Bug 78700

Summary: SVG TRef/Use NULL ptr
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: SVGAssignee: Nikolas Zimmermann <zimmermann>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, cc-bugs, cgarcia, eric, fmalita, gustavo, jamesr, japhet, levin+threading, macpherson, menard, ojan, rakuco, rwlbuis, webkit.review.bot, zimmermann, zoltan
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Attachments:
Description Flags
Patch morrita: review+, morrita: commit-queue-

Berend-Jan Wever
Reported 2012-02-15 05:23:42 PST
http://code.google.com/p/chromium/issues/detail?id=114358 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <g id="g"> <animate id="animate"> </animate> <tref xlink:href="#animate"> </tref> </g> <use xlink:href="#g"> </use> </svg> src\third_party\webkit\source\webcore\svg\svgtrefelement.cpp void SVGTRefElement::buildPendingResource() { <<<snip>>> m_eventListener = SubtreeModificationEventListener::create(this, id); ASSERT(target->parentNode()); target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false); } src\third_party\webkit\source\webcore\dom\node.cpp bool Node::addEventListener(const AtomicString& eventType, PassRefPtr<EventListener> listener, bool useCapture) { <<<snip>>> for (HashSet<SVGElementInstance*>::const_iterator it = instances.begin(); it != end; ++it) { ASSERT((*it)->shadowTreeElement()); ASSERT((*it)->correspondingElement() == this); RefPtr<EventListener> listenerForCurrentShadowTreeElement = listenerForShadowTree; bool result = tryAddEventListener((*it)->shadowTreeElement(), eventType, listenerForCurrentShadowTreeElement.release(), useCapture); <<<snip>>> (*it) points to an SVGUseElement which doesn't have a shadowTreeElement, causing the NULL ptr.
Attachments
Patch (1.73 KB, patch)
2012-03-01 06:11 PST, Nikolas Zimmermann 		morrita: review+
morrita: commit-queue-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Nikolas Zimmermann
Comment 1 2012-02-15 05:31:36 PST
(In reply to comment #0) > <<<snip>>> > m_eventListener = SubtreeModificationEventListener::create(this, id); > ASSERT(target->parentNode()); > target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false); > (*it) points to an SVGUseElement which doesn't have a shadowTreeElement, causing the NULL ptr. Oh dear, apparently <tref> doesn't even check if the target is valid, just attaching its event listener. This is a bad idea. CC'ing Rob, who wrote the current <tref> implementation. Reminds me of a similar <use> bug which is in the process of being fixed: white-list allowed targets, instead of black-listing disallowed ones.
Florin Malita
Comment 2 2012-02-15 13:33:53 PST
FWIW my patch for http://www.﷒0﷓ also fixes this particular crash (as the event listeners are moved onto the target instead of its parent). Sounds like we still need to add target validation though.
Nikolas Zimmermann
Comment 3 2012-02-15 15:22:16 PST
(In reply to comment #2) > FWIW my patch for http://www.﷒0﷓ also fixes this particular crash (as the event listeners are moved onto the target instead of its parent). Sounds like we still need to add target validation though. Just looked at this again, Rob did it just correct according to SVG 1.1 2nd edition: "xlink:href of <tref>: An IRI reference to an element whose character data content shall be used as character data for this ‘tref’ element." There's no white or black-listing desired, any element should work. So probably this is just a dup of your bug.
Nikolas Zimmermann
Comment 4 2012-03-01 06:11:30 PST
Created attachment 129693 [details] Patch
WebKit Review Bot
Comment 5 2012-03-01 06:14:14 PST
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
WebKit Review Bot
Comment 6 2012-03-01 06:15:27 PST
Attachment 129693 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'ChangeLog', u'LayoutTests/ChangeLog', u'La..." exit_code: 1 WARNING: File exempt from style guide. Skipping: "Source/WebKit2/UIProcess/API/gtk/WebKitDefines.h" Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:71: Use 0 instead of NULL. [readability/null] [5] Total errors found: 1 in 176 files If any of these errors are false positives, please file a bug against check-webkit-style.
Nikolas Zimmermann
Comment 7 2012-03-01 06:26:27 PST
(In reply to comment #6) > If any of these errors are false positives, please file a bug against check-webkit-style. Not mine. Bug was already filed.
Hajime Morrita
Comment 8 2012-03-15 01:26:36 PDT
Comment on attachment 129693 [details] Patch Adding test doesn't hurt. Could you update the ChangeLog to put diff to the head?
Nikolas Zimmermann
Comment 9 2012-05-16 00:43:35 PDT
Committed r117229: <http://trac.webkit.org/changeset/117229>
Note You need to log in before you can comment on or make changes to this bug.