Bug 13963

Summary: Reproducible crash playing SVG space invaders in JS code
Product: WebKit Reporter: Eric Seidel (no email) <eric>
Component: SVGAssignee: Nikolas Zimmermann <zimmermann>
Status: RESOLVED FIXED    
Severity: Normal Keywords: NeedsReduction
Priority: P1    
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
URL: http://www.croczilla.com/svg/samples/invaders/invaders.svg
Attachments:
Description Flags
Initial patch
none
Final patch eric: review+

Eric Seidel (no email)
Reported 2007-06-01 02:06:24 PDT
Reproducible crash playing SVG space invaders in JS code http://www.croczilla.com/svg/samples/invaders/invaders.svg I'm not certain if this is on TOT or just the feature branch. If it's on TOT too it needs to be bumped to a P1. #0 0x04897fff in ?? #1 0x01627559 in WebCore::JSSVGPODTypeWrapperCreator<WebCore::SVGLength, WebCore::SVGAnimatedTemplate<WebCore::SVGLength> >::commitChange at JSSVGPODTypeWrapper.h:75 #2 0x01364445 in WebCore::JSSVGLength::putValueProperty at JSSVGLength.cpp:218 #3 0x0163dbde in KJS::lookupPut<WebCore::JSSVGLength> at lookup.h:252 #4 0x0163dc20 in KJS::lookupPut<WebCore::JSSVGLength, KJS::DOMObject> at lookup.h:268 #5 0x01364937 in WebCore::JSSVGLength::put at JSSVGLength.cpp:208 #6 0x0054aafa in KJS::AssignDotNode::evaluate at nodes.cpp:1498 #7 0x00544587 in KJS::ExprStatementNode::execute at nodes.cpp:1723 #8 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522 #9 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699 #10 0x0054448f in KJS::IfNode::execute at nodes.cpp:1742 #11 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522 #12 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699 #13 0x00549017 in KJS::ForInNode::execute at nodes.cpp:1999 #14 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522 #15 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699 #16 0x005358fd in KJS::DeclaredFunctionImp::execute at function.cpp:317 #17 0x005384c7 in KJS::FunctionImp::callAsFunction at function.cpp:104 #18 0x0053d7ca in KJS::JSObject::call at object.cpp:98 #19 0x00538a3f in KJS::PropertySlot::functionGetter at property_slot.cpp:37 #20 0x00571b29 in KJS::PropertySlot::getValue at property_slot.h:47 #21 0x00540227 in KJS::ResolveNode::evaluate at nodes.cpp:398 #22 0x00544587 in KJS::ExprStatementNode::execute at nodes.cpp:1723 #23 0x005425bc in KJS::SourceElementsNode::execute at nodes.cpp:2528 #24 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699 #25 0x0054326b in KJS::WithNode::execute at nodes.cpp:2090 #26 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522 #27 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699 #28 0x005358fd in KJS::DeclaredFunctionImp::execute at function.cpp:317 #29 0x005384c7 in KJS::FunctionImp::callAsFunction at function.cpp:104 #30 0x0053d7ca in KJS::JSObject::call at object.cpp:98 #31 0x005474b5 in KJS::FunctionCallResolveNode::evaluate at nodes.cpp:694 #32 0x00544587 in KJS::ExprStatementNode::execute at nodes.cpp:1723 #33 0x005425bc in KJS::SourceElementsNode::execute at nodes.cpp:2528 #34 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699 #35 0x0054448f in KJS::IfNode::execute at nodes.cpp:1742 #36 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522 #37 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699 #38 0x0054448f in KJS::IfNode::execute at nodes.cpp:1742 #39 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522 #40 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699 #41 0x0054326b in KJS::WithNode::execute at nodes.cpp:2090 #42 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522 #43 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699 #44 0x005358fd in KJS::DeclaredFunctionImp::execute at function.cpp:317 #45 0x005384c7 in KJS::FunctionImp::callAsFunction at function.cpp:104 #46 0x0053d7ca in KJS::JSObject::call at object.cpp:98 #47 0x0127ec57 in KJS::ScheduledAction::execute at kjs_window.cpp:1916 #48 0x01281cd9 in KJS::Window::timerFired at kjs_window.cpp:2039 #49 0x01281ea5 in KJS::DOMWindowTimer::fired at kjs_window.cpp:2639 #50 0x012173c2 in WebCore::TimerBase::fireTimers at Timer.cpp:336 #51 0x0121745f in WebCore::TimerBase::sharedTimerFired at Timer.cpp:353 #52 0x01216b16 in timerFired at SharedTimerMac.cpp:46 #53 0x9082c7e2 in CFRunLoopRunSpecific #54 0x9082bace in CFRunLoopRunInMode #55 0x92ddc8d8 in RunCurrentEventLoopInMode #56 0x92ddbf19 in ReceiveNextEventCommon #57 0x92ddbe39 in BlockUntilNextEventMatchingListInMode #58 0x93282465 in _DPSNextEvent #59 0x93282056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] #60 0x00006f96 in ?? #61 0x9327bddb in -[NSApplication run] #62 0x9326fd2f in NSApplicationMain #63 0x0005f7de in ?? #64 0x0005f6f9 in ??
Attachments
Initial patch (16.38 KB, patch)
2007-06-14 12:07 PDT, Nikolas Zimmermann 		no flags
DetailsFormatted DiffDiff
Final patch (18.96 KB, patch)
2007-06-14 15:24 PDT, Nikolas Zimmermann 		eric: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2007-06-01 02:07:33 PDT
This is the line which crashes, btw: virtual void commitChange(KJS::ExecState* exec) { (m_creator->*m_setter)((PODType&)(*this)); // <-- CRASH HERE ASSERT(exec && exec->dynamicInterpreter());
Oliver Hunt
Comment 2 2007-06-01 02:11:27 PDT
Can make it crash by mashing keys :(
Oliver Hunt
Comment 3 2007-06-01 02:15:15 PDT
Looks like badness Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xc5d7bd67 0x017bdd23 in WebCore::JSSVGPODTypeWrapperCreator<WebCore::SVGLength, WebCore::SVGAnimatedTemplate<WebCore::SVGLength> >::commitChange (this=0x181e6e30, exec=0xbfffdc5c) at JSSVGPODTypeWrapper.h:75 75 (m_creator->*m_setter)((PODType&)(*this)); (gdb) p m_creator $1 = (SVGAnimatedLength *) 0x17583ad0 Current language: auto; currently c++ (gdb) p *m_creator $2 = { <WebCore::Shared<WebCore::SVGAnimatedTemplate<WebCore::SVGLength> >> = { <WTFNoncopyable::Noncopyable> = {<No data fields>}, members of WebCore::Shared<WebCore::SVGAnimatedTemplate<WebCore::SVGLength> >: m_refCount = -975824033, m_inDestructor = true }, members of WebCore::SVGAnimatedTemplate<WebCore::SVGLength>: _vptr$SVGAnimatedTemplate = 0xc5d7bd5b } (gdb)
Rob Buis
Comment 4 2007-06-11 17:28:37 PDT
Niko says this is caused by his code. ;)
Nikolas Zimmermann
Comment 5 2007-06-14 12:07:42 PDT
Created attachment 15026 [details] Initial patch Not asking for review yet - as it doesn't contain a ChangeLog yet, and still makes problems. Just for Eric to have a look.
Nikolas Zimmermann
Comment 6 2007-06-14 15:24:31 PDT
Created attachment 15034 [details] Final patch Finally a working patch :-) Thank Eric for the final hints to get it going. Long lives peer reviewing!
Eric Seidel (no email)
Comment 7 2007-06-14 17:05:12 PDT
Comment on attachment 15034 [details] Final patch looks good. r=me
Eric Seidel (no email)
Comment 8 2007-06-14 17:14:16 PDT
This needs to go on TOT as well. it's a p1 reproducible crasher.
Nikolas Zimmermann
Comment 9 2007-06-14 17:37:43 PDT
Landed in r23543.
Note You need to log in before you can comment on or make changes to this bug.