Issue 26719 Invalid read in WebCore::SVGTransformListInternal::appendItemCallback() in LayoutTests/svg/custom/js-update-transform-addition.svg
Starred by 1 user Project Member Reported by dank@chromium.org, Nov 4, 2009 Back to list
Status: Fixed
Owner: vitalyr@chromium.org
Closed: Nov 2009
Cc: dglazkov@chromium.org
Components:
OS: Linux
Pri: 1
Type: Bug
M-4

Valgrind complains

Invalid read of size 8
   at WebCore::SVGTransformListInternal::appendItemCallback(v8::Arguments
const&) (V8SVGTransformList.cpp:197)
   by v8::internal::Builtin_HandleApiCall(v8::internal::Arguments)
(builtins.cc:383)
 Address 0x0 is not stack'd, malloc'd or (recently) free'd

Found via chromium linux layout valgrind bot,
http://build.chromium.org/buildbot/waterfall/builders/Webkit%20Linux%20(valgrind%20layout)/builds/3137/steps/valgrind%20test:%20layout/logs/stdio

Easiest way to reproduce:
  sh tools/valgrind/regrind.sh

Fastest way to reproduce:
  sh tools/valgrind/valgrind_webkit_tests.sh
LayoutTests/svg/custom/js-update-transform-addition.svg

I would have reported this directly to webkit.org, but it's
nontrivial enough that I'd like to reproduce it locally with
just webkit, and I'm not set up to build from webkit.org yet.

Labels: -Mstone-4 Mstone-X
Status: Assigned
Vitaly, can you look at this?
Comment 2 by huanr@chromium.org, Nov 11, 2009
Labels: Valgrind-non-leak
Comment 3 by huanr@chromium.org, Nov 11, 2009
Labels: -Mstone-X Mstone-4
Comment 4 by vitalyr@chromium.org, Nov 11, 2009
Status: Started
Running this under valgrind I see that it tries to call a virtual function on NULL 
context in generated appendItemCallback (V8SVGTransformList.cpp):

    SVGElement* context = V8Proxy::svgContext(imp);  // (*)
    V8Proxy::setSVGContext(wrapper.get(), context);
    context->svgAttributeChanged(imp->associatedAttributeName());  // crash

If I insert fprintf(stderr, "context: %p\n", context) after line (*) then I see 
different results depending on whether I run this under valgrind or not. Simply 
running it gives what looks like a valid pointer and the virtual call succeeds, but 
running it under valgrind outputs NULL and the call fails.
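The three generated lines quoted above, modelled next to a null-guarded variant, as an added example that is not WebKit's code and not the fix in the linked changesets; SVGElement, SVGTransformList and the context registry are simplified stand-ins whose names and behaviour are assumed here:

```cpp
#include <string>
#include <unordered_map>

// Stand-in for the element whose attribute the list backs (assumed shape).
struct SVGElement {
    int attributeChangedCount = 0;
    virtual ~SVGElement() = default;
    virtual void svgAttributeChanged(const std::string&) { ++attributeChangedCount; }
};

struct SVGTransformList {
    std::string associatedAttributeName() const { return "transform"; }
};

// Stand-in for V8Proxy::svgContext / V8Proxy::setSVGContext: a registry from a
// wrapped native object to its SVG element. A list that was never registered
// yields a null context, the state Valgrind observed on the reporter's test.
static std::unordered_map<const void*, SVGElement*> g_svgContexts;

SVGElement* svgContext(const void* imp) {
    auto it = g_svgContexts.find(imp);
    return it == g_svgContexts.end() ? nullptr : it->second;
}

void setSVGContext(const void* wrapper, SVGElement* context) {
    g_svgContexts[wrapper] = context;
}

// Shape of the original generated callback: the context is propagated to the
// new item's wrapper, then the element is notified without a null check.
// A virtual call through a null pointer is undefined behaviour; it is the
// "Invalid read ... Address 0x0" in the Valgrind report.
void appendItemCallbackUnchecked(SVGTransformList* imp, const void* newItemWrapper) {
    SVGElement* context = svgContext(imp);
    setSVGContext(newItemWrapper, context);
    context->svgAttributeChanged(imp->associatedAttributeName());  // crashes when null
}

// Guarded variant: propagate the context as before, but only notify when there
// is an element to notify. Returns whether a notification was sent.
bool appendItemCallbackChecked(SVGTransformList* imp, const void* newItemWrapper) {
    SVGElement* context = svgContext(imp);
    setSVGContext(newItemWrapper, context);
    if (!context)
        return false;
    context->svgAttributeChanged(imp->associatedAttributeName());
    return true;
}
```

Running the unchecked variant on an unregistered list under Valgrind reproduces the invalid read at address 0x0; the checked variant reports the missing context instead.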
Comment 6 by vitalyr@chromium.org, Nov 13, 2009
The fix landed upstream in http://trac.webkit.org/changeset/50958.
Comment 7 by vitalyr@chromium.org, Nov 14, 2009
The fix for the fix landed in http://trac.webkit.org/changeset/50972.
Comment 8 by dglazkov@chromium.org, Nov 16, 2009
Status: Fixed
Comment 9 by lafo...@chromium.org, Mar 18, 2011
Labels: -Valgrind bulkmove Stability-Valgrind
Project Member Comment 10 by bugdroid1@chromium.org, Oct 13, 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 11 by bugdroid1@chromium.org, Mar 10, 2013
Labels: -Area-WebKit -Mstone-4 -Stability-Valgrind Cr-Content M-4 Performance-Valgrind
Project Member Comment 12 by bugdroid1@chromium.org, Mar 13, 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 13 by bugdroid1@chromium.org, Apr 1, 2013
Labels: -Performance-Valgrind Stability-Valgrind
Project Member Comment 14 by bugdroid1@chromium.org, Apr 6, 2013
Labels: -Cr-Content Cr-Blink