<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Crash when appending an SVG <use> element dynamically which has animated SVG <path> element"
href="https://bugs.webkit.org/show_bug.cgi?id=146690">146690</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Crash when appending an SVG <use> element dynamically which has animated SVG <path> element
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>528+ (Nightly build)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>SVG
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>sabouhallawa@apple.com
</td>
</tr>
<tr>
<th>CC</th>
<td>zimmermann@kde.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=256314" name="attach_256314" title="crash test case">attachment 256314</a> <a href="attachment.cgi?id=256314&action=edit" title="crash test case">[details]</a></span>
crash test case
1. Open the attached test case.
2. Click the "Add" button"
Result: WebKit crashes with the follow call stack:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000114523aa7 WTFCrash + 39
1 com.apple.WebCore 0x0000000117b56ad6 WebCore::SVGAnimatedPathSegListPropertyTearOff::animValDidChange() + 70 (SVGAnimatedPathSegListPropertyTearOff.h:90)
2 com.apple.WebCore 0x0000000117b568d7 void WebCore::SVGAnimatedTypeAnimator::executeAction<WebCore::SVGAnimatedPathSegListPropertyTearOff>(WebCore::SVGAnimatedTypeAnimator::AnimationAction, WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&, unsigned int, WebCore::SVGAnimatedPathSegListPropertyTearOff::ContentType*) + 599 (SVGAnimatedTypeAnimator.h:194)
3 com.apple.WebCore 0x0000000117b54117 void WebCore::SVGAnimatedTypeAnimator::animValDidChangeForType<WebCore::SVGAnimatedPathSegListPropertyTearOff>(WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&) + 135 (SVGAnimatedTypeAnimator.h:101)
4 com.apple.WebCore 0x0000000117b52cd8 WebCore::SVGAnimatedPathAnimator::animValDidChange(WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul> const&) + 40 (SVGAnimatedPath.cpp:86)
5 com.apple.WebCore 0x0000000117b6afbc WebCore::SVGAnimateElementBase::resetAnimatedType() + 1516 (SVGAnimateElementBase.cpp:217)
6 com.apple.WebCore 0x0000000117c528cf WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) + 1135 (SVGSMILElement.cpp:1100)
7 com.apple.WebCore 0x00000001179e7b5b WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) + 779 (SMILTimeContainer.cpp:288)
8 com.apple.WebCore 0x00000001179e6b9b WebCore::SMILTimeContainer::timerFired() + 187 (SMILTimeContainer.cpp:218)
9 com.apple.WebCore 0x00000001179eac08 void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>&>(std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>&&&) + 248 (__functional_base:441)
10 com.apple.WebCore 0x00000001179eaadc std::__1::__function::__func<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*>, std::__1::allocator<std::__1::__bind<void (WebCore::SMILTimeContainer::*&)(), WebCore::SMILTimeContainer*> >, void ()>::operator()() + 44 (functional:1407)
11 com.apple.WebCore 0x0000000115ce0ada std::__1::function<void ()>::operator()() const + 26 (functional:1793)
12 com.apple.WebCore 0x0000000115ce09fc WebCore::Timer::fired() + 28 (Timer.h:134)
13 com.apple.WebCore 0x0000000117d237ea WebCore::ThreadTimers::sharedTimerFiredInternal() + 394 (ThreadTimers.cpp:135)
14 com.apple.WebCore 0x0000000117d234a9 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:108)
15 com.apple.WebCore 0x00000001179d2172 WebCore::timerFired(__CFRunLoopTimer*, void*) + 34 (SharedTimerCF.cpp:82)
16 com.apple.CoreFoundation 0x00007fff8737e7c4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
17 com.apple.CoreFoundation 0x00007fff8737e453 __CFRunLoopDoTimer + 1075
18 com.apple.CoreFoundation 0x00007fff873f9d9a __CFRunLoopDoTimers + 298
19 com.apple.CoreFoundation 0x00007fff87339a71 __CFRunLoopRun + 1841
20 com.apple.CoreFoundation 0x00007fff873390d8 CFRunLoopRunSpecific + 296
21 com.apple.HIToolbox 0x00007fff8bb60ce9 RunCurrentEventLoopInMode + 235
22 com.apple.HIToolbox 0x00007fff8bb60a7f ReceiveNextEventCommon + 432
23 com.apple.HIToolbox 0x00007fff8bb608bf _BlockUntilNextEventMatchingListInModeWithFilter + 71
24 com.apple.AppKit 0x00007fff90c66732 _DPSNextEvent + 927
25 com.apple.AppKit 0x00007fff91033f74 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 324
26 com.apple.AppKit 0x00007fff90c5c6c2 -[NSApplication run] + 682
27 com.apple.AppKit 0x00007fff90bdec4f NSApplicationMain + 1176
28 libxpc.dylib 0x00007fff872b619c _xpc_objc_main + 793
29 libxpc.dylib 0x00007fff872b78eb xpc_main + 494
30 com.apple.WebKit.WebContent.Development 0x000000010a224197 main + 39
31 libdyld.dylib 0x00007fff907835ad start + 1</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>