Bug 48829 - chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem ReadAV@NULL (578c0f7f21ca517ba29a4eafb7099c1b)
Summary: chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem ReadAV@NULL (578c0f7...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nikolas Zimmermann
URL: http://code.google.com/p/chromium/iss...
Keywords:
Depends on:
Blocks:
 
Reported: 2010-11-02 04:56 PDT by Berend-Jan Wever
Modified: 2010-11-03 07:13 PDT (History)
3 users (show)

See Also:

Attachments
Patch (21.88 KB, patch)
2010-11-03 06:58 PDT, Nikolas Zimmermann 		krit: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2010-11-02 04:56:52 PDT 
Repro:
<html><head><script>
  function go() {
    var oSvgTextElement = document.createElementNS("http://www.w3.org/2000/svg", "text");
    var oSvgRectElement = document.createElementNS("http://www.w3.org/2000/svg","rect");
    oSvgTextElement.y.animVal.g;
    oSvgTextElement.y.baseVal.initialize(oSvgRectElement.x.baseVal);
    oSvgTextElement.y.animVal.getItem(0);
  }
</script></head><body onload="go();"></body></html>

id:             chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem ReadAV@NULL (578c0f7f21ca517ba29a4eafb7099c1b)
description:    Attempt to read from unallocated NULL pointer in chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem
application:    Chromium 9.0.571.0
stack:          chrome.dll!WebCore::SVGListPropertyTearOff<...>::getItem
                chrome.dll!WebCore::SVGLengthListInternal::getItemCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                chrome.dll!v8::Function::Call
                chrome.dll!WebCore::V8Proxy::callFunction
                chrome.dll!WebCore::V8LazyEventListener::callListenerFunction
                chrome.dll!WebCore::V8AbstractEventListener::invokeEventHandler
                chrome.dll!WebCore::V8AbstractEventListener::handleEvent
                chrome.dll!WebCore::EventTarget::fireEventListeners
                chrome.dll!WebCore::EventTarget::fireEventListeners
                chrome.dll!WebCore::DOMWindow::dispatchEvent
                chrome.dll!WebCore::DOMWindow::dispatchLoadEvent
                chrome.dll!WebCore::Document::implicitClose
                chrome.dll!WebCore::FrameLoader::checkCompleted
                chrome.dll!WebCore::FrameLoader::finishedParsing
                chrome.dll!WebCore::Document::finishedParsing
                chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing
                chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource
                chrome.dll!WebCore::FrameLoader::finishedLoading
                chrome.dll!WebCore::MainResourceLoader::didFinishLoading
                chrome.dll!WebCore::ResourceLoader::didFinishLoading
                chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading
                chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest
                chrome.dll!ResourceDispatcher::OnRequestComplete
                chrome.dll!IPC::MessageWithTuple<...>::Dispatch<ResourceDispatcher,void 
                chrome.dll!ResourceDispatcher::DispatchMessageW
                chrome.dll!ResourceDispatcher::OnMessageReceived
                chrome.dll!ChildThread::OnMessageReceived
                chrome.dll!RunnableMethod<...>,void 
                chrome.dll!MessageLoop::RunTask
                chrome.dll!MessageLoop::DoWork
                chrome.dll!base::MessagePumpDefault::Run
                chrome.dll!MessageLoop::RunInternal
                chrome.dll!MessageLoop::Run
                chrome.dll!RendererMain
                chrome.dll!ChromeMain
                chrome.exe!MainDllLoader::Launch
                ...
Comment 1 Nikolas Zimmermann 2010-11-02 14:16:36 PDT 
Thanks for fuzzing this code, I'll investigate tomorrow.
Comment 2 Nikolas Zimmermann 2010-11-03 06:58:22 PDT 
Created attachment 72818 [details]
Patch
Comment 3 Dirk Schulze 2010-11-03 07:11:21 PDT 
Comment on attachment 72818 [details]
Patch

LGTM. r=me
Comment 4 Nikolas Zimmermann 2010-11-03 07:13:19 PDT 
Landed in r71236. Integrated SkyLined testcase.