33841 2010-01-19 07:22:23 -0800 Crash on dispatching SVG mouse events 2010-01-20 18:11:10 -0800 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 vitalyr zimmermann dglazkov zimmermann oldest_to_newest 182228 0 46907 vitalyr 2010-01-19 07:22:23 -0800 Created attachment 46907 Reproducible test case Crash on dispatching SVG mouse events Steps to reproduce: 1. Open attached svg_crash.svg. 2. Move the mouse over the blinking black rectangle. See http://crbug.com/32269 (in particular comment 8). This first appeared as chromium-specific bug, but then it turned out to be reproducible in Safari. 182329 1 vitalyr 2010-01-19 11:06:39 -0800 I verified it crashes even after http://trac.webkit.org/changeset/53446 182597 2 zimmermann 2010-01-19 20:16:54 -0800 Thanks, the testcase is evil :-) We need to add: if (!m_targetElementInstance) return 0; to SVGUseElement::instanceForShadowTreeElement. Can you try wheter that fixes it, my tree is jammed atm :-) 183002 3 47087 zimmermann 2010-01-20 18:02:46 -0800 Created attachment 47087 Initial patch As discussed on IRC, there is no way to test using DRT at the moment - that particular code in EventHandler leading to crashes is not reachable when moving mouse using DRT. Adding the original testcase as manual-test. 183007 4 zimmermann 2010-01-20 18:11:10 -0800 Landed in r53589. 46907 2010-01-19 07:22:23 -0800 2010-01-20 18:02:46 -0800 Reproducible test case svg_crash.svg image/svg+xml 1601 vitalyr PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJ QyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iIAogICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGlj cy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgo8c3ZnIGlkPSJzdmciIHdpZHRoPSIxMGNtIiBoZWln aHQ9IjNjbSIgdmlld0JveD0iMCAwIDEwMCAzMCIgdmVyc2lvbj0iMS4xIgogICAgIHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3Jn LzE5OTkveGxpbmsiPgogIDxkZWZzPgogICAgPHJlY3QgaWQ9Ik15UmVjdCIgd2lkdGg9IjYwIiBo ZWlnaHQ9IjEwIi8+CiAgICA8cmVjdCBpZD0ib3RoZXIiIHdpZHRoPSI2MCIgaGVpZ2h0PSIxMCIv PgogIDwvZGVmcz4KICA8cmVjdCB4PSIuMSIgeT0iLjEiIHdpZHRoPSI5OS44IiBoZWlnaHQ9IjI5 LjgiCiAgICAgICAgZmlsbD0ibm9uZSIgc3Ryb2tlPSJibHVlIiBzdHJva2Utd2lkdGg9Ii4yIi8+ CiAgPHVzZSBpZD0idXNlMSIgeD0iMjAiIHk9IjEwIiB4bGluazpocmVmPSIjTXlSZWN0IiAvPgog IDxzY3JpcHQ+CjwhW0NEQVRBWwogICAgdmFyIHN2ZyA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlk KCJzdmciKTsKICAgIHZhciB1c2UxID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoInVzZTEiKTsK CiAgICBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCJET01Ob2RlSW5zZXJ0ZWQiLCBmdW5jdGlv bigpIHt9LCB0cnVlKTsKCiAgICBmdW5jdGlvbiBhZGQxKCkgewogICAgICBzdmcuYXBwZW5kQ2hp bGQodXNlMSwgdHJ1ZSk7CiAgICAgIHNldFRpbWVvdXQocmVtb3ZlMSwgMTAwKTsKICAgIH0KCiAg ICBmdW5jdGlvbiByZW1vdmUxKCkgewogICAgICB1c2UxLnBhcmVudEVsZW1lbnQucmVtb3ZlQ2hp bGQodXNlMSk7CiAgICAgIHNldFRpbWVvdXQoYWRkMSwgMTAwKTsKICAgIH0KCiAgICB2YXIgcm9v dDEgPSB1c2UxLmluc3RhbmNlUm9vdDsKCiAgICByZW1vdmUxKCk7CgogICAgLypmdW5jdGlvbiBz eW50aGVzaXplTW91c2VFdmVudChldmVudE5hbWUsIHRhcmdldCwgb3B0X3JlbGF0ZWRUYXJnZXQp IHsKICAgICAgdmFyIGUgPSBkb2N1bWVudC5jcmVhdGVFdmVudCgiTW91c2VFdmVudHMiKTsKICAg ICAgZS5pbml0TW91c2VFdmVudChldmVudE5hbWUsCiAgICAgICAgICAgICAgICAgICAgICAgdHJ1 ZSwKICAgICAgICAgICAgICAgICAgICAgICBmYWxzZSwKICAgICAgICAgICAgICAgICAgICAgICB3 aW5kb3csCiAgICAgICAgICAgICAgICAgICAgICAgMCwKICAgICAgICAgICAgICAgICAgICAgICAx MCwgMTAsCiAgICAgICAgICAgICAgICAgICAgICAgMTAsIDEwLAogICAgICAgICAgICAgICAgICAg ICAgIGZhbHNlLAogICAgICAgICAgICAgICAgICAgICAgIGZhbHNlLAogICAgICAgICAgICAgICAg ICAgICAgIGZhbHNlLAogICAgICAgICAgICAgICAgICAgICAgIGZhbHNlLAogICAgICAgICAgICAg ICAgICAgICAgIDAsCiAgICAgICAgICAgICAgICAgICAgICAgb3B0X3JlbGF0ZWRUYXJnZXQpOwog ICAgICB0YXJnZXQuZGlzcGF0Y2hFdmVudChlKTsKICAgIH0qLwpdXT4KICA8L3NjcmlwdD4KPC9z dmc+Cgo= 47087 2010-01-20 18:02:46 -0800 2010-01-20 18:04:30 -0800 Initial patch UseCrashes.diff text/plain 2852 zimmermann SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA1MzU4NykKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjEgQEAKKzIwMTAtMDEtMjAgIE5pa29sYXMgWmltbWVybWFubiAgPG56aW1tZXJt YW5uQHJpbS5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAg ICAgICAgQ3Jhc2ggb24gZGlzcGF0Y2hpbmcgU1ZHIG1vdXNlIGV2ZW50cworICAgICAgICBodHRw czovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MzM4NDEKKworICAgICAgICBSZXR1 cm4gZWFybHkgaWYgbV90YXJnZXRFbGVtZW50SW5zdGFuY2UgaXMgemVybywgdGhpcyBvbmx5IGhh cHBlbnMgaWYgdGhlIFNWR1VzZUVsZW1lbnQKKyAgICAgICAgaGFzIGp1c3QgYmVlbiByZW1vdmVk IGZyb20gdGhlIGRvY3VtZW50IC0gYWRkIGFuIGFzc2VydGlvbiBmb3IgdGhhdCAtIGFuZCBFdmVu dEhhbmRsZXIKKyAgICAgICAgdHJpZXMgdG8gZGlzcGF0Y2ggYSBtb3VzZW91dCBldmVudC4gVGhp cyBpcyBub3QgdGVzdGFibGUgdXNpbmcgRFJUIHVuZm9ydHVuYXRlbHksIHNvCisgICAgICAgIHdl IGhhdmUgdG8gYWRkIGFub3RoZXIgbWFudWFsIHRlc3RjYXNlIGZvciB0aGF0LgorCisgICAgICAg IFRlc3RzOiBtYW51YWwtdGVzdHMvc3ZnL3VzZS1jcmFzaC1vbi1tb3VzZS1ob3Zlci5zdmcKKwor ICAgICAgICAqIG1hbnVhbC10ZXN0cy9zdmctY3Jhc2gtaG92ZXJpbmctdXNlLnN2ZzogQWRkZWQu CisgICAgICAgICogc3ZnL1NWR1VzZUVsZW1lbnQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6U1ZH VXNlRWxlbWVudDo6aW5zdGFuY2VGb3JTaGFkb3dUcmVlRWxlbWVudCk6CisKIDIwMTAtMDEtMjAg IEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEBhcHBsZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQg YnkgU2FtIFdlaW5pZy4KSW5kZXg6IFdlYkNvcmUvbWFudWFsLXRlc3RzL3N2Zy1jcmFzaC1ob3Zl cmluZy11c2Uuc3ZnCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvbWFudWFsLXRlc3RzL3N2Zy1jcmFz aC1ob3ZlcmluZy11c2Uuc3ZnCShyZXZpc2lvbiAwKQorKysgV2ViQ29yZS9tYW51YWwtdGVzdHMv c3ZnLWNyYXNoLWhvdmVyaW5nLXVzZS5zdmcJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMzAgQEAK Kzw/eG1sIHZlcnNpb249IjEuMCIgc3RhbmRhbG9uZT0ibm8iPz4KKzwhRE9DVFlQRSBzdmcgUFVC TElDICItLy9XM0MvL0RURCBTVkcgMS4xLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL0dyYXBoaWNz L1NWRy8xLjEvRFREL3N2ZzExLmR0ZCI+Cis8c3ZnIGlkPSJzdmciIHZpZXdCb3g9IjAgMCAxMDAg MzAiIHZlcnNpb249IjEuMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxu czp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayI+Cis8ZGVmcz4KKyAgICA8cmVj dCBpZD0icmVjdCIgd2lkdGg9IjYwIiBoZWlnaHQ9IjEwIi8+Cis8L2RlZnM+CisKKzx0ZXh0IHg9 IjMwIiB5PSIzMCI+SG92ZXIgb3ZlciB0aGUgcmVjdGFuZ2xlLCB3aGlsZSBpdCdzIGZsYXNoaW5n IC0gaXQgc2hvdWxkIG5vdCBmaXJlIGFuIGFzc2VydGlvbiBpbiBhIGRlYnVnIGJ1aWxkPC90ZXh0 PgorPHVzZSBpZD0idXNlIiB4PSIyMCIgeT0iMTAiIHhsaW5rOmhyZWY9IiNyZWN0IiAvPgorCis8 c2NyaXB0PgorPCFbQ0RBVEFbCisgICAgdmFyIHN2ZyA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlk KCJzdmciKTsKKyAgICB2YXIgdXNlID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoInVzZSIpOwor CisgICAgZnVuY3Rpb24gYWRkVXNlRWxlbWVudCgpIHsKKyAgICAgICAgc3ZnLmFwcGVuZENoaWxk KHVzZSwgdHJ1ZSk7CisgICAgICAgIHNldFRpbWVvdXQocmVtb3ZlVXNlRWxlbWVudCwgNTApOwor ICAgIH0KKworICAgIGZ1bmN0aW9uIHJlbW92ZVVzZUVsZW1lbnQoKSB7CisgICAgICAgIHVzZS5w YXJlbnRFbGVtZW50LnJlbW92ZUNoaWxkKHVzZSk7CisgICAgICAgIHNldFRpbWVvdXQoYWRkVXNl RWxlbWVudCwgNTApOworICAgIH0KKworICAgIGRvY3VtZW50LmFkZEV2ZW50TGlzdGVuZXIoIkRP TU5vZGVJbnNlcnRlZCIsIGZ1bmN0aW9uKCkge30sIHRydWUpOworICAgIHJlbW92ZVVzZUVsZW1l bnQoKTsKK11dPgorPC9zY3JpcHQ+Cis8L3N2Zz4KSW5kZXg6IFdlYkNvcmUvc3ZnL1NWR1VzZUVs ZW1lbnQuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvc3ZnL1NWR1VzZUVsZW1lbnQuY3BwCShy ZXZpc2lvbiA1MzU3MykKKysrIFdlYkNvcmUvc3ZnL1NWR1VzZUVsZW1lbnQuY3BwCSh3b3JraW5n IGNvcHkpCkBAIC04NTcsNiArODU3LDExIEBAIHZvaWQgU1ZHVXNlRWxlbWVudDo6YXNzb2NpYXRl SW5zdGFuY2VzV2kKIAogU1ZHRWxlbWVudEluc3RhbmNlKiBTVkdVc2VFbGVtZW50OjppbnN0YW5j ZUZvclNoYWRvd1RyZWVFbGVtZW50KE5vZGUqIGVsZW1lbnQpIGNvbnN0CiB7CisgICAgaWYgKCFt X3RhcmdldEVsZW1lbnRJbnN0YW5jZSkgeworICAgICAgICBBU1NFUlQoIWluRG9jdW1lbnQoKSk7 CisgICAgICAgIHJldHVybiAwOworICAgIH0KKwogICAgIHJldHVybiBpbnN0YW5jZUZvclNoYWRv d1RyZWVFbGVtZW50KGVsZW1lbnQsIG1fdGFyZ2V0RWxlbWVudEluc3RhbmNlLmdldCgpKTsKIH0K IAo=