37826 2010-04-19 15:07:43 -0700 [Qt] Crash in qsvghandler 2010-11-19 07:10:48 -0800 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) PC OS X 10.5 RESOLVED WORKSFORME Qt, QtTriaged P2 Normal --- 1 kenneth webkit-unassigned benjamin hausmann oldest_to_newest 214276 0 kenneth 2010-04-19 15:07:43 -0700 ASSERT: "!m_nodes.isEmpty()" in file /home/kenneth/repo/Qt/qt/src/svg/qsvghandler.cpp, line 3644 Aborted How to reproduce: run-launcher --qt http://touch.sproutcore.com/hedwig -> show web inspector -> elements -> click on /static/sproutcore/en/jsconf/javascript-packed.js Enable resource tracking -> kaboommm 214416 1 hausmann 2010-04-19 18:34:12 -0700 Hm? This qsvghandler.cpp is from Qt. This doesn't look like a WebKit bug... 214450 2 kenneth 2010-04-19 19:29:15 -0700 (In reply to comment #1) > Hm? This qsvghandler.cpp is from Qt. This doesn't look like a WebKit bug... True, but it is a QtWebKit crasher, and this is a way to reproduce it. And on the other hand why is Qt WebKit using qsvg? Maybe that is a bug? 214650 3 hausmann 2010-04-20 07:22:25 -0700 (In reply to comment #2) > (In reply to comment #1) > > Hm? This qsvghandler.cpp is from Qt. This doesn't look like a WebKit bug... > > True, but it is a QtWebKit crasher, and this is a way to reproduce it. And on > the other hand why is Qt WebKit using qsvg? Maybe that is a bug? Can you post a backtrace? 214676 4 kenneth 2010-04-20 08:23:07 -0700 #0 0x00007ffff388b4b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x00007ffff388ef50 in *__GI_abort () at abort.c:92 #2 0x00007ffff48b888d in qt_message_output (msgType=QtFatalMsg, buf=0xd29c98 "ASSERT: \"!m_nodes.isEmpty()\" in file /home/kenneth/repo/Qt/qt/src/svg/qsvghandler.cpp, line 3644") at /home/kenneth/repo/Qt/qt/src/corelib/global/qglobal.cpp:2253 #3 0x00007ffff48b8a8f in qt_message (msgType=QtFatalMsg, msg=0x7ffff4a870c8 "ASSERT: \"%s\" in file %s, line %d", ap=0x7fffffffc740) at /home/kenneth/repo/Qt/qt/src/corelib/global/qglobal.cpp:2299 #4 0x00007ffff48b92fc in qFatal (msg=0x7ffff4a870c8 "ASSERT: \"%s\" in file %s, line %d") at /home/kenneth/repo/Qt/qt/src/corelib/global/qglobal.cpp:2482 #5 0x00007ffff48b841f in qt_assert (assertion=0x7fffe05c5724 "!m_nodes.isEmpty()", file=0x7fffe05c56d0 "/home/kenneth/repo/Qt/qt/src/svg/qsvghandler.cpp", line=3644) at /home/kenneth/repo/Qt/qt/src/corelib/global/qglobal.cpp:2016 #6 0x00007fffe0596e07 in QSvgHandler::startElement (this=0x7fffffffcb60, localName=..., attributes=...) at /home/kenneth/repo/Qt/qt/src/svg/qsvghandler.cpp:3644 #7 0x00007fffe05961dc in QSvgHandler::parse (this=0x7fffffffcb60) at /home/kenneth/repo/Qt/qt/src/svg/qsvghandler.cpp:3528 #8 0x00007fffe059608b in QSvgHandler::init (this=0x7fffffffcb60) at /home/kenneth/repo/Qt/qt/src/svg/qsvghandler.cpp:3508 #9 0x00007fffe0595ab2 in QSvgHandler (this=0x7fffffffcb60, data=...) at /home/kenneth/repo/Qt/qt/src/svg/qsvghandler.cpp:3491 #10 0x00007fffe05b3810 in QSvgTinyDocument::load (contents=...) at /home/kenneth/repo/Qt/qt/src/svg/qsvgtinydocument.cpp:208 #11 0x00007fffe05b7bd8 in loadDocument<QByteArray> (q=0xbfb408, d=0x20861d0, in=...) at /home/kenneth/repo/Qt/qt/src/svg/qsvgrenderer.cpp:317 #12 0x00007fffe05b71e3 in QSvgRenderer::load (this=0xbfb408, contents=...) at /home/kenneth/repo/Qt/qt/src/svg/qsvgrenderer.cpp:353 #13 0x00007fffdb3019f7 in QSvgIOHandlerPrivate::load (this=0xbfb400, device=0xc150e0) at /home/kenneth/repo/Qt/qt/src/plugins/imageformats/svg/qsvgiohandler.cpp:88 #14 0x00007fffdb302700 in QSvgIOHandler::option (this=0xd4fdb0, option=QImageIOHandler::Size) at /home/kenneth/repo/Qt/qt/src/plugins/imageformats/svg/qsvgiohandler.cpp:194 #15 0x00007ffff5108abd in QImageReader::size (this=0x11560c0) at /home/kenneth/repo/Qt/qt/src/gui/image/qimagereader.cpp:855 #16 0x00007ffff7360b40 in WebCore::ImageDecoderQt::internalDecodeSize() () from /home/kenneth/repo/Qt/WebKitBuild/Release/bin/../lib/libQtWebKit.so.4 #17 0x00007ffff7360c29 in WebCore::ImageDecoderQt::isSizeAvailable() () from /home/kenneth/repo/Qt/WebKitBuild/Release/bin/../lib/libQtWebKit.so.4 #18 0x00007ffff720b4d1 in WebCore::BitmapImage::isSizeAvailable() () from /home/kenneth/repo/Qt/WebKitBuild/Release/bin/../lib/libQtWebKit.so.4 #19 0x00007ffff715301b in WebCore::CachedImage::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) () from /home/kenneth/repo/Qt/WebKitBuild/Release/bin/../lib/libQtWebKit.so.4 #20 0x00007ffff718d8fd in WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) () from /home/kenneth/repo/Qt/WebKitBuild/Release/bin/../lib/libQtWebKit.so.4 #21 0x00007ffff71a0e3a in WebCore::SubresourceLoader::didFinishLoading() () from /home/kenneth/repo/Qt/WebKitBuild/Release/bin/../lib/libQtWebKit.so.4 #22 0x00007ffff736ae3b in WebCore::QNetworkReplyHandler::finish() () from /home/kenneth/repo/Qt/WebKitBuild/Release/bin/../lib/libQtWebKit.so.4 #23 0x00007ffff736b3e4 in WebCore::QNetworkReplyHandler::qt_metacall(QMetaObject::Call, int, void**) () from /home/kenneth/repo/Qt/WebKitBuild/Release/bin/../lib/libQtWebKit.so.4 #24 0x00007ffff4a0093d in QMetaObject::metacall (object=0x1f4ee80, cl=QMetaObject::InvokeMetaMethod, idx=5, argv=0x7fffffffd1a0) at /home/kenneth/repo/Qt/qt/src/corelib/kernel/qmetaobject.cpp:237 #25 0x00007ffff4a17d64 in QMetaObject::activate (sender=0x1ff9db0, m=0x7ffff6424920, local_signal_index=1, argv=0x0) at /home/kenneth/repo/Qt/qt/src/corelib/kernel/qobject.cpp:3295 #26 0x00007ffff61a2cb1 in QNetworkReply::finished (this=0x1ff9db0) at .moc/debug-shared/moc_qnetworkreply.cpp:152 #27 0x00007ffff612ba8d in QNetworkReplyImplPrivate::finished (this=0x10edd60) at /home/kenneth/repo/Qt/qt/src/network/access/qnetworkreplyimpl.cpp:627 #28 0x00007ffff610cb5a in QNetworkAccessBackend::finished (this=0xdd2d50) at /home/kenneth/repo/Qt/qt/src/network/access/qnetworkaccessbackend.cpp:309 #29 0x00007ffff611699c in QNetworkAccessHttpBackend::finished (this=0xdd2d50) at /home/kenneth/repo/Qt/qt/src/network/access/qnetworkaccesshttpbackend.cpp:338 #30 0x00007ffff61198e0 in QNetworkAccessHttpBackend::replyFinished (this=0xdd2d50) at /home/kenneth/repo/Qt/qt/src/network/access/qnetworkaccesshttpbackend.cpp:767 #31 0x00007ffff61193f0 in QNetworkAccessHttpBackend::downstreamReadyWrite (this=0xdd2d50) at /home/kenneth/repo/Qt/qt/src/network/access/qnetworkaccesshttpbackend.cpp:703 #32 0x00007ffff612a695 in QNetworkReplyImplPrivate::handleNotifications (this=0x10edd60) at /home/kenneth/repo/Qt/qt/src/network/access/qnetworkreplyimpl.cpp:363 #33 0x00007ffff612c8cc in QNetworkReplyImpl::event (this=0x1ff9db0, e=0xc60040) at /home/kenneth/repo/Qt/qt/src/network/access/qnetworkreplyimpl.cpp:828 214774 5 hausmann 2010-04-20 11:05:30 -0700 Thanks, so it's the image handlers that grab the SVG before WebKit can. I guess the WebKit portion of this bug that remains is to not allow SVG to be handled as image but always pass it back to WebCore. Otherwise this is a pure Qt bug. 217068 6 hausmann 2010-04-26 06:54:15 -0700 Removing this from the blocker list until it's clearer what we really need to fix inside of WebKit for the release. Kenneth, please update. 220307 7 benjamin 2010-05-03 14:55:07 -0700 *** Bug 38490 has been marked as a duplicate of this bug. *** 220308 8 benjamin 2010-05-03 14:58:27 -0700 Raising the priority, this bug just crashed piratebay twice for me, probably due to an ad :) I agree with Simon, it would be better to handle SVG with WebCore. We should probably also fix the bug in QtSVG. 220866 9 benjamin 2010-05-04 16:33:14 -0700 The SVG handler is used here to load something that is not a SVG image. The test for what can be read is quite simple: bool QSvgIOHandler::canRead(QIODevice *device) { QByteArray buf = device->peek(8); return buf.startsWith("\x1f\x8b") || buf.contains("<?xml") || buf.contains("<svg"); } Maybe we should skip those image plugin for security reason?: https://bugs.webkit.org/show_bug.cgi?id=38554 311439 10 benjamin 2010-11-19 07:10:48 -0800 This has been fixed in the svg image plugin.