67487 2011-09-02 07:27:26 -0700 Case of the missing shadow Tree 2012-05-21 13:44:34 -0700 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) PC Windows Vista RESOLVED FIXED P1 Normal --- 1 skylined schenney dglazkov eric krit leandro schenney zimmermann oldest_to_newest 461215 0 106130 skylined 2011-09-02 07:27:26 -0700 Created attachment 106130 Repro Repro: <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:x="x"> <foreignObject id="foreignObject"> <x:div id="x"></x:div> </foreignObject> <use id="use" xlink:href="#foreignObject" /> <use xlink:href="#use"/> <script> document.documentElement.insertBefore(document.getElementById("x")); </script> </svg> Not sure what happens exactly, but the foreignObject element ends up with a NULL shadow tree element, which triggers ASSERTS and a NULL ptr: void SVGElementInstance::invalidateAllInstancesOfElement(SVGElement* element) { if (!element || !element->inDocument()) return; if (element->isStyled() && static_cast<SVGStyledElement*>(element)->instanceUpdatesBlocked()) return; const HashSet<SVGElementInstance*>& set = element->instancesForElement(); if (set.isEmpty()) return; // Mark all use elements referencing 'element' for rebuilding const HashSet<SVGElementInstance*>::const_iterator end = set.end(); for (HashSet<SVGElementInstance*>::const_iterator it = set.begin(); it != end; ++it) { ASSERT((*it)->shadowTreeElement()); ASSERT((*it)->shadowTreeElement()->correspondingElement()); ASSERT((*it)->correspondingElement() == element); (*it)->shadowTreeElement()->setCorrespondingElement(0); if (SVGUseElement* element = (*it)->correspondingUseElement()) { ASSERT(element->inDocument()); element->invalidateShadowTree(); } } // Be sure to rebuild use trees, if needed element->document()->updateLayoutIgnorePendingStylesheets(); } id: chrome.dll!WebCore::SVGElement::ensureRareSVGData ReadAV@NULL (b5516c4ed1ba6200134db33c80c5ed49) description: Attempt to read from unallocated NULL pointer+0x27 in chrome.dll!WebCore::SVGElement::ensureRareSVGData stack: chrome.dll!WebCore::SVGElement::ensureRareSVGData chrome.dll!WebCore::SVGElement::setCorrespondingElement chrome.dll!WebCore::SVGElementInstance::invalidateAllInstancesOfElement chrome.dll!WebCore::SVGStyledElement::childrenChanged chrome.dll!WebCore::ContainerNode::removeChild chrome.dll!WebCore::ContainerNode::appendChild chrome.dll!WebCore::ContainerNode::insertBefore chrome.dll!WebCore::Node::insertBefore chrome.dll!WebCore::V8Node::insertBeforeCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ... 461217 1 skylined 2011-09-02 07:29:10 -0700 Chromium: https://code.google.com/p/chromium/issues/detail?id=95201 629448 2 schenney 2012-05-21 13:44:34 -0700 This was fixed at some point and does not crash Chromium ToT. It does crash Chrome 19, but that does not have the fix in it, to my knowledge. I believe the relevant changes are: Initial patch: <http://trac.webkit.org/changeset/109299> And follow up: <http://trac.webkit.org/changeset/109333> These disallow foreign object inside a <use> element, as the spec demands. 106130 2011-09-02 07:27:26 -0700 2011-09-02 07:27:26 -0700 Repro repro.svg image/svg+xml 379 skylined PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRw Oi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KICA8Zm9yZWlnbk9iamVjdCBpZD0iZm9yZWlnbk9i amVjdCI+CiAgICA8eC8+CiAgPC9mb3JlaWduT2JqZWN0PgogIDx1c2UgaWQ9InVzZSIgeGxpbms6 aHJlZj0iI2ZvcmVpZ25PYmplY3QiIC8+CiAgPHVzZSB4bGluazpocmVmPSIjdXNlIi8+CiAgPHNj cmlwdD4KICAgIHZhciBvRm9yZWlnbk9iamVjdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJm b3JlaWduT2JqZWN0Iik7CiAgICBvRm9yZWlnbk9iamVjdC5yZW1vdmVDaGlsZChvRm9yZWlnbk9i amVjdC5maXJzdENoaWxkKTsKICA8L3NjcmlwdD4KPC9zdmc+Cg==