Bug 132343

Summary: DOMException is thrown in WebCore::constructQualifiedName
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVGAssignee: Martin Hodovan <mhodovan.u-szeged>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, commit-queue, d-r, fmalita, gyuyoung.kim, jochen, krit, pdr, schenney, sergio, zimmermann
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test case
none
Proposed patch none

Renata Hodovan
Reported 2014-04-29 10:55:58 PDT
Created attachment 230389 [details] Test case The failing test case: <svg> <set attributeName="`&#58"></set> </svg> The issue is present in Blink, too: https://code.google.com/p/chromium/issues/detail?id=368325 The backtrace: ASSERTION FAILED: !m_code || m_code == defaultExceptionCode ../../Source/WebCore/svg/animation/SVGSMILElement.cpp(200) : 1 0x7ffff2f1dc5f /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(WTFCrash+0x1e) [0x7ffff2f1dc5f] 2 0x7ffff349e533 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore27NoExceptionAssertionCheckerD1Ev+0x4d) [0x7ffff349e533] 3 0x7ffff3feb18b /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(+0x4fd418b) [0x7ffff3feb18b] 4 0x7ffff3fecbc4 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14SVGSMILElement19svgAttributeChangedERKNS_13QualifiedNameE+0x222) [0x7ffff3fecbc4] 5 0x7ffff3f117c5 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore19SVGAnimationElement19svgAttributeChangedERKNS_13QualifiedNameE+0x3d) [0x7ffff3f117c5] 6 0x7ffff3f2f1c5 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore10SVGElement16attributeChangedERKNS_13QualifiedNameERKN3WTF12AtomicStringES7_NS_7Element27AttributeModificationReasonE+0xb1) [0x7ffff3f2f1c5] 7 0x7ffff347f1cd /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore7Element19parserSetAttributesERKN3WTF6VectorINS_9AttributeELm0ENS1_15CrashOnOverflowEEE+0x1db) [0x7ffff347f1cd] 8 0x7ffff371cc27 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(+0x4705c27) [0x7ffff371cc27] 9 0x7ffff371fb8f /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore20HTMLConstructionSite13createElementEPNS_15AtomicHTMLTokenERKN3WTF12AtomicStringE+0xa9) [0x7ffff371fb8f] 10 0x7ffff371f2ae /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore20HTMLConstructionSite20insertForeignElementEPNS_15AtomicHTMLTokenERKN3WTF12AtomicStringE+0xc4) [0x7ffff371f2ae] 11 0x7ffff3756ac1 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore15HTMLTreeBuilder28processTokenInForeignContentEPNS_15AtomicHTMLTokenE+0x7a5) [0x7ffff3756ac1] 12 0x7ffff374a565 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore15HTMLTreeBuilder13constructTreeEPNS_15AtomicHTMLTokenE+0x3b) [0x7ffff374a565] 13 0x7ffff372590e /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser26constructTreeFromHTMLTokenERNS_9HTMLTokenE+0x66) [0x7ffff372590e] 14 0x7ffff3725595 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser13pumpTokenizerENS0_15SynchronousModeE+0x44d) [0x7ffff3725595] 15 0x7ffff3724d9b /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser23pumpTokenizerIfPossibleENS0_15SynchronousModeE+0x9b) [0x7ffff3724d9b] 16 0x7ffff3725e55 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser6appendEN3WTF10PassRefPtrINS1_10StringImplEEE+0x259) [0x7ffff3725e55] 17 0x7ffff341d569 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore25DecodedDataDocumentParser5flushERNS_14DocumentWriterE+0x83) [0x7ffff341d569] 18 0x7ffff387857d /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14DocumentWriter3endEv+0xdf) [0x7ffff387857d] 19 0x7ffff3865963 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14DocumentLoader15finishedLoadingEd+0x209) [0x7ffff3865963] 20 0x7ffff38656cc /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14DocumentLoader14notifyFinishedEPNS_14CachedResourceE+0x10e) [0x7ffff38656cc] 21 0x7ffff39066b8 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14CachedResource11checkNotifyEv+0x68) [0x7ffff39066b8] 22 0x7ffff3906796 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14CachedResource13finishLoadingEPNS_14ResourceBufferE+0x3a) [0x7ffff3906796] 23 0x7ffff3903494 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore17CachedRawResource13finishLoadingEPNS_14ResourceBufferE+0xcc) [0x7ffff3903494] 24 0x7ffff38bf7a6 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore17SubresourceLoader16didFinishLoadingEd+0x1de) [0x7ffff38bf7a6] 25 0x7ffff38bbc6d /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14ResourceLoader16didFinishLoadingEPNS_14ResourceHandleEd+0x3b) [0x7ffff38bbc6d] 26 0x7ffff4150c11 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(+0x5139c11) [0x7ffff4150c11] 27 0x7fffec3ab2ea /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0(+0x5a2ea) [0x7fffec3ab2ea] 28 0x7fffec3caceb /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0(+0x79ceb) [0x7fffec3caceb] 29 0x7fffec3cad09 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0(+0x79d09) [0x7fffec3cad09] 30 0x7fffeb6212e6 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x146) [0x7fffeb6212e6] 31 0x7fffeb621638 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0(+0x48638) [0x7fffeb621638] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff97334700 (LWP 6785)] 0x00007ffff2f1dc64 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff2f1dc64 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff349e533 in WebCore::NoExceptionAssertionChecker::~NoExceptionAssertionChecker (this=0x7fffffffcfb0, __in_chrg=<optimized out>) at ../../Source/WebCore/dom/ExceptionCodePlaceholder.cpp:47 #2 0x00007ffff3feb18b in WebCore::constructQualifiedName (svgElement=0x878310, attributeName=...) at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:200 #3 0x00007ffff3fecbc4 in WebCore::SVGSMILElement::svgAttributeChanged (this=0x878310, attrName=...) at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:492 #4 0x00007ffff3f117c5 in WebCore::SVGAnimationElement::svgAttributeChanged (this=0x878310, attrName=...) at ../../Source/WebCore/svg/SVGAnimationElement.cpp:227 #5 0x00007ffff3f2f1c5 in WebCore::SVGElement::attributeChanged (this=0x878310, name=..., oldValue=..., newValue=...) at ../../Source/WebCore/svg/SVGElement.cpp:719 #6 0x00007ffff347f1cd in WebCore::Element::parserSetAttributes (this=0x878310, attributeVector=...) at ../../Source/WebCore/dom/Element.cpp:1207 #7 0x00007ffff371cc27 in WebCore::setAttributes (element=0x878310, token=0x7fffffffd2a0, parserContentPolicy=WebCore::AllowScriptingContent) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:56 #8 0x00007ffff371fb8f in WebCore::HTMLConstructionSite::createElement (this=0x9f0e78, token=0x7fffffffd2a0, namespaceURI=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:612 #9 0x00007ffff371f2ae in WebCore::HTMLConstructionSite::insertForeignElement (this=0x9f0e78, token=0x7fffffffd2a0, namespaceURI=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:516 #10 0x00007ffff3756ac1 in WebCore::HTMLTreeBuilder::processTokenInForeignContent (this=0x9f0e60, token=0x7fffffffd2a0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2928 #11 0x00007ffff374a565 in WebCore::HTMLTreeBuilder::constructTree (this=0x9f0e60, token=0x7fffffffd2a0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:352 #12 0x00007ffff372590e in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x817b70, rawToken=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:352 #13 0x00007ffff3725595 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x817b70, mode=WebCore::HTMLDocumentParser::AllowYield) ---Type <return> to continue, or q <return> to quit--- at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:309 #14 0x00007ffff3724d9b in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x817b70, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:189 #15 0x00007ffff3725e55 in WebCore::HTMLDocumentParser::append (this=0x817b70, inputSource=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:428 #16 0x00007ffff341d569 in WebCore::DecodedDataDocumentParser::flush (this=0x817b70, writer=...) at ../../Source/WebCore/dom/DecodedDataDocumentParser.cpp:60 #17 0x00007ffff387857d in WebCore::DocumentWriter::end (this=0x791110) at ../../Source/WebCore/loader/DocumentWriter.cpp:245 #18 0x00007ffff3865963 in WebCore::DocumentLoader::finishedLoading (this=0x791070, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:440 #19 0x00007ffff38656cc in WebCore::DocumentLoader::notifyFinished (this=0x791070, resource=0x91c8a0) at ../../Source/WebCore/loader/DocumentLoader.cpp:374 #20 0x00007ffff39066b8 in WebCore::CachedResource::checkNotify (this=0x91c8a0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:332 #21 0x00007ffff3906796 in WebCore::CachedResource::finishLoading (this=0x91c8a0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:348 #22 0x00007ffff3903494 in WebCore::CachedRawResource::finishLoading (this=0x91c8a0, data=0x7acbe0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:97 #23 0x00007ffff38bf7a6 in WebCore::SubresourceLoader::didFinishLoading (this=0x91cde0, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:310 #24 0x00007ffff38bbc6d in WebCore::ResourceLoader::didFinishLoading (this=0x91cde0, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:508 #25 0x00007ffff4150c11 in WebCore::readCallback (asyncResult=0x9091d0, data=0x8407d0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1340 #26 0x00007fffec3ab2ea in async_ready_callback_wrapper (source_object=0x9975b0, res=0x9091d0, user_data=0x8407d0) at ginputstream.c:519 #27 0x00007fffec3caceb in g_task_return_now (task=0x9091d0) at gtask.c:1108 #28 0x00007fffec3cad09 in complete_in_idle_cb (task=0x9091d0) at gtask.c:1117 #29 0x00007fffeb6212e6 in g_main_dispatch (context=0x67af50) at gmain.c:3065 #30 g_main_context_dispatch (context=context@entry=0x67af50) at gmain.c:3641 #31 0x00007fffeb621638 in g_main_context_iterate (context=0x67af50, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3712 #32 0x00007fffeb621a3a in g_main_loop_run (loop=0x6c7790) at gmain.c:3906 #33 0x00007ffff2f6dae4 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59 #34 0x00007ffff2eb73d2 in WebKit::WebProcessMainGtk (argc=2, argv=0x7fffffffdaa8) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:75 ---Type <return> to continue, or q <return> to quit--- #35 0x000000000040085d in main (argc=2, argv=0x7fffffffdaa8) at ../../Source/WebKit2/gtk/MainGtk.cpp:31
Attachments
Test case (50 bytes, text/html)
2014-04-29 10:55 PDT, Renata Hodovan 		no flags
Details
Proposed patch (4.92 KB, patch)
2014-05-09 02:16 PDT, Martin Hodovan 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Martin Hodovan
Comment 1 2014-05-09 02:16:23 PDT
Created attachment 231137 [details] Proposed patch Blink merge: http://src.chromium.org/viewvc/blink?view=revision&revision=173564 Based on the patch made by Christophe Dumez <ch.dumez@samsung.com>.
WebKit Commit Bot
Comment 2 2014-05-09 03:58:43 PDT
Comment on attachment 231137 [details] Proposed patch Clearing flags on attachment: 231137 Committed r168524: <http://trac.webkit.org/changeset/168524>
WebKit Commit Bot
Comment 3 2014-05-09 03:58:49 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.