Issue 138552: Setting className.baseVal = "" on any SVG node causes crash
Reported by jason.da...@gmail.com, Jul 23, 2012
Chrome Version: 21.0.1180.49
OS Version: OS X 10.7.4

Other browsers tested:

Firefox 14.0.1: OK
Safari Version 6.0 (7536.19): OK
Chrome Version 22.0.1215.0 canary: FAIL

To reproduce the crash, load the following document:

<!DOCTYPE html>
<script>
  document.createElementNS("http://www.w3.org/2000/svg", "svg").className.baseVal = "";
</script>

Note: this occurs on any SVGElement, not just <svg>.

UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.49 Safari/537.1
Attachment: crash.html (123 bytes)
Jul 23, 2012
#1 jason.da...@gmail.com
Additional note: this only occurs when setting a newly-created element's className.baseVal to "". For example, the following works fine:

<!DOCTYPE html>
<script>
  var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
  svg.className.baseVal = "test";
  svg.className.baseVal = "";
  svg.className.baseVal = "";
</script>
Jul 23, 2012
#2 paulir...@chromium.org
Repro'd on Canary/Snow Leopard.

Online test case: http://paulirish.com/temp/svgbaseval.html
Cc: pdr@chromium.org jschuh@chromium.org
Jul 23, 2012
#3 dhar...@chromium.org
(No comment was entered for this change.)
Cc: ka...@chromium.org
Labels: -Area-Undefined Area-WebKit Mstone-21 WebKit-SVG
Jul 23, 2012
#4 pdr@chromium.org
Ouch! Looks like a nasty regression.

@schenney, @fmalita: either of you up for a simple regression fix?
Status: Available
Cc: fmalita@chromium.org schen...@chromium.org
Jul 23, 2012
#5 schen...@chromium.org
(No comment was entered for this change.)
Status: Assigned
Owner: schen...@chromium.org
Cc: -schen...@chromium.org
Jul 23, 2012
#6 schen...@chromium.org
Fix about to go into WebKit.
Labels: WebKit-ID-92024
Jul 23, 2012
#7 bugdro...@chromium.org
https://bugs.webkit.org/show_bug.cgi?id=92024
Labels: -WebKit-ID-92024 WebKit-ID-92024-RESOLVED
Jul 24, 2012
#8 schen...@chromium.org
Fixed WebKit r123377: <http://trac.webkit.org/changeset/123377>.

Do we need to merge this into a release branch?
Status: Fixed
Jul 24, 2012
#9 dhar...@google.com
Since the bug regressed in M21, yes it needs to be merged. Is it an issue in M20?
Jul 24, 2012
#10 jason.da...@gmail.com
It does not appear to be an issue in Chrome / 20.0.1132.57 m / Win XP.
Jul 24, 2012
#11 schen...@chromium.org
There was a change in the crashing code by Abhishek some time recently. I suspect that is why it does not repro in m20. Abhishek, can you give some info on what prompted the change that caused the crash, in case we need to take some other action for m20?
Cc: infe...@chromium.org
Jul 24, 2012
#12 schen...@chromium.org
I've looked at the changes in this code area and I think the regression was due to the addition of support for SVG animVal bindings, which would have been about the right time frame. Nothing else jumps out at me. Abhishek's change was just a roll-out.

So no need for an m20 merge. m21 requested.
Labels: Merge-Requested
Jul 24, 2012
#13 infe...@chromium.org
We can always upload a testcase to clusterfuzz to see if it affects stable, beta branches and when exactly it regressed :)
Jul 24, 2012
#14 kar...@google.com
Did this go to canary yet? Looks like it just landed, right?
Jul 24, 2012
#15 jason.da...@gmail.com
It's not fixed in version 22.0.1216.0 canary, which is my latest. But maybe you Googlers have a more recent version. :)
Jul 24, 2012
#16 schen...@chromium.org
It went into WebKit late yesterday and today's canary may not include the appropriate WebKit roll. You may need to wait another day for an updated canary.
Jul 30, 2012
#17 kar...@google.com
schenney, can you check if this is fixed?
Jul 30, 2012
#18 schen...@chromium.org
No crash in Version 22.0.1221.0 canary. The file I used was crashing in Version 22.0.1215.3 dev-m, so it's safe to say it really is fixed.
Jul 30, 2012
#19 kar...@google.com
(No comment was entered for this change.)
Labels: -Merge-Requested Merge-Approved
Jul 30, 2012
#20 schen...@chromium.org
Committed revision 124076 in branch 1180 for m21.

Labels: Merge-Merged
Aug 7, 2012
#21 rponn...@chromium.org
Tested the same on Win7, Mac 10.7.4 and Linux 10.4 with Chrome 21.0.1180.74. I didn't face any crash. It is working fine.
Aug 7, 2012
#22 ligim...@chromium.org
As per comment #21, marking as fixed.
Status: Verified
Sep 20, 2012
#23 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: -Merge-Approved
Mar 10, 2013
#24 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-WebKit -Mstone-21 -WebKit-SVG Cr-Content Cr-Content-SVG M-21
Apr 5, 2013
#25 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink
Apr 5, 2013
#26 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content-SVG Cr-Blink-SVG