[Webkit-unassigned] [Bug 156549] New: Calling SVGAnimatedPropertyTearOff::animationEnded() will crash if the SVG property is not animating

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 13 12:36:00 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=156549

            Bug ID: 156549
           Summary: Calling SVGAnimatedPropertyTearOff::animationEnded()
                    will crash if the SVG property is not animating
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: zimmermann at kde.org

There are no repro steps or a test case for this crash, but there is this call stack:

0   WebCore                           0x0000000186b76e9c void WebCore::SVGAnimatedTypeAnimator::executeAction<WebCore::SVGAnimatedPropertyTearOff<WebCore::SVGLength> >(WebCore::SVGAnimatedTypeAnimator::AnimationAction, WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&, unsigned int, WebCore::SVGAnimatedPropertyTearOff<WebCore::SVGLength>::ContentType*) + 132 (SVGAnimatedPropertyTearOff.h:93)
1   WebCore                           0x0000000186b76e5c void WebCore::SVGAnimatedTypeAnimator::executeAction<WebCore::SVGAnimatedPropertyTearOff<WebCore::SVGLength> >(WebCore::SVGAnimatedTypeAnimator::AnimationAction, WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&, unsigned int, WebCore::SVGAnimatedPropertyTearOff<WebCore::SVGLength>::ContentType*) + 68 (SVGAnimatedTypeAnimator.h:192)
2   WebCore                           0x0000000186b8096c WebCore::SVGAnimateElementBase::clearAnimatedType(WebCore::SVGElement*) + 728 (SVGAnimateElementBase.cpp:326)
3   WebCore                           0x0000000186c00068 WebCore::SVGSMILElement::setTargetElement(WebCore::SVGElement*) + 120 (SVGSMILElement.cpp:599)
4   WebCore                           0x0000000186b85b9c WebCore::SVGAnimationElement::setTargetElement(WebCore::SVGElement*) + 28 (SVGAnimationElement.cpp:685)
5   WebCore                           0x0000000186b810f4 WebCore::SVGAnimateElementBase::setTargetElement(WebCore::SVGElement*) + 20 (SVGAnimateElementBase.cpp:420)
6   WebCore                           0x0000000186b8ff08 WebCore::SVGDocumentExtensions::clearTargetDependencies(WebCore::SVGElement&) + 216 (SVGElement.h:155)
7   WebCore                           0x0000000186b92814 WebCore::SVGElement::removedFrom(WebCore::ContainerNode&) + 92 (SVGElement.cpp:395)
8   WebCore                           0x0000000186145e8c void WebCore::Private::addChildNodesToDeletionQueue<WebCore::Node, WebCore::ContainerNode>(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) + 208 (ContainerNodeAlgorithms.h:233)
9   WebCore                           0x0000000185f314f8 WebCore::ContainerNode::removeDetachedChildren() + 132 (ContainerNodeAlgorithms.h:103)
10  WebCore                           0x0000000186221874 WebCore::Document::removedLastRef() + 336 (Document.cpp:680)
11  JavaScriptCore                    0x0000000185b3abc8 0x00000001856ac000 + 4778952
12  JavaScriptCore                    0x00000001859eb230 JSC::IncrementalSweeper::sweepNextBlock() + 104 (IncrementalSweeper.cpp:91)
13  JavaScriptCore                    0x00000001856c1dd4 JSC::IncrementalSweeper::doSweep(double) + 40 (IncrementalSweeper.cpp:69)
14  JavaScriptCore                    0x00000001856bd550 JSC::HeapTimer::timerDidFire(__CFRunLoopTimer*, void*) + 220 (HeapTimer.cpp:100)
15  CoreFoundation                    0x0000000181fe5834 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 28 (CFRunLoop.c:1628)
16  CoreFoundation                    0x0000000181fe54d8 __CFRunLoopDoTimer + 884 (CFRunLoop.c:2167)
17  CoreFoundation                    0x0000000181fe2bec __CFRunLoopRun + 1520 (CFRunLoop.c:2306)
18  CoreFoundation                    0x0000000181f0ce80 CFRunLoopRunSpecific + 384 (CFRunLoop.c:2814)
19  Foundation                        0x000000018291ccfc -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 308 (NSRunLoop.m:366)
20  Foundation                        0x0000000182972030 -[NSRunLoop(NSRunLoop) run] + 88 (NSRunLoop.m:388)
21  libxpc.dylib                      0x0000000181cd0c64 _xpc_objc_main + 660 (main.m:181)
22  libxpc.dylib                      0x0000000181cd29dc xpc_main + 200 (init.c:1439)
23  com.apple.WebKit.WebContent       0x00000001000e3924 main + 56 (XPCServiceMain.mm:89)
24  libdyld.dylib                     0x0000000181aaa8b8 start + 4 (start_glue.s:78)
