[Webkit-unassigned] [Bug 156549] Calling SVGAnimatedPropertyTearOff::animationEnded() will crash if the SVG property is not animating
bugzilla-daemon at webkit.org
Wed Apr 13 12:47:09 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=156549
--- Comment #1 from Said Abou-Hallawa <sabouhallawa at apple.com> ---
Before https://trac.webkit.org/changeset/197967, SVGAnimatedPropertyTearOff::animationEnded() could have been called multiple times if SVGAnimatedPropertyTearOff::animationStarted() was called once. We were calling animVal(), which ensures m_animVal is created correctly. We were using m_animVal as the animated property during the animation. Nothing after that sets m_animVal to nullptr.
After this change, this is not true. SVGAnimatedPropertyTearOff::animationStarted() sets m_animatedProperty = animVal(). m_animatedProperty is the property to animate and to work with during animation. But SVGAnimatedPropertyTearOff::animationEnded() sets m_animatedProperty = nullptr. So if SVGAnimatedPropertyTearOff::animationEnded() is called after that, a crash will happen.
This crash has been seen before this change so it is not a regression. But this change exposed the bug significantly.
A speculative fix is: in SVGAnimatedTypeAnimator::executeAction() we need to check if (property->isAnimating()) before calling property->animationEnded() if the action is StopAnimationAction.
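The lifecycle the comment describes, reduced to a stand-alone model as an added example (this is not WebKit's code; the class, enum and function names below are hypothetical and only mirror the members named in the comment). It shows why a second animationEnded() after the change dereferences nullptr, and how the isAnimating() guard in the stop path avoids that:

```cpp
#include <memory>

// Hypothetical, simplified stand-in for the animated property value.
struct SVGPropertyValue {
    float value = 0;
};

// Hypothetical model of SVGAnimatedPropertyTearOff after changeset 197967:
// animationStarted() points m_animatedProperty at animVal(), and
// animationEnded() clears it again.
class AnimatedPropertyTearOffModel {
public:
    // Lazily creates m_animVal, as animVal() does in the comment; never reset.
    SVGPropertyValue* animVal() {
        if (!m_animVal)
            m_animVal = std::make_unique<SVGPropertyValue>();
        return m_animVal.get();
    }
    bool isAnimating() const { return m_animatedProperty != nullptr; }
    void animationStarted() { m_animatedProperty = animVal(); }
    // Unconditionally uses m_animatedProperty, so a second call, or a call
    // without a preceding animationStarted(), is a null dereference.
    void animationEnded() {
        m_animatedProperty->value = 0;
        m_animatedProperty = nullptr;
    }
private:
    std::unique_ptr<SVGPropertyValue> m_animVal;
    SVGPropertyValue* m_animatedProperty = nullptr;
};

enum class AnimationAction { Start, Stop };

// Hypothetical executeAction() with the speculative fix applied: a Stop is
// only forwarded to animationEnded() while the property is animating.
// Returns true when animationEnded() was actually invoked.
bool executeActionGuarded(AnimatedPropertyTearOffModel& property, AnimationAction action) {
    if (action == AnimationAction::Start) {
        property.animationStarted();
        return false;
    }
    if (!property.isAnimating())
        return false;  // redundant StopAnimationAction: skip instead of crashing
    property.animationEnded();
    return true;
}

// Drives the Start, Stop, Stop sequence that crashed without the guard and
// returns how many times animationEnded() really ran (expected: 1).
int runStartStopStop() {
    AnimatedPropertyTearOffModel property;
    int ended = 0;
    ended += executeActionGuarded(property, AnimationAction::Start);
    ended += executeActionGuarded(property, AnimationAction::Stop);
    ended += executeActionGuarded(property, AnimationAction::Stop);
    return ended;
}
```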