[Webkit-unassigned] [Bug 146690] Crash when appending an SVG <use> element dynamically which has animated SVG <path> element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 7 13:02:30 PDT 2015 

https://bugs.webkit.org/show_bug.cgi?id=146690

--- Comment #2 from Said Abou-Hallawa <sabouhallawa at apple.com> ---
I was wring about the above call stack. It is just an assertion call stack. But if we comment all the assertion in SVGAnimatedListPropertyTearOff::animValDidChange() and VGAnimatedPathSegListPropertyTearOff::animValDidChange() we get the following crashing call stack which we should hit in a release build:

#0    0x00000001072a2360 in WebCore::SVGListProperty<WebCore::SVGPathSegList>::values() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGListProperty.h:434
#1    0x00000001072a43bd in WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGPathSegList>::synchronizeWrappersIfNeeded() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h:134
#2    0x00000001072a4715 in WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGPathSegList>::animValDidChange() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h:153
#3    0x00000001072a40c6 in WebCore::SVGAnimatedPathSegListPropertyTearOff::animValDidChange() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAnimatedPathSegListPropertyTearOff.h:101
#4    0x00000001072a3e87 in void WebCore::SVGAnimatedTypeAnimator::executeAction<WebCore::SVGAnimatedPathSegListPropertyTearOff>(WebCore::SVGAnimatedTypeAnimator::AnimationAction, WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&, unsigned int, WebCore::SVGAnimatedPathSegListPropertyTearOff::ContentType*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGAnimatedTypeAnimator.h:214
#5    0x00000001072a16c7 in void WebCore::SVGAnimatedTypeAnimator::animValDidChangeForType<WebCore::SVGAnimatedPathSegListPropertyTearOff>(WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGAnimatedTypeAnimator.h:100
#6    0x00000001072a0288 in WebCore::SVGAnimatedPathAnimator::animValDidChange(WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGAnimatedPath.cpp:85
#7    0x00000001072b828c in WebCore::SVGAnimateElementBase::resetAnimatedType() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGAnimateElementBase.cpp:215
#8    0x000000010739fb9f in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/animation/SVGSMILElement.cpp:1098
#9    0x00000001071352cb in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/animation/SMILTimeContainer.cpp:288
#10    0x000000010713430b in WebCore::SMILTimeContainer::timerFired() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/animation/SMILTimeContainer.cpp:217
#11    0x0000000107138378 in decltype(*(std::__1::forward<WebCore::SMILTimeContainer*&>(fp0)).*fp(std::__1::forward<>(fp1))) std::__1::__invoke<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*&, void>(void (WebCore::SMILTimeContainer::*&&&)(), WebCore::SMILTimeContainer*&&&) [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/bin/../include/c++/v1/__functional_base:382
#12    0x00000001071382f2 in std::__1::__bind_return<void (WebCore::SMILTimeContainer::*)(), std::__1::tuple<WebCore::SMILTimeContainer*>, std::__1::tuple<>, _is_valid_bind_return<void (WebCore::SMILTimeContainer::*)(), std::__1::tuple<WebCore::SMILTimeContainer*>, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void (WebCore::SMILTimeContainer::*)(), std::__1::tuple<WebCore::SMILTimeContainer*>, 0ul, std::__1::tuple<> >(void (WebCore::SMILTimeContainer::*&)(), std::__1::tuple<WebCore::SMILTimeContainer*>&, std::__1::__tuple_indices<0ul>, std::__1::tuple<>&&) [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/bin/../include/c++/v1/functional:2060
#13    0x00000001071382ca in std::__1::__bind_return<void (WebCore::SMILTimeContainer::*)(), std::__1::tuple<WebCore::SMILTimeContainer*>, std::__1::tuple<>, _is_valid_bind_return<void (WebCore::SMILTimeContainer::*)(), std::__1::tuple<WebCore::SMILTimeContainer*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>::operator()<>() [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/bin/../include/c++/v1/functional:2123
#14    0x00000001071382ab in decltype(std::__1::forward<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>&>(fp)(std::__1::forward<>(fp0))) std::__1::__invoke<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>&>(std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>&&&) [inlined] at /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/bin/../include/c++/v1/__functional_base:415
#15    0x00000001071382a0 in void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>&>(std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>&&&) at /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/bin/../include/c++/v1/__functional_base:440
#16    0x000000010713824c in std::__1::__function::__func<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>, std::__1::allocator<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*> >, void ()>::operator()() at /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/bin/../include/c++/v1/functional:1407
#17    0x000000010542e24a in std::__1::function<void ()>::operator()() const at /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/bin/../include/c++/v1/functional:1793
#18    0x000000010542e16c in WebCore::Timer::fired() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/Timer.h:133
#19    0x0000000107470aba in WebCore::ThreadTimers::sharedTimerFiredInternal() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/ThreadTimers.cpp:132
#20    0x0000000107470779 in WebCore::ThreadTimers::sharedTimerFired() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/ThreadTimers.cpp:107
#21    0x000000010711f8e2 in WebCore::timerFired(__CFRunLoopTimer*, void*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/platform/cf/SharedTimerCF.cpp:82

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150707/32635e94/attachment-0001.html>

More information about the webkit-unassigned mailing list