Bug 107292

Summary: Assertion failure during the expansion of an unloaded subresource
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVG Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal CC: bfulgham, fmalita, pdr, zherczeg, zimmermann
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments: Test (flags: none)

Description Renata Hodovan 2013-01-18 09:06:03 PST
During SVG fuzzing I've got an assertion failure in SVGUseElement::expandUseElementsInShadowTree().
If we refer to a <use> element which itself refers to a subresource of an external file, and that part is invalid, then we run into an assertion failure during the expansion of the shadow tree.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4afc89c in WebCore::SVGUseElement::expandUseElementsInShadowTree (this=0x98fac0, element=0x98ab70)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:732
732	        ASSERT(!use->cachedDocumentIsStillLoading());
(gdb) bt
#0  0x00007ffff4afc89c in WebCore::SVGUseElement::expandUseElementsInShadowTree (this=0x98fac0, element=0x98ab70)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:732
#1  0x00007ffff4afcd91 in WebCore::SVGUseElement::expandUseElementsInShadowTree (this=0x98fac0, element=0x99b050)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:776
#2  0x00007ffff4afb9d0 in WebCore::SVGUseElement::buildShadowAndInstanceTree (this=0x98fac0, target=0x98c4e0)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:500
#3  0x00007ffff4afb5ac in WebCore::SVGUseElement::buildPendingResource (this=0x98fac0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:440
#4  0x00007ffff4afddb0 in WebCore::SVGUseElement::finishParsingChildren (this=0x98fac0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:986
#5  0x00007ffff485579b in WebCore::XMLDocumentParser::endElementNs (this=0x72aaf0)
    at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:849
#6  0x00007ffff4856747 in endElementNsHandler (closure=0x72b2f0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:1098
...
Comment 1 Renata Hodovan 2013-01-18 09:07:11 PST
Created attachment 183474 [details]
Test

Test to reproduce.
Comment 2 Brent Fulgham 2016-08-03 10:34:01 PDT
I don't get an assert with the attached test case in GMalloc. Are you still able to reproduce this problem? We may have corrected things in the THREE YEARS since you reported this problem.

I'm sorry this was ignored for so long. :-(
Comment 3 Brent Fulgham 2016-08-03 10:52:18 PDT
I cannot reproduce the assert (or any other error) under ASAN with this test case. I assume we should not actually have a "dummy.svg" file, per your comments.

I do see console errors complaining that 'dummy.svg' could not be loaded since the URL was not found on the server.

I'm closing this as unable to reproduce. Please reopen the bug with a reproducible test case. Otherwise I will assume we fixed this via other changes in the past few years.