[Webkit-unassigned] [Bug 67487] New: Case of the missing shadow Tree
bugzilla-daemon at webkit.org
Fri Sep 2 07:27:26 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=67487
Summary: Case of the missing shadow Tree
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: PDF
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org
Created an attachment (id=106130)
--> (https://bugs.webkit.org/attachment.cgi?id=106130&action=review)
Repro
Repro:
    <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:x="x">
      <foreignObject id="foreignObject">
        <x:div id="x"></x:div>
      </foreignObject>
      <use id="use" xlink:href="#foreignObject" />
      <use xlink:href="#use"/>
      <script>
        // Second argument omitted, so the call takes the appendChild path visible in the stack below.
        document.documentElement.insertBefore(document.getElementById("x"));
      </script>
    </svg>
Not sure what happens exactly, but the foreignObject element ends up with a NULL shadow tree element, which triggers ASSERTS and a NULL ptr:
    void SVGElementInstance::invalidateAllInstancesOfElement(SVGElement* element)
    {
        if (!element || !element->inDocument())
            return;
        if (element->isStyled() && static_cast<SVGStyledElement*>(element)->instanceUpdatesBlocked())
            return;
        const HashSet<SVGElementInstance*>& set = element->instancesForElement();
        if (set.isEmpty())
            return;
        // Mark all use elements referencing 'element' for rebuilding
        const HashSet<SVGElementInstance*>::const_iterator end = set.end();
        for (HashSet<SVGElementInstance*>::const_iterator it = set.begin(); it != end; ++it) {
            ASSERT((*it)->shadowTreeElement());
            ASSERT((*it)->shadowTreeElement()->correspondingElement());
            ASSERT((*it)->correspondingElement() == element);
            (*it)->shadowTreeElement()->setCorrespondingElement(0);
            if (SVGUseElement* element = (*it)->correspondingUseElement()) {
                ASSERT(element->inDocument());
                element->invalidateShadowTree();
            }
        }
        // Be sure to rebuild use trees, if needed
        element->document()->updateLayoutIgnorePendingStylesheets();
    }
    id:          chrome.dll!WebCore::SVGElement::ensureRareSVGData ReadAV at NULL (b5516c4ed1ba6200134db33c80c5ed49)
    description: Attempt to read from unallocated NULL pointer+0x27 in chrome.dll!WebCore::SVGElement::ensureRareSVGData
    stack:       chrome.dll!WebCore::SVGElement::ensureRareSVGData
                 chrome.dll!WebCore::SVGElement::setCorrespondingElement
                 chrome.dll!WebCore::SVGElementInstance::invalidateAllInstancesOfElement
                 chrome.dll!WebCore::SVGStyledElement::childrenChanged
                 chrome.dll!WebCore::ContainerNode::removeChild
                 chrome.dll!WebCore::ContainerNode::appendChild
                 chrome.dll!WebCore::ContainerNode::insertBefore
                 chrome.dll!WebCore::Node::insertBefore
                 chrome.dll!WebCore::V8Node::insertBeforeCallback
                 chrome.dll!v8::internal::HandleApiCallHelper<...>
                 chrome.dll!v8::internal::Builtin_HandleApiCall
                 chrome.dll!v8::internal::Invoke
                 chrome.dll!v8::internal::Execution::Call
                 ...
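The loop quoted in the report asserts that every instance has a shadow tree element and then dereferences it, which is where the NULL read happens once the foreignObject instance has lost its clone. The following is an added, constructed model of that loop (not WebKit code and not the eventual fix): the struct names mirror the report, but they are stand-ins, and the hardened loop tolerates a NULL shadow element while still marking the owning use element for rebuild.

```cpp
#include <vector>
struct SVGUseElement {
    bool shadowTreeInvalidated = false;
    void invalidateShadowTree() { shadowTreeInvalidated = true; }
};
struct SVGElement {
    SVGElement* correspondingElement = nullptr;
    void setCorrespondingElement(SVGElement* e) { correspondingElement = e; }
};
// One <use> instance of an element; the shadow-tree clone may be absent (the repro state).
struct SVGElementInstance {
    SVGElement* shadowTreeElement;
    SVGElement* correspondingElement;
    SVGUseElement* correspondingUseElement;
};
struct InvalidationResult {
    int useElementsInvalidated = 0;
    int instancesWithoutShadowTree = 0;
};
// Hardened loop: skips setCorrespondingElement(0) when the shadow element is NULL
// instead of dereferencing it, but still asks the owning <use> element to rebuild.
InvalidationResult invalidateAllInstancesOfElement(
    SVGElement* element, const std::vector<SVGElementInstance*>& instances)
{
    InvalidationResult result;
    if (!element) return result;
    for (SVGElementInstance* instance : instances) {
        if (instance->correspondingElement != element)
            continue;
        if (SVGElement* shadow = instance->shadowTreeElement)
            shadow->setCorrespondingElement(nullptr);
        else
            ++result.instancesWithoutShadowTree;
        if (SVGUseElement* use = instance->correspondingUseElement) {
            use->invalidateShadowTree();
            ++result.useElementsInvalidated;
        }
    }
    return result;
}
// Constructed scenario: two instances of one element, the second missing its shadow tree element.
InvalidationResult missingShadowTreeScenario()
{
    SVGElement target, shadow;
    SVGUseElement use1, use2;
    shadow.setCorrespondingElement(&target);
    SVGElementInstance good = { &shadow, &target, &use1 };
    SVGElementInstance broken = { nullptr, &target, &use2 };
    return invalidateAllInstancesOfElement(&target, { &good, &broken });
}
```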