85797 2012-05-07 06:18:42 -0700 REGRESSION (Safari 5.1.5 - ToT): Crash in RenderSVGRoot::computeReplacedLogicalWidth 2012-06-22 11:20:00 -0700 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED Regression P1 Normal --- 1 pdr fmalita ap eric fmalita krit thorton webkit.review.bot zimmermann oldest_to_newest 617557 0 pdr 2012-05-07 06:18:42 -0700 The following will cause a crash: <figcaption style="width:1px;"> <svg style="width:intrinsic;"/> In debug builds, the following assert is hit: ASSERTION FAILED: isEmbeddedThroughFrameContainingSVGDocument() ../../third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGRoot.cpp(177) : virtual WebCore::LayoutUnit WebCore::RenderSVGRoot::computeReplacedLogicalWidth(bool) const Original bug: http://crbug.com/126416 617670 1 ap 2012-05-07 10:13:22 -0700 Crashes ToT, but not Safari 5.1.5 for me. Release build stack trace: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010c31ee38 WebCore::RenderSVGRoot::computeReplacedLogicalWidth(bool) const + 344 1 com.apple.WebCore 0x000000010cb53295 WebCore::RenderBox::computeLogicalWidthInRegion(WebCore::RenderRegion*, WebCore::FractionalLayoutUnit) + 485 2 com.apple.WebCore 0x000000010c1b2c0a WebCore::RenderBox::computeLogicalWidth() + 26 3 com.apple.WebCore 0x000000010c31eb09 WebCore::RenderSVGRoot::layout() + 169 4 com.apple.WebCore 0x000000010cb4c461 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 913 ... 653766 2 fmalita 2012-06-20 12:27:22 -0700 The assert at the end of RenderSVGRoot::computeReplacedLogicalWidth() is wrong: we can also reach that point for inline SVGs when the width attribute doesn't establish the viewport (see SVGSVGElement::widthAttributeEstablishesViewport). The release crash happens in return document()->frame()->ownerRenderer()->availableLogicalWidth() because ownerRenderer() is NULL for the case of inline SVG. This also seems to affect RenderSVGRoot::computeReplacedLogicalHeight(). I guess the question is what to do when a) widthAttributeEstablishesViewport() == false and b) the SVG element is not embedded via object/iframe Fall back to RenderReplace:::computeReplacedLogicalWidth? 653849 3 148647 fmalita 2012-06-20 13:42:52 -0700 Created attachment 148647 Minimized crasher 655541 4 149049 fmalita 2012-06-22 10:09:04 -0700 Created attachment 149049 Patch 655629 5 149049 webkit.review.bot 2012-06-22 11:19:50 -0700 Comment on attachment 149049 Patch Clearing flags on attachment: 149049 Committed r121041: <http://trac.webkit.org/changeset/121041> 655630 6 webkit.review.bot 2012-06-22 11:20:00 -0700 All reviewed patches have been landed. Closing bug. 148647 2012-06-20 13:42:52 -0700 2012-06-20 13:42:52 -0700 Minimized crasher svg-intrinsic.html text/html 71 fmalita PGRpdiBzdHlsZT0id2lkdGg6IDEwMHB4OyI+CiAgPHN2ZyBzdHlsZT0id2lkdGg6IGludHJpbnNp YzsiLz4KPC9kaXY+Cgo= 149049 2012-06-22 10:09:04 -0700 2012-06-22 11:19:50 -0700 Patch bug-85797-20120622130904.patch text/plain 5230 fmalita U3VidmVyc2lvbiBSZXZpc2lvbjogMTIxMDMwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMzE5MDc0Y2YyODk3ZmNk YTc1YTIyY2Q5MDk0YjRlZmIyOTUxOGJhYS4uMTIwOTJmYTY5MGFiOGFmZjI5MzZhNDYyZDk2ZTk4 MjQzNzVlYmQzZCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI2IEBACisyMDEyLTA2LTIyICBGbG9y aW4gTWFsaXRhICA8Zm1hbGl0YUBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgUkVHUkVTU0lPTiAo U2FmYXJpIDUuMS41IC0gVG9UKTogQ3Jhc2ggaW4gUmVuZGVyU1ZHUm9vdDo6Y29tcHV0ZVJlcGxh Y2VkTG9naWNhbFdpZHRoCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD04NTc5NworCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisg ICAgICAgIFRlc3Q6IHN2Zy9jdXN0b20vc3ZnLXdpZHRoLWludHJpbnNpYy1jcmFzaC5odG1sCisK KyAgICAgICAgUmVuZGVyU1ZHUm9vdDo6Y29tcHV0ZVJlcGxhY2VkTG9naWNhbFdpZHRoIGFzc3Vt ZXMgdGhhdCBpZgorICAgICAgICBTVkdTVkdFbGVtZW50Ojp3aWR0aEF0dHJpYnV0ZUVzdGFibGlz aGVzVmlld3BvcnQgcmV0dXJucyBmYWxzZSwgdGhlCisgICAgICAgIFNWRyBtdXN0IGJlIGVtYmVk ZGVkIHZpYSA8b2JqZWN0Pi4gVGhpcyBpcyBub3QgYWx3YXlzIHRoZSBjYXNlLCB0aG91Z2g6Cisg ICAgICAgIHdpZHRoQXR0cmlidXRlRXN0YWJsaXNoZXNWaWV3cG9ydCBjYW4gYWxzbyByZXR1cm4g ZmFsc2UgZm9yIGlubGluZQorICAgICAgICBTVkcgaWYgaXQgZG9lc24ndCBoYXZlIGEgcmVwbGFj ZWQgbG9naWNhbCB3aWR0aC4KKworICAgICAgICBVcGRhdGVkIGNvbXB1dGVSZXBsYWNlZExvZ2lj YWx7V2lkdGgsSGVpZ2h0fSB0byBoYW5kbGUgdGhlCisgICAgICAgICF3aWR0aEF0dHJpYnV0ZUVz dGFibGlzaGVzVmlld3BvcnQgJiYgIWlzRW1iZWRkZWRUaHJvdWdoRnJhbWVDb250YWluaW5nU1ZH RG9jdW1lbnQKKyAgICAgICAgY2FzZSBncmFjZWZ1bGx5LgorCisgICAgICAgICogcmVuZGVyaW5n L3N2Zy9SZW5kZXJTVkdSb290LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlJlbmRlclNWR1Jvb3Q6 OmNvbXB1dGVSZXBsYWNlZExvZ2ljYWxXaWR0aCk6CisgICAgICAgIChXZWJDb3JlOjpSZW5kZXJT VkdSb290Ojpjb21wdXRlUmVwbGFjZWRMb2dpY2FsSGVpZ2h0KToKKwogMjAxMi0wNi0yMiAgQW5k cmV5IEtvc3lha292ICA8Y2FzZXFAY2hyb21pdW0ub3JnPgogCiAgICAgICAgIFdlYiBJbnNwZWN0 b3I6IHRpbWVsaW5lIGV2ZW50IGRldGFpbHMgcG9wdXAgbWlzc2VzIENQVSB0aW1lCmRpZmYgLS1n aXQgYS9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvc3ZnL1JlbmRlclNWR1Jvb3QuY3BwIGIvU291 cmNlL1dlYkNvcmUvcmVuZGVyaW5nL3N2Zy9SZW5kZXJTVkdSb290LmNwcAppbmRleCA5NTUyODk1 MjlmYTlmMTllOTFmY2VjMTk4YWFkOWViNzQyZTgyMzBmLi5jMDk0NTdlNjFiMWI3NTkxNDczNDdk ZmMwMDU4NTljNzIxMzA1ODRkIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcv c3ZnL1JlbmRlclNWR1Jvb3QuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3JlbmRlcmluZy9zdmcv UmVuZGVyU1ZHUm9vdC5jcHAKQEAgLTE3Myw5ICsxNzMsMTIgQEAgTGF5b3V0VW5pdCBSZW5kZXJT VkdSb290Ojpjb21wdXRlUmVwbGFjZWRMb2dpY2FsV2lkdGgoYm9vbCBpbmNsdWRlTWF4V2lkdGgp IGNvbnMKICAgICBpZiAoc3ZnLT53aWR0aEF0dHJpYnV0ZUVzdGFibGlzaGVzVmlld3BvcnQoKSkK ICAgICAgICAgcmV0dXJuIHJlc29sdmVMZW5ndGhBdHRyaWJ1dGVGb3JTVkcoc3ZnLT5pbnRyaW5z aWNXaWR0aChTVkdTVkdFbGVtZW50OjpJZ25vcmVDU1NQcm9wZXJ0aWVzKSwgc3R5bGUoKS0+ZWZm ZWN0aXZlWm9vbSgpLCBjb250YWluaW5nQmxvY2soKS0+YXZhaWxhYmxlTG9naWNhbFdpZHRoKCks IHZpZXcoKSk7CiAKLSAgICAvLyBPbmx5IFNWR3MgZW1iZWRkZWQgaW4gPG9iamVjdD4gcmVhY2gg dGhpcyBwb2ludC4KLSAgICBBU1NFUlQoaXNFbWJlZGRlZFRocm91Z2hGcmFtZUNvbnRhaW5pbmdT VkdEb2N1bWVudCgpKTsKLSAgICByZXR1cm4gZG9jdW1lbnQoKS0+ZnJhbWUoKS0+b3duZXJSZW5k ZXJlcigpLT5hdmFpbGFibGVMb2dpY2FsV2lkdGgoKTsKKyAgICAvLyBTVkcgZW1iZWRkZWQgdGhy b3VnaCBvYmplY3QvZW1iZWQvaWZyYW1lLgorICAgIGlmIChpc0VtYmVkZGVkVGhyb3VnaEZyYW1l Q29udGFpbmluZ1NWR0RvY3VtZW50KCkpCisgICAgICAgIHJldHVybiBkb2N1bWVudCgpLT5mcmFt ZSgpLT5vd25lclJlbmRlcmVyKCktPmF2YWlsYWJsZUxvZ2ljYWxXaWR0aCgpOworCisgICAgLy8g U1ZHIGVtYmVkZGVkIHZpYSBTVkdJbWFnZSAoYmFja2dyb3VuZC1pbWFnZS9ib3JkZXItaW1hZ2Uv ZXRjKSAvIElubGluZSBTVkcuCisgICAgcmV0dXJuIFJlbmRlclJlcGxhY2VkOjpjb21wdXRlUmVw bGFjZWRMb2dpY2FsV2lkdGgoaW5jbHVkZU1heFdpZHRoKTsKIH0KIAogTGF5b3V0VW5pdCBSZW5k ZXJTVkdSb290Ojpjb21wdXRlUmVwbGFjZWRMb2dpY2FsSGVpZ2h0KCkgY29uc3QKQEAgLTIwNSw5 ICsyMDgsMTIgQEAgTGF5b3V0VW5pdCBSZW5kZXJTVkdSb290Ojpjb21wdXRlUmVwbGFjZWRMb2dp Y2FsSGVpZ2h0KCkgY29uc3QKICAgICAgICAgcmV0dXJuIHJlc29sdmVMZW5ndGhBdHRyaWJ1dGVG b3JTVkcoaGVpZ2h0LCBzdHlsZSgpLT5lZmZlY3RpdmVab29tKCksIGNvbnRhaW5pbmdCbG9jaygp LT5hdmFpbGFibGVMb2dpY2FsSGVpZ2h0KCksIHZpZXcoKSk7CiAgICAgfQogCi0gICAgLy8gT25s eSBTVkdzIGVtYmVkZGVkIGluIDxvYmplY3Q+IHJlYWNoIHRoaXMgcG9pbnQuCi0gICAgQVNTRVJU KGlzRW1iZWRkZWRUaHJvdWdoRnJhbWVDb250YWluaW5nU1ZHRG9jdW1lbnQoKSk7Ci0gICAgcmV0 dXJuIGRvY3VtZW50KCktPmZyYW1lKCktPm93bmVyUmVuZGVyZXIoKS0+YXZhaWxhYmxlTG9naWNh bEhlaWdodCgpOworICAgIC8vIFNWRyBlbWJlZGRlZCB0aHJvdWdoIG9iamVjdC9lbWJlZC9pZnJh bWUuCisgICAgaWYgKGlzRW1iZWRkZWRUaHJvdWdoRnJhbWVDb250YWluaW5nU1ZHRG9jdW1lbnQo KSkKKyAgICAgICAgcmV0dXJuIGRvY3VtZW50KCktPmZyYW1lKCktPm93bmVyUmVuZGVyZXIoKS0+ YXZhaWxhYmxlTG9naWNhbEhlaWdodCgpOworCisgICAgLy8gU1ZHIGVtYmVkZGVkIHZpYSBTVkdJ bWFnZSAoYmFja2dyb3VuZC1pbWFnZS9ib3JkZXItaW1hZ2UvZXRjKSAvIElubGluZSBTVkcuCisg ICAgcmV0dXJuIFJlbmRlclJlcGxhY2VkOjpjb21wdXRlUmVwbGFjZWRMb2dpY2FsSGVpZ2h0KCk7 CiB9CiAKIHZvaWQgUmVuZGVyU1ZHUm9vdDo6bGF5b3V0KCkKZGlmZiAtLWdpdCBhL0xheW91dFRl c3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCBjY2ZhZWZhZGQzNDZj MzBiMGMyNGIxZDYyNzlhZjI3YjZlMjVhNTM3Li4zMThmYmYwNTVkMGFkNmY3MjdhNTY0MjBhZTBh ODFkMDI2OTFhNGI3IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5 b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTItMDYtMjIgIEZsb3JpbiBN YWxpdGEgIDxmbWFsaXRhQGNocm9taXVtLm9yZz4KKworICAgICAgICBSRUdSRVNTSU9OIChTYWZh cmkgNS4xLjUgLSBUb1QpOiBDcmFzaCBpbiBSZW5kZXJTVkdSb290Ojpjb21wdXRlUmVwbGFjZWRM b2dpY2FsV2lkdGgKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dp P2lkPTg1Nzk3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAg ICAgKiBzdmcvY3VzdG9tL3N2Zy13aWR0aC1pbnRyaW5zaWMtY3Jhc2gtZXhwZWN0ZWQudHh0OiBB ZGRlZC4KKyAgICAgICAgKiBzdmcvY3VzdG9tL3N2Zy13aWR0aC1pbnRyaW5zaWMtY3Jhc2guaHRt bDogQWRkZWQuCisKIDIwMTItMDYtMjIgIFRha2FzaGkgU2FrYW1vdG8gIDx0YXNha0Bnb29nbGUu Y29tPgogCiAgICAgICAgIFtTaGFkb3ddIHBhcmVudFRyZWVTY29wZSgpIG9mIG5lc3RlZCBzaGFk b3cgRE9NIHN1YnRyZWUgcmV0dXJucyBkb2N1bWVudCgpLgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVz dHMvc3ZnL2N1c3RvbS9zdmctd2lkdGgtaW50cmluc2ljLWNyYXNoLWV4cGVjdGVkLnR4dCBiL0xh eW91dFRlc3RzL3N2Zy9jdXN0b20vc3ZnLXdpZHRoLWludHJpbnNpYy1jcmFzaC1leHBlY3RlZC50 eHQKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMC4uNzk0MDg3OWFkYjI0OWQwNGQyZWQxYWRkODk3ZjlhODQ5ZDMwZDA3OAot LS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL3N2Zy9jdXN0b20vc3ZnLXdpZHRoLWludHJp bnNpYy1jcmFzaC1leHBlY3RlZC50eHQKQEAgLTAsMCArMSwyIEBACitQQVNTIChkaWRuJ3QgY3Jh c2gpLgorCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9zdmcvY3VzdG9tL3N2Zy13aWR0aC1pbnRy aW5zaWMtY3Jhc2guaHRtbCBiL0xheW91dFRlc3RzL3N2Zy9jdXN0b20vc3ZnLXdpZHRoLWludHJp bnNpYy1jcmFzaC5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLmQ3YTExZDhhM2M2NjZjZTJmMDQ1Njc2ZDczMDZk NjAzOTBlNTQzOWYKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9zdmcvY3VzdG9tL3N2 Zy13aWR0aC1pbnRyaW5zaWMtY3Jhc2guaHRtbApAQCAtMCwwICsxLDE1IEBACis8IURPQ1RZUEUg aHRtbD4KKzxodG1sPgorPGJvZHk+CisgIDwhLS0gVGVzdCBmb3IgaHR0cHM6Ly9idWdzLndlYmtp dC5vcmcvc2hvd19idWcuY2dpP2lkPTg1Nzk3IC0tPgorICA8ZGl2PlBBU1MgKGRpZG4ndCBjcmFz aCkuPC9kaXY+CisgIDxkaXYgc3R5bGU9IndpZHRoOiAxMDBweDsiPgorICAgIDxzdmcgc3R5bGU9 IndpZHRoOiBpbnRyaW5zaWM7Ii8+CisgIDwvZGl2PgorICA8c2NyaXB0PgorICAgIGlmICh3aW5k b3cubGF5b3V0VGVzdENvbnRyb2xsZXIpCisgICAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5kdW1w QXNUZXh0KCk7CisgIDwvc2NyaXB0PgorPC9ib2R5PgorPC9odG1sPgorCg==