[Webkit-unassigned] [Bug 106428] New: Assertion failure in SVGAnimatedPath.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 9 01:46:22 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=106428

           Summary: Assertion failure in SVGAnimatedPath.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
                CC: zimmermann at kde.org, zherczeg at webkit.org,
                    pdr at google.com, fmalita at chromium.org


Created an attachment (id=181877)
 --> (https://bugs.webkit.org/attachment.cgi?id=181877&action=review)
Test

During SVG fuzzing I got a crash in the debug WebKit with the attached test:


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4a3ed8e in WebCore::SVGAnimatedPathAnimator::startAnimValAnimation (this=0x98d400, animatedTypes=...)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimatedPath.cpp:45
45        ASSERT(animatedTypes.size() == 1);

Backtrace:

(gdb) bt
#0  0x00007ffff4a3ed8e in WebCore::SVGAnimatedPathAnimator::startAnimValAnimation (this=0x98d400, animatedTypes=...)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimatedPath.cpp:45
#1  0x00007ffff4a52f07 in WebCore::SVGAnimateElement::resetAnimatedType (this=0x9906c0)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimateElement.cpp:214
#2  0x00007ffff49fb0cf in WebCore::SVGSMILElement::progress (this=0x9906c0, elapsed=..., resultElement=0x9906c0, seekToTime=false)
    at /home/reni/WebKit-git/Source/WebCore/svg/animation/SVGSMILElement.cpp:1104
#3  0x00007ffff49f09a5 in WebCore::SMILTimeContainer::updateAnimations (this=0x965eb0, elapsed=..., seekToTime=false)
    at /home/reni/WebKit-git/Source/WebCore/svg/animation/SMILTimeContainer.cpp:296
#4  0x00007ffff49efea6 in WebCore::SMILTimeContainer::begin (this=0x965eb0) at /home/reni/WebKit-git/Source/WebCore/svg/animation/SMILTimeContainer.cpp:142
#5  0x00007ffff4a18b8b in WebCore::SVGDocumentExtensions::startAnimations (this=0x967eb0)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGDocumentExtensions.cpp:104
#6  0x00007ffff3e1d4c7 in WebCore::Document::implicitClose (this=0x960840) at /home/reni/WebKit-git/Source/WebCore/dom/Document.cpp:2486
#7  0x00007ffff42e45fb in WebCore::FrameLoader::checkCallImplicitClose (this=0x719c28) at /home/reni/WebKit-git/Source/WebCore/loader/FrameLoader.cpp:833
#8  0x00007ffff42e4381 in WebCore::FrameLoader::checkCompleted (this=0x719c28) at /home/reni/WebKit-git/Source/WebCore/loader/FrameLoader.cpp:776
#9  0x00007ffff42e40e6 in WebCore::FrameLoader::finishedParsing (this=0x719c28) at /home/reni/WebKit-git/Source/WebCore/loader/FrameLoader.cpp:709
#10 0x00007ffff3e24b87 in WebCore::Document::finishedParsing (this=0x960840) at /home/reni/WebKit-git/Source/WebCore/dom/Document.cpp:4421
#11 0x00007ffff48148a9 in WebCore::XMLDocumentParser::end (this=0x71fde0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParser.cpp:217
#12 0x00007ffff48148e6 in WebCore::XMLDocumentParser::finish (this=0x71fde0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParser.cpp:229
#13 0x00007ffff42da3d6 in WebCore::DocumentWriter::end (this=0x74fa58) at /home/reni/WebKit-git/Source/WebCore/loader/DocumentWriter.cpp:244
#14 0x00007ffff42ca598 in WebCore::DocumentLoader::finishedLoading (this=0x74f9b0) at /home/reni/WebKit-git/Source/WebCore/loader/DocumentLoader.cpp:295
#15 0x00007ffff43055d6 in WebCore::MainResourceLoader::didFinishLoading (this=0x750b10, finishTime=0)
    at /home/reni/WebKit-git/Source/WebCore/loader/MainResourceLoader.cpp:558
