WebKit Bugzilla
RESOLVED FIXED
100491
Crash on loading SVG filter resource on HTML element
https://bugs.webkit.org/show_bug.cgi?id=100491
Dirk Schulze
Reported
2012-10-26 03:33:27 PDT
Created attachment 170873 [details]
SVG Filter example

Did not investigate further. Just noticed that Chromium and nightly are constantly crashing. This is the backlog:

ASSERTION FAILED: filter->renderer()->isSVGResourceContainer()
/Users/dschulze/Downloads/git-webkit/Source/WebCore/rendering/RenderLayerFilterInfo.cpp(144) : void WebCore::RenderLayerFilterInfo::updateReferenceFilterClients(const WebCore::FilterOperations &)
1 0x107553da6 WebCore::RenderLayerFilterInfo::updateReferenceFilterClients(WebCore::FilterOperations const&)
2 0x10752be7e WebCore::RenderLayer::updateOrRemoveFilterEffect()
3 0x10752dc39 WebCore::RenderLayer::styleChanged(WebCore::StyleDifference, WebCore::RenderStyle const*)
4 0x1074a5360 WebCore::RenderBoxModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*)
5 0x107484036 WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*)
6 0x10740cf23 WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*)
7 0x1075945e1 WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
8 0x107593cea WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
9 0x10734d768 WebCore::NodeRendererFactory::createRenderer()
10 0x10734da2e WebCore::NodeRendererFactory::createRendererIfNeeded()
11 0x107335c45 WebCore::Node::createRendererIfNeeded()
12 0x106827d60 WebCore::Element::attach()
13 0x106a1e5ac WebCore::executeTask(WebCore::HTMLConstructionSiteTask&)
14 0x106a1e436 WebCore::HTMLConstructionSite::executeQueuedTasks()
15 0x106af8a59 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken*)
16 0x106af884a WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
17 0x106a3c75a WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
18 0x106a3c1f0 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
19 0x106a3d0bf WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&)
20 0x1065e4a54 WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter*)
21 0x10669385c WebCore::DocumentWriter::end()
22 0x106671abf WebCore::DocumentLoader::finishedLoading()
23 0x107295d9d WebCore::MainResourceLoader::didFinishLoading(double)
24 0x1076d5005 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double)
25 0x1076d1c1a -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:]
26 0x7fff83b08f58 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0
27 0x7fff83b08e9c -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]
28 0x7fff83b08d98 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:]
29 0x7fff8482cf01 ___delegate_didFinishLoading_block_invoke_0
30 0x7fff8481f3ca ___withDelegateAsync_block_invoke_0
31 0x7fff848af56a __block_global_1
Attachments
SVG Filter example (353 bytes, text/html), 2012-10-26 03:33 PDT, Dirk Schulze, no flags
Reduced repro (194 bytes, text/html), 2012-10-26 06:47 PDT, Florin Malita, no flags
Patch (3.63 KB, patch), 2012-10-26 07:09 PDT, Florin Malita, no flags
Florin Malita
Comment 1
2012-10-26 06:47:49 PDT
Created attachment 170913 [details]
Reduced repro
Florin Malita
Comment 2
2012-10-26 06:51:42 PDT
Asserting seems the wrong thing to do there: users can reference arbitrary elements (see the second attachment) and we should just ignore non-filters.
Dirk Schulze
Comment 3
2012-10-26 06:52:54 PDT
Sure, but chromium crashes for me. So it is not just the assertion but a real bug.
Florin Malita
Comment 4
2012-10-26 07:09:14 PDT
Created attachment 170917 [details]
Patch
Florin Malita
Comment 5
2012-10-26 07:11:08 PDT
(In reply to comment #3)
> Sure, but chromium crashes for me. So it is not just the assertion but a real bug.
Right, it crashes one line below when trying to treat some arbitrary element as a RenderSVGResourceContainer.
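
The failure mode described in comments 2 and 5, as an added example that is not part of the original thread and is not the WebKit patch: a simplified C++ model of a type check that exists only as a debug assertion ahead of a downcast, beside a version that checks at run time and ignores non-filter targets. All type and function names here are hypothetical stand-ins.

```cpp
// Added example: simplified model of the pattern in this bug.
// All type and function names are hypothetical stand-ins, not WebKit code.
#include <cassert>
#include <cstdio>
#include <vector>

struct Renderer {
    virtual ~Renderer() = default;
    virtual bool isResourceContainer() const { return false; }
};

struct ResourceContainer : Renderer {
    bool isResourceContainer() const override { return true; }
    void addClient(const void* client) { clients.push_back(client); }
    std::vector<const void*> clients;
};

// What a filter reference resolved to. Page content picks the target,
// so it can be any element, with or without a renderer.
struct Element {
    Renderer* renderer = nullptr;
};

// "Before" shape: the type check is only a debug assertion. Under NDEBUG the
// assert compiles away and the downcast runs on whatever was referenced.
bool registerClientUnchecked(Element* target, const void* client) {
    if (!target || !target->renderer) return false;
    assert(target->renderer->isResourceContainer());
    static_cast<ResourceContainer*>(target->renderer)->addClient(client);
    return true;
}

// Hardened shape: the check runs in every build; non-filter targets are ignored.
bool registerClientChecked(Element* target, const void* client) {
    if (!target || !target->renderer) return false;
    if (!target->renderer->isResourceContainer()) return false;
    static_cast<ResourceContainer*>(target->renderer)->addClient(client);
    return true;
}

int main() {
    ResourceContainer filter;
    Renderer plainBox; // renderer of an ordinary HTML element
    Element svgFilter, div;
    svgFilter.renderer = &filter;
    div.renderer = &plainBox;
    int client = 0;
    std::printf("filter target accepted: %d\n", registerClientChecked(&svgFilter, &client));
    std::printf("non-filter target accepted: %d\n", registerClientChecked(&div, &client));
}
```

The unchecked variant is only exercised with a valid filter target here; calling it with a non-filter target in a release build is undefined behaviour.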
Dirk Schulze
Comment 6
2012-10-26 08:27:08 PDT
Comment on attachment 170917 [details]
Patch

Now I see my mistake, forgot the <svg> element ;) LGTM. r=me.
Florin Malita
Comment 7
2012-10-26 08:31:02 PDT
Thanks Dirk.
(In reply to comment #6)
> (From update of attachment 170917 [details])
> Now I see my mistake, forgot the <svg> element ;)
Good thing you did - you found this bug :)
WebKit Review Bot
Comment 8
2012-10-26 08:57:22 PDT
Comment on attachment 170917 [details]
Patch

Clearing flags on attachment: 170917

Committed r132665: <http://trac.webkit.org/changeset/132665>
WebKit Review Bot
Comment 9
2012-10-26 08:57:26 PDT
All reviewed patches have been landed. Closing bug.