8026 – A particular animated SVG crashes in filter code

Bug 8026 - A particular animated SVG crashes in filter code

Summary: A particular animated SVG crashes in filter code

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	420+
Hardware:	Mac OS X 10.4

Importance:	P1 Normal
Assignee:	Darin Adler

URL:	http://www.bjoernsworld.de/temp/event...
Keywords:

Depends on:
Blocks:

Reported:	2006-03-28 02:13 PST by Maciej Stachowiak
Modified:	2006-03-29 15:44 PST (History)
CC List:	2 users (show)

See Also:

Attachments
testcase for brokeness (678 bytes, image/svg+xml) 2006-03-28 03:09 PST, Oliver Hunt	no flags	Details
patch with detailed change log and a layout test (10.67 KB, patch) 2006-03-29 08:31 PST, Darin Adler	eric: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Maciej Stachowiak 2006-03-28 02:13:42 PST

The following SVG will likely be linked from a future w3c specification document:

http://www.bjoernsworld.de/temp/eventflow2.svg

It would be nice if WebKit didn't crash on it.

It dies from an uncaught ObjC exception apparently:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0   com.apple.WebCore        	0x017a93da ReportBlockedObjCException(NSException*) + 76 (BlockExceptions.mm:35)
1   com.apple.WebCore        	0x017ce3cc WebCore::KCanvasFEMergeQuartz::getCIFilter(WebCore::KCanvasFilterQuartz*) const + 202 (KCanvasFilterQuartz.mm:642)
2   com.apple.WebCore        	0x017ccb1a WebCore::KCanvasFilterQuartz::getCIFilterStack(CIImage*) + 170 (KCanvasFilterQuartz.mm:145)
3   com.apple.WebCore        	0x017ccc63 WebCore::KCanvasFilterQuartz::applyFilter(WebCore::FloatRect const&) + 211 (KCanvasFilterQuartz.mm:115)
4   com.apple.WebCore        	0x017d077f WebCore::KCanvasContainerQuartz::paint(WebCore::RenderObject::PaintInfo&, int, int) + 2957 (KCanvasResourcesQuartz.mm:157)
5   com.apple.WebCore        	0x018edd5a WebCore::RenderBox::paint(WebCore::RenderObject::PaintInfo&, int, int) + 92 (RenderBox.cpp:266)
6   com.apple.WebCore        	0x017d0713 WebCore::KCanvasContainerQuartz::paint(WebCore::RenderObject::PaintInfo&, int, int) + 2849 (KCanvasResourcesQuartz.mm:154)
7   com.apple.WebCore        	0x018edd5a WebCore::RenderBox::paint(WebCore::RenderObject::PaintInfo&, int, int) + 92 (RenderBox.cpp:266)
8   com.apple.WebCore        	0x017d0713 WebCore::KCanvasContainerQuartz::paint(WebCore::RenderObject::PaintInfo&, int, int) + 2849 (KCanvasResourcesQuartz.mm:154)
9   com.apple.WebCore        	0x018f529e WebCore::RenderCanvas::paint(WebCore::RenderObject::PaintInfo&, int, int) + 220 (RenderCanvas.cpp:161)
10  com.apple.WebCore        	0x019146f4 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, bool, bool, WebCore::RenderObject*) + 1284 (RenderLayer.cpp:1145)
11  com.apple.WebCore        	0x01914891 WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, bool, WebCore::RenderObject*) + 67 (RenderLayer.cpp:1052)
12  com.apple.WebCore        	0x0183ecee WebCore::Frame::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) + 484 (Frame.cpp:2727)
13  com.apple.WebCore        	0x01872f19 -[WebCoreFrameBridge drawRect:] + 183 (WebCoreFrameBridge.mm:924)
14  com.apple.WebKit         	0x0035c279 -[WebHTMLView drawRect:] + 879 (WebHTMLView.m:2497)
15  com.apple.AppKit         	0x933f1957 -[NSView _drawRect:clip:] + 3228
16  com.apple.AppKit         	0x933efe39 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1273
17  com.apple.WebKit         	0x00353cbb -[WebHTMLView(WebPrivate) _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 351 (WebHTMLView.m:747)
18  com.apple.AppKit         	0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
19  com.apple.AppKit         	0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
20  com.apple.AppKit         	0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
21  com.apple.AppKit         	0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
22  com.apple.AppKit         	0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
23  com.apple.AppKit         	0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
24  com.apple.AppKit         	0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
25  com.apple.AppKit         	0x933ef120 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 290
26  com.apple.AppKit         	0x933ee90c -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 523
27  com.apple.AppKit         	0x933ee23c -[NSView displayIfNeeded] + 439
28  com.apple.AppKit         	0x933edfde -[NSWindow displayIfNeeded] + 168
29  com.apple.Safari         	0x0001bd9c 0x1000 + 109980
30  com.apple.AppKit         	0x9343e28c _handleWindowNeedsDisplay + 206
31  com.apple.CoreFoundation 	0x90823419 __CFRunLoopDoObservers + 342
32  com.apple.CoreFoundation 	0x908224bb CFRunLoopRunSpecific + 827
33  com.apple.CoreFoundation 	0x90822179 CFRunLoopRunInMode + 61
34  com.apple.HIToolbox      	0x92ed28e0 RunCurrentEventLoopInMode + 285
35  com.apple.HIToolbox      	0x92ed1fe7 ReceiveNextEventCommon + 385
36  com.apple.HIToolbox      	0x92ed1e3e BlockUntilNextEventMatchingListInMode + 81
37  com.apple.AppKit         	0x93372ad1 _DPSNextEvent + 576
38  com.apple.AppKit         	0x933726be -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
39  com.apple.Safari         	0x00006a3a 0x1000 + 23098
40  com.apple.AppKit         	0x9336c443 -[NSApplication run] + 512
41  com.apple.AppKit         	0x93360397 NSApplicationMain + 573
42  com.apple.Safari         	0x0005ef22 0x1000 + 384802
43  com.apple.Safari         	0x0005ee3d 0x1000 + 384573

Comment 1 Maciej Stachowiak 2006-03-28 02:14:18 PST

Even though it's "just SVG", this is likely to be a high profile example of crashiness if we don't fix, so bumping to P1.

Comment 2 Oliver Hunt 2006-03-28 03:09:00 PST

Created attachment 7354 [details]
testcase for brokeness

Comment 3 Oliver Hunt 2006-03-28 03:14:04 PST

My brief look into this makes me think that feMerge is not assigning the default image for a node in feMerge.

This results in an image source name, name, of type DeprecatedString, DeprecatedName::getNSString() seems to produce something borken when the string is length 0 (gdb can't look at it certainly).

Leading from this [m_imagesByName valueForKey:name.getNSString()] fails with an index out of bounds exception.

Comment 4 Oliver Hunt 2006-03-28 03:15:12 PST

Maciej didn't appear to actually bump to P1, i am attempting to do so

Comment 5 Maciej Stachowiak 2006-03-28 14:54:46 PST

I bet the problem is that DeprecatedString is a null string instead of an empty string.

Comment 6 Darin Adler 2006-03-29 08:05:34 PST

(In reply to comment #5)
> I bet the problem is that DeprecatedString is a null string instead of an empty
> string.

Turns out it's an empty string. But -[NSDictionary valueForKey:] has a bug where it will fail for the empty string. I filed a bug about this.

Fix is to check for the empty string before calling valueForKey:.

Comment 7 Darin Adler 2006-03-29 08:06:53 PST

(In reply to comment #3)
> DeprecatedName::getNSString() seems to produce something borken when the string
> is length 0 (gdb can't look at it certainly).

No, that part is working fine.

> Leading from this [m_imagesByName valueForKey:name.getNSString()] fails with an
> index out of bounds exception.

This is the immediate cause of the crash. It's a bug in NSDictionary's valueForKey:, which should not raise an exception in this case.

Comment 8 Darin Adler 2006-03-29 08:10:53 PST

Using valueForKey: here is a mistake anyway. This should just be calling objectForKey:, which works fine with empty strings.

Comment 9 Darin Adler 2006-03-29 08:31:21 PST

Created attachment 7374 [details]
patch with detailed change log and a layout test