| Summary: | Crash when applying an SVG filter to a pseudo element | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Jon Honeycutt <jhoneycutt> |
| Component: | SVG | Assignee: | Nobody <webkit-unassigned> |
| Status: | CLOSED DUPLICATE | | |
| Severity: | Normal | CC: | dbates, ddkilzer, webkit-bug-importer, zimmermann |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Attachments: | 225911: Repro case | | |
Backtrace:
```
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000014

VM Regions Near 0x14:
-->
__TEXT 000000010cab7000-000000010cab9000 [ 8K] r-x/rwx SM=COW /Users/USER/*/WebKit2.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
Bundle controller class:
BrowserBundleController
Process Model:
Multiple Web Processes

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00000001125cda54 WebCore::Node::setNeedsStyleRecalc(WebCore::StyleChangeType) + 4 (Node.h:609)
1 com.apple.WebCore 0x00000001126dca19 WebCore::RenderLayer::FilterInfo::notifyFinished(WebCore::CachedResource*) + 41 (RenderLayerFilterInfo.cpp:97)
2 com.apple.WebCore 0x0000000111cc3fe6 WebCore::CachedResource::checkNotify() + 166 (CachedResourceClientWalker.h:51)
3 com.apple.WebCore 0x000000011286ca89 WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) + 233 (SubresourceLoader.cpp:338)
4 com.apple.WebKit2 0x0000000110e99323 void IPC::handleMessage<Messages::WebResourceLoader::DidFailResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)) + 117 (RetainPtr.h:111)
5 com.apple.WebKit2 0x0000000110e98f04 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection*, IPC::MessageDecoder&) + 432 (WebResourceLoaderMessageReceiver.cpp:76)
6 com.apple.WebKit2 0x0000000110d6606a WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 138 (NetworkProcessConnection.cpp:60)
7 com.apple.WebKit2 0x0000000110d03a44 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 94 (memory:2665)
8 com.apple.WebKit2 0x0000000110d05bc4 IPC::Connection::dispatchOneMessage() + 106 (memory:2684)
9 com.apple.JavaScriptCore 0x00000001118f6872 WTF::RunLoop::performWork() + 850 (RunLoop.cpp:106)
10 com.apple.JavaScriptCore 0x00000001118f6da2 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
11 com.apple.CoreFoundation 0x00007fff8b931731 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
12 com.apple.CoreFoundation 0x00007fff8b922ea2 __CFRunLoopDoSources0 + 242
13 com.apple.CoreFoundation 0x00007fff8b92262f __CFRunLoopRun + 831
14 com.apple.CoreFoundation 0x00007fff8b9220b5 CFRunLoopRunSpecific + 309
15 com.apple.HIToolbox 0x00007fff858b0a0d RunCurrentEventLoopInMode + 226
16 com.apple.HIToolbox 0x00007fff858b07b7 ReceiveNextEventCommon + 479
17 com.apple.HIToolbox 0x00007fff858b05bc _BlockUntilNextEventMatchingListInModeWithFilter + 65
18 com.apple.AppKit 0x00007fff8db2e4ce _DPSNextEvent + 1434
19 com.apple.AppKit 0x00007fff8db2db1b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
20 com.apple.AppKit 0x00007fff8db21c1c -[NSApplication run] + 553
21 com.apple.AppKit 0x00007fff8db0ca03 NSApplicationMain + 940
22 com.apple.XPCService 0x00007fff845d0c0f _xpc_main + 385
23 libxpc.dylib 0x00007fff8d94bbde xpc_main + 399
24 com.apple.WebKit.WebContent.Development 0x000000010cab86a0 main + 16 (XPCServiceMain.Development.mm:91)
25 libdyld.dylib 0x00007fff904a55fd start + 1
```
Description:
Created attachment 225911 [details]
Repro case

A null dereference occurs when applying an SVG filter to the :first-letter pseudo element.

Comments:
I suspect this has been here since this code was added in r121513.

This test case no longer crashes. Instead, it's a dupe of Bug 131085.

*** This bug has been marked as a duplicate of bug 131085 ***