patch
Oliver Hunt
Comment 4 2007-12-22 13:36:06 PST
Comment on attachment 18061 [details] Initial patch r=me
Nikolas Zimmermann
Comment 5 2007-12-22 13:40:09 PST
Landed in r28962.