[Webkit-unassigned] [Bug 147290] New: Crash happens when calling removeEventListener for an SVG element which has an instance inside a <defs> element of shadow tree

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 24 21:45:56 PDT 2015 

https://bugs.webkit.org/show_bug.cgi?id=147290

            Bug ID: 147290
           Summary: Crash happens when calling removeEventListener for an
                    SVG element which has an instance inside a <defs>
                    element of shadow tree
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: zimmermann at kde.org

Created attachment 257510
  --> https://bugs.webkit.org/attachment.cgi?id=257510&action=review
test case (will crash)

1. Open the attached test case.

Result: WebKit crashes with the following call stack.

0   com.apple.JavaScriptCore          0x0000000113384a17 WTFCrash + 39
1   com.apple.WebCore                 0x0000000116ab1e7a WebCore::SVGElement::removeEventListener(WTF::AtomicString const&, WebCore::EventListener*, bool) + 554 (SVGElement.cpp:620)
2   com.apple.WebCore                 0x0000000115d5c316 WebCore::jsNodePrototypeFunctionRemoveEventListener(JSC::ExecState*) + 678 (JSNode.cpp:872)
3   ???                               0x00004539c5601028 0 + 76114426859560
4   com.apple.JavaScriptCore          0x000000011311304e llint_entry + 25874
5   com.apple.JavaScriptCore          0x000000011310c8f9 vmEntryToJavaScript + 361
6   com.apple.JavaScriptCore          0x0000000112f6936c JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 252
7   com.apple.JavaScriptCore          0x0000000112f4d7d8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1464
8   com.apple.JavaScriptCore          0x000000011299c84e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190
9   com.apple.JavaScriptCore          0x000000011299c8b3 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 83

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150725/9ee631c0/attachment-0001.html>

More information about the webkit-unassigned mailing list