Bug 12379 - ASSERTION FAILED: extensions->genericContext<SVGAnimatedLength>(obj.get()) == imp (during layout tests)
Summary: ASSERTION FAILED: extensions->genericContext<SVGAnimatedLength>(obj.get()) ==...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 420+
Hardware: Mac OS X 10.4
: P1 Blocker
Assignee: Nikolas Zimmermann
URL: http://build.webkit.org/post-commit-l...
Keywords: LayoutTestFailure, Regression
Depends on:
Blocks:
 
Reported: 2007-01-23 04:44 PST by Mark Rowe (bdash)
Modified: 2007-01-23 14:31 PST (History)
1 user (show)

See Also:

Attachments
Initial patch (2.67 KB, patch)
2007-01-23 12:41 PST, Nikolas Zimmermann 		mjs: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Rowe (bdash) 2007-01-23 04:44:38 PST 
ASSERTION FAILED: extensions->genericContext<SVGAnimatedLength>(obj.get()) == imp
(/Users/buildbot/Desktop/BuildData/WebKit-BuildSlave/post-commit-leaks-powerpc-mac-os-x/build/WebKitBuild/Debug/DerivedSources/WebCore/JSSVGLinearGradientElement.cpp:104 KJS::JSValue* WebCore::JSSVGLinearGradientElement::getValueProperty(KJS::ExecState*, int) const)
Segmentation fault

Appears to happen on or just before svg/custom/js-update-gradient.svg.  It does not reproduce 100% of the time.  I've not managed to reproduce it when trying to retrieve a backtrace.
Comment 1 David Kilzer (:ddkilzer) 2007-01-23 04:50:20 PST 
(In reply to comment #0)
> Appears to happen on or just before svg/custom/js-update-gradient.svg.  It does
> not reproduce 100% of the time.  I've not managed to reproduce it when trying
> to retrieve a backtrace.

Log into the buildbot server and pick up the stack trace from ~/Library/Logs/CrashReporter/DumpRenderTree.crash.log for the time it happened.
Comment 2 Mark Rowe (bdash) 2007-01-23 04:56:07 PST 
I don't have easy access to the build slave in question (that I know of), or I'd do just that :-)
Comment 3 Nikolas Zimmermann 2007-01-23 05:16:56 PST 
[14:14] bdash: WildFox: so why does it only sometimes happen?
[14:14] WildFox: bdash: well, ie. if you access mygradient.x1 from JS following happens
[14:15] WildFox: the "x1" is a SVGAnimatedLength object
[14:15] WildFox: we store the "context" ("mygradient") with the "x1" pointer in a hashmap
[14:15] WildFox: so if you call mygradient.x1.baseVal.value it will update the right context
[14:15] WildFox: (SVG DOM oddness)
[14:15] WildFox: the problem is that cache is never cleared
[14:15] WildFox: for single-docs, no problem
[14:16] WildFox: if you open a new document, which also access mygradient.x1 you may have bad luck that the _same_ pointer is used
[14:16] WildFox: same x1 pointer
[14:16] bdash: WildFox: ah, right
[14:16] WildFox: it's really "bad luck" if that happens
[14:16] bdash: but it's what is happening ;)
[14:16] WildFox: bdash: we just need to find "the right place" to clear the caches

We need to find a place to clear the caches ASAP! Anyone got an idea?
Comment 4 Maciej Stachowiak 2007-01-23 09:51:46 PST 
Shouldn't each document have its own separate cache?
Comment 5 Nikolas Zimmermann 2007-01-23 12:41:53 PST 
Created attachment 12634 [details]
Initial patch

Okay, it turned out there is no need for any place to "clear the cache". It would even be wrong to do that - as discussed with Maciej. I just forgot to remove the context objects from the SVGDocumentExtension cache once their corresponding JS objects get destructed. Ran layout tests 10 times now - couldn't reproduce anymore - hopefully it's fixed.
Comment 6 Maciej Stachowiak 2007-01-23 14:22:27 PST 
Comment on attachment 12634 [details]
Initial patch

r=me
Comment 7 Nikolas Zimmermann 2007-01-23 14:31:44 PST 
Landed in r19058.