I get a crash on the following SVG testcase with r31841: http://www.w3.org/Graphics/SVG/Test/20061213/svgHarness/full-color-prof-01-f.svg

FWIW, this is happening on the Gtk Port, built with gcc 4.2.3 on x86_64. The build happened with -O2 and -g, but not with --enable-debug. Backtrace follows:

$ gdb /usr/lib/webkit-1.0/GtkLauncher
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) set pagination off
(gdb) run http://www.w3.org/Graphics/SVG/Test/20061213/svgHarness/full-color-prof-01-f.svg
Starting program: /usr/lib/webkit-1.0/GtkLauncher http://www.w3.org/Graphics/SVG/Test/20061213/svgHarness/full-color-prof-01-f.svg
[Thread debugging using libthread_db enabled]
warning: Lowest section in /usr/lib/libicudata.so.38 is .hash at 0000000000000120
[New Thread 0x2b4b69604520 (LWP 7033)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x2b4b69604520 (LWP 7033)]
0x00002b4b5f79e7ab in WebCore::ScrollView::update (this=0x2b4b6a9faaf8) at ../WebCore/platform/gtk/ScrollViewGtk.cpp:331
331     ../WebCore/platform/gtk/ScrollViewGtk.cpp: No such file or directory.
        in ../WebCore/platform/gtk/ScrollViewGtk.cpp
Current language:  auto; currently c++
(gdb) bt full
#0  0x00002b4b5f79e7ab in WebCore::ScrollView::update (this=0x2b4b6a9faaf8) at ../WebCore/platform/gtk/ScrollViewGtk.cpp:331
        rect = {x = 0, y = 0, width = 0, height = 0}
#1  0x00002b4b5f91f9c2 in WebCore::Document::implicitClose (this=0x2b4b6aa29b00) at ../WebCore/dom/Document.cpp:1580
        wasLocationChangePending = <value optimized out>
#2  0x00002b4b5fa4b482 in WebCore::FrameLoader::checkCompleted (this=0x2b4b6aaa4400) at ../WebCore/loader/FrameLoader.cpp:1287
No locals.
#3  0x00002b4b5fa4ccfe in WebCore::FrameLoader::finishedParsing (this=0x0) at ../WebCore/loader/FrameLoader.cpp:1237
No locals.
#4  0x00002b4b5f919ba2 in WebCore::Document::finishedParsing (this=0x2b4b6aa29b00) at ../WebCore/dom/Document.cpp:3669
        f = <value optimized out>
        ec = 0
#5  0x00002b4b5fa4e9fc in WebCore::FrameLoader::endIfNotLoadingMainResource (this=0x2b4b6aaa4400) at ../WebCore/loader/FrameLoader.cpp:1063
No locals.
#6  0x00002b4b5fc79abd in WebCore::SVGImage::dataChanged (this=0x2b4b6a9fab40, allDataReceived=<value optimized out>) at ../WebCore/svg/graphics/SVGImage.cpp:215
        fakeRequest = {<WebCore::ResourceRequestBase> = {static defaultTimeoutInterval = 60, m_url = {m_string = {m_impl = {m_ptr = 0x2b4b601281a0}}, m_isValid = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0}, m_cachePolicy = WebCore::UseProtocolCachePolicy, m_timeoutInterval = 60, m_mainDocumentURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0}, m_httpMethod = {m_impl = {m_ptr = 0x2b4b6aaa3450}}, m_httpHeaderFields = {m_impl = {static m_minTableSize = 64, static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}, m_httpBody = {m_ptr = 0x0}, m_allowHTTPCookies = true, m_resourceRequestUpdated = true, m_platformRequestUpdated = false}, <No data fields>}
        dummyChromeClient = (class WebCore::ChromeClient *) 0x2b4b6a9f6618
        dummyFrameLoaderClient = (class WebCore::FrameLoaderClient *) 0x2b4b6a9f6608
        dummyEditorClient = (class WebCore::EditorClient *) 0x2b4b6a9f6600
        dummyContextMenuClient = (class WebCore::ContextMenuClient *) 0x2b4b6a9f6610
        dummyDragClient = (class WebCore::DragClient *) 0x2b4b6a9f67f8
        dummyInspectorClient = (class WebCore::InspectorClient *) 0x2b4b6a9f67f0
#7  0x00002b4b5fabf364 in WebCore::Image::setData (this=0x2b4b6a9fab40, data=<value optimized out>, allDataReceived=false) at ../WebCore/platform/graphics/Image.cpp:72
No locals.
#8  0x00002b4b5fa2b81f in WebCore::CachedImage::data (this=0x2b4b6aa49c60, data=<value optimized out>, allDataReceived=false) at ../WebCore/loader/CachedImage.cpp:233
        sizeAvailable = <value optimized out>
#9  0x00002b4b5fa5cb4c in WebCore::Loader::Host::didFinishLoading (this=0x2b4b6a9fd510, loader=0x2b4b6aa91c80) at ../WebCore/loader/loader.cpp:268
        request = (class WebCore::Request *) 0x2b4b6aa65990
        docLoader = (class WebCore::DocLoader *) 0x2b4b6a9fdea0
        resource = (class WebCore::CachedResource *) 0x2b4b6aa49c60
#10 0x00002b4b5fa67fe3 in WebCore::SubresourceLoader::didFinishLoading (this=0x2b4b6aa91c80) at ../WebCore/loader/SubresourceLoader.cpp:193
No locals.
#11 0x00002b4b5fb81d64 in WebCore::ResourceHandleManager::downloadTimerCallback (this=0x2b4b6aa7ad80, timer=<value optimized out>) at ../WebCore/platform/network/curl/ResourceHandleManager.cpp:340
        msg = (CURLMsg *) 0x897660
        handle = <value optimized out>
        job = (class WebCore::ResourceHandle *) 0x630900
        messagesInQueue = 0
        d = <value optimized out>
        fdread = {fds_bits = {1536, 0 <repeats 15 times>}}
        fdwrite = {fds_bits = {0 <repeats 16 times>}}
        fdexcep = {fds_bits = {0 <repeats 16 times>}}
        maxfd = 10
        timeout = {tv_sec = 0, tv_usec = 5000}
        rc = <value optimized out>
        runningHandles = 1
        started = <value optimized out>
#12 0x00002b4b5fada763 in WebCore::TimerBase::fireTimers (fireTime=1208036241.1094639, firingTimers=@0x7fff4b7858d0) at ../WebCore/platform/Timer.cpp:347
        timer = (class WebCore::TimerBase *) 0x2b4b6aa7ad80
        interval = <value optimized out>
        i = 0
#13 0x00002b4b5fada81b in WebCore::TimerBase::sharedTimerFired () at ../WebCore/platform/Timer.cpp:368
        fireTime = 1208036241.1094639
        firingTimers = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<WebCore::TimerBase*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2b4b6aa9bb80, m_capacity = 16}, <No data fields>}}
        firingTimersSet = {m_impl = {static m_minTableSize = 64, static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x2b4b6aa01600, m_tableSize = 64, m_tableSizeMask = 63, m_keyCount = 0, m_deletedCount = 1}}
#14 0x00002b4b5f7a0e22 in timeout_cb () at ../WebCore/platform/gtk/SharedTimerGtk.cpp:48
No locals.
#15 0x00002b4b60ee681b in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#16 0x00002b4b60ee60f2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#17 0x00002b4b60ee9396 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#18 0x00002b4b60ee9657 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#19 0x00002b4b607f6b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163
        tmp_list = (GList *) 0x62b0b0
        functions = (GList *) 0x0
        init = (GtkInitFunction *) 0x662280
        loop = (GMainLoop *) 0x881fb0
#20 0x0000000000401e9b in main (argc=2, argv=0x7fff4b785c18) at ../WebKitTools/GtkLauncher/main.c:200
        vbox = (GtkWidget *) 0x62b0b0
        uri = <value optimized out>
FYI:

(gdb) print containingWindow()
$1 = (GtkWidget *) 0x0
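Triaging a report like this usually starts by pulling the crash site and the suspicious frames out of the "bt full" text rather than reading all of it. The script below is an added example for this thread, not code from the report or from WebKit: it parses gdb frame header lines into records, reports the innermost frame with its file and line, flags frames whose "this" pointer gdb printed as 0x0 (frame #3 above), and finds the first SVGImage frame, which is where the fake-frame path enters. The embedded excerpt is copied from the backtrace in this report with the locals trimmed; the function names and the "WebCore::SVGImage" prefix used for the lookup are taken from it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the "bt full" output from the report above. Frame header lines are
# copied from the report; locals are trimmed to a few lines to show they are skipped.
BACKTRACE = """\
#0  0x00002b4b5f79e7ab in WebCore::ScrollView::update (this=0x2b4b6a9faaf8) at ../WebCore/platform/gtk/ScrollViewGtk.cpp:331
        rect = {x = 0, y = 0, width = 0, height = 0}
#1  0x00002b4b5f91f9c2 in WebCore::Document::implicitClose (this=0x2b4b6aa29b00) at ../WebCore/dom/Document.cpp:1580
        wasLocationChangePending = <value optimized out>
#2  0x00002b4b5fa4b482 in WebCore::FrameLoader::checkCompleted (this=0x2b4b6aaa4400) at ../WebCore/loader/FrameLoader.cpp:1287
No locals.
#3  0x00002b4b5fa4ccfe in WebCore::FrameLoader::finishedParsing (this=0x0) at ../WebCore/loader/FrameLoader.cpp:1237
No locals.
#4  0x00002b4b5f919ba2 in WebCore::Document::finishedParsing (this=0x2b4b6aa29b00) at ../WebCore/dom/Document.cpp:3669
#5  0x00002b4b5fa4e9fc in WebCore::FrameLoader::endIfNotLoadingMainResource (this=0x2b4b6aaa4400) at ../WebCore/loader/FrameLoader.cpp:1063
#6  0x00002b4b5fc79abd in WebCore::SVGImage::dataChanged (this=0x2b4b6a9fab40, allDataReceived=<value optimized out>) at ../WebCore/svg/graphics/SVGImage.cpp:215
#15 0x00002b4b60ee681b in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#20 0x0000000000401e9b in main (argc=2, argv=0x7fff4b785c18) at ../WebKitTools/GtkLauncher/main.c:200
"""

# One gdb frame header: "#N  0xADDR in FUNC (ARGS) at FILE:LINE" or "... from LIB".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+ in )?"
    r"(?P<func>\S+) \((?P<args>.*?)\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+)| from (?P<lib>\S+))?\s*$"
)


@dataclass
class Frame:
    num: int
    func: str
    args: str
    file: Optional[str] = None
    line: Optional[int] = None
    lib: Optional[str] = None

    @property
    def this_ptr(self) -> Optional[str]:
        """The value gdb printed for 'this', if the frame has one."""
        m = re.search(r"\bthis=(0x[0-9a-fA-F]+)", self.args)
        return m.group(1) if m else None

    @property
    def has_null_this(self) -> bool:
        return self.this_ptr is not None and int(self.this_ptr, 16) == 0

    def location(self) -> str:
        return f"{self.file}:{self.line}" if self.file else (self.lib or "<unknown>")


def parse_backtrace(text: str) -> List[Frame]:
    """Parse frame header lines; locals, 'No locals.' and symbol notes are skipped."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append(Frame(num=int(m["num"]), func=m["func"], args=m["args"],
                            file=m["file"], line=int(m["line"]) if m["line"] else None,
                            lib=m["lib"]))
    return frames


def frames_with_null_this(frames: List[Frame]) -> List[int]:
    """Frame numbers where gdb reported this=0x0."""
    return [f.num for f in frames if f.has_null_this]


def first_frame_in(frames: List[Frame], prefix: str) -> Optional[Frame]:
    """Innermost frame whose function name starts with prefix (e.g. a class name)."""
    for f in frames:
        if f.func.startswith(prefix):
            return f
    return None


def triage(text: str) -> Dict[str, object]:
    """Summarise a backtrace: crash site, null-this frames, first SVGImage frame."""
    frames = parse_backtrace(text)
    crash = frames[0] if frames else None
    svg = first_frame_in(frames, "WebCore::SVGImage")
    return {
        "frames": len(frames),
        "crash_function": crash.func if crash else None,
        "crash_location": crash.location() if crash else None,
        "null_this_frames": frames_with_null_this(frames),
        "svg_entry_frame": svg.num if svg else None,
    }


if __name__ == "__main__":
    for key, value in triage(BACKTRACE).items():
        print(f"{key}: {value}")
```

The this=0x0 flag is a pointer to re-check, not a conclusion: in an -O2 build without --enable-debug, gdb can print misleading values for optimized-out or inlined frames, so a frame like #3 is worth confirming in a debug build before drawing a conclusion from it.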
I just got the same crash with the last post on planet webkit seen in liferea-webkit.
Created attachment 20822
workaround?

This fixes the issue for me on planet.webkit.org, and doesn't crash on the full-color-prof-01-f.svg test anymore, but doesn't display properly either... I don't know if containingWindow is really supposed to never be NULL in update. Maybe something like addChild or setContainingWindow would be needed somewhere in SVGImage... or maybe in some unimplemented functions in FrameLoaderClient... but I just got that from a quick glance at the code. I'm not very familiar with it.
I think that the image is not rendering correctly because of other problems and not because of the workaround. This SVG crashes WebKit because it has nested SVGs, so new frame views without associated windows are created. I'm closing this bug as a dup as the other one has a longer discussion on the crash.

*** This bug has been marked as a duplicate of 19370 ***