Bug 40857

Summary:

Altering the CSS class of an attached SVG element causes WebKit to crash

Product:

WebKit

Reporter:

Fady Samuel <fsamuel>

Component:

DOM

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, commit-queue

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Crash bug	none
Possible fix	none
Updated Patch	none
Updated Patch -- fixed junk in changelog	none
Updated Patch -- The previous one was the wrong file	darin: review-
Updated Patch with suggested change	none

Fady Samuel

Reported 2010-06-18 14:00:02 PDT

The attached html file causes WebKit-based browsers to crash (Safari/Chrome). It will crash after you click ok in the javascript alert box. I looked a bit into this: The javascript line: ellipse.className.baseVal = "cls1"; results in a call to StyledElement::classNames which then requests the classNames from the attribute map. At the time, the attribute map does not exist. An assert fails because it has not yet been created. It seems a simple fix is to create it if it hasn't been created. Looking at other code, it appears that the attribute map is created lazily when needed. According to Darin Adler, it’s not legal to call StyledElement::classNames without first checking hasClass. And if hasClass is true, then there will already be an attribute map. Calling mappedAttributes() or attributeMap() instead of calling attributes(false) is done for speed. I am currently investigating this further.

Attachments
Crash bug (1011 bytes, text/html) 2010-06-21 07:46 PDT, Fady Samuel	no flags	Details
Possible fix (7.82 KB, patch) 2010-06-23 12:37 PDT, Fady Samuel	no flags	Details Formatted Diff Diff
Updated Patch (5.54 KB, patch) 2010-07-05 08:31 PDT, Fady Samuel	no flags	Details Formatted Diff Diff
Updated Patch -- fixed junk in changelog (5.54 KB, patch) 2010-07-05 08:35 PDT, Fady Samuel	no flags	Details Formatted Diff Diff
Updated Patch -- The previous one was the wrong file (4.04 KB, patch) 2010-07-05 08:36 PDT, Fady Samuel	darin: review-	Details Formatted Diff Diff
Updated Patch with suggested change (4.01 KB, patch) 2010-07-05 10:20 PDT, Fady Samuel	no flags	Details Formatted Diff Diff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.

Fady Samuel

Comment 1 2010-06-21 07:46:04 PDT

Created attachment 59249 [details] Crash bug

Fady Samuel

Comment 2 2010-06-23 11:28:32 PDT

I spent about a day trying to figure out what the underlying cause of the problem is. It seems like Darin Adler's statement that hasClass being true means the attribute map will already be there is false. If that's the expected behavior then a simple fix is to make sure the attribute map is created when set the hasClass flag is set to true. I will post a patch shortly. Please let me know if you do not feel this fixes the underlying problem.

Fady Samuel

Comment 3 2010-06-23 12:37:36 PDT

Created attachment 59551 [details] Possible fix

Alexey Proskuryakov

Comment 4 2010-06-23 16:59:06 PDT

Thanks for tackling this! I'm not trying to do a full review, but I do have a few comments: +2010-06-23 <> Please add your name and e-mail address. +++ b/LayoutTests/platform/chromium-linux/svg/css/svg-ellipse-render-crash-expected.txt Since this is a test for a crasher, it needn't be a pixel one. You can turn it into a text test by adding a script: if (window.layoutTestController) layoutTestController.dumpAsText(); + if (!namedAttrMap) { + attributes(false); } Coding style errors: there should be no braces around single line code blocks, and code should be indented by 4 spaces.

Fady Samuel

Comment 5 2010-07-05 08:31:25 PDT

Created attachment 60540 [details] Updated Patch

Fady Samuel

Comment 6 2010-07-05 08:35:27 PDT

Created attachment 60541 [details] Updated Patch -- fixed junk in changelog

Fady Samuel

Comment 7 2010-07-05 08:36:55 PDT

Created attachment 60542 [details] Updated Patch -- The previous one was the wrong file

Darin Adler

Comment 8 2010-07-05 09:38:44 PDT

Comment on attachment 60542 [details] Updated Patch -- The previous one was the wrong file You did not put this patch up for review, which is done by setting the review flag to "?", but I assume you want it reviewed. > + if (!namedAttrMap) > + attributes(false); > + if (hasClass) > + mappedAttributes()->setClass(newClassString); > + else > + mappedAttributes()->clearClass(); The attributes function is not meant to be called just for its side effect. If you have determined it needs to be called, then you should use its result and call setClass and clearClass on that. There is no need to use the mappedAttributes function. Also, there is no need to change the clearClass code path. In that path, checking namedAttrMap for 0 seems the right way to go. It's only in the setClass path that we'd want to call attributes to force the map to be created. Something like this: if (hasClass) attributes()->setClass(newClassString); else { if (namedAttrMap) namedAttrMap->clearClass(); } That would work well, I think.

Fady Samuel

Comment 9 2010-07-05 10:20:38 PDT

Created attachment 60553 [details] Updated Patch with suggested change

WebKit Commit Bot

Comment 10 2010-07-05 19:03:40 PDT

Comment on attachment 60553 [details] Updated Patch with suggested change Clearing flags on attachment: 60553 Committed r62514: <http://trac.webkit.org/changeset/62514>

WebKit Commit Bot

Comment 11 2010-07-05 19:03:45 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.