Bug 129757

Summary: Crash when applying an SVG filter to a pseudo element
Product: WebKit
Reporter: Jon Honeycutt <jhoneycutt>
Component: SVG
Assignee: Nobody <webkit-unassigned>
Status: CLOSED DUPLICATE
Severity: Normal
CC: dbates, ddkilzer, webkit-bug-importer, zimmermann
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Repro case (flags: none)

Jon Honeycutt
Reported 2014-03-05 14:16:38 PST
Created attachment 225911 [details]: Repro case

A null dereference occurs when applying an SVG filter to the :first-letter pseudo element.
Attachments
Repro case (68 bytes, text/html)
2014-03-05 14:16 PST, Jon Honeycutt
no flags
Jon Honeycutt
Comment 1 2014-03-05 15:30:26 PST
Backtrace:

Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000014

VM Regions Near 0x14:
--> __TEXT 000000010cab7000-000000010cab9000 [ 8K] r-x/rwx SM=COW /Users/USER/*/WebKit2.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
Bundle controller class: BrowserBundleController
Process Model: Multiple Web Processes

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x00000001125cda54 WebCore::Node::setNeedsStyleRecalc(WebCore::StyleChangeType) + 4 (Node.h:609)
1   com.apple.WebCore   0x00000001126dca19 WebCore::RenderLayer::FilterInfo::notifyFinished(WebCore::CachedResource*) + 41 (RenderLayerFilterInfo.cpp:97)
2   com.apple.WebCore   0x0000000111cc3fe6 WebCore::CachedResource::checkNotify() + 166 (CachedResourceClientWalker.h:51)
3   com.apple.WebCore   0x000000011286ca89 WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) + 233 (SubresourceLoader.cpp:338)
4   com.apple.WebKit2   0x0000000110e99323 void IPC::handleMessage<Messages::WebResourceLoader::DidFailResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)) + 117 (RetainPtr.h:111)
5   com.apple.WebKit2   0x0000000110e98f04 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection*, IPC::MessageDecoder&) + 432 (WebResourceLoaderMessageReceiver.cpp:76)
6   com.apple.WebKit2   0x0000000110d6606a WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 138 (NetworkProcessConnection.cpp:60)
7   com.apple.WebKit2   0x0000000110d03a44 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 94 (memory:2665)
8   com.apple.WebKit2   0x0000000110d05bc4 IPC::Connection::dispatchOneMessage() + 106 (memory:2684)
9   com.apple.JavaScriptCore   0x00000001118f6872 WTF::RunLoop::performWork() + 850 (RunLoop.cpp:106)
10  com.apple.JavaScriptCore   0x00000001118f6da2 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
11  com.apple.CoreFoundation   0x00007fff8b931731 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
12  com.apple.CoreFoundation   0x00007fff8b922ea2 __CFRunLoopDoSources0 + 242
13  com.apple.CoreFoundation   0x00007fff8b92262f __CFRunLoopRun + 831
14  com.apple.CoreFoundation   0x00007fff8b9220b5 CFRunLoopRunSpecific + 309
15  com.apple.HIToolbox   0x00007fff858b0a0d RunCurrentEventLoopInMode + 226
16  com.apple.HIToolbox   0x00007fff858b07b7 ReceiveNextEventCommon + 479
17  com.apple.HIToolbox   0x00007fff858b05bc _BlockUntilNextEventMatchingListInModeWithFilter + 65
18  com.apple.AppKit   0x00007fff8db2e4ce _DPSNextEvent + 1434
19  com.apple.AppKit   0x00007fff8db2db1b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
20  com.apple.AppKit   0x00007fff8db21c1c -[NSApplication run] + 553
21  com.apple.AppKit   0x00007fff8db0ca03 NSApplicationMain + 940
22  com.apple.XPCService   0x00007fff845d0c0f _xpc_main + 385
23  libxpc.dylib   0x00007fff8d94bbde xpc_main + 399
24  com.apple.WebKit.WebContent.Development   0x000000010cab86a0 main + 16 (XPCServiceMain.Development.mm:91)
25  libdyld.dylib   0x00007fff904a55fd start + 1
Jon Honeycutt
Comment 2 2014-03-05 15:31:06 PST
I suspect this has been here since this code was added in r121513.
David Kilzer (:ddkilzer)
Comment 3 2014-03-08 10:03:33 PST
David Kilzer (:ddkilzer)
Comment 4 2014-04-18 13:07:52 PDT
This test case no longer crashes. Instead, it's a dupe of Bug 131085.

*** This bug has been marked as a duplicate of bug 131085 ***