149460 2015-09-22 08:37:46 -0700 ASSERTION FAILED: !url.protocolIsData() in WebCore::SVGURIReference::isExternalURIReference 2024-10-17 01:24:57 -0700 1 1 1 Unclassified WebKit SVG WebKit Local Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=261806 InRadar P2 Normal --- 116980 1 rhodovan.u-szeged zsun ap bfulgham emilio fujii krit sabouhallawa simon.fraser webkit-bug-importer zimmermann oldest_to_newest 1128002 0 261744 rhodovan.u-szeged 2015-09-22 08:37:46 -0700 Created attachment 261744 Test Load this test with debug WebKit: <svg> <use xlink:href="data:foo.bar"></use> </svg> Backtrace: ASSERTION FAILED: !url.protocolIsData() ../../Source/WebCore/svg/SVGURIReference.h(48) : static bool WebCore::SVGURIReference::isExternalURIReference(const WTF::String&, WebCore::Document&) #0 0x00007fffec64eab6 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007ffff287cad1 in WebCore::SVGURIReference::isExternalURIReference (uri=..., document=...) at ../../Source/WebCore/svg/SVGURIReference.h:48 #2 0x00007ffff36fc51c in WebCore::SVGUseElement::updateExternalDocument (this=0x7fffd5ad9000) at ../../Source/WebCore/svg/SVGUseElement.cpp:534 #3 0x00007ffff36f9965 in WebCore::SVGUseElement::insertedInto (this=0x7fffd5ad9000, rootParent=...) at ../../Source/WebCore/svg/SVGUseElement.cpp:110 #4 0x00007ffff28f88af in WebCore::notifyNodeInsertedIntoDocument (insertionPoint=..., node=..., postInsertionNotificationTargets=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:71 #5 0x00007ffff28f8ac2 in WebCore::notifyChildNodeInserted (insertionPoint=..., node=..., postInsertionNotificationTargets=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:97 #6 0x00007ffff28ebbd1 in WebCore::ContainerNode::notifyChildInserted (this=0x7fffd5adb000, child=..., source=WebCore::ContainerNode::ChildChangeSourceParser) at ../../Source/WebCore/dom/ContainerNode.cpp:331 #7 0x00007ffff28ed982 in WebCore::ContainerNode::parserAppendChild (this=0x7fffd5adb000, newChild=...) at ../../Source/WebCore/dom/ContainerNode.cpp:734 #8 0x00007ffff2ccb299 in WebCore::insert (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:107 #9 0x00007ffff2ccb33c in WebCore::executeInsertTask (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:114 #10 0x00007ffff2ccb58a in WebCore::executeTask (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:152 #11 0x00007ffff2ccb918 in WebCore::HTMLConstructionSite::executeQueuedTasks (this=0x7fffd5af7920) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:202 #12 0x00007ffff2cff2c7 in WebCore::HTMLTreeBuilder::constructTree (this=0x7fffd5af7900, token=...) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:355 #13 0x00007ffff2cd55d8 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x7fffd58165c0, rawToken=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:321 #14 0x00007ffff2cd5208 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x7fffd58165c0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:276 #15 0x00007ffff2cd4ac7 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x7fffd58165c0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:166 #16 0x00007ffff2cd5b3c in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (this=0x7fffd58165c0, inputSource=<unknown type in webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x6d8e5>) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:391 #17 0x00007ffff2908a65 in WebCore::DecodedDataDocumentParser::flush (this=0x7fffd58165c0, writer=...) at ../../Source/WebCore/dom/DecodedDataDocumentParser.cpp:60 #18 0x00007ffff2e68c3e in WebCore::DocumentWriter::end (this=0x7fffd58360a0) at ../../Source/WebCore/loader/DocumentWriter.cpp:244 #19 0x00007ffff2e5264a in WebCore::DocumentLoader::finishedLoading (this=0x7fffd5836000, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:430 #20 0x00007ffff2e523a8 in WebCore::DocumentLoader::notifyFinished (this=0x7fffd5836000, resource=0x7fffd580f9c0) at ../../Source/WebCore/loader/DocumentLoader.cpp:377 #21 0x00007ffff2f10f7d in WebCore::CachedResource::checkNotify (this=0x7fffd580f9c0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:297 #22 0x00007ffff2f1108c in WebCore::CachedResource::finishLoading (this=0x7fffd580f9c0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:313 #23 0x00007ffff2f0d28a in WebCore::CachedRawResource::finishLoading (this=0x7fffd580f9c0, data=0x7fffd5bfde80) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:103 #24 0x00007ffff2ebd812 in WebCore::SubresourceLoader::didFinishLoading (this=0x7fffd5836c00, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:372 #25 0x00007ffff2eb828b in WebCore::ResourceLoader::didFinishLoading (this=0x7fffd5836c00, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:631 #26 0x00007ffff38e70f6 in WebCore::readCallback (asyncResult=0xb4e9b0, data=0x7fffd5bb7300) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1340 #27 0x00007fffe945796a in async_ready_callback_wrapper (source_object=0xa35db0, res=0xb4e9b0, user_data=0x7fffd5bb7300) at ginputstream.c:529 #28 0x00007fffe947d453 in g_task_return_now (task=0xb4e9b0) at gtask.c:1088 #29 0x00007fffe947d489 in complete_in_idle_cb (task=0xb4e9b0) at gtask.c:1102 #30 0x00007fffe8eb7a9d in g_main_dispatch (context=0x492400) at gmain.c:3122 #31 g_main_context_dispatch (context=context@entry=0x492400) at gmain.c:3737 #32 0x00007fffe8eb7e70 in g_main_context_iterate (context=0x492400, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3808 #33 0x00007fffe8eb8192 in g_main_loop_run (loop=0x5f15d0) at gmain.c:4002 #34 0x00007ffff406313f in WTF::RunLoop::run () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:67 #35 0x00007ffff2300a23 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd5b8) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61 #36 0x00007ffff2300880 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd5b8) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:77 #37 0x00000000004008da in main (argc=2, argv=0x7fffffffd5b8) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44 1217679 1 bfulgham 2016-08-04 17:19:52 -0700 This reproduces in r204037. 1217680 2 webkit-bug-importer 2016-08-04 17:20:17 -0700 <rdar://problem/27710775> 1217789 3 sabouhallawa 2016-08-04 19:02:59 -0700 Correct SVG href should not be a data url. But if this happens we should not assert. This assertion was added by https://trac.webkit.org/changeset/183053. The changeLog does not describe why this assertion was added. But I think it was added because the assumption was the mask data URI was handled by the CSS parser and SVGURIReference should not be receiving a data URI which might correct for masks. But it is not the case for the SVG href itself which can be a data uri for incorrect SVG documents. So I think this assertion is not correct and should be removed. 1580602 4 emilio 2019-10-16 11:37:54 -0700 *** Bug 202809 has been marked as a duplicate of this bug. *** 2011589 5 fujii 2024-02-07 17:12:39 -0800 imported/w3c/web-platform-tests/css/filter-effects/svg-feimage-002.html is also crashing due to this assertion failure. 274235@main added the test. https://results.webkit.org/?suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fcss%2Ffilter-effects%2Fsvg-feimage-002.html https://build.webkit.org/results/Apple-Sonoma-Debug-AppleSilicon-WK1-Tests/274239@main%20(1578)/imported/w3c/web-platform-tests/css/filter-effects/svg-feimage-002-stderr.txt 2068336 6 zsun 2024-10-16 01:27:30 -0700 Pull request: https://github.com/WebKit/WebKit/pull/34627 2068706 7 ews-feeder 2024-10-17 01:24:54 -0700 Committed 285321@main (04332cec0029): <https://commits.webkit.org/285321@main> Reviewed commits have been landed. Closing PR #34627 and removing active labels. 261744 2015-09-22 08:37:46 -0700 2015-09-22 08:37:46 -0700 Test crash.html text/html 54 rhodovan.u-szeged PHN2Zz4KICAgIDx1c2UgeGxpbms6aHJlZj0iZGF0YTpmb28uYmFyIj48L3VzZT4KPC9zdmc+