LadybirdBrowser / ladybird

Truly independent web browser
https://ladybird.org
BSD 2-Clause "Simplified" License

Crash when SVG uses a clip-path before it's defined #503

Open RubenKelevra opened 3 months ago

RubenKelevra commented 3 months ago

I'm using 09f76098b06804efb1f82f2244338ad4a97c9cfb of Ladybird under Linux x86_64 and found that it consistently crashes when trying to load one of the most notoriously overloaded German websites, https://t-online.de.

Sometimes it even crashes the whole browser. So I thought I'd add the crash log here:

❯ Ladybird 
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
Ladybird PID file '/run/user/1000/Ladybird.pid' exists with PID 15921, but process cannot be found
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
5713.037 WebContent(16075): (js debug) "🦶 ivw" "configure" Object{ "st": "toi", "dn": "data-501446ac98.t-online.de", "mh": 5 }
5713.038 WebContent(16075): (js debug) "🦶 ivw" "pageview" Object{ "cp": "/00-t-online-de-startseite/" }
5713.046 WebContent(16075): (js debug) "📝" "initial paper variant" Object{ "mode": "NO_CONSENT" }
5713.047 WebContent(16075): (js debug) "📝" "initial consent" Object{ "mode": "NO_CONSENT", "tcfReady": undefined, "tcString": undefined }
5713.051 WebContent(16075): (js debug) "💰" "SDI" "Loading metaTag.js from same origin without Consent"
5713.075 WebContent(16075): HTMLScriptElement: Refusing to run classic script because it has the nomodule attribute.
VERIFICATION FAILED: m_ptr at /build/ladybird/src/ladybird/Userland/Libraries/LibJS/Heap/GCPtr.h:168
/usr/libexec/../lib/liblagom-ak.so.0(ak_verification_failed+0xbd) [0x7a94b14211dd]
/usr/libexec/../lib/liblagom-web.so.0 Web::SVG::SVGCircleElement::get_path(Gfx::Size<Web::CSSPixels>) 0x53d) [0x7a94b28fdc9d]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::SVGFormattingContext::layout_path_like_element(Web::Layout::SVGGraphicsBox const&) 0x629) [0x7a94b27fd169]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::SVGFormattingContext::layout_graphics_element(Web::Layout::SVGGraphicsBox const&) 0x27b) [0x7a94b27fcafb]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::SVGFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x1cb) [0x7a94b27fb3cb]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::SVGFormattingContext::layout_mask_or_clip(Web::Layout::SVGBox const&) 0x1a4) [0x7a94b27fbe14]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::SVGFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x1cb) [0x7a94b27fb3cb]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::FormattingContext::layout_inside(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0xde) [0x7a94b27bb60e]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::InlineFormattingContext::dimension_box_on_line(Web::Layout::Box const&, Web::Layout::LayoutMode) 0x1cf) [0x7a94b27dd84f]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::InlineLevelIterator::next_without_lookahead() 0x924) [0x7a94b27dfb34]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::InlineLevelIterator::next() 0x3a) [0x7a94b27dff7a]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::InlineFormattingContext::generate_line_boxes(Web::Layout::LayoutMode) 0x105) [0x7a94b27dc775]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::InlineFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x44) [0x7a94b27dd434]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_inline_children(Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x75) [0x7a94b27a7d15]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_box(Web::Layout::Box const&, Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::CSSPixels&, Web::Layout::AvailableSpace const&) 0xbbc) [0x7a94b27a8a4c]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_children(Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x99) [0x7a94b27a8f19]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x3d) [0x7a94b27a92dd]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::FormattingContext::layout_inside(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0xde) [0x7a94b27bb60e]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::GridFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x3b3) [0x7a94b27d9b73]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::FormattingContext::layout_inside(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0xde) [0x7a94b27bb60e]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::GridFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x3b3) [0x7a94b27d9b73]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_box(Web::Layout::Box const&, Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::CSSPixels&, Web::Layout::AvailableSpace const&) 0x33d) [0x7a94b27a81cd]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_children(Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x99) [0x7a94b27a8f19]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x3d) [0x7a94b27a92dd]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::FormattingContext::layout_inside(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0xde) [0x7a94b27bb60e]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::FlexFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x5d4) [0x7a94b27b8384]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_box(Web::Layout::Box const&, Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::CSSPixels&, Web::Layout::AvailableSpace const&) 0x33d) [0x7a94b27a81cd]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_children(Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x99) [0x7a94b27a8f19]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x3d) [0x7a94b27a92dd]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::FormattingContext::layout_inside(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0xde) [0x7a94b27bb60e]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::FlexFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x5d4) [0x7a94b27b8384]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_box(Web::Layout::Box const&, Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::CSSPixels&, Web::Layout::AvailableSpace const&) 0x33d) [0x7a94b27a81cd]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_children(Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x99) [0x7a94b27a8f19]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_box(Web::Layout::Box const&, Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::CSSPixels&, Web::Layout::AvailableSpace const&) 0x810) [0x7a94b27a86a0]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_children(Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x99) [0x7a94b27a8f19]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_box(Web::Layout::Box const&, Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::CSSPixels&, Web::Layout::AvailableSpace const&) 0x810) [0x7a94b27a86a0]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_children(Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x99) [0x7a94b27a8f19]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::run(Web::Layout::Box const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x3d) [0x7a94b27a92dd]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_box(Web::Layout::Box const&, Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::CSSPixels&, Web::Layout::AvailableSpace const&) 0x33d) [0x7a94b27a81cd]
/usr/libexec/../lib/liblagom-web.so.0 Web::Layout::BlockFormattingContext::layout_block_level_children(Web::Layout::BlockContainer const&, Web::Layout::LayoutMode, Web::Layout::AvailableSpace const&) 0x99) [0x7a94b27a8f19]
/usr/libexec/../lib/liblagom-web.so.0 Web::DOM::Document::update_layout() 0x27a) [0x7a94b248108a]
/usr/libexec/../lib/liblagom-web.so.0(+0x70987a) [0x7a94b25c987a]
/usr/libexec/../lib/liblagom-web.so.0(+0x9f02a8) [0x7a94b28b02a8]
/usr/libexec/../lib/liblagom-core.so.0 Core::Timer::timer_event(Core::TimerEvent&) 0xb9) [0x7a94b14fa3f9]
/usr/libexec/../lib/liblagom-core.so.0 Core::EventReceiver::dispatch_event(Core::Event&, Core::EventReceiver*) 0x4d) [0x7a94b14dfe8d]
/usr/libexec/WebContent(+0x2a3ac) [0x5b19ee47d3ac]
/usr/libexec/../lib/libQt6Core.so.6(+0x1b34f9) [0x7a94b41a74f9]
/usr/libexec/../lib/libQt6Core.so.6 QTimer::timerEvent(QTimerEvent*) 0xa4) [0x7a94b41af0f4]
/usr/libexec/../lib/libQt6Core.so.6 QObject::event(QEvent*) 0x249) [0x7a94b418fc79]
/usr/libexec/../lib/libQt6Core.so.6 QCoreApplication::notifyInternal2(QObject*, QEvent*) 0x14b) [0x7a94b414240b]
/usr/libexec/../lib/libQt6Core.so.6 QTimerInfoList::activateTimers() 0x730) [0x7a94b42d07e0]
/usr/libexec/../lib/libQt6Core.so.6(+0x3cc651) [0x7a94b43c0651]
/usr/libexec/../lib/libglib-2.0.so.0(+0x62447) [0x7a94b0160447]
/usr/libexec/../lib/libglib-2.0.so.0(+0xd7708) [0x7a94b01d5708]
/usr/libexec/../lib/libglib-2.0.so.0(g_main_context_iteration+0x32) [0x7a94b0162022]
/usr/libexec/../lib/libQt6Core.so.6 QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) 0x8b) [0x7a94b43bebab]
/usr/libexec/WebContent(+0x29f32) [0x5b19ee47cf32]
/usr/libexec/../lib/liblagom-core.so.0 Core::EventLoop::spin_until(AK::Function<bool ()>) 0xc3) [0x7a94b14d8503]
/usr/libexec/../lib/liblagom-web.so.0 Web::Platform::EventLoopPluginSerenity::spin_until(JS::SafeFunction<bool ()>) 0x115) [0x7a94b28aeba5]
/usr/libexec/../lib/liblagom-web.so.0 Web::HTML::EventLoop::spin_until(JS::SafeFunction<bool ()>) 0xf0) [0x7a94b25c9d80]
/usr/libexec/../lib/liblagom-web.so.0 Web::HTML::HTMLParser::handle_text(Web::HTML::HTMLToken&) 0x3e4) [0x7a94b26d9514]
/usr/libexec/../lib/liblagom-web.so.0 Web::HTML::HTMLParser::run(Web::HTML::HTMLTokenizer::StopAtInsertionPoint) 0x15e) [0x7a94b26e37ce]
/usr/libexec/../lib/liblagom-web.so.0 Web::HTML::HTMLParser::run(URL::URL const&, Web::HTML::HTMLTokenizer::StopAtInsertionPoint) 0x2e0) [0x7a94b26e43c0]
/usr/libexec/../lib/liblagom-web.so.0(+0x9ef948) [0x7a94b28af948]
/usr/libexec/../lib/liblagom-core.so.0 Core::ThreadEventQueue::process() 0x3e2) [0x7a94b14f9dc2]
/usr/libexec/WebContent(+0x2ab42) [0x5b19ee47db42]
/usr/libexec/WebContent(+0x2db71) [0x5b19ee480b71]
/usr/libexec/../lib/libQt6Core.so.6 QCoreApplication::notifyInternal2(QObject*, QEvent*) 0x14b) [0x7a94b414240b]
/usr/libexec/../lib/libQt6Core.so.6 QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) 0x362) [0x7a94b41427f2]
/usr/libexec/../lib/libQt6Core.so.6(+0x3cc6c4) [0x7a94b43c06c4]
/usr/libexec/../lib/libglib-2.0.so.0(+0x62447) [0x7a94b0160447]
/usr/libexec/../lib/libglib-2.0.so.0(+0xd7708) [0x7a94b01d5708]
/usr/libexec/../lib/libglib-2.0.so.0(g_main_context_iteration+0x32) [0x7a94b0162022]
/usr/libexec/../lib/libQt6Core.so.6 QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) 0x8b) [0x7a94b43bebab]
/usr/libexec/../lib/libQt6Core.so.6 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) 0x1a6) [0x7a94b414c956]
/usr/libexec/../lib/liblagom-core.so.0 Core::EventLoop::exec() 0x48) [0x7a94b14d8678]
/usr/libexec/WebContent(+0x3a2e0) [0x5b19ee48d2e0]
/usr/libexec/WebContent(main+0x9c) [0x5b19ee47c30c]
/usr/libexec/../lib/libc.so.6(+0x25f5e) [0x7a94b0f7ff5e]
/usr/libexec/../lib/libc.so.6(__libc_start_main+0x8a) [0x7a94b0f8001a]
/usr/libexec/WebContent(+0x294e5) [0x5b19ee47c4e5]
5713.238 Ladybird(16047): WebContent process crashed!
VERIFICATION FAILED: !is_error() at /build/ladybird/src/ladybird/AK/Error.h:180
/usr/bin/../lib/liblagom-ak.so.0(ak_verification_failed+0xbd) [0x74aa1264c1dd]
Ladybird(+0x6108d) [0x572c177ca08d]
/usr/bin/../lib/liblagom-webview.so.0 WebView::ViewImplementation::handle_web_content_process_crash() 0x57a) [0x74aa161ffd4a]
/usr/bin/../lib/liblagom-core.so.0 Core::ThreadEventQueue::process() 0x3e2) [0x74aa12724dc2]
Ladybird(+0x411f2) [0x572c177aa1f2]
Ladybird(+0x44221) [0x572c177ad221]
/usr/bin/../lib/libQt6Widgets.so.6 QApplicationPrivate::notify_helper(QObject*, QEvent*) 0x9c) [0x74aa15942b6c]
/usr/bin/../lib/libQt6Core.so.6 QCoreApplication::notifyInternal2(QObject*, QEvent*) 0x178) [0x74aa14a1e438]
/usr/bin/../lib/libQt6Core.so.6 QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) 0x362) [0x74aa14a1e7f2]
/usr/bin/../lib/libQt6Core.so.6(+0x3cc6c4) [0x74aa14c9c6c4]
/usr/bin/../lib/libglib-2.0.so.0(+0x62447) [0x74aa0ee85447]
/usr/bin/../lib/libglib-2.0.so.0(+0xd7708) [0x74aa0eefa708]
/usr/bin/../lib/libglib-2.0.so.0(g_main_context_iteration+0x32) [0x74aa0ee87022]
/usr/bin/../lib/libQt6Core.so.6 QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) 0x8b) [0x74aa14c9abab]
/usr/bin/../lib/libQt6Core.so.6 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) 0x1a6) [0x74aa14a28956]
/usr/bin/../lib/libQt6Core.so.6 QCoreApplication::exec() 0x85) [0x74aa14a22a65]
/usr/bin/../lib/liblagom-core.so.0 Core::EventLoop::exec() 0x48) [0x74aa12703678]
/usr/bin/../lib/liblagom-webview.so.0 WebView::Application::exec() 0x12) [0x74aa161d7be2]
Ladybird(+0x66a83) [0x572c177cfa83]
Ladybird(main+0x9c) [0x572c1778723c]
/usr/bin/../lib/libc.so.6(+0x25f5e) [0x74aa121acf5e]
/usr/bin/../lib/libc.so.6(__libc_start_main+0x8a) [0x74aa121ad01a]
Ladybird(+0x1e415) [0x572c17787415]
fish: Job 1, 'Ladybird' terminated by signal SIGILL (Illegal instruction)

ADKaster commented 3 months ago

Looks like it's crashing trying to draw an SVG Circle element. Is there a way to isolate the specific SVG into a smaller test case?

skyrising commented 3 months ago

Looks like the only GCPtr dereferenced in SVGCircleElement::get_path is coming from layout_node(). Not sure how that can be null, since get_path is called via <layout_node>.dom_node().get_path(...).

RubenKelevra commented 3 months ago

> Looks like it's crashing trying to draw an SVG Circle element. Is there a way to isolate the specific SVG into a smaller test case?

I've tried loading the SVGs on the page one by one directly and it doesn't seem to be the issue.

I think something else is going on, unrelated to the SVG parsing itself.

RubenKelevra commented 2 months ago

I can confirm the bug for 69da6a0ce40, after the fix for telekom.de (#661) in #704.

Screenshot_20240720_203358

EdwinHoksberg commented 2 months ago

I was able to reduce the error to this piece of html:

<!doctype html>
<svg>
    <rect clip-path="url(#clip-path)"></rect>

    <defs>
        <clipPath id="clip-path">
            <circle cx="30" cy="30" r="30"></circle>
        </clipPath>
    </defs>
</svg>

Some observations:

RubenKelevra commented 5 days ago

I can confirm that 34261e54901 will still crash when visiting https://t-online.de
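The reduced test case and skyrising's analysis point at one pattern: the rect's clip-path is resolved while the circle inside the later clipPath has no layout node yet, and get_path dereferences that null pointer. The following is an added example, not Ladybird code, that models the forward reference with constructed stand-in types (Element, LayoutNode, ClipResult are assumptions) and contrasts the unchecked dereference with a null-checked form; whether Ladybird's eventual fix takes this shape is not established by the thread.

```cpp
// Added example, not Ladybird code: models a clip-path that references an
// element whose layout node has not been created yet (forward reference).
#include <optional>
#include <string>
#include <vector>

struct LayoutNode { double width = 0; };       // stand-in for a real layout box

struct Element {
    std::string tag, id, clip_ref;             // clip_ref: target id of clip-path="url(#...)"
    std::vector<Element*> children;
    LayoutNode* layout_node = nullptr;         // null until the layout tree reaches it
};

// Unchecked form, like the get_path() in the trace: a null layout_node crashes here.
double unchecked_get_path(const Element& circle) {
    return circle.layout_node->width;
}

// Hardened form: no layout node, no path. The caller decides what to skip.
std::optional<double> checked_get_path(const Element& circle) {
    if (!circle.layout_node) return std::nullopt;
    return circle.layout_node->width;
}

struct ClipResult { int processed; int skipped; };

Element* find_by_id(std::vector<Element*>& all, const std::string& id) {
    for (auto* e : all) if (e->id == id) return e;
    return nullptr;
}

// Lays out `shape`'s clip: children without a layout node are skipped, not dereferenced.
ClipResult layout_with_clip(Element& shape, std::vector<Element*>& all) {
    ClipResult r{0, 0};
    Element* clip = shape.clip_ref.empty() ? nullptr : find_by_id(all, shape.clip_ref);
    if (!clip) return r;                       // dangling url(#id): nothing to clip with
    for (auto* child : clip->children) {
        if (checked_get_path(*child)) r.processed++;
        else r.skipped++;
    }
    return r;
}

// Constructed document mirroring the reduced test case: <rect clip-path="url(#clip-path)">
// precedes <defs><clipPath id="clip-path"><circle/></clipPath></defs>.
ClipResult reproduce_forward_reference() {
    Element rect{"rect", "", "clip-path"};
    Element circle{"circle", "", ""};
    Element clip{"clipPath", "clip-path", ""};
    clip.children.push_back(&circle);
    std::vector<Element*> all{&rect, &clip, &circle};
    LayoutNode rect_layout;                    // only the rect has been laid out so far
    rect.layout_node = &rect_layout;
    return layout_with_clip(rect, all);        // circle skipped instead of crashing
}
```

Calling unchecked_get_path on the constructed circle here would be the null dereference the VERIFY in GCPtr.h catches.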