18444 2008-04-12 14:41:02 -0700 Crash in WebCore::ScrollView::update on SVG test : full-color-prof-01-f.svg 2008-08-06 12:15:22 -0700 1 1 1 Unclassified WebKit WebKitGTK 528+ (Nightly build) PC Linux RESOLVED DUPLICATE 19370 P2 Major --- 0 mh+webkit webkit-unassigned marco.barisione oldest_to_newest 77355 0 mh+webkit 2008-04-12 14:41:02 -0700 I get a crash on the following SVG testcase with r31841: http://www.w3.org/Graphics/SVG/Test/20061213/svgHarness/full-color-prof-01-f.svg FWIW, this is happening on the Gtk Port, built with gcc 4.2.3 on x86_64. The build happened with with -O2 and -g, but not with --enable-debug. Backtrace follows: $ gdb /usr/lib/webkit-1.0/GtkLauncher GNU gdb 6.8-debian Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu"... (gdb) set pagination off (gdb) run http://www.w3.org/Graphics/SVG/Test/20061213/svgHarness/full-color-prof-01-f.svg Starting program: /usr/lib/webkit-1.0/GtkLauncher http://www.w3.org/Graphics/SVG/Test/20061213/svgHarness/full-color-prof-01-f.svg [Thread debugging using libthread_db enabled] warning: Lowest section in /usr/lib/libicudata.so.38 is .hash at 0000000000000120 [New Thread 0x2b4b69604520 (LWP 7033)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x2b4b69604520 (LWP 7033)] 0x00002b4b5f79e7ab in WebCore::ScrollView::update (this=0x2b4b6a9faaf8) at ../WebCore/platform/gtk/ScrollViewGtk.cpp:331 331 ../WebCore/platform/gtk/ScrollViewGtk.cpp: No such file or directory. in ../WebCore/platform/gtk/ScrollViewGtk.cpp Current language: auto; currently c++ (gdb) bt full #0 0x00002b4b5f79e7ab in WebCore::ScrollView::update (this=0x2b4b6a9faaf8) at ../WebCore/platform/gtk/ScrollViewGtk.cpp:331 rect = {x = 0, y = 0, width = 0, height = 0} #1 0x00002b4b5f91f9c2 in WebCore::Document::implicitClose (this=0x2b4b6aa29b00) at ../WebCore/dom/Document.cpp:1580 wasLocationChangePending = <value optimized out> #2 0x00002b4b5fa4b482 in WebCore::FrameLoader::checkCompleted (this=0x2b4b6aaa4400) at ../WebCore/loader/FrameLoader.cpp:1287 No locals. #3 0x00002b4b5fa4ccfe in WebCore::FrameLoader::finishedParsing (this=0x0) at ../WebCore/loader/FrameLoader.cpp:1237 No locals. #4 0x00002b4b5f919ba2 in WebCore::Document::finishedParsing (this=0x2b4b6aa29b00) at ../WebCore/dom/Document.cpp:3669 f = <value optimized out> ec = 0 #5 0x00002b4b5fa4e9fc in WebCore::FrameLoader::endIfNotLoadingMainResource (this=0x2b4b6aaa4400) at ../WebCore/loader/FrameLoader.cpp:1063 No locals. #6 0x00002b4b5fc79abd in WebCore::SVGImage::dataChanged (this=0x2b4b6a9fab40, allDataReceived=<value optimized out>) at ../WebCore/svg/graphics/SVGImage.cpp:215 fakeRequest = {<WebCore::ResourceRequestBase> = {static defaultTimeoutInterval = 60, m_url = {m_string = {m_impl = {m_ptr = 0x2b4b601281a0}}, m_isValid = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0}, m_cachePolicy = WebCore::UseProtocolCachePolicy, m_timeoutInterval = 60, m_mainDocumentURL = {m_string = {m_impl = {m_ptr = 0x0}}, m_isValid = false, m_schemeEnd = 0, m_userStart = 0, m_userEnd = 0, m_passwordEnd = 0, m_hostEnd = 0, m_portEnd = 0, m_pathAfterLastSlash = 0, m_pathEnd = 0, m_queryEnd = 0, m_fragmentEnd = 0}, m_httpMethod = {m_impl = {m_ptr = 0x2b4b6aaa3450}}, m_httpHeaderFields = {m_impl = {static m_minTableSize = 64, static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x0, m_tableSize = 0, m_tableSizeMask = 0, m_keyCount = 0, m_deletedCount = 0}}, m_httpBody = {m_ptr = 0x0}, m_allowHTTPCookies = true, m_resourceRequestUpdated = true, m_platformRequestUpdated = false}, <No data fields>} dummyChromeClient = (class WebCore::ChromeClient *) 0x2b4b6a9f6618 dummyFrameLoaderClient = (class WebCore::FrameLoaderClient *) 0x2b4b6a9f6608 dummyEditorClient = (class WebCore::EditorClient *) 0x2b4b6a9f6600 dummyContextMenuClient = (class WebCore::ContextMenuClient *) 0x2b4b6a9f6610 dummyDragClient = (class WebCore::DragClient *) 0x2b4b6a9f67f8 dummyInspectorClient = (class WebCore::InspectorClient *) 0x2b4b6a9f67f0 #7 0x00002b4b5fabf364 in WebCore::Image::setData (this=0x2b4b6a9fab40, data=<value optimized out>, allDataReceived=false) at ../WebCore/platform/graphics/Image.cpp:72 No locals. #8 0x00002b4b5fa2b81f in WebCore::CachedImage::data (this=0x2b4b6aa49c60, data=<value optimized out>, allDataReceived=false) at ../WebCore/loader/CachedImage.cpp:233 sizeAvailable = <value optimized out> #9 0x00002b4b5fa5cb4c in WebCore::Loader::Host::didFinishLoading (this=0x2b4b6a9fd510, loader=0x2b4b6aa91c80) at ../WebCore/loader/loader.cpp:268 request = (class WebCore::Request *) 0x2b4b6aa65990 docLoader = (class WebCore::DocLoader *) 0x2b4b6a9fdea0 resource = (class WebCore::CachedResource *) 0x2b4b6aa49c60 #10 0x00002b4b5fa67fe3 in WebCore::SubresourceLoader::didFinishLoading (this=0x2b4b6aa91c80) at ../WebCore/loader/SubresourceLoader.cpp:193 No locals. #11 0x00002b4b5fb81d64 in WebCore::ResourceHandleManager::downloadTimerCallback (this=0x2b4b6aa7ad80, timer=<value optimized out>) at ../WebCore/platform/network/curl/ResourceHandleManager.cpp:340 msg = (CURLMsg *) 0x897660 handle = <value optimized out> job = (class WebCore::ResourceHandle *) 0x630900 messagesInQueue = 0 d = <value optimized out> fdread = {fds_bits = {1536, 0 <repeats 15 times>}} fdwrite = {fds_bits = {0 <repeats 16 times>}} fdexcep = {fds_bits = {0 <repeats 16 times>}} maxfd = 10 timeout = {tv_sec = 0, tv_usec = 5000} rc = <value optimized out> runningHandles = 1 started = <value optimized out> #12 0x00002b4b5fada763 in WebCore::TimerBase::fireTimers (fireTime=1208036241.1094639, firingTimers=@0x7fff4b7858d0) at ../WebCore/platform/Timer.cpp:347 timer = (class WebCore::TimerBase *) 0x2b4b6aa7ad80 interval = <value optimized out> i = 0 #13 0x00002b4b5fada81b in WebCore::TimerBase::sharedTimerFired () at ../WebCore/platform/Timer.cpp:368 fireTime = 1208036241.1094639 firingTimers = {m_size = 1, m_buffer = {<WTF::VectorBufferBase<WebCore::TimerBase*>> = {<WTFNoncopyable::Noncopyable> = {<No data fields>}, m_buffer = 0x2b4b6aa9bb80, m_capacity = 16}, <No data fields>}} firingTimersSet = {m_impl = {static m_minTableSize = 64, static m_maxLoad = 2, static m_minLoad = 6, m_table = 0x2b4b6aa01600, m_tableSize = 64, m_tableSizeMask = 63, m_keyCount = 0, m_deletedCount = 1}} #14 0x00002b4b5f7a0e22 in timeout_cb () at ../WebCore/platform/gtk/SharedTimerGtk.cpp:48 No locals. #15 0x00002b4b60ee681b in ?? () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #16 0x00002b4b60ee60f2 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #17 0x00002b4b60ee9396 in ?? () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #18 0x00002b4b60ee9657 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 No symbol table info available. #19 0x00002b4b607f6b63 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c:1163 tmp_list = (GList *) 0x62b0b0 functions = (GList *) 0x0 init = (GtkInitFunction *) 0x662280 loop = (GMainLoop *) 0x881fb0 #20 0x0000000000401e9b in main (argc=2, argv=0x7fff4b785c18) at ../WebKitTools/GtkLauncher/main.c:200 vbox = (GtkWidget *) 0x62b0b0 uri = <value optimized out> 77356 1 mh+webkit 2008-04-12 14:44:07 -0700 FYI: (gdb) print containingWindow() $1 = (GtkWidget *) 0x0 78803 2 mh+webkit 2008-04-24 13:48:54 -0700 I just got the same crash with the last post on planet webkit seen in liferea-webkit 78935 3 20822 mh+webkit 2008-04-25 12:54:19 -0700 Created attachment 20822 workaround? This fixes the issue for me on planet.webkit.org, and doesn't crash on full-color-prof-01-f.svg test anymore, but doesn't display properly either... I don't know if containingWindow is really supposed to never be NULL in update. Maybe something like addChild or setContainingWindow would be needed somewhere in SVGImage... or maybe in some unimplemented functions in FrameLoaderClient... but I just got that from a quick glance at the code. I'm not very familiar with it. 87980 4 marco.barisione 2008-08-06 12:15:22 -0700 I think that the image is not rendering correctly because of other problems and not because of the workaround. This SVG crashes webkit because it has nested SVGs so new frame views without associated windows are created. I'm closing this bug as a dup as the other one has a longer discussion on the crash. *** This bug has been marked as a duplicate of 19370 *** 20822 2008-04-25 12:54:19 -0700 2008-04-25 12:54:19 -0700 workaround? diff text/plain 533 mh+webkit ZGlmZiAtLWdpdCBhL1dlYkNvcmUvcGxhdGZvcm0vZ3RrL1Njcm9sbFZpZXdHdGsuY3BwIGIvV2Vi Q29yZS9wbGF0Zm9ybS9ndGsvU2Nyb2xsVmlld0d0ay5jcHAKaW5kZXggYTU0OTVjNi4uZDg3MDg5 MiAxMDA2NDQKLS0tIGEvV2ViQ29yZS9wbGF0Zm9ybS9ndGsvU2Nyb2xsVmlld0d0ay5jcHAKKysr IGIvV2ViQ29yZS9wbGF0Zm9ybS9ndGsvU2Nyb2xsVmlld0d0ay5jcHAKQEAgLTMxOSw2ICszMTks NyBAQCB2b2lkIFNjcm9sbFZpZXc6OnVwZGF0ZUNvbnRlbnRzKGNvbnN0IEludFJlY3QmIHVwZGF0 ZVJlY3QsIGJvb2wgbm93KQogdm9pZCBTY3JvbGxWaWV3Ojp1cGRhdGUoKQogewogICAgIEFTU0VS VChjb250YWluaW5nV2luZG93KCkpOworICAgIGlmICghY29udGFpbmluZ1dpbmRvdygpKSByZXR1 cm47CiAKICAgICBHZGtSZWN0YW5nbGUgcmVjdCA9IGZyYW1lR2VvbWV0cnkoKTsKICAgICBnZGtf d2luZG93X2ludmFsaWRhdGVfcmVjdChHVEtfV0lER0VUKGNvbnRhaW5pbmdXaW5kb3coKSktPndp bmRvdywgJnJlY3QsIHRydWUpOwo=