[Webkit-unassigned] [Bug 146690] New: Crash when appending an SVG <use> element dynamically which has an animated SVG <path> element
bugzilla-daemon at webkit.org
Tue Jul 7 12:52:05 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=146690
Bug ID: 146690
Summary: Crash when appending an SVG <use> element dynamically
which has an animated SVG <path> element
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: SVG
Assignee: webkit-unassigned at lists.webkit.org
Reporter: sabouhallawa at apple.com
CC: zimmermann at kde.org
Created attachment 256314
--> https://bugs.webkit.org/attachment.cgi?id=256314&action=review
crash test case
1. Open the attached test case.
2. Click the "Add" button.
Result: WebKit crashes with the following call stack (the top frame is a WTFCrash hit inside SVGAnimatedPathSegListPropertyTearOff::animValDidChange(), reached from the SMIL animation timer):
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000114523aa7 WTFCrash + 39
1 com.apple.WebCore 0x0000000117b56ad6 WebCore::SVGAnimatedPathSegListPropertyTearOff::animValDidChange() + 70 (SVGAnimatedPathSegListPropertyTearOff.h:90)
2 com.apple.WebCore 0x0000000117b568d7 void WebCore::SVGAnimatedTypeAnimator::executeAction<WebCore::SVGAnimatedPathSegListPropertyTearOff>(WebCore::SVGAnimatedTypeAnimator::AnimationAction, WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&, unsigned int, WebCore::SVGAnimatedPathSegListPropertyTearOff::ContentType*) + 599 (SVGAnimatedTypeAnimator.h:194)
3 com.apple.WebCore 0x0000000117b54117 void WebCore::SVGAnimatedTypeAnimator::animValDidChangeForType<WebCore::SVGAnimatedPathSegListPropertyTearOff>(WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&) + 135 (SVGAnimatedTypeAnimator.h:101)
4 com.apple.WebCore 0x0000000117b52cd8 WebCore::SVGAnimatedPathAnimator::animValDidChange(WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&) + 40 (SVGAnimatedPath.cpp:86)
5 com.apple.WebCore 0x0000000117b6afbc WebCore::SVGAnimateElementBase::resetAnimatedType() + 1516 (SVGAnimateElementBase.cpp:217)
6 com.apple.WebCore 0x0000000117c528cf WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) + 1135 (SVGSMILElement.cpp:1100)
7 com.apple.WebCore 0x00000001179e7b5b WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) + 779 (SMILTimeContainer.cpp:288)
8 com.apple.WebCore 0x00000001179e6b9b WebCore::SMILTimeContainer::timerFired() + 187 (SMILTimeContainer.cpp:218)
9 com.apple.WebCore 0x00000001179eac08 void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>&>(std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>&&&) + 248 (__functional_base:441)
10 com.apple.WebCore 0x00000001179eaadc std::__1::__function::__func<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>, std::__1::allocator<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*> >, void ()>::operator()() + 44 (functional:1407)
11 com.apple.WebCore 0x0000000115ce0ada std::__1::function<void ()>::operator()() const + 26 (functional:1793)
12 com.apple.WebCore 0x0000000115ce09fc WebCore::Timer::fired() + 28 (Timer.h:134)
13 com.apple.WebCore 0x0000000117d237ea WebCore::ThreadTimers::sharedTimerFiredInternal() + 394 (ThreadTimers.cpp:135)
14 com.apple.WebCore 0x0000000117d234a9 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:108)
15 com.apple.WebCore 0x00000001179d2172 WebCore::timerFired(__CFRunLoopTimer*, void*) + 34 (SharedTimerCF.cpp:82)
16 com.apple.CoreFoundation 0x00007fff8737e7c4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
17 com.apple.CoreFoundation 0x00007fff8737e453 __CFRunLoopDoTimer + 1075
18 com.apple.CoreFoundation 0x00007fff873f9d9a __CFRunLoopDoTimers + 298
19 com.apple.CoreFoundation 0x00007fff87339a71 __CFRunLoopRun + 1841
20 com.apple.CoreFoundation 0x00007fff873390d8 CFRunLoopRunSpecific + 296
21 com.apple.HIToolbox 0x00007fff8bb60ce9 RunCurrentEventLoopInMode + 235
22 com.apple.HIToolbox 0x00007fff8bb60a7f ReceiveNextEventCommon + 432
23 com.apple.HIToolbox 0x00007fff8bb608bf _BlockUntilNextEventMatchingListInModeWithFilter + 71
24 com.apple.AppKit 0x00007fff90c66732 _DPSNextEvent + 927
25 com.apple.AppKit 0x00007fff91033f74 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 324
26 com.apple.AppKit 0x00007fff90c5c6c2 -[NSApplication run] + 682
27 com.apple.AppKit 0x00007fff90bdec4f NSApplicationMain + 1176
28 libxpc.dylib 0x00007fff872b619c _xpc_objc_main + 793
29 libxpc.dylib 0x00007fff872b78eb xpc_main + 494
30 com.apple.WebKit.WebContent.Development 0x000000010a224197 main + 39
31 libdyld.dylib 0x00007fff907835ad start + 1