Bug 67487 - Case of the missing shadow Tree
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Stephen Chenney
Reported: 2011-09-02 07:27 PDT by Berend-Jan Wever
Modified: 2012-05-21 13:44 PDT (History)
Attachments
Repro (379 bytes, image/svg+xml)
2011-09-02 07:27 PDT, Berend-Jan Wever

Description Berend-Jan Wever 2011-09-02 07:27:26 PDT
Created attachment 106130
Repro

Repro:
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:x="x">
  <foreignObject id="foreignObject">
    <x:div id="x"></x:div>
  </foreignObject>
  <use id="use" xlink:href="#foreignObject" />
  <use xlink:href="#use"/>
  <script>
    document.documentElement.insertBefore(document.getElementById("x"));
  </script>
</svg>

Not sure what happens exactly, but the foreignObject element ends up with a NULL shadow tree element, which triggers ASSERTS and a NULL ptr:

void SVGElementInstance::invalidateAllInstancesOfElement(SVGElement* element)
{
    if (!element || !element->inDocument())
        return;

    if (element->isStyled() && static_cast<SVGStyledElement*>(element)->instanceUpdatesBlocked())
        return;

    const HashSet<SVGElementInstance*>& set = element->instancesForElement();
    if (set.isEmpty())
        return;

    // Mark all use elements referencing 'element' for rebuilding
    const HashSet<SVGElementInstance*>::const_iterator end = set.end();
    for (HashSet<SVGElementInstance*>::const_iterator it = set.begin(); it != end; ++it) {
        ASSERT((*it)->shadowTreeElement());
        ASSERT((*it)->shadowTreeElement()->correspondingElement());
        ASSERT((*it)->correspondingElement() == element);
        (*it)->shadowTreeElement()->setCorrespondingElement(0);
        if (SVGUseElement* element = (*it)->correspondingUseElement()) {
            ASSERT(element->inDocument());
            element->invalidateShadowTree();
        }
    }

    // Be sure to rebuild use trees, if needed
    element->document()->updateLayoutIgnorePendingStylesheets();
}

id:             chrome.dll!WebCore::SVGElement::ensureRareSVGData ReadAV@NULL (b5516c4ed1ba6200134db33c80c5ed49)
description:    Attempt to read from unallocated NULL pointer+0x27 in chrome.dll!WebCore::SVGElement::ensureRareSVGData
stack:          chrome.dll!WebCore::SVGElement::ensureRareSVGData
                chrome.dll!WebCore::SVGElement::setCorrespondingElement
                chrome.dll!WebCore::SVGElementInstance::invalidateAllInstancesOfElement
                chrome.dll!WebCore::SVGStyledElement::childrenChanged
                chrome.dll!WebCore::ContainerNode::removeChild
                chrome.dll!WebCore::ContainerNode::appendChild
                chrome.dll!WebCore::ContainerNode::insertBefore
                chrome.dll!WebCore::Node::insertBefore
                chrome.dll!WebCore::V8Node::insertBeforeCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                ...
Comment 1 Berend-Jan Wever 2011-09-02 07:29:10 PDT
Chromium: https://code.google.com/p/chromium/issues/detail?id=95201
Comment 2 Stephen Chenney 2012-05-21 13:44:34 PDT
This was fixed at some point and does not crash Chromium ToT. It does crash Chrome 19, but that does not have the fix in it, to my knowledge.

I believe the relevant changes are:

Initial patch: <http://trac.webkit.org/changeset/109299>
And follow up: <http://trac.webkit.org/changeset/109333>

These disallow foreign object inside a <use> element, as the spec demands.
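As an added example (not code from this bug or from WebKit), a small Python check that flags the pattern the repro in the description relies on and the fix in comment 2 rejects: a <use> whose instance would contain a <foreignObject>, either directly or through a chain of <use> references. Such a check is useful as a lint or pre-render sanitizer for untrusted SVG. The repro from this bug is embedded as sample input; the clean document is constructed for comparison.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
USE_TAG = f"{{{SVG_NS}}}use"
FOREIGN_OBJECT_TAG = f"{{{SVG_NS}}}foreignObject"

def _target(el, by_id):
    """Resolve a same-document xlink:href/href ("#id") to its element, else None."""
    ref = el.get(f"{{{XLINK_NS}}}href") or el.get("href")
    if not ref or not ref.startswith("#"):
        return None
    return by_id.get(ref[1:])

def _instantiates_foreign_object(el, by_id, seen):
    """True if cloning `el` into a <use> shadow tree would pull in a <foreignObject>;
    nested <use> references are followed, and `seen` breaks cycles (a -> b -> a)."""
    if id(el) in seen:
        return False
    seen.add(id(el))
    for node in el.iter():                      # el itself and all descendants
        if node.tag == FOREIGN_OBJECT_TAG:
            return True
        if node.tag == USE_TAG:
            target = _target(node, by_id)
            if target is not None and _instantiates_foreign_object(target, by_id, seen):
                return True
    return False

def find_disallowed_use(svg_text):
    """Return (use id, href) for every <use> whose instance would contain a <foreignObject>."""
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id") is not None}
    return [(use.get("id"), use.get(f"{{{XLINK_NS}}}href") or use.get("href"))
            for use in root.iter(USE_TAG)
            if (t := _target(use, by_id)) is not None
            and _instantiates_foreign_object(t, by_id, set())]

# The repro attached to this bug: <use> -> <foreignObject>, plus a second <use> chained through the first.
REPRO_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:x="x">
  <foreignObject id="foreignObject"><x:div id="x"></x:div></foreignObject>
  <use id="use" xlink:href="#foreignObject" />
  <use xlink:href="#use"/>
</svg>"""

# Constructed clean input: the same <use> chaining, but the leaf target is a plain <rect>.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect id="r" width="1" height="1"/>
  <use id="use" xlink:href="#r"/>
  <use xlink:href="#use"/>
</svg>"""
```

Running `find_disallowed_use(REPRO_SVG)` reports both <use> elements of the repro (the second one only indirectly, via `#use`), while the clean document yields an empty list.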