Bug 32357

Summary: SVG test case crashes WebKit (invalid font URL)
Product: WebKit Reporter: sideshowbarker <mike>
Component: SVGAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: ap, commit-queue, cshu, jschuh, krit, webkit.review.bot
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.5   
URL: http://dev.w3.org/SVG/profiles/1.2T/test/svgHarness/animate-elem-227-t.svg
Attachments:
Description Flags
Proposed patch
none
Minimized test case
none
Patch with layout tests and changelog
mitz: review+
Patch with layout tests none

sideshowbarker
Reported 2009-12-09 18:00:36 PST
Running r51881. Tried to open http://dev.w3.org/SVG/profiles/1.2T/test/svgHarness/animate-elem-227-t.svg but crashes.
Attachments
Proposed patch (737 bytes, patch)
2009-12-14 11:59 PST, Justin Schuh 		no flags
DetailsFormatted DiffDiff
Minimized test case (559 bytes, image/svg+xml)
2009-12-14 12:00 PST, Justin Schuh 		no flags
Details
Patch with layout tests and changelog (4.27 KB, patch)
2009-12-17 08:23 PST, Justin Schuh 		mitz: review+
DetailsFormatted DiffDiff
Patch with layout tests (4.01 KB, patch)
2009-12-17 12:53 PST, Justin Schuh 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2009-12-10 14:27:15 PST
SVGFontFaceUriElement::loadFont() tries to call setSVGFont on a null m_cachedFont. And m_cachedFont is null because we're trying to resolve "../images/SVGFreeSans.svg#ascii" in an about:blank document, and of course fail. It's definitely a bug loadFont() that it crashes when font URL is invalid. It may be a bug elsewhere that the document base URL is about:blank.
Justin Schuh
Comment 2 2009-12-14 11:59:21 PST
Created attachment 44810 [details] Proposed patch Checks for NULL m_cachedFont before calling setSVGFont().
Justin Schuh
Comment 3 2009-12-14 12:00:24 PST
Created attachment 44811 [details] Minimized test case
Justin Schuh
Comment 4 2009-12-14 12:02:24 PST
I ran into the same thing last week <http://crbug.com/29890>. Here's a short patch and a minimized test case.
Alexey Proskuryakov
Comment 5 2009-12-14 12:21:57 PST
Would you be willing to submit a patch for review, as described in <http://webkit.org/coding/contributing.html>?
Justin Schuh
Comment 6 2009-12-16 09:18:03 PST
(In reply to comment #5) > Would you be willing to submit a patch for review, as described in > <http://webkit.org/coding/contributing.html>? Yep. I had to set up a proper WebKit build environment, but I'll be submitting a patch today.
Justin Schuh
Comment 7 2009-12-17 08:23:12 PST
Created attachment 45072 [details] Patch with layout tests and changelog This patch just checks for a NULL m_cachedFont before continuing. It follows the submission guidelines and should be ready for review.
WebKit Review Bot
Comment 8 2009-12-17 08:25:42 PST
style-queue ran check-webkit-style on attachment 45072 [details] without any errors.
mitz
Comment 9 2009-12-17 08:35:48 PST
Comment on attachment 45072 [details] Patch with layout tests and changelog > + This test is to ensure that we do not crash when loading a SVG image without an invalid font-face-uri Did you mean “*with* an invalid”? I think this kind of test can be done entirely in SVG.
Justin Schuh
Comment 10 2009-12-17 09:03:02 PST
(In reply to comment #9) > Did you mean “*with* an invalid”? Yes I did. I'll fix that before resubmitting. > I think this kind of test can be done entirely in SVG. I don't know, but probably. This is my first crack at submitting a patch. So, I copied format and style from the text-font-invalid.html test, which looked similar to this case.
Justin Schuh
Comment 11 2009-12-17 12:53:52 PST
Created attachment 45104 [details] Patch with layout tests I fixed the typo and condensed SVG and HTML into a single file. There's still an expected output file, because that appears to be how other crash tests were done.
WebKit Review Bot
Comment 12 2009-12-17 12:56:51 PST
style-queue ran check-webkit-style on attachment 45104 [details] without any errors.
WebKit Commit Bot
Comment 13 2009-12-17 22:12:43 PST
Comment on attachment 45104 [details] Patch with layout tests Clearing flags on attachment: 45104 Committed r52300: <http://trac.webkit.org/changeset/52300>
WebKit Commit Bot
Comment 14 2009-12-17 22:12:48 PST
All reviewed patches have been landed. Closing bug.
mitz
Comment 15 2009-12-18 08:28:41 PST
*** Bug 32712 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.