WebKit Bugzilla
Bug 13963 - Reproducible crash playing SVG space invaders in JS code
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=13963
Reported by Eric Seidel (no email), 2007-06-01 02:06:24 PDT

http://www.croczilla.com/svg/samples/invaders/invaders.svg

I'm not certain if this is on TOT or just the feature branch. If it's on TOT too it needs to be bumped to a P1.

#0 0x04897fff in ??
#1 0x01627559 in WebCore::JSSVGPODTypeWrapperCreator<WebCore::SVGLength, WebCore::SVGAnimatedTemplate<WebCore::SVGLength> >::commitChange at JSSVGPODTypeWrapper.h:75
#2 0x01364445 in WebCore::JSSVGLength::putValueProperty at JSSVGLength.cpp:218
#3 0x0163dbde in KJS::lookupPut<WebCore::JSSVGLength> at lookup.h:252
#4 0x0163dc20 in KJS::lookupPut<WebCore::JSSVGLength, KJS::DOMObject> at lookup.h:268
#5 0x01364937 in WebCore::JSSVGLength::put at JSSVGLength.cpp:208
#6 0x0054aafa in KJS::AssignDotNode::evaluate at nodes.cpp:1498
#7 0x00544587 in KJS::ExprStatementNode::execute at nodes.cpp:1723
#8 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522
#9 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699
#10 0x0054448f in KJS::IfNode::execute at nodes.cpp:1742
#11 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522
#12 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699
#13 0x00549017 in KJS::ForInNode::execute at nodes.cpp:1999
#14 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522
#15 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699
#16 0x005358fd in KJS::DeclaredFunctionImp::execute at function.cpp:317
#17 0x005384c7 in KJS::FunctionImp::callAsFunction at function.cpp:104
#18 0x0053d7ca in KJS::JSObject::call at object.cpp:98
#19 0x00538a3f in KJS::PropertySlot::functionGetter at property_slot.cpp:37
#20 0x00571b29 in KJS::PropertySlot::getValue at property_slot.h:47
#21 0x00540227 in KJS::ResolveNode::evaluate at nodes.cpp:398
#22 0x00544587 in KJS::ExprStatementNode::execute at nodes.cpp:1723
#23 0x005425bc in KJS::SourceElementsNode::execute at nodes.cpp:2528
#24 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699
#25 0x0054326b in KJS::WithNode::execute at nodes.cpp:2090
#26 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522
#27 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699
#28 0x005358fd in KJS::DeclaredFunctionImp::execute at function.cpp:317
#29 0x005384c7 in KJS::FunctionImp::callAsFunction at function.cpp:104
#30 0x0053d7ca in KJS::JSObject::call at object.cpp:98
#31 0x005474b5 in KJS::FunctionCallResolveNode::evaluate at nodes.cpp:694
#32 0x00544587 in KJS::ExprStatementNode::execute at nodes.cpp:1723
#33 0x005425bc in KJS::SourceElementsNode::execute at nodes.cpp:2528
#34 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699
#35 0x0054448f in KJS::IfNode::execute at nodes.cpp:1742
#36 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522
#37 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699
#38 0x0054448f in KJS::IfNode::execute at nodes.cpp:1742
#39 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522
#40 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699
#41 0x0054326b in KJS::WithNode::execute at nodes.cpp:2090
#42 0x005424b1 in KJS::SourceElementsNode::execute at nodes.cpp:2522
#43 0x00540e02 in KJS::BlockNode::execute at nodes.cpp:1699
#44 0x005358fd in KJS::DeclaredFunctionImp::execute at function.cpp:317
#45 0x005384c7 in KJS::FunctionImp::callAsFunction at function.cpp:104
#46 0x0053d7ca in KJS::JSObject::call at object.cpp:98
#47 0x0127ec57 in KJS::ScheduledAction::execute at kjs_window.cpp:1916
#48 0x01281cd9 in KJS::Window::timerFired at kjs_window.cpp:2039
#49 0x01281ea5 in KJS::DOMWindowTimer::fired at kjs_window.cpp:2639
#50 0x012173c2 in WebCore::TimerBase::fireTimers at Timer.cpp:336
#51 0x0121745f in WebCore::TimerBase::sharedTimerFired at Timer.cpp:353
#52 0x01216b16 in timerFired at SharedTimerMac.cpp:46
#53 0x9082c7e2 in CFRunLoopRunSpecific
#54 0x9082bace in CFRunLoopRunInMode
#55 0x92ddc8d8 in RunCurrentEventLoopInMode
#56 0x92ddbf19 in ReceiveNextEventCommon
#57 0x92ddbe39 in BlockUntilNextEventMatchingListInMode
#58 0x93282465 in _DPSNextEvent
#59 0x93282056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
#60 0x00006f96 in ??
#61 0x9327bddb in -[NSApplication run]
#62 0x9326fd2f in NSApplicationMain
#63 0x0005f7de in ??
#64 0x0005f6f9 in ??
Attachments

Initial patch (16.38 KB, patch), 2007-06-14 12:07 PDT, Nikolas Zimmermann, no flags
Final patch (18.96 KB, patch), 2007-06-14 15:24 PDT, Nikolas Zimmermann, eric: review+
Comment 1, Eric Seidel (no email), 2007-06-01 02:07:33 PDT

This is the line which crashes, btw:

virtual void commitChange(KJS::ExecState* exec)
{
    (m_creator->*m_setter)((PODType&)(*this)); // <-- CRASH HERE
    ASSERT(exec && exec->dynamicInterpreter());
Comment 2, Oliver Hunt, 2007-06-01 02:11:27 PDT

Can make it crash by mashing keys :(
Comment 3, Oliver Hunt, 2007-06-01 02:15:15 PDT

Looks like badness

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xc5d7bd67
0x017bdd23 in WebCore::JSSVGPODTypeWrapperCreator<WebCore::SVGLength, WebCore::SVGAnimatedTemplate<WebCore::SVGLength> >::commitChange (this=0x181e6e30, exec=0xbfffdc5c) at JSSVGPODTypeWrapper.h:75
75          (m_creator->*m_setter)((PODType&)(*this));
(gdb) p m_creator
$1 = (SVGAnimatedLength *) 0x17583ad0
Current language:  auto; currently c++
(gdb) p *m_creator
$2 = {
  <WebCore::Shared<WebCore::SVGAnimatedTemplate<WebCore::SVGLength> >> = {
    <WTFNoncopyable::Noncopyable> = {<No data fields>},
    members of WebCore::Shared<WebCore::SVGAnimatedTemplate<WebCore::SVGLength> >:
    m_refCount = -975824033,
    m_inDestructor = true
  },
  members of WebCore::SVGAnimatedTemplate<WebCore::SVGLength>:
  _vptr$SVGAnimatedTemplate = 0xc5d7bd5b
}
(gdb)
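The gdb dump above is the classic signature of a call through a pointer to an object that has already been destroyed: m_inDestructor is true, m_refCount is garbage and the vtable pointer is junk. The following is an added, self-contained C++ sketch of that lifetime bug and the usual way of closing it; it is not WebKit code and not the patch attached to this bug. The class names (Shared, AnimatedLength, RawWrapper, OwningWrapper, the minimal RefPtr) and the live-object registry are constructed for illustration. The registry exists only so the buggy shape can report "creator already gone" instead of dereferencing freed memory, which would be undefined behaviour.

```cpp
#include <set>

// Debug-only registry of live objects, so the example can detect a stale
// pointer rather than dereference it. Address reuse can fool it; it is a
// teaching aid, not a production mitigation. (Constructed for this example.)
static std::set<const void*>& liveObjects()
{
    static std::set<const void*> s;
    return s;
}

// Minimal intrusive refcount, shaped like the Shared<> base in the gdb dump.
class Shared {
public:
    Shared() : m_refCount(0) { liveObjects().insert(this); }
    virtual ~Shared() { liveObjects().erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount <= 0) delete this; }
    int refCount() const { return m_refCount; }
private:
    int m_refCount;
};

// Stand-in for SVGAnimatedLength: the object the wrapper writes back into.
class AnimatedLength : public Shared {
public:
    void setBaseVal(float v) { m_baseVal = v; }
    float baseVal() const { return m_baseVal; }
private:
    float m_baseVal = 0;
};

// Minimal owning smart pointer: ref() on construction, deref() on destruction.
template <typename T>
class RefPtr {
public:
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr&) = delete;
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
private:
    T* m_ptr;
};

typedef void (AnimatedLength::*Setter)(float);

// Buggy shape: raw pointer, no ownership. commitChange() consults the registry
// and returns false where real code would call through the dangling pointer.
class RawWrapper {
public:
    RawWrapper(AnimatedLength* creator, Setter setter, float v)
        : m_creator(creator), m_setter(setter), m_value(v) {}
    bool commitChange()
    {
        if (!liveObjects().count(static_cast<const Shared*>(m_creator)))
            return false; // creator already destroyed: this is the crash path
        (m_creator->*m_setter)(m_value);
        return true;
    }
private:
    AnimatedLength* m_creator;
    Setter m_setter;
    float m_value;
};

// Fixed shape: the wrapper owns a reference, so the creator cannot be
// destroyed while the wrapper still needs it.
class OwningWrapper {
public:
    OwningWrapper(AnimatedLength* creator, Setter setter, float v)
        : m_creator(creator), m_setter(setter), m_value(v) {}
    bool commitChange()
    {
        (m_creator.get()->*m_setter)(m_value);
        return true;
    }
    AnimatedLength* creator() const { return m_creator.get(); }
private:
    RefPtr<AnimatedLength> m_creator;
    Setter m_setter;
    float m_value;
};

// Scenario: script holds a wrapper, the DOM side drops its last reference
// (element goes away), then the script writes through the wrapper.
bool rawWrapperCommitSucceeds()
{
    AnimatedLength* len = new AnimatedLength;
    len->ref();                                   // the "DOM" owns it
    RawWrapper w(len, &AnimatedLength::setBaseVal, 42.0f);
    len->deref();                                 // DOM drops it: destroyed now
    return w.commitChange();                      // false: would have been a use-after-free
}

float owningWrapperCommittedValue()
{
    AnimatedLength* len = new AnimatedLength;
    len->ref();
    OwningWrapper w(len, &AnimatedLength::setBaseVal, 42.0f);
    len->deref();                                 // wrapper still holds a ref: alive
    w.commitChange();
    return w.creator()->baseVal();                // 42
}
```

The same shape is what makes the backtrace in the report plausible: a JS property write (JSSVGLength::put) commits through a wrapper whose creator can be torn down by unrelated DOM activity in between, and nothing in the wrapper pins the creator's lifetime. Running a debug build under a memory checker (ASan, or the older guard-malloc tools) turns the garbage-refcount dump into a precise report of where the object was freed.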
Comment 4, Rob Buis, 2007-06-11 17:28:37 PDT

Niko says this is caused by his code. ;)
Comment 5, Nikolas Zimmermann, 2007-06-14 12:07:42 PDT

Created attachment 15026 [details]: Initial patch

Not asking for review yet - as it doesn't contain a ChangeLog yet, and still has problems. Just for Eric to have a look.
Comment 6, Nikolas Zimmermann, 2007-06-14 15:24:31 PDT

Created attachment 15034 [details]: Final patch

Finally a working patch :-) Thanks Eric for the final hints to get it going. Long live peer reviewing!
Comment 7, Eric Seidel (no email), 2007-06-14 17:05:12 PDT

Comment on attachment 15034 [details]: Final patch

looks good. r=me
Comment 8, Eric Seidel (no email), 2007-06-14 17:14:16 PDT

This needs to go on TOT as well. It's a P1 reproducible crasher.
Comment 9, Nikolas Zimmermann, 2007-06-14 17:37:43 PDT

Landed in r23543.