[Webkit-unassigned] [Bug 19762] Crash in svg/webarchive/svg-cursor-subresources.svg

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 12 08:09:58 PST 2008


https://bugs.webkit.org/show_bug.cgi?id=19762

------- Comment #13 from zimmermann at kde.org  2008-11-12 08:09 PDT -------
I've made some progress; the new SVG cursor code correctly handles:
- cursor element gets removed -> all affected CSS decls referencing it will be rebuilt
- element referencing cursor gets removed -> all affected CSS decls will be rebuilt

I've run into a really serious issue, and finally found out why these crashes
appeared after 2008-06-25. It's related to changes in the SVGImage code. The
CSSCursorImageValue code loads the external cursor data, and stores it as a
CachedImage. For unknown reasons, an SVGImage object (!) is constructed as well,
parsing the SVG file that contains the <cursor> element! So we end up with two
representations of the same document interfering.

So <svg><cursor id="foo" xlink:href="foo.png"/> </svg> is parsed _twice_.

I only noticed this because I set a breakpoint on SVGCursorElement's
constructor. I've created a simple testcase, where hovering a <rect> causes an
SVG cursor to appear. Clicking on the rect should remove the associated
<cursor> element; it is actually deleted, but is recreated immediately because
updating the CSS decls causes the internal SVGImage (which should NEVER exist)
to be reparsed (which creates a new cursor element with the same id as the old
cursor).

Backtrace:
Breakpoint 2, WebCore::SVGCursorElement::SVGCursorElement (this=0x1bc14ed0,
tagName=@0x46488dc, doc=0x69cac00) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/svg/SVGCursorElement.cpp:40
40          , m_y(this, SVGNames::yAttr, LengthModeHeight)
(gdb) bt
#0  WebCore::SVGCursorElement::SVGCursorElement (this=0x1bc14ed0,
tagName=@0x46488dc, doc=0x69cac00) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/svg/SVGCursorElement.cpp:40
#1  0x0388fef5 in WebCore::cursorConstructor (doc=0x69cac00,
createdByParser=true) at
/Users/nikolaszimmermann/Coding/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/SVGElementFactory.cpp:144
#2  0x03892124 in WebCore::SVGElementFactory::createSVGElement
(qName=@0xbfffdc60, doc=0x69cac00, createdByParser=true) at
/Users/nikolaszimmermann/Coding/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/SVGElementFactory.cpp:437
#3  0x0348b107 in WebCore::Document::createElement (this=0x69cac00,
qName=@0xbfffdc60, createdByParser=true, ec=@0xbfffdc64) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/dom/Document.cpp:746
#4  0x03af5bd6 in WebCore::XMLTokenizer::startElementNs (this=0x1bc10470,
xmlLocalName=0x69cda85 "cursor", xmlPrefix=0x0, xmlURI=0x69cda47
"http://www.w3.org/2000/svg", nb_namespaces=0, libxmlNamespaces=0x0,
nb_attributes=2, nb_defaulted=0, libxmlAttributes=0x1bc15fd0) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/dom/XMLTokenizerLibxml2.cpp:728
#5  0x03af5f86 in WebCore::startElementNsHandler (closure=0x1bc10860,
localname=0x69cda85 "cursor", prefix=0x0, uri=0x69cda47
"http://www.w3.org/2000/svg", nb_namespaces=0, namespaces=0x0, nb_attributes=2,
nb_defaulted=0, libxmlAttributes=0x1bc15fd0) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/dom/XMLTokenizerLibxml2.cpp:980
#6  0x9010219a in xmlIOParseDTD ()
#7  0x900daf08 in xmlParseChunk ()
#8  0x03af3569 in WebCore::XMLTokenizer::doWrite (this=0x1bc10470,
parseString=@0xbfffdf5c) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/dom/XMLTokenizerLibxml2.cpp:629
#9  0x0396b01c in WebCore::XMLTokenizer::write (this=0x1bc10470, s=@0xbfffdfb4)
at /Users/nikolaszimmermann/Coding/WebKit/WebCore/dom/XMLTokenizer.cpp:119
#10 0x03531a69 in WebCore::FrameLoader::write (this=0x69bd824, str=0x68c5600
"<svg xmlns=\"http://www.w3.org/2000/svg\"
xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n  <cursor id=\"mycursor\"
xlink:href=\"resources/green-checker.png\" />\n  <rect style=\"cursor:
url(#mycursor)\" width=\"10"..., len=440, flush=false) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/loader/FrameLoader.cpp:1040
#11 0x038a07a6 in WebCore::SVGImage::dataChanged (this=0x1bc08370,
allDataReceived=true) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/svg/graphics/SVGImage.cpp:212
#12 0x035edd39 in WebCore::Image::setData (this=0x1bc08370, data=@0xbfffe1f0,
allDataReceived=true) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/platform/graphics/Image.cpp:79
#13 0x033758ff in WebCore::CachedImage::data (this=0x1bc0e670,
data=@0xbfffe26c, allDataReceived=true) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/loader/CachedImage.cpp:263
#14 0x039b8409 in WebCore::Loader::Host::didFinishLoading (this=0x6880230,
loader=0x69bf800) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/loader/loader.cpp:300
#15 0x03933283 in WebCore::SubresourceLoader::didFinishLoading (this=0x69bf800)
at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/loader/SubresourceLoader.cpp:194
#16 0x03856a98 in WebCore::ResourceLoader::didFinishLoading (this=0x69bf800) at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/loader/ResourceLoader.cpp:398
#17 0x038545a2 in -[WebCoreResourceHandleAsDelegate
connectionDidFinishLoading:] (self=0x1bc0d790, _cmd=0x91541564, con=0x1bc0d7b0)
at
/Users/nikolaszimmermann/Coding/WebKit/WebCore/platform/network/mac/ResourceHandleMac.mm:565

Very, very weird situation. I bet this was not the case when I initially wrote
the code. I do remember there was no SVGImage involved in it. Needs further
investigation; I just wanted to let others know what's going on.
