[Webkit-unassigned] [Bug 143994] New: Crash in SVGAnimateElementBase::calculateAnimatedValue() happens when reinserting an SVG animating element within the same animation limits

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 21 09:10:20 PDT 2015 

https://bugs.webkit.org/show_bug.cgi?id=143994

            Bug ID: 143994
           Summary: Crash in
                    SVGAnimateElementBase::calculateAnimatedValue()
                    happens when reinserting an SVG animating element
                    within the same animation limits
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: zimmermann at kde.org

Created attachment 251234
  --> https://bugs.webkit.org/attachment.cgi?id=251234&action=review
Test case (will crash)

Open the attached file.

Result: WebKit crashes with the following call stack:

WebCore::SVGAnimateElementBase::calculateAnimatedValue
WebCore::SVGAnimationElement::updateAnimation
WebCore::SVGSMILElement::progress
WebCore::SMILTimeContainer::updateAnimations
WebCore::SMILTimeContainer::timerFired

Notes: The crash happens when removing an animating SVG element and inserting it back while animating within the same animation limits. The reason for the crash is when removing an animating element from the SVG document, we call SVGAnimateElementBase::resetAnimatedPropertyType() which sets SVGAnimateElementBase::m_fromType and SVGAnimateElementBase::m_toType to nullptr. When the element is inserted back to the SVG document, SVGAnimationElement::updateAnimation() is called to get the new animated value. Before doing that we check if the animation limits have changed or not. But since in this case, the limits are not changed, we do not call SVGAnimateElementBase::calculateFromAndToValues() which is supposed to call SVGAnimatedTypeAnimator::calculateFromAndToValues(). And this later function is supposed to set valid values to SVGAnimateElementBase::m_fromType and SVGAnimateElementBase::m_toType. But since this does not happen, we end up calling SSVGAnimateElementBase::calculateAnimated

ASSERT(m_fromType);
ASSERT(m_fromType->type() == m_animatedPropertyType);
ASSERT(m_toType);

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150421/2586f6a2/attachment.html>

More information about the webkit-unassigned mailing list