Bug 12355

Summary: Reproducible crash in WebCore::parseNumber in svg/custom/js-update-bounce.svg under guard-malloc
Product: WebKit
Reporter: Mark Rowe (bdash) <mrowe>
Component: SVG
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Major
Keywords: LayoutTestFailure
Priority: P1
Version: 420+
Hardware: Mac
OS: OS X 10.4

Attachments:
Patch (flags: darin: review+)

Description Mark Rowe (bdash) 2007-01-21 18:05:08 PST
Steps to reproduce:
run-webkit-tests --debug --guard-malloc svg/custom/js-update-bounce.svg

Results:
*boom*

Notes:
This crash happens occasionally running the layout tests at other times, though it's not easily reproduced without guard malloc.

Crash log:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0xcd290000
0x0140cf62 in WebCore::parseNumber (ptr=@0xbfffdb8c, end=0xcd290000, number=@0xbfffdb90, skip=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGParserUtilities.cpp:63
63          if (ptr < end && *ptr == 'e' || *ptr == 'E') { // read the exponent part
(gdb) bt
#0  0x0140cf62 in WebCore::parseNumber (ptr=@0xbfffdb8c, end=0xcd290000, number=@0xbfffdb90, skip=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGParserUtilities.cpp:63
#1  0x0108f7f2 in WebCore::SVGLength::setValueAsString (this=0xbfffdc08, s=@0xcd299ff4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGLength.cpp:244
#2  0x0108f887 in WebCore::SVGLength::SVGLength (this=0xbfffdc08, context=0xcd263f28, mode=WebCore::LengthModeWidth, valueAsString=@0xcd299ff4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGLength.cpp:121
#3  0x010579a6 in WebCore::SVGCircleElement::parseMappedAttribute (this=0xcd263f28, attr=0xcd299fe4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGCircleElement.cpp:56
#4  0x0123ff35 in WebCore::StyledElement::attributeChanged (this=0xcd263f28, attr=0xcd299fe4, preserveDecls=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/StyledElement.cpp:178
#5  0x010b0928 in WebCore::SVGStyledElement::attributeChanged (this=0xcd263f28, attr=0xcd299fe4, preserveDecls=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/ksvg2/svg/SVGStyledElement.cpp:225
#6  0x0124539f in WebCore::NamedAttrMap::addAttribute (this=0xcd27dfd8, attribute=0xcd299fe4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/NamedAttrMap.cpp:287
#7  0x01248b1c in WebCore::Element::setAttribute (this=0xcd263f28, name=@0xbfffdd50, value=0xcd291fe8, ec=@0xbfffde64) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Element.cpp:398
#8  0x01248c4e in WebCore::Element::setAttributeNS (this=0xcd263f28, namespaceURI=@0xbfffddd0, qualifiedName=@0xbfffddcc, value=@0xbfffddd8, ec=@0xbfffde64) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/Element.cpp:807
#9  0x0102b1c3 in handleElementAttributes (newElement=0xcd263f28, libxmlAttributes=0xccb42f24, nb_attributes=5, ec=@0xbfffde64) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/XMLTokenizer.cpp:624
#10 0x0102e259 in WebCore::XMLTokenizer::startElementNs (this=0xcca2af78, xmlLocalName=0xccaf1c7d "circle", xmlPrefix=0x0, xmlURI=0xccaf1c5b "http://www.w3.org/2000/svg", nb_namespaces=0, libxmlNamespaces=0x0, nb_attributes=5, nb_defaulted=0, libxmlAttributes=0xccb42f24) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/XMLTokenizer.cpp:669
#11 0x0102e6ab in startElementNsHandler (closure=0xccadbe48, localname=0xccaf1c7d "circle", prefix=0x0, uri=0xccaf1c5b "http://www.w3.org/2000/svg", nb_namespaces=0, namespaces=0x0, nb_attributes=5, nb_defaulted=0, libxmlAttributes=0xccb42f24) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/XMLTokenizer.cpp:984
#12 0x9293aad5 in xmlParseStartTag ()
#13 0x9291a4df in xmlParseChunk ()
#14 0x0102b3c4 in WebCore::XMLTokenizer::write (this=0xcca2af78, s=@0xbfffe13c) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/dom/XMLTokenizer.cpp:567
#15 0x013b3c51 in WebCore::FrameLoader::write (this=0xb9db6d38, str=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., len=1986, flush=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/FrameLoader.cpp:882
#16 0x013b3d83 in WebCore::FrameLoader::addData (this=0xb9db6d38, bytes=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/FrameLoader.cpp:1497
#17 0x010fc0a3 in -[WebCoreFrameBridge addData:] (self=0xb9d86fe4, _cmd=0x90a96118, data=0xca592fe0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/mac/WebCoreFrameBridge.mm:293
#18 0x010ff662 in -[WebCoreFrameBridge receivedData:textEncodingName:] (self=0xb9d86fe4, _cmd=0x90aba160, data=0xca592fe0, textEncodingName=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/page/mac/WebCoreFrameBridge.mm:1584
#19 0x0023203d in -[WebHTMLRepresentation receivedData:withDataSource:] (self=0xca452ff4, _cmd=0x90aba180, data=0xca592fe0, dataSource=0xc7e25ff4) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebHTMLRepresentation.mm:172
#20 0x0022d7d7 in -[WebDataSource(WebInternal) _receivedData:] (self=0xc7e25ff4, _cmd=0x90a830f8, data=0xca592fe0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebView/WebDataSource.mm:177
#21 0x00294091 in WebFrameLoaderClient::committedLoad (this=0xb9dacfb0, loader=Internal: static symbol `WebCore::DocumentLoader' found in /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/DocumentLoader.cpp psymtab but not in symtab.
WebCore::DocumentLoader may be an inlined function, or may be a template function
(if a template, try specifying an instantiation: WebCore::DocumentLoader<type>).
) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKit/WebCoreSupport/WebFrameLoaderClient.mm:643
#22 0x013b07fb in WebCore::FrameLoader::committedLoad (this=0xb9db6d38, loader=0xc7e1ba38, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/FrameLoader.cpp:2923
#23 0x013c0869 in WebCore::DocumentLoader::commitLoad (this=0xc7e1ba38, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/DocumentLoader.cpp:327
#24 0x013c08c2 in WebCore::DocumentLoader::receivedData (this=0xc7e1ba38, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/DocumentLoader.cpp:339
#25 0x013afc77 in WebCore::FrameLoader::receivedData (this=0xb9db6d38, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/FrameLoader.cpp:1888
#26 0x013c1aac in WebCore::MainResourceLoader::addData (this=0xc8199d1c, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986, allAtOnce=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/MainResourceLoader.cpp:134
#27 0x013c3971 in WebCore::ResourceLoader::didReceiveData (this=0xc8199d1c, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986, lengthReceived=1986, allAtOnce=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/ResourceLoader.cpp:194
#28 0x013c1de1 in WebCore::MainResourceLoader::didReceiveData (this=0xc8199d1c, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986, lengthReceived=1986, allAtOnce=false) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/MainResourceLoader.cpp:304
#29 0x013c35d8 in WebCore::ResourceLoader::didReceiveData (this=0xc8199d1c, data=0xc8f2145c "<?xml version=\"1.0\" standalone=\"no\"?>\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\n<svg width=\"800\" height=\"600\" onload=\"startAnimati"..., length=1986, lengthReceived=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/loader/ResourceLoader.cpp:306
#30 0x013a352a in -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] (self=0xc8243ff4, _cmd=0x90a9d084, con=0xc824dff4, data=0xc8f1afec, lengthReceived=1986) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/platform/network/mac/ResourceHandleMac.mm:349
#31 0x9265bb86 in -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] ()
#32 0x92659e67 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()
#33 0x92659b41 in _sendCallbacks ()
#34 0x90829379 in CFRunLoopRunSpecific ()
#35 0x90828eb5 in CFRunLoopRunInMode ()
#36 0x9262adc6 in -[NSRunLoop runMode:beforeDate:] ()
#37 0x00008e94 in runTest (pathOrURL=0xbffff760 "LayoutTests/svg/custom/js-update-bounce.svg") at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKitTools/DumpRenderTree/DumpRenderTree.m:1051
#38 0x00006141 in dumpRenderTree (argc=2, argv=0xbffff62c) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKitTools/DumpRenderTree/DumpRenderTree.m:422
#39 0x000062d6 in main (argc=2, argv=0xbffff62c) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebKitTools/DumpRenderTree/DumpRenderTree.m:459
Current language:  auto; currently c++
(gdb)
Comment 1 Darin Adler 2007-01-21 18:28:20 PST
This is a case of missing parentheses.

    if (ptr < end && *ptr == 'e' || *ptr == 'E') { // read the exponent part

The && binds tighter than the ||. Instead we need to put parentheses around the || part of the expression.
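To see what that grouping does at runtime, here is an added example (not WebKit code and not the patch on this bug): a cut-down parser in the shape of parseNumber whose exponent check can be run either with the original grouping or with the parenthesized one Darin describes. It works on 8-bit chars rather than WebCore's UChar, and the parser body, the names (precedence_example, parseNumberImpl, runParse, kBacking) and the inputs are constructed for illustration.

```cpp
#include <cctype>
#include <cmath>
#include <cstddef>

namespace precedence_example {

struct ParseResult {
    bool ok;        // parse succeeded
    double value;   // parsed number (meaningful only when ok)
    long consumed;  // bytes advanced past the start; more than the length means an over-read
};

static bool isDigitAt(const char* p)
{
    return std::isdigit(static_cast<unsigned char>(*p)) != 0;
}

// Parses [sign] digits [. digits] [(e|E) [sign] digits] from [ptr, end).
// With fixedPrecedence == false the exponent test is grouped the way the
// compiler groups the original line
//     if (ptr < end && *ptr == 'e' || *ptr == 'E')
// that is, (ptr < end && *ptr == 'e') || (*ptr == 'E'): the second *ptr is
// evaluated even when ptr == end, so one byte past the buffer is read.
static bool parseNumberImpl(const char*& ptr, const char* end, double& number, bool fixedPrecedence)
{
    double sign = 1;
    if (ptr < end && *ptr == '+')
        ptr++;
    else if (ptr < end && *ptr == '-') {
        ptr++;
        sign = -1;
    }

    bool sawDigit = false;
    double integer = 0;
    while (ptr < end && isDigitAt(ptr)) {
        integer = integer * 10 + (*ptr++ - '0');
        sawDigit = true;
    }

    double decimal = 0;
    if (ptr < end && *ptr == '.') {
        ptr++;
        double frac = 1;
        while (ptr < end && isDigitAt(ptr)) {
            frac *= 0.1;
            decimal += (*ptr++ - '0') * frac;
            sawDigit = true;
        }
    }
    if (!sawDigit)
        return false;  // no mantissa digits at all: not a number

    bool hasExponent = fixedPrecedence
        ? (ptr < end && (*ptr == 'e' || *ptr == 'E'))    // parenthesized: the bounds check guards both tests
        : ((ptr < end && *ptr == 'e') || (*ptr == 'E'));  // original grouping: *ptr is read with ptr == end

    double exponent = 0;
    if (hasExponent) {
        ptr++;
        double expSign = 1;
        if (ptr < end && *ptr == '+')
            ptr++;
        else if (ptr < end && *ptr == '-') {
            ptr++;
            expSign = -1;
        }
        if (ptr >= end || !isDigitAt(ptr))
            return false;  // "1E" with no exponent digits is malformed
        while (ptr < end && isDigitAt(ptr))
            exponent = exponent * 10 + (*ptr++ - '0');
        exponent *= expSign;
    }

    number = sign * (integer + decimal) * std::pow(10.0, exponent);
    return true;
}

// Runs the parser over exactly `length` bytes starting at `begin`. The caller
// keeps extra bytes after `length` in the same backing array, so the over-read
// in the unfixed variant is observable instead of being a fault.
static ParseResult runParse(const char* begin, std::size_t length, bool fixedPrecedence)
{
    const char* ptr = begin;
    double value = 0;
    bool ok = parseNumberImpl(ptr, begin + length, value, fixedPrecedence);
    return ParseResult{ ok, value, static_cast<long>(ptr - begin) };
}

// Constructed inputs: the attribute value is the three bytes "1.5". In the
// first array the byte that happens to follow it in memory is an 'E'; in the
// second it is an unrelated character. Under guard malloc that byte would sit
// on an unmapped page and the read itself would fault.
static const char kBacking[] = "1.5E";
static const char kBenignBacking[] = "1.5x";
static const std::size_t kValueLength = 3;

} // namespace precedence_example

int main()
{
    using namespace precedence_example;
    ParseResult fixed = runParse(kBacking, kValueLength, true);
    ParseResult buggy = runParse(kBacking, kValueLength, false);
    // fixed: ok, 1.5, consumed 3.  buggy: rejected, consumed 4 (one byte past end).
    return (fixed.ok && !buggy.ok && buggy.consumed == 4) ? 0 : 1;
}
```

With the original grouping the parser reads the byte after `end` on every call. In the constructed array that byte is an 'E', so the stray read turns into a bogus exponent marker, the pointer moves one past the end and the value "1.5" is rejected; with a benign trailing byte the same over-read is silent and the result is correct. That is why the report says the crash is hard to hit without guard malloc: in a normal heap the byte past the end is usually mapped and usually not 'e' or 'E', whereas Guard Malloc places each allocation so that the next page is unmapped and the one-byte over-read faults every time.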
Comment 2 Mark Rowe (bdash) 2007-01-21 18:28:57 PST
Created attachment 12593 [details]
Patch
Comment 3 Darin Adler 2007-01-21 18:30:11 PST
Comment on attachment 12593 [details]
Patch

r=me
Comment 4 Mark Rowe (bdash) 2007-01-21 18:55:31 PST
Landed in r19021.