
Issue 138552

Starred by 4 users

Issue metadata

Status: Verified
Closed: Jul 2012
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


Setting className.baseVal = "" on any SVG node causes crash

Reported by, Jul 23 2012

Issue description

Chrome Version: 21.0.1180.49
OS Version: OS X 10.7.4

Other browsers tested:

Firefox 14.0.1: OK
Safari Version 6.0 (7536.19): OK
Chrome Version 22.0.1215.0 canary: FAIL

To reproduce the crash, load the following document:

<!DOCTYPE html>
<script>
  document.createElementNS("http://www.w3.org/2000/svg", "svg").className.baseVal = "";
</script>

Note: this occurs on any SVGElement, not just <svg>.

UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.49 Safari/537.1
Additional note: this only occurs when setting a newly-created element's className.baseVal to "".  For example, the following works fine:

<!DOCTYPE html>
<script>
  var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
  svg.className.baseVal = "test";
  svg.className.baseVal = "";
  svg.className.baseVal = "";
</script>
Repro'd on Canary/Snow Leopard.

Online test case:
Labels: -Area-Undefined Area-WebKit Mstone-21 WebKit-SVG

Comment 4 by, Jul 23 2012

Status: Available
Ouch! Looks like a nasty regression.

@schenney, @fmalita: either of you up for a simple regression fix?
Status: Assigned
Labels: WebKit-ID-92024
Fix about to go into WebKit.
Project Member

Comment 7 by, Jul 24 2012

Labels: -WebKit-ID-92024 WebKit-ID-92024-RESOLVED
Status: Fixed
Fixed WebKit r123377: <>.

Do we need to merge this into a release branch?

Comment 9 by, Jul 24 2012

Since the bug regressed in M21, yes it needs to be merged. Is it an issue in M20?
It does not appear to be an issue in Chrome / 20.0.1132.57 m / Win XP.
There was a change in the crashing code by Abhishek some time recently. I suspect that is why it does not repro in m20. Abhishek, can you give some info on what prompted the change that caused the crash, in case we need to take some other action for m20?
Labels: Merge-Requested
I've looked at the changes in this code area and I think the regression was due to the addition of support for SVG animVal bindings, which would have been about the right time frame. Nothing else jumps out at me. Abhishek's change was just a roll-out.

So no need for an m20 merge. m21 requested.
We can always upload a testcase to clusterfuzz to see if it affects stable, beta branches and when exactly it regressed :)

Comment 14 by, Jul 24 2012

Did this go to canary yet? Looks like it just landed, right?
It's not fixed in version 22.0.1216.0 canary, which is my latest. But maybe you Googlers have a more recent version. :)
It went into WebKit late yesterday and today's canary may not include the appropriate WebKit roll. You may need to wait another day for an updated canary.

Comment 17 by, Jul 30 2012

schenney, can you check if this is fixed?
No crash in Version 22.0.1221.0 canary. The file I used was crashing in Version 22.0.1215.3 dev-m, so it's safe to say it really is fixed.

Comment 19 by, Jul 30 2012

Labels: -Merge-Requested Merge-Approved
Labels: Merge-Merged
Committed revision 124076 in branch 1180 for m21.

Tested the same in Win7, Mac 10.7.4 and Linux 10.4 with Chrome 21.0.1180.74. I didn't face any crash. It is working fine.
Status: Verified
As per comment #21, marking as fixed.
Labels: -Merge-Approved
Project Member

Comment 24 by, Mar 10 2013

Labels: -Area-WebKit -Mstone-21 -WebKit-SVG Cr-Content Cr-Content-SVG M-21
Project Member

Comment 25 by, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 26 by, Apr 6 2013

Labels: -Cr-Content-SVG Cr-Blink-SVG
