Bug 69284 - Null dereference in SVGDocumentExtensions::removePendingResource when updating <use>'s href
Summary: Null dereference in SVGDocumentExtensions::removePendingResource when updatin...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2011-10-03 13:04 PDT by Tim Horton
Modified: 2012-01-21 02:00 PST (History)
5 users (show)

See Also:

Attachments
reduced repro (225 bytes, image/svg+xml)
2011-10-03 13:04 PDT, Tim Horton 		no flags Details
backtrace (8.14 KB, text/plain)
2011-10-03 13:06 PDT, Tim Horton 		no flags Details
Patch (11.71 KB, patch)
2012-01-20 14:03 PST, Florin Malita 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Horton 2011-10-03 13:04:11 PDT 
Created attachment 109513 [details]
reduced repro

<rdar://problem/10213035>

Most likely candidate for regression is http://trac.webkit.org/changeset/85413 but I'm not 100% on that.

Hits the assert in StringImpl::existingHash if in debug mode.
Comment 1 Tim Horton 2011-10-03 13:06:32 PDT 
Created attachment 109514 [details]
backtrace

Err, actually I'm not seeing that assert get hit. Attaching backtrace.
Comment 2 Florin Malita 2011-11-17 12:10:02 PST 
Here's what appears to be going on:

* because the href target doesn't have a valid fragment (no '#'), SVGUseElement::buildPendingResource() doesn't set m_resourceId (nor does it mark the element as having pending resources)
* the filter attribute OTOH does have a valid (missing) target, and it marks the element as having a pending resources on attach
* then SVGUseElement::svgAttributeChanged() only checks whether there are pending resources (appears to assume that the only pending resource can be its href target), and proceeds to attempting to remove the uninitialized m_resourceId from the pending resources list

This simple guard takes care of the crash:

--- a/Source/WebCore/svg/SVGUseElement.cpp
+++ b/Source/WebCore/svg/SVGUseElement.cpp
@@ -198,7 +198,7 @@ void SVGUseElement::svgAttributeChanged(const QualifiedName& attrName)
         return;
 
     if (SVGURIReference::isKnownAttribute(attrName)) {
-        if (hasPendingResources()) {
+        if (hasPendingResources() && !m_resourceId.isEmpty()) {
             OwnPtr<SVGDocumentExtensions::SVGPendingElements> clients(document()->accessSVGExtensions()->re
             ASSERT(!clients->isEmpty());


But there seems to be a more fundamental problem: unless I'm missing something, SVGUseElement assumes that it has only one possible pending resource (xlink:href) - which is not the case. 

Can someone more familiar with the area weigh in? Also, do you think it's worth submitting the immediate fix (plus a todo note maybe) at this point?
Comment 3 Florin Malita 2012-01-20 14:03:44 PST 
Created attachment 123373 [details]
Patch
Comment 4 Nikolas Zimmermann 2012-01-21 00:44:24 PST 
Comment on attachment 123373 [details]
Patch

Hairy patch, but looks good. r=me!
Comment 5 WebKit Review Bot 2012-01-21 02:00:51 PST 
Comment on attachment 123373 [details]
Patch

Clearing flags on attachment: 123373

Committed r105573: <http://trac.webkit.org/changeset/105573>
Comment 6 WebKit Review Bot 2012-01-21 02:00:55 PST 
All reviewed patches have been landed.  Closing bug.