Bug 107292

Summary: Assertion failure during the expansion of an unloaded subresource
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVGAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: bfulgham, fmalita, pdr, zherczeg, zimmermann
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test none

Renata Hodovan
Reported 2013-01-18 09:06:03 PST
During SVG fuzzing I've got an assertion failure in SVGUseElement::expandUseElementsInShadowTree(). If we were referring to a <use> element what were referring to a subresource of an external file and that part is invalid then we run into an assertion failure during the expansion of the shadowtree. Program received signal SIGSEGV, Segmentation fault. 0x00007ffff4afc89c in WebCore::SVGUseElement::expandUseElementsInShadowTree (this=0x98fac0, element=0x98ab70) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:732 732 ASSERT(!use->cachedDocumentIsStillLoading()); (gdb) bt #0 0x00007ffff4afc89c in WebCore::SVGUseElement::expandUseElementsInShadowTree (this=0x98fac0, element=0x98ab70) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:732 #1 0x00007ffff4afcd91 in WebCore::SVGUseElement::expandUseElementsInShadowTree (this=0x98fac0, element=0x99b050) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:776 #2 0x00007ffff4afb9d0 in WebCore::SVGUseElement::buildShadowAndInstanceTree (this=0x98fac0, target=0x98c4e0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:500 #3 0x00007ffff4afb5ac in WebCore::SVGUseElement::buildPendingResource (this=0x98fac0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:440 #4 0x00007ffff4afddb0 in WebCore::SVGUseElement::finishParsingChildren (this=0x98fac0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:986 #5 0x00007ffff485579b in WebCore::XMLDocumentParser::endElementNs (this=0x72aaf0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:849 #6 0x00007ffff4856747 in endElementNsHandler (closure=0x72b2f0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:1098 ...
Attachments
Test (187 bytes, image/svg+xml)
2013-01-18 09:07 PST, Renata Hodovan 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Renata Hodovan
Comment 1 2013-01-18 09:07:11 PST
Created attachment 183474 [details] Test Test to reproduce.
Brent Fulgham
Comment 2 2016-08-03 10:34:01 PDT
I don't get an assert with the attached test case in GMalloc. Are you still able to reproduce this problem. We may have corrected things in the THREE YEARS since you reported this problem. I'm sorry this was ignored for so long. :-(
Brent Fulgham
Comment 3 2016-08-03 10:52:18 PDT
I cannot reproduce the assert (or any other error) under ASAN with this test case. I assume we should not actually have a "dummy.svg" file, per your comments. I do see console errors complaining that 'dummy.svg' could not be loaded since the URL was not found on the server. I'm closing this as unable to reproduce. Please reopen the bug with a reproducible test case. Otherwise I will assume we fixed this via other changes in the past few years.
Note You need to log in before you can comment on or make changes to this bug.