Bug 12981

Summary: REGRESSION (r18975-r18999): Reproducible crash with <use>
Product: WebKit
Component: SVG
Reporter: mitz
Assignee: Nikolas Zimmermann <zimmermann>
Status: RESOLVED FIXED
Severity: Critical
Priority: P1
CC: zimmermann
Keywords: HasReduction, Regression
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4
Attachments: Reduction (will crash) (flags: none)

mitz
Reported 2007-03-06 07:32:21 PST
The attached SVG crashes WebKit. Backtrace:

Command: Safari
Path: /Applications/Safari.app/Contents/MacOS/Safari
Parent: WindowServer [61]
Version: ??? (19977)
PID: 9191
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Thread 0 Crashed:
0 com.apple.WebCore 0x014ce2a4 WTF::HashMap<WebCore::String, WTF::HashSet<WebCore::SVGStyledElement*, WTF::PtrHash<WebCore::SVGStyledElement*>, WTF::HashTraits<WebCore::SVGStyledElement*> >*, WTF::StrHash<WebCore::String>, WTF::HashTraits<WebCore::String>, WTF::HashTraits<WTF::HashSet<WebCore::SVGStyledElement*, WTF::PtrHash<WebCore::SVGStyledElement*>, WTF::HashTraits<WebCore::SVGStyledElement*> >*> >::add(WebCore::String const&, WTF::HashSet<WebCore::SVGStyledElement*, WTF::PtrHash<WebCore::SVGStyledElement*>, WTF::HashTraits<WebCore::SVGStyledElement*> >* const&) + 68
1 com.apple.WebCore 0x0119ec90 WebCore::SVGDocumentExtensions::addPendingResource(WebCore::AtomicString const&, WebCore::SVGStyledElement*) + 192
2 com.apple.WebCore 0x01097404 WebCore::SVGUseElement::insertedIntoDocument() + 324
3 com.apple.WebCore 0x010d662c WebCore::ContainerNode::addChild(WTF::PassRefPtr<WebCore::Node>) + 220
4 com.apple.WebCore 0x0102cf84 WebCore::XMLTokenizer::startElementNs(unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) + 3268
5 libxml2.2.dylib 0x92ca2480 xmlParseStartTag + 8228
6 libxml2.2.dylib 0x92ca42ec xmlParseDocument + 3368
7 libxml2.2.dylib 0x92c88c0c xmlParseChunk + 424
8 com.apple.WebCore 0x01028e84 WebCore::XMLTokenizer::write(WebCore::SegmentedString const&, bool) + 260
9 com.apple.WebCore 0x013cabc8 WebCore::FrameLoader::write(char const*, int, bool) + 856
10 com.apple.WebCore 0x010dfbb8 -[WebCoreFrameBridge receivedData:textEncodingName:] + 408
11 com.apple.WebKit 0x00327eec -[WebHTMLRepresentation receivedData:withDataSource:] + 156
12 com.apple.WebKit 0x003234b8 -[WebDataSource(WebInternal) _receivedData:] + 88
13 com.apple.WebKit 0x00378318 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 120
14 com.apple.WebCore 0x013deeac WebCore::DocumentLoader::commitLoad(char const*, int) + 92
15 com.apple.WebCore 0x013e6670 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 80
16 com.apple.WebCore 0x013e3244 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 52
17 com.apple.WebCore 0x013ba11c -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 156
18 com.apple.Foundation 0x929935d4 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
19 com.apple.Foundation 0x92991a74 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
20 com.apple.Foundation 0x92991810 _sendCallbacks + 156
21 com.apple.CoreFoundation 0x907dd4cc __CFRunLoopDoSources0 + 384
22 com.apple.CoreFoundation 0x907dc9fc __CFRunLoopRun + 452
23 com.apple.CoreFoundation 0x907dc47c CFRunLoopRunSpecific + 268
24 com.apple.Foundation 0x92970164 -[NSRunLoop runMode:beforeDate:] + 172
25 com.apple.Foundation 0x929b4e20 -[NSRunLoop runUntilDate:] + 80
26 com.apple.AppKit 0x9396b36c NSCoreDragReceiveProc + 916
27 com.apple.HIServices 0x91854de8 DoDropMessage + 96
28 com.apple.HIServices 0x9185628c CoreDragMessageHandler + 1332
29 com.apple.CoreFoundation 0x90824104 __CFMessagePortPerform + 304
30 com.apple.CoreFoundation 0x907ea734 __CFRunLoopDoSource1 + 152
31 com.apple.CoreFoundation 0x907dce4c __CFRunLoopRun + 1556
32 com.apple.CoreFoundation 0x907dc47c CFRunLoopRunSpecific + 268
33 com.apple.HIToolbox 0x93208740 RunCurrentEventLoopInMode + 264
34 com.apple.HIToolbox 0x93207dd4 ReceiveNextEventCommon + 380
35 com.apple.HIToolbox 0x93207c40 BlockUntilNextEventMatchingListInMode + 96
36 com.apple.AppKit 0x9370cae4 _DPSNextEvent + 384
37 com.apple.AppKit 0x9370c7a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
38 com.apple.Safari 0x00006740 0x1000 + 22336
39 com.apple.AppKit 0x93708cec -[NSApplication run] + 472
40 com.apple.AppKit 0x937f987c NSApplicationMain + 452
41 com.apple.Safari 0x0005c77c 0x1000 + 374652
42 com.apple.Safari 0x0005c624 0x1000 + 374308
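The first thing a triager reads in a report like the one above is the exception header: EXC_BAD_ACCESS with KERN_PROTECTION_FAILURE at 0x0000000c, with HashMap::add on top of the stack and SVGDocumentExtensions::addPendingResource directly beneath it during SVGUseElement::insertedIntoDocument. A fault address that low is a null pointer plus a small member offset (0xc), which points at a missing object rather than at attacker-controlled memory. The following is an added example, not part of this bug report or of WebKit: a small parser for the CrashReporter text format that extracts the exception, the fault address and the crashed thread's frames, then applies that first-page heuristic and picks the first frame in the project's own image. The sample log is a constructed abbreviation of the backtrace pasted above (template arguments shortened, only the first six frames); the 4 KiB page size used as the null-page threshold and the `com.apple.WebCore` image prefix are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an abbreviated macOS CrashReporter log in the shape of
# the one pasted in this bug (header fields plus the top frames of thread 0).
SAMPLE_LOG = """Command: Safari
PID: 9191
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c
Thread 0 Crashed:
0 com.apple.WebCore 0x014ce2a4 WTF::HashMap<WebCore::String, WTF::HashSet<WebCore::SVGStyledElement*>*>::add(WebCore::String const&, WTF::HashSet<WebCore::SVGStyledElement*>* const&) + 68
1 com.apple.WebCore 0x0119ec90 WebCore::SVGDocumentExtensions::addPendingResource(WebCore::AtomicString const&, WebCore::SVGStyledElement*) + 192
2 com.apple.WebCore 0x01097404 WebCore::SVGUseElement::insertedIntoDocument() + 324
3 com.apple.WebCore 0x010d662c WebCore::ContainerNode::addChild(WTF::PassRefPtr<WebCore::Node>) + 220
4 com.apple.WebCore 0x0102cf84 WebCore::XMLTokenizer::startElementNs(unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) + 3268
5 libxml2.2.dylib 0x92ca2480 xmlParseStartTag + 8228
"""

# One frame: index, image name, load address, symbol, byte offset into the symbol.
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s\+\s(\d+)\s*$")
CODES_RE = re.compile(r"^Codes:\s*(\w+)\s*\((0x[0-9a-fA-F]+)\)\s+at\s+(0x[0-9a-fA-F]+)")
EXC_RE = re.compile(r"^Exception:\s*(\w+)")

# Assumption: classic 4 KiB page; Darwin leaves the first page unmapped, so any
# fault below it is a null pointer plus a member/field offset.
PAGE_SIZE = 4096


@dataclass
class Frame:
    index: int
    image: str
    address: int
    symbol: str
    offset: int


@dataclass
class CrashInfo:
    exception: Optional[str]
    code: Optional[str]
    fault_address: Optional[int]
    frames: List[Frame]


def parse_crash_log(text: str) -> CrashInfo:
    """Extract the exception header and the frames of the crashed thread."""
    exception = code = None
    fault = None
    frames: List[Frame] = []
    in_crashed_thread = False
    for line in text.splitlines():
        m = EXC_RE.match(line)
        if m:
            exception = m.group(1)
            continue
        m = CODES_RE.match(line)
        if m:
            code, fault = m.group(1), int(m.group(3), 16)
            continue
        if line.startswith("Thread") and "Crashed" in line:
            in_crashed_thread = True
            continue
        if in_crashed_thread:
            m = FRAME_RE.match(line)
            if m:
                frames.append(Frame(int(m.group(1)), m.group(2), int(m.group(3), 16),
                                    m.group(4), int(m.group(5))))
            elif not line.strip() or line.startswith("Thread"):
                in_crashed_thread = False  # blank line or next thread ends the list
    return CrashInfo(exception, code, fault, frames)


def classify_fault(info: CrashInfo) -> str:
    """First-page heuristic: a fault below PAGE_SIZE is a null-plus-offset dereference."""
    if info.exception != "EXC_BAD_ACCESS" or info.fault_address is None:
        return "not a memory-access fault"
    if info.fault_address < PAGE_SIZE:
        return f"near-null dereference (offset {info.fault_address:#x} from NULL)"
    return "wild or out-of-bounds access; needs further analysis"


def first_project_frame(info: CrashInfo, image_prefix: str = "com.apple.WebCore") -> Optional[Frame]:
    """Skip framework frames and return the innermost frame in the project's own image."""
    for frame in info.frames:
        if frame.image.startswith(image_prefix):
            return frame
    return None


if __name__ == "__main__":
    report = parse_crash_log(SAMPLE_LOG)
    print(classify_fault(report))
    top = first_project_frame(report)
    print(f"#{top.index} {top.image} {top.symbol} + {top.offset}")
```

Run as a script it prints the verdict and the innermost WebCore frame; the function-level split is so the same logic can be pointed at any CrashReporter dump, not only this one.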
Attachments
Reduction (will crash) (225 bytes, image/svg+xml), 2007-03-06 07:33 PST, mitz, no flags
mitz
Comment 1 2007-03-06 07:33:07 PST
Created attachment 13489: Reduction (will crash)
Nikolas Zimmermann
Comment 2 2007-03-06 15:54:29 PST
Bug fixed. Landed in r19989.