Bug 100491 - Crash on loading SVG filter resource on HTML element
Summary: Crash on loading SVG filter resource on HTML element
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Florin Malita
Reported: 2012-10-26 03:33 PDT by Dirk Schulze
Modified: 2012-10-26 08:57 PDT

Attachments
SVG Filter example (353 bytes, text/html), 2012-10-26 03:33 PDT, Dirk Schulze
Reduced repro (194 bytes, text/html), 2012-10-26 06:47 PDT, Florin Malita
Patch (3.63 KB, patch), 2012-10-26 07:09 PDT, Florin Malita

Description Dirk Schulze 2012-10-26 03:33:27 PDT
Created attachment 170873 [details]
SVG Filter example

Did not investigate further. Just noticed that Chromium and nightly are constantly crashing. This is the backlog:

ASSERTION FAILED: filter->renderer()->isSVGResourceContainer()
/Users/dschulze/Downloads/git-webkit/Source/WebCore/rendering/RenderLayerFilterInfo.cpp(144) : void WebCore::RenderLayerFilterInfo::updateReferenceFilterClients(const WebCore::FilterOperations &)
1   0x107553da6 WebCore::RenderLayerFilterInfo::updateReferenceFilterClients(WebCore::FilterOperations const&)
2   0x10752be7e WebCore::RenderLayer::updateOrRemoveFilterEffect()
3   0x10752dc39 WebCore::RenderLayer::styleChanged(WebCore::StyleDifference, WebCore::RenderStyle const*)
4   0x1074a5360 WebCore::RenderBoxModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*)
5   0x107484036 WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*)
6   0x10740cf23 WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*)
7   0x1075945e1 WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
8   0x107593cea WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
9   0x10734d768 WebCore::NodeRendererFactory::createRenderer()
10  0x10734da2e WebCore::NodeRendererFactory::createRendererIfNeeded()
11  0x107335c45 WebCore::Node::createRendererIfNeeded()
12  0x106827d60 WebCore::Element::attach()
13  0x106a1e5ac WebCore::executeTask(WebCore::HTMLConstructionSiteTask&)
14  0x106a1e436 WebCore::HTMLConstructionSite::executeQueuedTasks()
15  0x106af8a59 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken*)
16  0x106af884a WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
17  0x106a3c75a WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
18  0x106a3c1f0 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
19  0x106a3d0bf WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&)
20  0x1065e4a54 WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter*)
21  0x10669385c WebCore::DocumentWriter::end()
22  0x106671abf WebCore::DocumentLoader::finishedLoading()
23  0x107295d9d WebCore::MainResourceLoader::didFinishLoading(double)
24  0x1076d5005 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double)
25  0x1076d1c1a -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:]
26  0x7fff83b08f58 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0
27  0x7fff83b08e9c -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]
28  0x7fff83b08d98 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:]
29  0x7fff8482cf01 ___delegate_didFinishLoading_block_invoke_0
30  0x7fff8481f3ca ___withDelegateAsync_block_invoke_0
31  0x7fff848af56a __block_global_1
Comment 1 Florin Malita 2012-10-26 06:47:49 PDT
Created attachment 170913 [details]
Reduced repro
Comment 2 Florin Malita 2012-10-26 06:51:42 PDT
Asserting seems the wrong thing to do there: users can reference arbitrary elements (see the second attachment) and we should just ignore non-filters.
Comment 3 Dirk Schulze 2012-10-26 06:52:54 PDT
Sure, but chromium crashes for me. So it is not just the assertion but a real bug.
Comment 4 Florin Malita 2012-10-26 07:09:14 PDT
Created attachment 170917 [details]
Patch
Comment 5 Florin Malita 2012-10-26 07:11:08 PDT
(In reply to comment #3)
> Sure, but chromium crashes for me. So it is not just the assertion but a real bug.

Right, it crashes one line below when trying to treat some arbitrary element as a RenderSVGResourceContainer.
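A minimal C++ model of the defect described in comments 2 and 5, added here as an illustration; it is not WebKit's code or the landed patch, and the renderer, element and function names are stand-ins constructed for the example. It contrasts the assert-then-cast shape that crashes on a non-filter reference with a version that simply skips renderers that are not filter resources.

```cpp
#include <memory>
#include <string>
#include <vector>

// Stand-ins for WebCore's renderer types (constructed for this example).
struct RenderObject {
    virtual ~RenderObject() = default;
    virtual bool isSVGResourceContainer() const { return false; }
};

struct RenderSVGResourceContainer : RenderObject {
    bool isSVGResourceContainer() const override { return true; }
    int clientCount = 0;
    void addClient() { ++clientCount; }
};

// An element referenced by a CSS `filter: url(#id)`; any element id can be named.
struct Element {
    std::string id;
    std::unique_ptr<RenderObject> renderer;
};

// Shape of the bug (comment only, never executed): an ASSERT that compiles out
// in release builds, then an unconditional downcast that, for a non-filter
// element, treats an unrelated renderer as a RenderSVGResourceContainer:
//   ASSERT(e.renderer->isSVGResourceContainer());
//   static_cast<RenderSVGResourceContainer*>(e.renderer.get())->addClient();

// Hardened shape: references whose renderer is not a filter resource are
// skipped instead of cast. Returns the number of filter clients registered.
int updateReferenceFilterClients(std::vector<Element>& refs) {
    int attached = 0;
    for (Element& e : refs) {
        if (!e.renderer || !e.renderer->isSVGResourceContainer())
            continue; // arbitrary element (or nothing rendered): ignore it
        static_cast<RenderSVGResourceContainer*>(e.renderer.get())->addClient();
        ++attached;
    }
    return attached;
}

// Constructed sample: one real filter, one plain HTML element, one with no renderer.
int runSample() {
    std::vector<Element> refs;
    refs.push_back({"f1", std::make_unique<RenderSVGResourceContainer>()});
    refs.push_back({"div1", std::make_unique<RenderObject>()});
    refs.push_back({"gone", nullptr});
    return updateReferenceFilterClients(refs); // 1
}
```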
Comment 6 Dirk Schulze 2012-10-26 08:27:08 PDT
Comment on attachment 170917 [details]
Patch

Now I see my mistake, forgot the <svg> element ;)

LGTM. r=me.
Comment 7 Florin Malita 2012-10-26 08:31:02 PDT
Thanks Dirk.

(In reply to comment #6)
> (From update of attachment 170917 [details])
> Now I see my mistake, forgot the <svg> element ;)

Good thing you did - you found this bug :)
Comment 8 WebKit Review Bot 2012-10-26 08:57:22 PDT
Comment on attachment 170917 [details]
Patch

Clearing flags on attachment: 170917

Committed r132665: <http://trac.webkit.org/changeset/132665>
Comment 9 WebKit Review Bot 2012-10-26 08:57:26 PDT
All reviewed patches have been landed.  Closing bug.