Bug 74858

Summary: chrome.dll!WebCore::SVGTRefElement::updateReferencedText ReadAV@NULL (e85cb8e140071fa7790cad215b0109dc)
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: SVGAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: eric, fmalita, rwlbuis, webkit.review.bot, zimmermann
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Attachments:
Description Flags
Patch
none
Reduced test.
none
Patch none

Berend-Jan Wever
Reported 2011-12-19 05:48:46 PST
Chromium: http://code.google.com/p/chromium/issues/detail?id=108057 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <text id="text"></text> <tref xlink:href="#text"/> <script> document.documentElement.replaceChild( document.createElement('anything'), // inserted element document.getElementById('text')); // removed element </script> </svg> stack: chrome.dll!WebCore::SVGTRefElement::updateReferencedText chrome.dll!WebCore::SubtreeModificationEventListener::handleEvent chrome.dll!WebCore::EventTarget::fireEventListeners chrome.dll!WebCore::EventTarget::fireEventListeners chrome.dll!WebCore::Node::handleLocalEvents chrome.dll!WebCore::EventDispatcher::dispatchEvent chrome.dll!WebCore::EventDispatchMediator::dispatchEvent chrome.dll!WebCore::EventDispatcher::dispatchEvent chrome.dll!WebCore::ScopedEventQueue::dispatchEvent chrome.dll!WebCore::ScopedEventQueue::enqueueEventDispatchMediator chrome.dll!WebCore::EventDispatcher::dispatchScopedEvent chrome.dll!WebCore::Node::dispatchScopedEvent chrome.dll!WebCore::Node::dispatchSubtreeModifiedEvent chrome.dll!WebCore::ContainerNode::replaceChild chrome.dll!WebCore::Node::replaceChild chrome.dll!WebCore::V8Node::replaceChildCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...
Attachments
Patch (10.13 KB, patch)
2012-01-09 15:02 PST, Florin Malita 		no flags
DetailsFormatted DiffDiff
Reduced test. (326 bytes, image/svg+xml)
2012-01-11 07:46 PST, Florin Malita 		no flags
Details
Patch (10.13 KB, patch)
2012-02-15 13:36 PST, Florin Malita 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Florin Malita
Comment 1 2012-01-09 14:59:08 PST
The DOMSubtreeModifiedEvent listener is still active on the target's parent after the target is removed. We need to catch the target removal event and deactivate any associated listeners. I have a first-pass at this following up. Additionally: * on target removal, mark the tref as resource-pending again, to reattach if the same id is added at a later time (I believe this is desirable) * move the DOMSubtreeModifiedEvent to the target element itself to keep things simple (I think we're only interested in catching updates to the target element, and the event appears to be dispatched to it too - hope I'm not missing something here)
Florin Malita
Comment 2 2012-01-09 15:02:43 PST
Created attachment 121727 [details] Patch
Florin Malita
Comment 3 2012-01-11 07:46:29 PST
Created attachment 122019 [details] Reduced test.
Florin Malita
Comment 4 2012-02-15 13:36:43 PST
Created attachment 127225 [details] Patch Updated after the recent shadow tree changes.
Nikolas Zimmermann
Comment 5 2012-02-15 15:19:08 PST
Comment on attachment 127225 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=127225&action=review Looks just great! r=me. > Source/WebCore/svg/SVGTRefElement.cpp:185 > + Node* container = shadowRootList()->oldestShadowRoot()->firstChild(); oldestShadowRoot, and shadowRootList are guaranteed non-null? If yes, there's nothing hold back a cq+.
Florin Malita
Comment 6 2012-02-16 07:30:11 PST
(In reply to comment #5) > > Source/WebCore/svg/SVGTRefElement.cpp:185 > > + Node* container = shadowRootList()->oldestShadowRoot()->firstChild(); > > oldestShadowRoot, and shadowRootList are guaranteed non-null? Yes, SVGTRefElement::create() calls createShadowSubtree() which initializes the shadow root plumbing. > If yes, there's nothing hold back a cq+. Thanks!
Nikolas Zimmermann
Comment 7 2012-02-17 07:36:26 PST
Comment on attachment 127225 [details] Patch r=me.
WebKit Review Bot
Comment 8 2012-02-17 08:50:30 PST
Comment on attachment 127225 [details] Patch Clearing flags on attachment: 127225 Committed r108082: <http://trac.webkit.org/changeset/108082>
WebKit Review Bot
Comment 9 2012-02-17 08:50:36 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.