<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Crash in SVGAnimateElementBase::calculateAnimatedValue() happens when reinserting an SVG animating element within the same animation limits"
href="https://bugs.webkit.org/show_bug.cgi?id=143994">143994</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Crash in SVGAnimateElementBase::calculateAnimatedValue() happens when reinserting an SVG animating element within the same animation limits
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>528+ (Nightly build)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>SVG
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>sabouhallawa@apple.com
</td>
</tr>
<tr>
<th>CC</th>
<td>zimmermann@kde.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=251234" name="attach_251234" title="Test case (will crash)">attachment 251234</a> <a href="attachment.cgi?id=251234&action=edit" title="Test case (will crash)">[details]</a></span>
Test case (will crash)
Open the attached file.
Result: WebKit crashes with the following call stack:
WebCore::SVGAnimateElementBase::calculateAnimatedValue
WebCore::SVGAnimationElement::updateAnimation
WebCore::SVGSMILElement::progress
WebCore::SMILTimeContainer::updateAnimations
WebCore::SMILTimeContainer::timerFired
Notes: The crash happens when removing an animating SVG element and inserting it back while animating within the same animation limits.

The reason for the crash is when removing an animating element from the SVG document, we call SVGAnimateElementBase::resetAnimatedPropertyType() which sets SVGAnimateElementBase::m_fromType and SVGAnimateElementBase::m_toType to nullptr. When the element is inserted back to the SVG document, SVGAnimationElement::updateAnimation() is called to get the new animated value. Before doing that we check if the animation limits have changed or not. But since in this case, the limits are not changed, we do not call SVGAnimateElementBase::calculateFromAndToValues() which is supposed to call SVGAnimatedTypeAnimator::calculateFromAndToValues(). And this latter function is supposed to set valid values to SVGAnimateElementBase::m_fromType and SVGAnimateElementBase::m_toType. But since this does not happen, we end up calling SVGAnimateElementBase::calculateAnimated
ASSERT(m_fromType);
ASSERT(m_fromType->type() == m_animatedPropertyType);
ASSERT(m_toType);</pre>
</div>
</p>
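<p>The sequence the report describes is a stale-cache invariant failure: removal clears the cached from/to values, but the reinsert path only recomputes them when the animation limits change, so the cache stays empty and the assertions on m_fromType/m_toType fire. The following is an added, constructed C++ model of that lifecycle (not WebKit code; the names AnimateElementModel and reinsertWithSameLimits are assumptions) that reproduces the reported order of operations against a buggy variant, which recomputes only on a limit change, and a hardened variant, which also recomputes when the cache is empty.</p>

```cpp
#include <memory>
#include <string>

// Constructed model of the lifecycle described in the report; not WebKit code.
// An "animated type" holds a parsed limit value tagged with its property type.
struct AnimatedType {
    int type;
    double value;
};

struct AnimateElementModel {
    std::unique_ptr<AnimatedType> m_fromType;
    std::unique_ptr<AnimatedType> m_toType;
    std::string m_lastFrom;   // limits the from/to values were last computed for
    std::string m_lastTo;
    int m_animatedPropertyType = 1;
    bool m_recomputeOnlyOnLimitChange; // true models the behaviour the report describes

    explicit AnimateElementModel(bool recomputeOnlyOnLimitChange)
        : m_recomputeOnlyOnLimitChange(recomputeOnlyOnLimitChange) {}

    // Called when the element leaves the document: drops the cached from/to values.
    void resetAnimatedPropertyType() {
        m_fromType.reset();
        m_toType.reset();
    }

    // Rebuilds the cached from/to values from the current limits.
    void calculateFromAndToValues(const std::string& from, const std::string& to) {
        m_fromType = std::make_unique<AnimatedType>(AnimatedType{m_animatedPropertyType, std::stod(from)});
        m_toType = std::make_unique<AnimatedType>(AnimatedType{m_animatedPropertyType, std::stod(to)});
        m_lastFrom = from;
        m_lastTo = to;
    }

    // Returns false where the report's ASSERTs would fire (null or mismatched types)
    // instead of dereferencing a null pointer.
    bool calculateAnimatedValue(double progress, double* out) const {
        if (!m_fromType || !m_toType) return false;
        if (m_fromType->type != m_animatedPropertyType) return false;
        *out = m_fromType->value + (m_toType->value - m_fromType->value) * progress;
        return true;
    }

    bool updateAnimation(const std::string& from, const std::string& to, double progress, double* out) {
        bool limitsChanged = from != m_lastFrom || to != m_lastTo;
        bool cacheEmpty = !m_fromType || !m_toType;
        // Buggy variant: only a limit change triggers recomputation, so a cache cleared by
        // resetAnimatedPropertyType() is never refilled when the element returns with the
        // same limits. Hardened variant: an empty cache is also a reason to recompute.
        if (limitsChanged || (!m_recomputeOnlyOnLimitChange && cacheEmpty))
            calculateFromAndToValues(from, to);
        return calculateAnimatedValue(progress, out);
    }
};

// Drives the reported sequence: animate, remove from the document, reinsert with the
// same limits, animate again. Returns whether the second update produced a value.
bool reinsertWithSameLimits(bool recomputeOnlyOnLimitChange, double* secondValue) {
    AnimateElementModel element(recomputeOnlyOnLimitChange);
    double value = 0;
    if (!element.updateAnimation("0", "100", 0.25, &value)) return false;
    element.resetAnimatedPropertyType();                              // element removed while animating
    return element.updateAnimation("0", "100", 0.5, secondValue);     // reinserted, same limits
}
```

<p>With the buggy variant the second update fails because nothing refills the cache; with the hardened variant the empty cache itself triggers calculateFromAndToValues() and the interpolated value is produced. The general point for defenders reviewing similar code is that a "recompute only when inputs change" optimisation must also treat "cache was invalidated" as a change.</p>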
</body>
</html>