Bug 15966 - Crash in SVGRootInlineBox::walkTextChunks() on mouse hover
Summary: Crash in SVGRootInlineBox::walkTextChunks() on mouse hover
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nikolas Zimmermann
URL: http://www.croczilla.com/svg/samples/...
Keywords: Cairo, Gtk
Depends on:
Blocks:
 
Reported: 2007-11-13 05:16 PST by Alp Toker
Modified: 2007-12-22 13:40 PST (History)
CC List: 2 users

See Also:


Attachments
Initial patch (29.20 KB, patch)
2007-12-22 13:24 PST, Nikolas Zimmermann
oliver: review+

Description Alp Toker 2007-11-13 05:16:40 PST
The crash happens at:

http://www.croczilla.com/svg/samples/paths1/paths1.xml

when the mouse is moved over SVG text.

The problem line is in SVGRootInlineBox.cpp:
  Vector<SVGInlineBoxCharacterRange>::iterator boxIt = curChunk.boxes.begin();
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1521379120 (LWP 19211)]
0xa766b51e in WTF::VectorBufferBase<WebCore::SVGInlineBoxCharacterRange>::buffer (this=0x191) at ../../../JavaScriptCore/wtf/Vector.h:260
260             T* buffer() { return m_buffer; }
(gdb) bt
#0  0xa766b51e in WTF::VectorBufferBase<WebCore::SVGInlineBoxCharacterRange>::buffer (this=0x191) at ../../../JavaScriptCore/wtf/Vector.h:260
#1  0xa766b536 in WTF::Vector<WebCore::SVGInlineBoxCharacterRange, 0u>::data (
    this=0x18d) at ../../../JavaScriptCore/wtf/Vector.h:438
#2  0xa766b549 in WTF::Vector<WebCore::SVGInlineBoxCharacterRange, 0u>::begin (
    this=0x18d) at ../../../JavaScriptCore/wtf/Vector.h:441
#3  0xa77e3917 in WebCore::SVGRootInlineBox::walkTextChunks (this=0x817f894, 
    walker=0xaff117fc, textBox=0x81b21e4)
    at ../../../WebCore/rendering/SVGRootInlineBox.cpp:1575
#4  0xa77e159a in WebCore::SVGInlineTextBox::selectionRect (this=0x81b21e4, 
    startPos=0, endPos=32)
    at ../../../WebCore/rendering/SVGInlineTextBox.cpp:312
#5  0xa77e180c in WebCore::SVGInlineTextBox::nodeAtPoint (this=0x81b21e4, 
    request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0)
    at ../../../WebCore/rendering/SVGInlineTextBox.cpp:291
#6  0xa75b6ded in WebCore::InlineFlowBox::nodeAtPoint (this=0x817f894, 
    request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0)
    at ../../../WebCore/rendering/InlineFlowBox.cpp:582
#7  0xa766718d in WebCore::RootInlineBox::nodeAtPoint (this=0x817f894, 
    request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0)
    at ../../../WebCore/rendering/RootInlineBox.cpp:180
#8  0xa75f4851 in WebCore::RenderFlow::hitTestLines (this=0x8172ae4, 
    request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0, 
    hitTestAct
) at ../../../WebCore/rendering/RenderFlow.cpp:471
#9  0xa75c897b in WebCore::RenderBlock::hitTestContents (this=0x8172ae4, 
    request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0, 
    hitTestAction=WebCore::HitTestForeground)
    at ../../../WebCore/rendering/RenderBlock.cpp:2948
#10 0xa75c8dda in WebCore::RenderBlock::nodeAtPoint (this=0x8172ae4, 
    request=@0xaff12308, result=@0xaff12198, _x=149, _y=46, _tx=0, _ty=0, 
    hitTestAction=WebCore::HitTestForeground)
    at ../../../WebCore/rendering/RenderBlock.cpp:2868
#11 0xa77d2654 in WebCore::RenderForeignObject::nodeAtPoint (this=0x8172ae4, 
    request=@0xaff12308, result=@0xaff12198, x=209, y=106, tx=0, ty=0, 
    hitTestAction=WebCore::HitTestForeground)
    at ../../../WebCore/rendering/RenderForeignObject.cpp:127
#12 0xa77d50a5 in WebCore::RenderSVGContainer::nodeAtPoint (this=0x8389dec, 
    request=@0xaff12308, result=@0xaff12198, _x=209, _y=106, _tx=0, _ty=0, 
    hitTestAction=WebCore::HitTestForeground)
    at ../../../WebCore/rendering/RenderSVGContainer.cpp:415
#13 0xa77d914c in WebCore::RenderSVGRoot::nodeAtPoint (this=0x8177ed4, 
    request=@0xaff12308, result=@0xaff12198, _x=209, _y=106, _tx=0, _ty=0, 
    hitTestAction=WebCore::HitTestForeground)
    at ../../../WebCore/rendering/RenderSVGRoot.cpp:291
#14 0xa76171b6 in WebCore::RenderObject::hitTest (this=0x8177ed4, 
    request=@0xaff12308, result=@0xaff12198, point=@0xaff12150, tx=0, ty=0, 
    hitTestFilter=WebCore::HitTestDescendants)
    at ../../../WebCore/rendering/RenderObject.cpp:2588
#15 0xa76055f4 in WebCore::RenderLayer::hitTestLayer (this=0x80d01e4, 
    rootLayer=0x80d0324, request=@0xaff12308, result=@0xaff12198, 
    hitTestRect=@0xaff12130, hitTestPoint=@0xaff12150)
    at ../../../WebCore/rendering/RenderLayer.cpp:1733
#16 0xa760547f in WebCore::RenderLayer::hitTestLayer (this=0x80d0324, 
    rootLayer=0x80d0324, request=@0xaff12308, result=@0xaff12198, 
    hitTestRect=@0xaff12130, hitTestPoint=@0xaff12150)
    at ../../../WebCore/rendering/RenderLayer.cpp:1717
#17 0xa7605a4d in WebCore::RenderLayer::hitTest (this=0x80d0324, 
    request=@0xaff12308, result=@0xaff12198)
    at ../../../WebCore/rendering/RenderLayer.cpp:1639
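The backtrace above crashes with `this=0x191` in frame #0 and `this=0x18d` in frames #1 and #2, while frame #3 (walkTextChunks) still has a plausible heap address. That pattern is the first thing to read when deciding whether a crasher is a near-null dereference or something worse: the innermost frames were called on an object that frame #3 derived from `curChunk`, and the difference between the two small values (4 bytes) is a member offset inside the Vector, not random corruption. The following triage helper is an added example, not code from the report or from WebKit. It parses gdb `bt` frames in the format shown, finds the innermost frame whose `this` is a sane address, and reports the frames inward of it as running on a derived, invalid pointer. The excerpt of frames #0 to #5 is constructed from the report's own backtrace, and the first-page bound (`PAGE_SIZE = 0x1000`) is an assumption about what cannot be a mapped object address; it works on any `bt` output in this shape, not only this bug.

```python
"""Triage helper for gdb backtraces like the one in this report (added example).

Parses `#N 0x... in func (args) at file:line` frames, extracts each frame's `this`
pointer, and locates the innermost frame whose `this` is a plausible object address.
Every frame inward of it ran on a pointer derived inside that frame, so that is where
to start reading the code.
"""
import re

# Constructed excerpt: frames #0-#5 of the report's backtrace, as gdb wraps them.
SAMPLE_BT = """\
#0  0xa766b51e in WTF::VectorBufferBase<WebCore::SVGInlineBoxCharacterRange>::buffer (this=0x191) at ../../../JavaScriptCore/wtf/Vector.h:260
#1  0xa766b536 in WTF::Vector<WebCore::SVGInlineBoxCharacterRange, 0u>::data (
    this=0x18d) at ../../../JavaScriptCore/wtf/Vector.h:438
#2  0xa766b549 in WTF::Vector<WebCore::SVGInlineBoxCharacterRange, 0u>::begin (
    this=0x18d) at ../../../JavaScriptCore/wtf/Vector.h:441
#3  0xa77e3917 in WebCore::SVGRootInlineBox::walkTextChunks (this=0x817f894,
    walker=0xaff117fc, textBox=0x81b21e4)
    at ../../../WebCore/rendering/SVGRootInlineBox.cpp:1575
#4  0xa77e159a in WebCore::SVGInlineTextBox::selectionRect (this=0x81b21e4,
    startPos=0, endPos=32)
    at ../../../WebCore/rendering/SVGInlineTextBox.cpp:312
#5  0xa77e180c in WebCore::SVGInlineTextBox::nodeAtPoint (this=0x81b21e4,
    request=@0xaff12308, result=@0xaff12198, x=149, y=46, tx=0, ty=0)
    at ../../../WebCore/rendering/SVGInlineTextBox.cpp:291
"""

# Assumption: nothing in the first page is a valid object, so a `this` below this
# bound is a null-or-near-null base plus a field offset, not a live object.
PAGE_SIZE = 0x1000

FRAME_RE = re.compile(
    r'^#(?P<num>\d+)\s+0x[0-9a-f]+ in (?P<func>.+?) \((?P<args>.*)\)\s+at\s+'
    r'(?P<file>\S+):(?P<line>\d+)$')
ARG_RE = re.compile(r'(\w+)=(@?)(0x[0-9a-f]+|-?\d+|[\w:]+)')


def split_frames(text):
    """Join gdb's wrapped continuation lines so each frame is one logical line."""
    frames, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            if cur is not None:
                frames.append(cur)
            cur = line
        elif cur is not None:
            cur += ' ' + line
    if cur is not None:
        frames.append(cur)
    return frames


def parse_frames(text):
    """Return one dict per frame: number, function, file, line and `this` (or None)."""
    out = []
    for logical in split_frames(text):
        m = FRAME_RE.match(logical)
        if not m:
            continue  # skip anything that is not a frame line ("(gdb) bt", pager noise)
        args = {a.group(1): a.group(3) for a in ARG_RE.finditer(m.group('args'))}
        this_ptr = int(args['this'], 16) if 'this' in args else None
        out.append({'num': int(m.group('num')), 'func': m.group('func'),
                    'file': m.group('file'), 'line': int(m.group('line')),
                    'this': this_ptr})
    return out


def triage(text, page_size=PAGE_SIZE):
    """Classify the crash: which frames ran on a bad `this`, and where it came from."""
    frames = parse_frames(text)
    bad = [f for f in frames if f['this'] is not None and f['this'] < page_size]
    if not bad:
        return {'suspicious': False, 'frames': frames}
    # Innermost frame with a plausible `this`: the bad pointer was produced inside it
    # (or handed to it), so that is the line to read first.
    origin = next(f for f in frames
                  if f['this'] is not None and f['this'] >= page_size)
    return {
        'suspicious': True,
        'fault_this': bad[0]['this'],
        'bad_frames': [f['num'] for f in bad],
        'origin': origin,
        # Frame #0's object is a member of frame #1's object, so the difference of
        # their `this` values is a member offset; a small, stable step says the
        # access chain is intact and only the base object is invalid.
        'offset_step': bad[0]['this'] - bad[1]['this'] if len(bad) > 1 else None,
    }


if __name__ == '__main__':
    r = triage(SAMPLE_BT)
    print('fault this=%#x, bad frames %s, member step %s' %
          (r['fault_this'], r['bad_frames'], r['offset_step']))
    print('read first: #%d %s at %s:%d' % (r['origin']['num'], r['origin']['func'],
                                           r['origin']['file'], r['origin']['line']))
```

Run against the report's frames it points at `SVGRootInlineBox.cpp:1575`, the `curChunk.boxes.begin()` line the reporter identified, and shows a 4-byte step between the two bad `this` values. That is enough to say the crash is a dereference through an invalid chunk reference rather than a write into arbitrary memory, but not enough to rule out a stale reference, which is why the "not a security issue" question in the comments needs the actual fix, not just the trace.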
Comment 1 Alp Toker 2007-11-28 12:31:53 PST
Seems this issue may also affect Mac. Needs more investigation, particularly to be sure it's not a security issue as well as a crasher.
Comment 2 Nikolas Zimmermann 2007-11-28 12:52:09 PST
Problem confirmed on Tiger with trunk. Investigating soon.
Comment 3 Nikolas Zimmermann 2007-12-22 13:24:23 PST
Created attachment 18061 [details]
Initial patch
Comment 4 Oliver Hunt 2007-12-22 13:36:06 PST
Comment on attachment 18061 [details]
Initial patch

r=me
Comment 5 Nikolas Zimmermann 2007-12-22 13:40:09 PST
Landed in r28962.