[Webkit-unassigned] [Bug 204766] New: Crash when animating an enum attribute for multiple instances of an SVG element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 2 13:48:09 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204766

            Bug ID: 204766
           Summary: Crash when animating an enum attribute for multiple
                    instances of an SVG element
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: zimmermann at kde.org

Created attachment 384655

  --> https://bugs.webkit.org/attachment.cgi?id=384655&action=review

test case (will crash)

Open the attached test case. WebKit will crash because of a null reference with the following call stack:

#0      0x00000004ee682cf5 in WebCore::SVGLengthAdjustType WebCore::SVGAnimatedDecoratedProperty<WebCore::SVGDecoratedEnumeration, unsigned int>::currentValue<WebCore::SVGLengthAdjustType>() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAnimatedDecoratedProperty.h:114
#1      0x00000004ee67bb14 in WebCore::SVGTextContentElement::lengthAdjust() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGTextContentElement.h:89
#2      0x00000004ee67f534 in WebCore::SVGTextLayoutEngine::parentDefinesTextLength(WebCore::RenderObject*) const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp:151
#3      0x00000004ee67f708 in WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath(WebCore::SVGInlineTextBox&, WebCore::RenderSVGInlineText&, WebCore::RenderStyle const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp:411
#4      0x00000004ee67aec7 in WebCore::SVGTextLayoutEngine::layoutInlineTextBox(WebCore::SVGInlineTextBox&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp:225
#5      0x00000004ee67a6df in WebCore::SVGRootInlineBox::layoutCharactersInTextBoxes(WebCore::InlineFlowBox*, WebCore::SVGTextLayoutEngine&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRootInlineBox.cpp:108
#6      0x00000004ee67a4c9 in WebCore::SVGRootInlineBox::computePerCharacterLayoutInformation() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRootInlineBox.cpp:91
#7      0x00000004ee1e830d in WebCore::ComplexLineLayout::createLineBoxesFromBidiRuns(unsigned int, WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/ComplexLineLayout.cpp:1238
#8      0x00000004ee1ea59b in WebCore::ComplexLineLayout::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/ComplexLineLayout.cpp:1424
#9      0x00000004ee1e8954 in WebCore::ComplexLineLayout::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/ComplexLineLayout.cpp:1332
#10     0x00000004ee1ee8ae in WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/ComplexLineLayout.cpp:1741
#11     0x00000004ee2b0872 in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/RenderBlockFlow.cpp:683
#12     0x00000004ee6498c2 in WebCore::RenderSVGText::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/RenderSVGText.cpp:408
#13     0x00000004ee6657dd in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:273
#14     0x00000004ee5fbd78 in WebCore::RenderSVGContainer::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/RenderSVGContainer.cpp:71
#15     0x00000004ee6657dd in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:273
#16     0x00000004ee5fbd78 in WebCore::RenderSVGContainer::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/RenderSVGContainer.cpp:71
#17     0x00000004ee6657dd in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:273
#18     0x00000004ee642770 in WebCore::RenderSVGRoot::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/RenderSVGRoot.cpp:160
#19     0x00000004edbbc60f in WebCore::FrameViewLayoutContext::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/page/FrameViewLayoutContext.cpp:247
#20     0x00000004edb5cd9c in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/page/FrameView.cpp:4321
#21     0x00000004edbe095c in WebCore::Page::layoutIfNeeded() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/page/Page.cpp:1318
#22     0x00000004edbe0a0a in WebCore::Page::updateRendering() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/page/Page.cpp:1334
#23     0x00000004e14329d1 in WebKit::WebPage::updateRendering() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/WebPage.cpp:3702
#24     0x00000004e10c0801 in WebKit::TiledCoreAnimationDrawingArea::flushLayers(WebKit::TiledCoreAnimationDrawingArea::FlushType) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:467
#25     0x00000004e10c4d77 in WebKit::TiledCoreAnimationDrawingArea::layerFlushRunLoopCallback() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:931
#26     0x00000004e10c7bd8 in WebKit::TiledCoreAnimationDrawingArea::TiledCoreAnimationDrawingArea(WebKit::WebPage&, WebKit::WebPageCreationParameters const&)::$_1::operator()() const at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:91
