17771 2008-03-11 09:34:34 -0700 SVGImage accesses m_frame w/o checking for NULL 2008-03-18 16:51:53 -0700 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED http://www.trilulilu.ro/audio/cele-mai-recente/ NeedsReduction P2 Normal --- 1 eric eric oldest_to_newest 73328 0 eric 2008-03-11 09:34:34 -0700 SVGImage accesses m_frame w/o checking for NULL I don't know how to get real crashlogs out of this machine (I'm on windows for the moment). But the top of the stack was something like this: Frame::document() SVGImage::hasRelativeWidth() RenderImage::calcReplacedWidth() RenderImage::calcPrefWidths() RenderBox::minPrefWidth() Looking at SVGImage.cpp it's clear we have many instances of un-guarded usage of m_frame. I'm sure there are other crashes like this to be found. We'll need to create a reduction (by staring @ the SVGImage source code) 73660 1 19753 eric 2008-03-13 20:23:21 -0700 Created attachment 19753 Fix crash WebCore/svg/graphics/SVGImage.cpp | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) 73661 2 eric 2008-03-13 20:29:24 -0700 (In reply to comment #1) > Created an attachment (id=19753) [edit] > Fix crash > > WebCore/svg/graphics/SVGImage.cpp | 8 ++++++++ > 1 files changed, 8 insertions(+), 0 deletions(-) > I failed to figure out how to make a test case for this. I've only seen this crash once, but the code definitely looks wrong. I expect this happens when the SVGImage not yet done loading, and is asked to layout. I tried using an empty SVGImage, but that just produced an error icon. I also tried creating an http test, but wasn't successful. Perhaps someone with some http test foo would like to guide me through such a process. 73662 3 19753 oliver 2008-03-13 20:39:59 -0700 Comment on attachment 19753 Fix crash r=me 73960 4 darin 2008-03-16 13:20:58 -0700 Assigning to Eric, assuming he's going to land his own patch. 74354 5 eric 2008-03-18 16:51:53 -0700 Landed as: http://trac.webkit.org/projects/webkit/changeset/31139 I was very sad that I was not able to create a test case for this. I'm certain there are ways to make the old code crash. 19753 2008-03-13 20:23:21 -0700 2008-03-13 20:39:59 -0700 Fix crash Fix-crash.patch text/plain 1556 eric MGJhZDA3MTU0MDI1YjVhYTc5Njg3MDI5YjZlYWIxZjkxYTc3MTMzNwpkaWZmIC0tZ2l0IGEvV2Vi Q29yZS9zdmcvZ3JhcGhpY3MvU1ZHSW1hZ2UuY3BwIGIvV2ViQ29yZS9zdmcvZ3JhcGhpY3MvU1ZH SW1hZ2UuY3BwCmluZGV4IDcyM2FiODIuLjk4NGI4MzIgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvc3Zn L2dyYXBoaWNzL1NWR0ltYWdlLmNwcAorKysgYi9XZWJDb3JlL3N2Zy9ncmFwaGljcy9TVkdJbWFn ZS5jcHAKQEAgLTcwLDYgKzcwLDggQEAgdm9pZCBTVkdJbWFnZTo6c2V0Q29udGFpbmVyU2l6ZShj b25zdCBJbnRTaXplJiBjb250YWluZXJTaXplKQogICAgIGlmIChjb250YWluZXJTaXplLndpZHRo KCkgPD0gMCB8fCBjb250YWluZXJTaXplLmhlaWdodCgpIDw9IDApCiAgICAgICAgIHJldHVybjsK IAorICAgIGlmICghbV9mcmFtZSB8fCAhbV9mcmFtZS0+ZG9jdW1lbnQoKSkKKyAgICAgICAgcmV0 dXJuOwogICAgIFNWR1NWR0VsZW1lbnQqIHJvb3RFbGVtZW50ID0gc3RhdGljX2Nhc3Q8U1ZHRG9j dW1lbnQqPihtX2ZyYW1lLT5kb2N1bWVudCgpKS0+cm9vdEVsZW1lbnQoKTsKICAgICBpZiAoIXJv b3RFbGVtZW50KQogICAgICAgICByZXR1cm47CkBAIC03OSw2ICs4MSw4IEBAIHZvaWQgU1ZHSW1h Z2U6OnNldENvbnRhaW5lclNpemUoY29uc3QgSW50U2l6ZSYgY29udGFpbmVyU2l6ZSkKIAogYm9v bCBTVkdJbWFnZTo6dXNlc0NvbnRhaW5lclNpemUoKSBjb25zdAogeworICAgIGlmICghbV9mcmFt ZSB8fCAhbV9mcmFtZS0+ZG9jdW1lbnQoKSkKKyAgICAgICAgcmV0dXJuIGZhbHNlOwogICAgIFNW R1NWR0VsZW1lbnQqIHJvb3RFbGVtZW50ID0gc3RhdGljX2Nhc3Q8U1ZHRG9jdW1lbnQqPihtX2Zy YW1lLT5kb2N1bWVudCgpKS0+cm9vdEVsZW1lbnQoKTsKICAgICBpZiAoIXJvb3RFbGVtZW50KQog ICAgICAgICByZXR1cm4gZmFsc2U7CkBAIC0xMTQsNiArMTE4LDggQEAgSW50U2l6ZSBTVkdJbWFn ZTo6c2l6ZSgpIGNvbnN0CiAKIGJvb2wgU1ZHSW1hZ2U6Omhhc1JlbGF0aXZlV2lkdGgoKSBjb25z dAogeworICAgIGlmICghbV9mcmFtZSB8fCAhbV9mcmFtZS0+ZG9jdW1lbnQoKSkKKyAgICAgICAg cmV0dXJuIGZhbHNlOwogICAgIFNWR1NWR0VsZW1lbnQqIHJvb3RFbGVtZW50ID0gc3RhdGljX2Nh c3Q8U1ZHRG9jdW1lbnQqPihtX2ZyYW1lLT5kb2N1bWVudCgpKS0+cm9vdEVsZW1lbnQoKTsKICAg ICBpZiAoIXJvb3RFbGVtZW50KQogICAgICAgICByZXR1cm4gZmFsc2U7CkBAIC0xMjMsNiArMTI5 LDggQEAgYm9vbCBTVkdJbWFnZTo6aGFzUmVsYXRpdmVXaWR0aCgpIGNvbnN0CiAKIGJvb2wgU1ZH SW1hZ2U6Omhhc1JlbGF0aXZlSGVpZ2h0KCkgY29uc3QKIHsKKyAgICBpZiAoIW1fZnJhbWUgfHwg IW1fZnJhbWUtPmRvY3VtZW50KCkpCisgICAgICAgIHJldHVybiBmYWxzZTsKICAgICBTVkdTVkdF bGVtZW50KiByb290RWxlbWVudCA9IHN0YXRpY19jYXN0PFNWR0RvY3VtZW50Kj4obV9mcmFtZS0+ ZG9jdW1lbnQoKSktPnJvb3RFbGVtZW50KCk7CiAgICAgaWYgKCFyb290RWxlbWVudCkKICAgICAg ICAgcmV0dXJuIGZhbHNlOwo=