Bug 12458

Summary: Crash in W3C-SVG-1.1/animate-elem-09-t.svg running layout tests under guard malloc
Product: WebKit Reporter: Mark Rowe (bdash) <mrowe>
Component: SVG Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major Keywords: LayoutTestFailure
Priority: P1    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   

Mark Rowe (bdash)
Reported 2007-01-29 05:25:17 PST
During run-webkit-tests --svg --guard-malloc, DumpRenderTree crashes shortly after W3C-SVG-1.1/animate-elem-08-t.svg. The buildbot appears to be seeing this *without* guard malloc.

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0xef4ff000

Thread 0 Crashed:
0 com.apple.WebCore 0x01050910 WebCore::isWhitespace(unsigned short const&) + 12 (SVGParserUtilities.h:35)
1 com.apple.WebCore 0x01053e2f WebCore::parseValues(WTF::Vector<WebCore::String, (unsigned long)0>&, WebCore::String const&) + 145 (SVGAnimationElement.cpp:153)
2 com.apple.WebCore 0x010550eb WebCore::SVGAnimationElement::parseMappedAttribute(WebCore::MappedAttribute*) + 1699 (SVGAnimationElement.cpp:303)
3 com.apple.WebCore 0x0124116d WebCore::StyledElement::attributeChanged(WebCore::Attribute*, bool) + 489 (StyledElement.cpp:180)
4 com.apple.WebCore 0x012465d7 WebCore::NamedAttrMap::addAttribute(WebCore::Attribute*) + 289 (NamedAttrMap.cpp:289)
5 com.apple.WebCore 0x01249d5c WebCore::Element::setAttribute(WebCore::QualifiedName const&, WebCore::StringImpl*, int&) + 368 (Element.cpp:399)
6 com.apple.WebCore 0x01249e8e WebCore::Element::setAttributeNS(WebCore::String const&, WebCore::String const&, WebCore::String const&, int&) + 202 (Element.cpp:809)
7 com.apple.WebCore 0x0102b75d WebCore::handleElementAttributes(WebCore::Element*, unsigned char const**, int, int&) + 431 (XMLTokenizer.cpp:625)
8 com.apple.WebCore 0x0102e7f3 WebCore::XMLTokenizer::startElementNs(unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) + 723 (XMLTokenizer.cpp:670)
9 com.apple.WebCore 0x0102ec45 WebCore::startElementNsHandler(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) + 95 (XMLTokenizer.cpp:985)
10 libxml2.2.dylib 0x9293aad5 xmlParseStartTag + 8465
11 libxml2.2.dylib 0x9291a4df xmlParseChunk + 1912
12 com.apple.WebCore 0x0102b95e WebCore::XMLTokenizer::write(WebCore::SegmentedString const&, bool) + 314 (XMLTokenizer.cpp:570)
13 com.apple.WebCore 0x013b7d49 WebCore::FrameLoader::write(char const*, int, bool) + 923 (FrameLoader.cpp:898)
14 com.apple.WebCore 0x013b7e7b WebCore::FrameLoader::addData(char const*, int) + 275 (FrameLoader.cpp:1519)
15 com.apple.WebCore 0x010fc445 -[WebCoreFrameBridge addData:] + 163 (WebCoreFrameBridge.mm:293)
16 com.apple.WebCore 0x010ff950 -[WebCoreFrameBridge receivedData:textEncodingName:] + 250 (WebCoreFrameBridge.mm:1508)
17 com.apple.WebKit 0x002323c9 -[WebHTMLRepresentation receivedData:withDataSource:] + 199 (WebHTMLRepresentation.mm:174)
18 com.apple.WebKit 0x0022db61 -[WebDataSource(WebInternal) _receivedData:] + 89 (WebDataSource.mm:178)
19 com.apple.WebKit 0x0029361d WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 127 (WebFrameLoaderClient.mm:642)
20 com.apple.WebCore 0x013b476d WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader*, char const*, int) + 53 (FrameLoader.cpp:2945)
21 com.apple.WebCore 0x013c4d7f WebCore::DocumentLoader::commitLoad(char const*, int) + 87 (DocumentLoader.cpp:327)
22 com.apple.WebCore 0x013c4dd8 WebCore::DocumentLoader::receivedData(char const*, int) + 76 (DocumentLoader.cpp:340)
23 com.apple.WebCore 0x013b3ba7 WebCore::FrameLoader::receivedData(char const*, int) + 41 (FrameLoader.cpp:1910)
24 com.apple.WebCore 0x013c5fc2 WebCore::MainResourceLoader::addData(char const*, int, bool) + 80 (MainResourceLoader.cpp:135)
25 com.apple.WebCore 0x013c7e87 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 83
26 com.apple.WebCore 0x013c62f7 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 281 (MainResourceLoader.cpp:304)
27 com.apple.WebCore 0x013c7aee WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 58
28 com.apple.WebCore 0x013a6b64 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 172 (ResourceHandleMac.mm:350)
29 com.apple.Foundation 0x9265bb86 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 641
30 com.apple.Foundation 0x92659e67 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 686
31 com.apple.Foundation 0x92659b41 _sendCallbacks + 201
32 com.apple.CoreFoundation 0x90829379 CFRunLoopRunSpecific + 1213
33 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61
34 com.apple.Foundation 0x9262adc6 -[NSRunLoop runMode:beforeDate:] + 182
35 DumpRenderTree 0x00009d72 runTest + 943 (DumpRenderTree.m:1078)
36 DumpRenderTree 0x00006d5b dumpRenderTree + 3355 (DumpRenderTree.m:403)
37 DumpRenderTree 0x00006f7a main + 70 (DumpRenderTree.m:454)
38 DumpRenderTree 0x00002dde _start + 216
39 DumpRenderTree 0x00002d05 start + 41
Mark Rowe (bdash)
Comment 1 2007-01-29 06:14:16 PST
The problem here is:

    while (ptr < end && *ptr != ';') // careful not to ignore whitespace inside values
        ptr++;
    if (ptr == valueStart)
        break;

    // walk backwards from the ; to ignore any whitespace
    const UChar* valueEnd = ptr;
    while (valueStart < valueEnd && isWhitespace(*valueEnd))
        valueEnd--;

When the first loop hits the end of the string, ptr will equal end. This leads to *valueEnd attempting to access one element past the end of the buffer.
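As an added example (not WebKit's code and not the change that landed in r19222), the value-splitting loop from Comment 1 rewritten so the backwards whitespace walk never reads at ptr == end; the surrounding function shape, the UChar alias and the splitValues wrapper are assumptions about the context, not taken from the page.

```cpp
// Added example, not WebKit's code: the parseValues splitting loop from
// Comment 1 rewritten so the backwards whitespace walk stays in bounds.
#include <cassert>
#include <string>
#include <vector>

using UChar = char16_t; // stands in for WebCore's UChar

static bool isWhitespace(UChar c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

// Splits a "v1; v2 ;v3" attribute value on ';' and trims surrounding
// whitespace. Every read through ptr or valueEnd is guarded against end.
static void parseValues(std::vector<std::u16string>& values, const std::u16string& value)
{
    const UChar* ptr = value.data();
    const UChar* end = ptr + value.size();
    while (ptr < end) {
        while (ptr < end && isWhitespace(*ptr)) // skip leading whitespace
            ptr++;
        const UChar* valueStart = ptr;
        while (ptr < end && *ptr != ';') // careful not to ignore whitespace inside values
            ptr++;
        if (ptr == valueStart)
            break;
        // Walk backwards over trailing whitespace with a half-open range
        // [valueStart, valueEnd). The original tested *valueEnd with
        // valueEnd == ptr, which reads one past the buffer once ptr == end;
        // valueEnd[-1] is always inside the value here.
        const UChar* valueEnd = ptr;
        while (valueEnd > valueStart && isWhitespace(valueEnd[-1]))
            valueEnd--;
        values.push_back(std::u16string(valueStart, valueEnd));
        if (ptr < end)
            ptr++; // step over the ';'
    }
}

static std::vector<std::u16string> splitValues(const std::u16string& value)
{
    std::vector<std::u16string> values;
    parseValues(values, value);
    return values;
}

int main()
{
    // A value ending without ';' is exactly the shape that crashed.
    std::vector<std::u16string> v = splitValues(u"1; 2 ;3 ");
    assert(v.size() == 3 && v[0] == u"1" && v[1] == u"2" && v[2] == u"3");
    return 0;
}
```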
Mark Rowe (bdash)
Comment 2 2007-01-29 06:49:24 PST
Fix landed in r19222.