[Webkit-unassigned] [Bug 107292] New: Assertion failure during the expansion of an invalid subresource

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 18 09:04:15 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=107292

           Summary: Assertion failure during the expansion of an invalid
                    subresource
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
                CC: zimmermann at kde.org, zherczeg at webkit.org,
                    pdr at google.com, fmalita at chromium.org


During SVG fuzzing I've got an assertion failure in SVGUseElement::expandUseElementsInShadowTree().
If we were referring to a <use> element what were referring to a subresource of an external file and that part is invalid then we run into an assertion failure during the expansion of the shadowtree.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4afc89c in WebCore::SVGUseElement::expandUseElementsInShadowTree (this=0x98fac0, element=0x98ab70)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:732
732            ASSERT(!use->cachedDocumentIsStillLoading());
(gdb) bt
#0  0x00007ffff4afc89c in WebCore::SVGUseElement::expandUseElementsInShadowTree (this=0x98fac0, element=0x98ab70)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:732
#1  0x00007ffff4afcd91 in WebCore::SVGUseElement::expandUseElementsInShadowTree (this=0x98fac0, element=0x99b050)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:776
#2  0x00007ffff4afb9d0 in WebCore::SVGUseElement::buildShadowAndInstanceTree (this=0x98fac0, target=0x98c4e0)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:500
#3  0x00007ffff4afb5ac in WebCore::SVGUseElement::buildPendingResource (this=0x98fac0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:440
#4  0x00007ffff4afddb0 in WebCore::SVGUseElement::finishParsingChildren (this=0x98fac0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGUseElement.cpp:986
#5  0x00007ffff485579b in WebCore::XMLDocumentParser::endElementNs (this=0x72aaf0)
    at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:849
#6  0x00007ffff4856747 in endElementNsHandler (closure=0x72b2f0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:1098
...

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list