Bug 12502

Summary: Reproducible crash when browsing SVG map.
Product: WebKit
Component: SVG
Version: 420+
Hardware: Mac
OS: OS X 10.4
Status: RESOLVED FIXED
Severity: Major
Priority: P1
Reporter: Eric Seidel (no email) <eric>
Assignee: Nobody <webkit-unassigned>
CC: mrowe, zimmermann
Keywords: NeedsReduction
URL: http://apps.arcwebservices.com/svgviewer/map.html

Description Eric Seidel (no email) 2007-01-31 05:39:15 PST
Crash when browsing SVG map.

I'm not sure which action I took to produce this, so I know this isn't a very useful bug report.  However perhaps code inspection will reveal a bug.

Date/Time:      2007-01-31 05:28:13.322 -0800
OS Version:     10.4.8 (Build 8L2127)
Report Version: 4

Command: Safari
Path:    /Applications/Safari.app/Contents/MacOS/Safari
Parent:  zsh [4985]

Version:        2.0.4 (419.3)
Build Version:  2
Project Name:   WebBrowser
Source Version: 4190300

PID:    9983
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x0000001a

Thread 0 Crashed:
0   com.apple.WebCore              	0x0118ca7d WebCore::RenderObject::setNeedsLayout(bool, bool) + 21 (RenderObject.cpp:658)
1   com.apple.WebCore              	0x010bfc70 WebCore::SVGUseElement::notifyAttributeChange() const + 58 (SVGUseElement.cpp:145)
2   com.apple.WebCore              	0x010b0050 WebCore::SVGStyledElement::attributeChanged(WebCore::Attribute*, bool) + 58 (SVGStyledElement.cpp:249)
3   com.apple.WebCore              	0x0124ade4 WebCore::Element::setAttribute(WebCore::String const&, WebCore::String const&, int&) + 752 (Element.cpp:377)
4   com.apple.WebCore              	0x0123a524 WebCore::JSElementPrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 610 (JSElement.cpp:274)
5   com.apple.JavaScriptCore       	0x004f5480 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
6   com.apple.JavaScriptCore       	0x004eb307 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 843 (nodes.cpp:772)
7   com.apple.JavaScriptCore       	0x004e8524 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1672)
8   com.apple.JavaScriptCore       	0x004e611c KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2449)
9   com.apple.JavaScriptCore       	0x004e4a54 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1648)
10  com.apple.JavaScriptCore       	0x004e847f KJS::IfNode::execute(KJS::ExecState*) + 523 (nodes.cpp:1698)
11  com.apple.JavaScriptCore       	0x004e611c KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2449)
12  com.apple.JavaScriptCore       	0x004e4a54 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1648)
13  com.apple.JavaScriptCore       	0x004e8418 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1691)
14  com.apple.JavaScriptCore       	0x004e6252 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2455)
15  com.apple.JavaScriptCore       	0x004e4a54 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1648)
16  com.apple.JavaScriptCore       	0x004e8418 KJS::IfNode::execute(KJS::ExecState*) + 420 (nodes.cpp:1691)
17  com.apple.JavaScriptCore       	0x004e6252 KJS::SourceElementsNode::execute(KJS::ExecState*) + 566 (nodes.cpp:2455)
18  com.apple.JavaScriptCore       	0x004e4a54 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1648)
19  com.apple.JavaScriptCore       	0x004d6926 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
20  com.apple.JavaScriptCore       	0x004d8c09 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
21  com.apple.JavaScriptCore       	0x004f5480 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
22  com.apple.JavaScriptCore       	0x004eb307 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 843 (nodes.cpp:772)
23  com.apple.JavaScriptCore       	0x004e8524 KJS::ExprStatementNode::execute(KJS::ExecState*) + 148 (nodes.cpp:1672)
24  com.apple.JavaScriptCore       	0x004e611c KJS::SourceElementsNode::execute(KJS::ExecState*) + 256 (nodes.cpp:2449)
25  com.apple.JavaScriptCore       	0x004e4a54 KJS::BlockNode::execute(KJS::ExecState*) + 140 (nodes.cpp:1648)
26  com.apple.JavaScriptCore       	0x004d6926 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 50 (function.cpp:362)
27  com.apple.JavaScriptCore       	0x004d8c09 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 573 (function.cpp:111)
28  com.apple.JavaScriptCore       	0x004f5480 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 210 (object.cpp:97)
29  com.apple.WebCore              	0x0125f0a6 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 574 (kjs_events.cpp:121)
30  com.apple.WebCore              	0x0122ac70 WebCore::EventTargetNode::handleLocalEvents(WebCore::Event*, bool) + 352 (EventTargetNode.cpp:167)
31  com.apple.WebCore              	0x0122b436 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 1108 (EventTargetNode.cpp:219)
32  com.apple.WebCore              	0x0122d032 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 332 (EventTargetNode.cpp:297)
33  com.apple.WebCore              	0x0122bec9 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::AtomicString const&, int, int, int, int, int, int, bool, bool, bool, bool, bool, WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 691 (EventTargetNode.cpp:455)
34  com.apple.WebCore              	0x0122c574 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WebCore::AtomicString const&, int, WebCore::Node*) + 398 (EventTargetNode.cpp:382)
35  com.apple.WebCore              	0x013ea858 WebCore::EventHandler::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 572 (EventHandler.cpp:1040)
36  com.apple.WebCore              	0x013eb48d WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 817 (EventHandler.cpp:746)
37  com.apple.WebCore              	0x013e69f8 WebCore::EventHandler::mouseDown(NSEvent*) + 654 (EventHandlerMac.mm:669)
38  com.apple.WebKit               	0x0033c393 -[WebHTMLView mouseDown:] + 413 (WebHTMLView.mm:2902)
39  com.apple.WebCore              	0x013e41bd WebCore::EventHandler::passMouseDownEventToWidget(WebCore::Widget*) + 1437 (EventHandlerMac.mm:285)
40  com.apple.WebCore              	0x013e42a0 WebCore::EventHandler::passWidgetMouseDownEventToWidget(WebCore::RenderWidget*) + 32 (EventHandlerMac.mm:202)
41  com.apple.WebCore              	0x013e5109 WebCore::EventHandler::passSubframeEventToSubframe(WebCore::MouseEventWithHitTestResults&, WebCore::Frame*) + 621 (EventHandlerMac.mm:582)
42  com.apple.WebCore              	0x013e5b09 WebCore::EventHandler::passMousePressEventToSubframe(WebCore::MouseEventWithHitTestResults&, WebCore::Frame*) + 31 (EventHandlerMac.mm:866)
43  com.apple.WebCore              	0x013eb2b7 WebCore::EventHandler::handleMousePressEvent(WebCore::PlatformMouseEvent const&) + 347 (EventHandler.cpp:728)
44  com.apple.WebCore              	0x013e69f8 WebCore::EventHandler::mouseDown(NSEvent*) + 654 (EventHandlerMac.mm:669)
45  com.apple.WebKit               	0x0033c393 -[WebHTMLView mouseDown:] + 413 (WebHTMLView.mm:2902)
46  com.apple.AppKit               	0x9334c3af -[NSWindow sendEvent:] + 5279
47  com.apple.Safari               	0x0002338e 0x1000 + 140174
48  com.apple.AppKit               	0x9333e350 -[NSApplication sendEvent:] + 5023
49  com.apple.Safari               	0x00022f1e 0x1000 + 139038
50  com.apple.AppKit               	0x93268dfe -[NSApplication run] + 547
51  com.apple.AppKit               	0x9325cd2f NSApplicationMain + 573
52  com.apple.Safari               	0x0005f7de 0x1000 + 387038
53  com.apple.Safari               	0x0005f6f9 0x1000 + 386809

Thread 1:
0   libSystem.B.dylib              	0x90009857 mach_msg_trap + 7
1   com.unsanity.ape               	0xc0001db2 __ape_agent + 307
2   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 2:
0   libSystem.B.dylib              	0x90019d3c select + 12
1   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 3:
0   libSystem.B.dylib              	0x90024427 semaphore_wait_signal_trap + 7
1   com.apple.Foundation           	0x9264b2f8 -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.Syndication          	0x9a410052 -[AsyncDB _run:] + 181
3   com.apple.Foundation           	0x925f536c forkThreadForFunction + 123
4   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 4:
0   libSystem.B.dylib              	0x90009857 mach_msg_trap + 7
1   com.apple.CoreFoundation       	0x9082969a CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation       	0x90828eb5 CFRunLoopRunInMode + 61
3   com.apple.Foundation           	0x9262aa9b +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 259
4   com.apple.Foundation           	0x925f536c forkThreadForFunction + 123
5   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 5:
0   libSystem.B.dylib              	0x90009857 mach_msg_trap + 7
1   com.apple.CoreFoundation       	0x9082969a CFRunLoopRunSpecific + 2014
2   com.apple.CoreFoundation       	0x90828eb5 CFRunLoopRunInMode + 61
3   com.apple.Foundation           	0x92651c4e +[NSURLCache _diskCacheSyncLoop:] + 206
4   com.apple.Foundation           	0x925f536c forkThreadForFunction + 123
5   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 6:
0   libSystem.B.dylib              	0x90024427 semaphore_wait_signal_trap + 7
1   com.apple.ColorSync            	0x9159b6bf pthreadSemaphoreWait(t_pthreadSemaphore*) + 35
2   com.apple.ColorSync            	0x915b5dd0 CMMConvTask(void*) + 60
3   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 7:
0   libSystem.B.dylib              	0x90009857 mach_msg_trap + 7
1   com.apple.opengl               	0x931c46e4 glcDebugListener + 338
2   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 8:
0   libSystem.B.dylib              	0x90024427 semaphore_wait_signal_trap + 7
1   com.apple.Foundation           	0x9264b2f8 -[NSConditionLock lockWhenCondition:] + 39
2   com.apple.AppKit               	0x93346270 -[NSUIHeartBeat _heartBeatThread:] + 377
3   com.apple.Foundation           	0x925f536c forkThreadForFunction + 123
4   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 9:
0   libSystem.B.dylib              	0x900268bc kevent + 12
1   ...ple.CoreServices.CarbonCore 	0x90cb3f84 PrivateMPEntryPoint + 51
2   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 10:
0   libSystem.B.dylib              	0x90024427 semaphore_wait_signal_trap + 7
1   ...ple.CoreServices.CarbonCore 	0x90cb4129 MPWaitOnQueue + 198
2   com.apple.DesktopServices      	0x9251b943 TNodeSyncTask::SyncTaskProc(void*) + 143
3   ...ple.CoreServices.CarbonCore 	0x90cb3f84 PrivateMPEntryPoint + 51
4   libSystem.B.dylib              	0x90023d87 _pthread_body + 84

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00000000    ebx: 0x0124ab02 ecx: 0x014cf9a3 edx: 0x00000001
  edi: 0x00000002    esi: 0x004e8490 ebp: 0xbfffdc98 esp: 0xbfffdc60
   ss: 0x0000001f    efl: 0x00010286 eip: 0x0118ca7d  cs: 0x00000017
   ds: 0x0000001f     es: 0x0000001f  fs: 0x00000000  gs: 0x00000037
Comment 1 Mark Rowe (bdash) 2007-01-31 05:44:05 PST
Steps to reproduce:
1. Load http://apps.arcwebservices.com/svgviewer/map.html
2. Click on Settings, then on Scale Bar.
3. *crash*
Comment 2 Eric Seidel (no email) 2007-02-02 05:09:17 PST
The <use> element seems to be missing a renderer.  I expect this is because a parent element is display: none.  I'm just not sure what should be done to
void SVGUseElement::notifyAttributeChange() const

as a result.  Should it check (!attached() || !renderer()) ?  As in, I'm not sure if anything needs to happen when it doesn't have a renderer.  Maybe the shadow tree still needs to be built?  Not sure.
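Triage of the crash log in the description, in light of Comment 2 (renderer() returning null, so setNeedsLayout runs with a null `this`). This is an added example, not part of the bug report or of WebKit: it parses the CrashReporter fields that matter for triage (exception, fault address, top frames, general-purpose registers) and decides whether the fault is a near-null dereference, i.e. a null base pointer plus a small member offset. The embedded log lines are copied from the report above; the 4 KiB page-size value and the register-matching heuristic are this script's own assumptions.

```python
"""Triage a Mac OS X CrashReporter log for a near-null dereference.

Added example, not part of the bug report or of WebKit. The log lines below
are copied from the report; PAGE_SIZE and the base-register heuristic are
assumptions of this script."""
import re

PAGE_SIZE = 0x1000   # assumption: 4 KiB pages; page 0 is mapped with no access on Mac OS X
GPRS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")   # 32-bit x86 general registers

# Copied from the crash log in the bug description (module column padded with a tab).
CRASH_LOG = """\
Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x0000001a

Thread 0 Crashed:
0   com.apple.WebCore              \t0x0118ca7d WebCore::RenderObject::setNeedsLayout(bool, bool) + 21 (RenderObject.cpp:658)
1   com.apple.WebCore              \t0x010bfc70 WebCore::SVGUseElement::notifyAttributeChange() const + 58 (SVGUseElement.cpp:145)
2   com.apple.WebCore              \t0x010b0050 WebCore::SVGStyledElement::attributeChanged(WebCore::Attribute*, bool) + 58 (SVGStyledElement.cpp:249)

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00000000    ebx: 0x0124ab02 ecx: 0x014cf9a3 edx: 0x00000001
  edi: 0x00000002    esi: 0x004e8490 ebp: 0xbfffdc98 esp: 0xbfffdc60
   ss: 0x0000001f    efl: 0x00010286 eip: 0x0118ca7d  cs: 0x00000017
   ds: 0x0000001f     es: 0x0000001f  fs: 0x00000000  gs: 0x00000037
"""

FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+0x([0-9a-fA-F]+)\s+(.*?)\s+\+\s+(\d+)(?:\s+\((.*)\))?\s*$")
REG_RE = re.compile(r"\b([a-z]{2,3}):\s+0x([0-9a-fA-F]{8})")


def parse_crash(text):
    """Extract exception name, kernel code, fault address, crashed-thread frames and registers."""
    exc = re.search(r"^Exception:\s+(\S+)", text, re.M)
    codes = re.search(r"^Codes:\s+(\S+)\s+\(0x[0-9a-fA-F]+\)\s+at\s+0x([0-9a-fA-F]+)", text, re.M)
    frames, in_frames = [], False
    for line in text.splitlines():
        if line.startswith("Thread 0 Crashed:"):
            in_frames = True
            continue
        if in_frames:
            m = FRAME_RE.match(line)
            if not m:
                in_frames = False      # blank line or next section ends the backtrace
                continue
            frames.append({"index": int(m.group(1)), "module": m.group(2),
                           "pc": int(m.group(3), 16), "symbol": m.group(4),
                           "offset": int(m.group(5)), "location": m.group(6)})
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    return {"exception": exc.group(1) if exc else None,
            "code": codes.group(1) if codes else None,
            "fault": int(codes.group(2), 16) if codes else None,
            "frames": frames, "regs": regs}


def null_base_candidates(fault, regs, page_size=PAGE_SIZE):
    """Registers that could be the base of a [reg + small offset] access hitting `fault`.

    Heuristic (assumption): a register holding exactly 0 (a null pointer) ranks first;
    among the rest, smaller offsets rank first. Segment registers are ignored."""
    cands = []
    for name in GPRS:
        if name in regs and 0 <= fault - regs[name] < page_size:
            cands.append((regs[name] != 0, fault - regs[name], name))
    cands.sort()
    return [(name, off) for _, off, name in cands]


def triage(text, page_size=PAGE_SIZE):
    """Classify the crash; returns a dict with a 'kind' plus the supporting detail."""
    crash = parse_crash(text)
    fault, frames = crash["fault"], crash["frames"]
    result = {"kind": "unknown", "fault": fault,
              "frame0": frames[0]["symbol"] if frames else None,
              "caller": frames[1]["symbol"] if len(frames) > 1 else None,
              "base": None, "offset": None}
    if crash["exception"] != "EXC_BAD_ACCESS" or fault is None:
        return result
    if fault >= page_size:
        result["kind"] = "bad-access"        # outside the zero page: needs real analysis
        return result
    cands = null_base_candidates(fault, crash["regs"], page_size)
    if cands and crash["regs"].get(cands[0][0]) == 0:
        # Null base + member offset: the zero page is never mapped for a web page's
        # benefit, so this is a reliable crash, not an attacker-steerable write.
        result["kind"] = "null-deref"
        result["base"], result["offset"] = cands[0]
    else:
        result["kind"] = "near-null"
    return result


if __name__ == "__main__":
    r = triage(CRASH_LOG)
    print(f"{r['kind']}: fault 0x{r['fault']:x} = {r['base']} + 0x{r['offset']:x} "
          f"in {r['frame0']} (called from {r['caller']})")
```

Run as a script it reports a null-deref at `eax + 0x1a` inside `setNeedsLayout`, called from `SVGUseElement::notifyAttributeChange`, which is exactly the picture in Comment 2: a null renderer used as `this`, with 0x1a being the offset of whatever member `setNeedsLayout` touches first. Mac OS X maps page zero with no permissions rather than leaving it unmapped, which is why the kernel code reads KERN_PROTECTION_FAILURE instead of KERN_INVALID_ADDRESS; the security verdict is the same either way (a denial of service, not a controllable memory write).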
Comment 3 Eric Seidel (no email) 2007-02-02 05:15:12 PST
I partially blame this crash on the evilness that is notifyAttributeChange.  Or at least my inability to fix it w/o better understanding what things are "expected" to happen even if <use> has display: none...  but WildFox would accuse me of scapegoating (probably correctly so).
Comment 4 Nikolas Zimmermann 2007-02-02 17:43:10 PST
Landed in r19378.