[Webkit-unassigned] [Bug 282704] New: RELEASE_ASSERT(a.globalPosition() != b.globalPosition()) is failing for animations with no timeline
bugzilla-daemon at webkit.org
Wed Nov 6 11:29:01 PST 2024
https://bugs.webkit.org/show_bug.cgi?id=282704
Bug ID: 282704
Summary: RELEASE_ASSERT(a.globalPosition() !=
b.globalPosition()) is failing for animations with no
timeline
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Animations
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ja_lopezlozoya at apple.com
CC: graouts at apple.com
This bug is due to animations created with a null timeline never getting their global position updated; then, when comparing them, we hit a release assert.
Testcase:
=======
<p>This test passes if it doesn't crash.</p>
<script>
    if (window.testRunner)
        testRunner.dumpAsText();
    function eventhandler() {
        // The second constructor argument is the timeline; it is null here.
        varx = new Animation(new KeyframeEffect(document.documentElement, null, 1), null);
        varx.pause();
        htmlvar.crossOrigin = "crossorigin";
    }
    function loading() {
        document.getAnimations();
    }
</script>
<body onload=loading()>
<img id="htmlvar" onerror="eventhandler()" src="x"></img>
Stack Trace
=========
frame #0: WebCore`WebCore::compareAnimationsByCompositeOrder(WebCore::WebAnimation const&, WebCore::WebAnimation const&)+0xd6b
frame #1: WebCore`void std::__1::__stable_sort<std::__1::_ClassicAlgPolicy, WebCore::Document::matchingAnimations(WTF::Function<bool (WebCore::Element&)> const&)::$_1&, WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*>(WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*, WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*, WebCore::Document::matchingAnimations(WTF::Function<bool (WebCore::Element&)> const&)::$_1&, std::__1::iterator_traits<WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*>::difference_type, std::__1::iterator_traits<WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*>::value_type*, long)+0x102
frame #2: WebCore`WebCore::Document::matchingAnimations(WTF::Function<bool (WebCore::Element&)> const&)+0x8f0
frame #3: WebCore`WebCore::Document::getAnimations()+0xcf
frame #4: WebCore`WebCore::jsDocumentPrototypeFunction_getAnimations(JSC::JSGlobalObject*, JSC::CallFrame*)+0x221
frame #5: `0x1f51e4037+
frame #6: JavaScriptCore`jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__651_callHelper__dispatch+0x2
frame #7: JavaScriptCore`jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__665_callHelper__dispatch+0x2
frame #8: JavaScriptCore`llint_call_javascript+0x5
frame #9: JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0xce8
frame #10: JavaScriptCore`JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x101
frame #11: WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xc9f
frame #12: WebCore`WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x589
frame #13: WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x196
frame #14: WebCore`WebCore::LocalDOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x4f2
frame #15: WebCore`WebCore::LocalDOMWindow::dispatchLoadEvent()+0x5d6
frame #16: WebCore`WebCore::Document::dispatchWindowLoadEvent()+0x138
frame #17: WebCore`WebCore::Document::implicitClose()+0x86c
frame #18: WebCore`WebCore::FrameLoader::checkCallImplicitClose()+0x1ee
frame #19: WebCore`WebCore::FrameLoader::checkCompleted()+0x562
frame #20: WebCore`WebCore::FrameLoader::checkCompletenessNow()+0x2c2
frame #21: WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal()+0x3db
frame #22: WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*)+0x78
frame #23: CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x13
frame #24: CoreFoundation`__CFRunLoopDoTimer+0x320
frame #25: CoreFoundation`__CFRunLoopDoTimers+0x11c
frame #26: CoreFoundation`__CFRunLoopRun+0x8d4
frame #27: CoreFoundation`CFRunLoopRunSpecific+0x217
frame #28: Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7
frame #29: Foundation`-[NSRunLoop(NSRunLoop) run]+0x4b
frame #30: libxpc.dylib`_xpc_objc_main+0x271
frame #31: libxpc.dylib`_xpc_main+0xda
frame #32: libxpc.dylib`xpc_main+0x37
frame #33: WebKit`WebKit::XPCServiceMain(int, char const**)+0xa9
frame #34: dyld`start+0x70c
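A simplified model of the failure described in this report, as an added example that is not part of the original report and is not WebKit code. The `Anim` struct, `makeAnim` and `sortAndCountTies` are hypothetical names, and assigning the position at creation is one possible hardening assumed here, not the project's fix.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for an animation object (not WebKit's WebAnimation).
struct Anim {
    uint64_t globalPosition = 0; // stays 0 until a position is assigned
    bool hasTimeline = false;
};

static uint64_t nextPosition = 1;

// assignAtCreation == false models the reported behaviour: the position is
// only updated when a timeline is present, so null-timeline objects keep 0.
// assignAtCreation == true is the assumed hardening: every object gets a
// unique position, with or without a timeline.
Anim makeAnim(bool withTimeline, bool assignAtCreation) {
    Anim a;
    a.hasTimeline = withTimeline;
    if (withTimeline || assignAtCreation)
        a.globalPosition = nextPosition++;
    return a;
}

// Sorts by position and counts comparisons that saw two equal positions,
// i.e. the points where an assertion that the positions differ would abort.
size_t sortAndCountTies(std::vector<Anim>& anims) {
    size_t ties = 0;
    std::stable_sort(anims.begin(), anims.end(),
        [&ties](const Anim& a, const Anim& b) {
            if (a.globalPosition == b.globalPosition)
                ++ties;
            return a.globalPosition < b.globalPosition;
        });
    return ties;
}

int main() {
    // Constructed input: two animations created without a timeline.
    std::vector<Anim> reported{ makeAnim(false, false), makeAnim(false, false) };
    std::vector<Anim> hardened{ makeAnim(false, true), makeAnim(false, true) };
    std::printf("ties (reported behaviour): %zu\n", sortAndCountTies(reported));
    std::printf("ties (position at creation): %zu\n", sortAndCountTies(hardened));
    return 0;
}
```
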