Bug 132343

Summary: DOMException is thrown in WebCore::constructQualifiedName
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVG
Assignee: Martin Hodovan <mhodovan.u-szeged>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, commit-queue, d-r, fmalita, gyuyoung.kim, jochen, krit, pdr, schenney, sergio, zimmermann
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980

Attachments:
Test case (flags: none)
Proposed patch (flags: none)

Description Renata Hodovan 2014-04-29 10:55:58 PDT
Created attachment 230389 [details]
Test case

The failing test case:

<svg>
    <set attributeName="`&#58"></set>
</svg>


The issue is present in Blink, too: https://code.google.com/p/chromium/issues/detail?id=368325

The backtrace:

ASSERTION FAILED: !m_code || m_code == defaultExceptionCode
../../Source/WebCore/svg/animation/SVGSMILElement.cpp(200) : 
1   0x7ffff2f1dc5f /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(WTFCrash+0x1e) [0x7ffff2f1dc5f]
2   0x7ffff349e533 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore27NoExceptionAssertionCheckerD1Ev+0x4d) [0x7ffff349e533]
3   0x7ffff3feb18b /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(+0x4fd418b) [0x7ffff3feb18b]
4   0x7ffff3fecbc4 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14SVGSMILElement19svgAttributeChangedERKNS_13QualifiedNameE+0x222) [0x7ffff3fecbc4]
5   0x7ffff3f117c5 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore19SVGAnimationElement19svgAttributeChangedERKNS_13QualifiedNameE+0x3d) [0x7ffff3f117c5]
6   0x7ffff3f2f1c5 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore10SVGElement16attributeChangedERKNS_13QualifiedNameERKN3WTF12AtomicStringES7_NS_7Element27AttributeModificationReasonE+0xb1) [0x7ffff3f2f1c5]
7   0x7ffff347f1cd /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore7Element19parserSetAttributesERKN3WTF6VectorINS_9AttributeELm0ENS1_15CrashOnOverflowEEE+0x1db) [0x7ffff347f1cd]
8   0x7ffff371cc27 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(+0x4705c27) [0x7ffff371cc27]
9   0x7ffff371fb8f /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore20HTMLConstructionSite13createElementEPNS_15AtomicHTMLTokenERKN3WTF12AtomicStringE+0xa9) [0x7ffff371fb8f]
10  0x7ffff371f2ae /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore20HTMLConstructionSite20insertForeignElementEPNS_15AtomicHTMLTokenERKN3WTF12AtomicStringE+0xc4) [0x7ffff371f2ae]
11  0x7ffff3756ac1 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore15HTMLTreeBuilder28processTokenInForeignContentEPNS_15AtomicHTMLTokenE+0x7a5) [0x7ffff3756ac1]
12  0x7ffff374a565 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore15HTMLTreeBuilder13constructTreeEPNS_15AtomicHTMLTokenE+0x3b) [0x7ffff374a565]
13  0x7ffff372590e /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser26constructTreeFromHTMLTokenERNS_9HTMLTokenE+0x66) [0x7ffff372590e]
14  0x7ffff3725595 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser13pumpTokenizerENS0_15SynchronousModeE+0x44d) [0x7ffff3725595]
15  0x7ffff3724d9b /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser23pumpTokenizerIfPossibleENS0_15SynchronousModeE+0x9b) [0x7ffff3724d9b]
16  0x7ffff3725e55 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore18HTMLDocumentParser6appendEN3WTF10PassRefPtrINS1_10StringImplEEE+0x259) [0x7ffff3725e55]
17  0x7ffff341d569 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore25DecodedDataDocumentParser5flushERNS_14DocumentWriterE+0x83) [0x7ffff341d569]
18  0x7ffff387857d /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14DocumentWriter3endEv+0xdf) [0x7ffff387857d]
19  0x7ffff3865963 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14DocumentLoader15finishedLoadingEd+0x209) [0x7ffff3865963]
20  0x7ffff38656cc /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14DocumentLoader14notifyFinishedEPNS_14CachedResourceE+0x10e) [0x7ffff38656cc]
21  0x7ffff39066b8 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14CachedResource11checkNotifyEv+0x68) [0x7ffff39066b8]
22  0x7ffff3906796 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14CachedResource13finishLoadingEPNS_14ResourceBufferE+0x3a) [0x7ffff3906796]
23  0x7ffff3903494 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore17CachedRawResource13finishLoadingEPNS_14ResourceBufferE+0xcc) [0x7ffff3903494]
24  0x7ffff38bf7a6 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore17SubresourceLoader16didFinishLoadingEd+0x1de) [0x7ffff38bf7a6]
25  0x7ffff38bbc6d /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(_ZN7WebCore14ResourceLoader16didFinishLoadingEPNS_14ResourceHandleEd+0x3b) [0x7ffff38bbc6d]
26  0x7ffff4150c11 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libwebkit2gtk-3.0.so.25(+0x5139c11) [0x7ffff4150c11]
27  0x7fffec3ab2ea /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0(+0x5a2ea) [0x7fffec3ab2ea]
28  0x7fffec3caceb /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0(+0x79ceb) [0x7fffec3caceb]
29  0x7fffec3cad09 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libgio-2.0.so.0(+0x79d09) [0x7fffec3cad09]
30  0x7fffeb6212e6 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x146) [0x7fffeb6212e6]
31  0x7fffeb621638 /home/reni2/data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0(+0x48638) [0x7fffeb621638]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff97334700 (LWP 6785)]
0x00007ffff2f1dc64 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff2f1dc64 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff349e533 in WebCore::NoExceptionAssertionChecker::~NoExceptionAssertionChecker (this=0x7fffffffcfb0, __in_chrg=<optimized out>)
    at ../../Source/WebCore/dom/ExceptionCodePlaceholder.cpp:47
#2  0x00007ffff3feb18b in WebCore::constructQualifiedName (svgElement=0x878310, attributeName=...)
    at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:200
#3  0x00007ffff3fecbc4 in WebCore::SVGSMILElement::svgAttributeChanged (this=0x878310, attrName=...)
    at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:492
#4  0x00007ffff3f117c5 in WebCore::SVGAnimationElement::svgAttributeChanged (this=0x878310, attrName=...)
    at ../../Source/WebCore/svg/SVGAnimationElement.cpp:227
#5  0x00007ffff3f2f1c5 in WebCore::SVGElement::attributeChanged (this=0x878310, name=..., oldValue=..., newValue=...)
    at ../../Source/WebCore/svg/SVGElement.cpp:719
#6  0x00007ffff347f1cd in WebCore::Element::parserSetAttributes (this=0x878310, attributeVector=...) at ../../Source/WebCore/dom/Element.cpp:1207
#7  0x00007ffff371cc27 in WebCore::setAttributes (element=0x878310, token=0x7fffffffd2a0, parserContentPolicy=WebCore::AllowScriptingContent)
    at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:56
#8  0x00007ffff371fb8f in WebCore::HTMLConstructionSite::createElement (this=0x9f0e78, token=0x7fffffffd2a0, namespaceURI=...)
    at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:612
#9  0x00007ffff371f2ae in WebCore::HTMLConstructionSite::insertForeignElement (this=0x9f0e78, token=0x7fffffffd2a0, namespaceURI=...)
    at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:516
#10 0x00007ffff3756ac1 in WebCore::HTMLTreeBuilder::processTokenInForeignContent (this=0x9f0e60, token=0x7fffffffd2a0)
    at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2928
#11 0x00007ffff374a565 in WebCore::HTMLTreeBuilder::constructTree (this=0x9f0e60, token=0x7fffffffd2a0)
    at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:352
#12 0x00007ffff372590e in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x817b70, rawToken=...)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:352
#13 0x00007ffff3725595 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x817b70, mode=WebCore::HTMLDocumentParser::AllowYield)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:309
#14 0x00007ffff3724d9b in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x817b70, mode=WebCore::HTMLDocumentParser::AllowYield)
    at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:189
#15 0x00007ffff3725e55 in WebCore::HTMLDocumentParser::append (this=0x817b70, inputSource=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:428
#16 0x00007ffff341d569 in WebCore::DecodedDataDocumentParser::flush (this=0x817b70, writer=...) at ../../Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#17 0x00007ffff387857d in WebCore::DocumentWriter::end (this=0x791110) at ../../Source/WebCore/loader/DocumentWriter.cpp:245
#18 0x00007ffff3865963 in WebCore::DocumentLoader::finishedLoading (this=0x791070, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:440
#19 0x00007ffff38656cc in WebCore::DocumentLoader::notifyFinished (this=0x791070, resource=0x91c8a0) at ../../Source/WebCore/loader/DocumentLoader.cpp:374
#20 0x00007ffff39066b8 in WebCore::CachedResource::checkNotify (this=0x91c8a0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:332
#21 0x00007ffff3906796 in WebCore::CachedResource::finishLoading (this=0x91c8a0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:348
#22 0x00007ffff3903494 in WebCore::CachedRawResource::finishLoading (this=0x91c8a0, data=0x7acbe0)
    at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:97
#23 0x00007ffff38bf7a6 in WebCore::SubresourceLoader::didFinishLoading (this=0x91cde0, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:310
#24 0x00007ffff38bbc6d in WebCore::ResourceLoader::didFinishLoading (this=0x91cde0, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:508
#25 0x00007ffff4150c11 in WebCore::readCallback (asyncResult=0x9091d0, data=0x8407d0)
    at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1340
#26 0x00007fffec3ab2ea in async_ready_callback_wrapper (source_object=0x9975b0, res=0x9091d0, user_data=0x8407d0) at ginputstream.c:519
#27 0x00007fffec3caceb in g_task_return_now (task=0x9091d0) at gtask.c:1108
#28 0x00007fffec3cad09 in complete_in_idle_cb (task=0x9091d0) at gtask.c:1117
#29 0x00007fffeb6212e6 in g_main_dispatch (context=0x67af50) at gmain.c:3065
#30 g_main_context_dispatch (context=context@entry=0x67af50) at gmain.c:3641
#31 0x00007fffeb621638 in g_main_context_iterate (context=0x67af50, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3712
#32 0x00007fffeb621a3a in g_main_loop_run (loop=0x6c7790) at gmain.c:3906
#33 0x00007ffff2f6dae4 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#34 0x00007ffff2eb73d2 in WebKit::WebProcessMainGtk (argc=2, argv=0x7fffffffdaa8) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:75
#35 0x000000000040085d in main (argc=2, argv=0x7fffffffdaa8) at ../../Source/WebKit2/gtk/MainGtk.cpp:31
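The assertion above comes from an exception-code placeholder (NoExceptionAssertionChecker in ExceptionCodePlaceholder.cpp) that fires when the callee of constructQualifiedName sets an exception code; the attribute value in the test case, "`" followed by ":" (since &#58 is a colon), is not a well-formed XML qualified name, so the name parser reports an error that the caller had asserted could never happen. The following is an added example, not WebKit's code and not the landed patch: it shows the defensive shape such a caller should have, parsing "prefix:local" against a simplified ASCII-only NCName grammar and returning an explicit Invalid result instead of assuming no error. The names parseQualifiedName, constructQualifiedName, QualifiedName and Outcome are illustrative and differ from WebCore's real declarations.

```cpp
// Added example (not WebCore's code): construct a qualified name from an SVG
// attributeName value with an explicit failure result rather than an
// assert-no-exception placeholder, so a malformed value such as "`:" is
// rejected cleanly in both debug and release builds.
#include <cassert>
#include <cctype>
#include <iostream>
#include <optional>
#include <string>

struct QualifiedName {
    std::string prefix;     // empty when the name carries no prefix
    std::string localName;
};

// NameStartChar / NameChar reduced to ASCII for the example; the real XML
// Namespaces grammar also admits many non-ASCII ranges (assumption: the
// reduced grammar is enough to show the check, not a spec-complete one).
static bool isNameStartChar(unsigned char c) {
    return std::isalpha(c) || c == '_';
}

static bool isNameChar(unsigned char c) {
    return isNameStartChar(c) || std::isdigit(c) || c == '-' || c == '.';
}

// An NCName is a Name without a colon: NameStartChar followed by NameChar*.
static bool isNCName(const std::string& s) {
    if (s.empty() || !isNameStartChar(static_cast<unsigned char>(s[0])))
        return false;
    for (size_t i = 1; i < s.size(); ++i)
        if (!isNameChar(static_cast<unsigned char>(s[i])))
            return false;
    return true;
}

// Splits "prefix:local" and validates both halves. Returns std::nullopt for
// anything that is not a well-formed QName: "`:" (the report's test case),
// ":a", "a:", "a:b:c", "a b".
std::optional<QualifiedName> parseQualifiedName(const std::string& qname) {
    const size_t colon = qname.find(':');
    if (colon == std::string::npos) {
        if (!isNCName(qname))
            return std::nullopt;
        return QualifiedName{"", qname};
    }
    const std::string prefix = qname.substr(0, colon);
    const std::string local = qname.substr(colon + 1);
    if (!isNCName(prefix) || !isNCName(local))
        return std::nullopt;
    return QualifiedName{prefix, local};
}

// Outcome of building the name: empty attributeName means "any attribute",
// a malformed one is reported as Invalid instead of being asserted away.
enum class Outcome { Any, Named, Invalid };

Outcome constructQualifiedName(const std::string& attributeName, QualifiedName& out) {
    if (attributeName.empty())
        return Outcome::Any;
    const auto parsed = parseQualifiedName(attributeName);
    if (!parsed)
        return Outcome::Invalid;   // caller decides how to degrade, no crash
    out = *parsed;
    return Outcome::Named;
}

int main() {
    // Constructed sample values, including the one from the bug's test case.
    const char* samples[] = { "", "x", "xlink:href", "`:", ":a", "a:", "a:b:c" };
    for (const char* s : samples) {
        QualifiedName q;
        switch (constructQualifiedName(s, q)) {
        case Outcome::Any:
            std::cout << "\"" << s << "\" -> any attribute\n";
            break;
        case Outcome::Named:
            std::cout << "\"" << s << "\" -> prefix=\"" << q.prefix
                      << "\" local=\"" << q.localName << "\"\n";
            break;
        case Outcome::Invalid:
            std::cout << "\"" << s << "\" -> invalid, rejected without assertion\n";
            break;
        }
    }
    return 0;
}
```

The point of the Invalid branch is that untrusted markup reaches this code path through the HTML parser (see frames #6 through #12 above), so a "cannot happen" placeholder is the wrong tool: the parser must own the error and the caller must handle it.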
Comment 1 Martin Hodovan 2014-05-09 02:16:23 PDT
Created attachment 231137 [details]
Proposed patch

Blink merge: http://src.chromium.org/viewvc/blink?view=revision&revision=173564
Based on the patch made by Christophe Dumez <ch.dumez@samsung.com>.
Comment 2 WebKit Commit Bot 2014-05-09 03:58:43 PDT
Comment on attachment 231137 [details]
Proposed patch

Clearing flags on attachment: 231137

Committed r168524: <http://trac.webkit.org/changeset/168524>
Comment 3 WebKit Commit Bot 2014-05-09 03:58:49 PDT
All reviewed patches have been landed.  Closing bug.