[Webkit-unassigned] [Bug 197372] New: Assertion fires when animating the 'class' attribute of an SVG element

Mon Apr 29 09:38:02 PDT 2019

https://bugs.webkit.org/show_bug.cgi?id=197372

            Bug ID: 197372
           Summary: Assertion fires when animating the 'class' attribute
                    of an SVG element
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: zimmermann at kde.org

Created attachment 368462

  --> https://bugs.webkit.org/attachment.cgi?id=368462&action=review

test case

Open the attached test case in a debug build. The following assertion will fire:

0x0000000120fa93ee in ::WTFCrash() at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/Assertions.cpp:305
0x000000010bdeb929 in WebCore::SVGAnimatedPrimitiveProperty<WTF::String>::currentValue() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAnimatedPrimitiveProperty.h:103
0x000000010d9fe692 in WebCore::SVGElement::className() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGElement.h:149
0x000000010d9fe572 in WebCore::SVGElement::svgAttributeChanged(WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGElement.cpp:858
0x000000010db39d75 in WebCore::SVGGraphicsElement::svgAttributeChanged(WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGGraphicsElement.cpp:150
0x000000010db3aea2 in WebCore::SVGGeometryElement::svgAttributeChanged(WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGGeometryElement.cpp:116
0x000000010dbf9c38 in WebCore::SVGRectElement::svgAttributeChanged(WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGRectElement.cpp:87
0x000000010dce07bd in WebCore::SVGAttributeAnimator::applyAnimatedPropertyChange(WebCore::SVGElement*, WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAttributeAnimator.cpp:100
0x000000010dce09ab in WebCore::SVGAttributeAnimator::applyAnimatedPropertyChange(WebCore::SVGElement*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAttributeAnimator.cpp:117
0x000000010d97d6fb in WebCore::SVGAnimatedPropertyAnimator<WebCore::SVGAnimatedPrimitiveProperty<WTF::String>, WebCore::SVGAnimationStringFunction>::apply(WebCore::SVGElement*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAnimatedPropertyAnimator.h:80
0x000000010d968202 in WebCore::SVGAnimateElementBase::applyResultsToTarget() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGAnimateElementBase.cpp:176
0x000000010dcb678d in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/animation/SMILTimeContainer.cpp:321
0x000000010dcb6020 in WebCore::SMILTimeContainer::begin() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/animation/SMILTimeContainer.cpp:138
0x000000010d9f5fa1 in WebCore::SVGDocumentExtensions::startAnimations() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGDocumentExtensions.cpp:97
0x000000010c3a65ca in WebCore::Document::implicitClose() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Document.cpp:3007

This is a regression of removing the SVG tear off objects. But the attached text did not work correctly before removing them also.

The assertion fires because the animated primitive property do not share the animVal with all its instances.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190429/0234d69a/attachment.html>