RESOLVED FIXED 48829
chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem ReadAV@NULL (578c0f7f21ca517ba29a4eafb7099c1b)
https://bugs.webkit.org/show_bug.cgi?id=48829
Berend-Jan Wever
Reported 2010-11-02 04:56:52 PDT
Repro:
<html><head><script>
function go() {
  var oSvgTextElement = document.createElementNS("http://www.w3.org/2000/svg", "text");
  var oSvgRectElement = document.createElementNS("http://www.w3.org/2000/svg","rect");
  oSvgTextElement.y.animVal.g;
  oSvgTextElement.y.baseVal.initialize(oSvgRectElement.x.baseVal);
  oSvgTextElement.y.animVal.getItem(0);
}
</script></head><body onload="go();"></body></html>

id: chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem ReadAV@NULL (578c0f7f21ca517ba29a4eafb7099c1b)
description: Attempt to read from unallocated NULL pointer in chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem
application: Chromium 9.0.571.0
stack:
chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem
chrome.dll!WebCore::SVGLengthListInternal::getItemCallback
chrome.dll!v8::internal::HandleApiCallHelper<...>
chrome.dll!v8::internal::Builtin_HandleApiCall
chrome.dll!v8::internal::Invoke
chrome.dll!v8::internal::Execution::Call
chrome.dll!v8::Function::Call
chrome.dll!WebCore::V8Proxy::callFunction
chrome.dll!WebCore::V8LazyEventListener::callListenerFunction
chrome.dll!WebCore::V8AbstractEventListener::invokeEventHandler
chrome.dll!WebCore::V8AbstractEventListener::handleEvent
chrome.dll!WebCore::EventTarget::fireEventListeners
chrome.dll!WebCore::EventTarget::fireEventListeners
chrome.dll!WebCore::DOMWindow::dispatchEvent
chrome.dll!WebCore::DOMWindow::dispatchLoadEvent
chrome.dll!WebCore::Document::implicitClose
chrome.dll!WebCore::FrameLoader::checkCompleted
chrome.dll!WebCore::FrameLoader::finishedParsing
chrome.dll!WebCore::Document::finishedParsing
chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing
chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource
chrome.dll!WebCore::FrameLoader::finishedLoading
chrome.dll!WebCore::MainResourceLoader::didFinishLoading
chrome.dll!WebCore::ResourceLoader::didFinishLoading
chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading
chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
chrome.dll!ResourceDispatcher::OnRequestComplete
chrome.dll!IPC::MessageWithTuple<...>::Dispatch<ResourceDispatcher,void
chrome.dll!ResourceDispatcher::DispatchMessageW
chrome.dll!ResourceDispatcher::OnMessageReceived
chrome.dll!ChildThread::OnMessageReceived
chrome.dll!RunnableMethod<...>,void
chrome.dll!MessageLoop::RunTask
chrome.dll!MessageLoop::DoWork
chrome.dll!base::MessagePumpDefault::Run
chrome.dll!MessageLoop::RunInternal
chrome.dll!MessageLoop::Run
chrome.dll!RendererMain
chrome.dll!ChromeMain
chrome.exe!MainDllLoader::Launch
...
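The report describes a null read inside a list "tear-off" (the JS-facing wrapper object for an SVG list) after the underlying baseVal list was re-initialized. The following added example is a constructed C++ model of that wrapper pattern; it is not WebKit's SVGListPropertyTearOff, not the r71236 patch, and the names LengthList, ListTearOff, AnimatedLengthList, replayRepro and replayReproAfterDetach are hypothetical. It shows the two defensive properties such a wrapper needs: the owner must re-point or detach every outstanding wrapper when it replaces the list, and getItem must fail closed (an error to the caller) rather than dereference a null list pointer.

```cpp
#include <cstddef>
#include <memory>
#include <optional>
#include <vector>

// Constructed model, not WebKit code: a JS-facing "tear-off" wrapper exposes
// a list it does not own. The repro creates the animVal wrapper, then has
// baseVal.initialize() replace the list contents, then calls getItem() on the
// wrapper. A wrapper left pointing at nothing must refuse the read.
struct LengthList {
    std::vector<double> values;
};

class ListTearOff {
public:
    explicit ListTearOff(LengthList* list) : m_list(list) {}

    void attach(LengthList* list) { m_list = list; }  // owner re-points the wrapper
    void detach() { m_list = nullptr; }               // owner invalidates the wrapper
    bool isDetached() const { return m_list == nullptr; }

    // Hardened getItem: a detached wrapper or an out-of-range index yields
    // nullopt (a DOM binding would raise an exception) instead of reading
    // through a null list pointer.
    std::optional<double> getItem(std::size_t index) const {
        if (!m_list)
            return std::nullopt;
        if (index >= m_list->values.size())
            return std::nullopt;
        return m_list->values[index];
    }

private:
    LengthList* m_list;  // non-owning; may become null
};

// Owner of the baseVal list. It tracks every wrapper it handed out so that a
// list replacement re-points or detaches them instead of leaving them stale.
class AnimatedLengthList {
public:
    AnimatedLengthList() : m_baseVal(std::make_unique<LengthList>()) {}

    // Hypothetical accessor standing in for element.y.animVal.
    std::shared_ptr<ListTearOff> animVal() {
        auto wrapper = std::make_shared<ListTearOff>(m_baseVal.get());
        m_wrappers.push_back(wrapper);
        return wrapper;
    }

    // Stands in for element.y.baseVal.initialize(item): the list is replaced
    // by a fresh one holding only `item`, and live wrappers are re-synced.
    void initialize(double item) {
        m_baseVal = std::make_unique<LengthList>();
        m_baseVal->values.push_back(item);
        forEachLiveWrapper([this](ListTearOff& w) { w.attach(m_baseVal.get()); });
    }

    // Stands in for the owner going away (e.g. the element being destroyed).
    void detachAllWrappers() {
        forEachLiveWrapper([](ListTearOff& w) { w.detach(); });
    }

private:
    template <typename F>
    void forEachLiveWrapper(F f) {
        for (auto it = m_wrappers.begin(); it != m_wrappers.end();) {
            if (auto w = it->lock()) { f(*w); ++it; }
            else it = m_wrappers.erase(it);  // drop wrappers the JS side already collected
        }
    }

    std::unique_ptr<LengthList> m_baseVal;
    std::vector<std::weak_ptr<ListTearOff>> m_wrappers;
};

// Replays the repro's sequence against the model. Returns the value read by
// getItem(0); with a re-synced wrapper this is the item passed to initialize().
std::optional<double> replayRepro(double rectX) {
    AnimatedLengthList textY;           // oSvgTextElement.y
    auto animVal = textY.animVal();     // oSvgTextElement.y.animVal.g creates the wrapper
    textY.initialize(rectX);            // oSvgTextElement.y.baseVal.initialize(oSvgRectElement.x.baseVal)
    return animVal->getItem(0);         // oSvgTextElement.y.animVal.getItem(0)
}

// Same sequence, but the owner tears its wrappers down before the read: the
// hardened getItem reports a detached wrapper instead of dereferencing null.
std::optional<double> replayReproAfterDetach(double rectX) {
    AnimatedLengthList textY;
    auto animVal = textY.animVal();
    textY.initialize(rectX);
    textY.detachAllWrappers();
    return animVal->getItem(0);
}
```

The design point is that the wrapper's lifetime is controlled by the script engine while the list's lifetime is controlled by the element, so the only safe contract is that whoever replaces the list also updates every wrapper, and that the wrapper never trusts its pointer without checking it.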
Attachments
Patch (21.88 KB, patch)
2010-11-03 06:58 PDT, Nikolas Zimmermann
krit: review+
Nikolas Zimmermann
Comment 1 2010-11-02 14:16:36 PDT
Thanks for fuzzing this code, I'll investigate tomorrow.
Nikolas Zimmermann
Comment 2 2010-11-03 06:58:22 PDT
Dirk Schulze
Comment 3 2010-11-03 07:11:21 PDT
Comment on attachment 72818: Patch
LGTM. r=me
Nikolas Zimmermann
Comment 4 2010-11-03 07:13:19 PDT
Landed in r71236. Integrated SkyLined testcase.