Bug 33841

Summary: Crash on dispatching SVG mouse events
Product: WebKit
Reporter: Vitaly Repeshko <vitalyr>
Component: SVG
Assignee: Nikolas Zimmermann <zimmermann>
Status: RESOLVED FIXED
Severity: Normal
CC: dglazkov, zimmermann
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description | Flags
Reproducible test case | none
Initial patch | oliver: review+

Vitaly Repeshko
Reported 2010-01-19 07:22:23 PST
Created attachment 46907
Reproducible test case

Crash on dispatching SVG mouse events

Steps to reproduce:
1. Open attached svg_crash.svg.
2. Move the mouse over the blinking black rectangle.

See http://crbug.com/32269 (in particular comment 8). This first appeared as a chromium-specific bug, but then it turned out to be reproducible in Safari.
Attachments
Reproducible test case (1.56 KB, image/svg+xml)
2010-01-19 07:22 PST, Vitaly Repeshko
no flags
Initial patch (2.79 KB, patch)
2010-01-20 18:02 PST, Nikolas Zimmermann
oliver: review+
Vitaly Repeshko
Comment 1 2010-01-19 11:06:39 PST
I verified it crashes even after http://trac.webkit.org/changeset/53446
Nikolas Zimmermann
Comment 2 2010-01-19 20:16:54 PST
Thanks, the testcase is evil :-) We need to add:
    if (!m_targetElementInstance)
        return 0;
to SVGUseElement::instanceForShadowTreeElement. Can you try whether that fixes it, my tree is jammed atm :-)
Nikolas Zimmermann
Comment 3 2010-01-20 18:02:46 PST
Created attachment 47087
Initial patch

As discussed on IRC, there is no way to test using DRT at the moment - that particular code in EventHandler leading to crashes is not reachable when moving mouse using DRT. Adding the original testcase as manual-test.
Nikolas Zimmermann
Comment 4 2010-01-20 18:11:10 PST
Landed in r53589.