106428 2013-01-09 01:48:16 -0800 Assertion faulire in SVGAnimatedPath. 2013-06-03 09:03:53 -0700 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 116980 1 rhodovan.u-szeged rhodovan.u-szeged d-r fmalita krit pdr schenney webkit.review.bot zherczeg zimmermann oldest_to_newest 803151 0 181877 rhodovan.u-szeged 2013-01-09 01:48:16 -0800 Created attachment 181877 Test During SVG fuzzing I got a crash in the debug WebKit with the attached test: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff4a3ed8e in WebCore::SVGAnimatedPathAnimator::startAnimValAnimation (th qis=0x98d400, animatedTypes=...) at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimatedPath.cpp:45 45 ASSERT(animatedTypes.size() == 1); Backtrace: (gdb) bt #0 0x00007ffff4a3ed8e in WebCore::SVGAnimatedPathAnimator::startAnimValAnimation (this=0x98d400, animatedTypes=...) at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimatedPath.cpp:45 #1 0x00007ffff4a52f07 in WebCore::SVGAnimateElement::resetAnimatedType (this=0x9906c0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimateElement.cpp:214 #2 0x00007ffff49fb0cf in WebCore::SVGSMILElement::progress (this=0x9906c0, elapsed=..., resultElement=0x9906c0, seekToTime=false) at /home/reni/WebKit-git/Source/WebCore/svg/animation/SVGSMILElement.cpp:1104 #3 0x00007ffff49f09a5 in WebCore::SMILTimeContainer::updateAnimations (this=0x965eb0, elapsed=..., seekToTime=false) at /home/reni/WebKit-git/Source/WebCore/svg/animation/SMILTimeContainer.cpp:296 #4 0x00007ffff49efea6 in WebCore::SMILTimeContainer::begin (this=0x965eb0) at /home/reni/WebKit-git/Source/WebCore/svg/animation/SMILTimeContainer.cpp:142 #5 0x00007ffff4a18b8b in WebCore::SVGDocumentExtensions::startAnimations (this=0x967eb0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGDocumentExtensions.cpp:104 #6 0x00007ffff3e1d4c7 in WebCore::Document::implicitClose (this=0x960840) at /home/reni/WebKit-git/Source/WebCore/dom/Document.cpp:2486 #7 0x00007ffff42e45fb in WebCore::FrameLoader::checkCallImplicitClose (this=0x719c28) at /home/reni/WebKit-git/Source/WebCore/loader/FrameLoader.cpp:833 #8 0x00007ffff42e4381 in WebCore::FrameLoader::checkCompleted (this=0x719c28) at /home/reni/WebKit-git/Source/WebCore/loader/FrameLoader.cpp:776 #9 0x00007ffff42e40e6 in WebCore::FrameLoader::finishedParsing (this=0x719c28) at /home/reni/WebKit-git/Source/WebCore/loader/FrameLoader.cpp:709 #10 0x00007ffff3e24b87 in WebCore::Document::finishedParsing (this=0x960840) at /home/reni/WebKit-git/Source/WebCore/dom/Document.cpp:4421 #11 0x00007ffff48148a9 in WebCore::XMLDocumentParser::end (this=0x71fde0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParser.cpp:217 #12 0x00007ffff48148e6 in WebCore::XMLDocumentParser::finish (this=0x71fde0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParser.cpp:229 #13 0x00007ffff42da3d6 in WebCore::DocumentWriter::end (this=0x74fa58) at /home/reni/WebKit-git/Source/WebCore/loader/DocumentWriter.cpp:244 #14 0x00007ffff42ca598 in WebCore::DocumentLoader::finishedLoading (this=0x74f9b0) at /home/reni/WebKit-git/Source/WebCore/loader/DocumentLoader.cpp:295 #15 0x00007ffff43055d6 in WebCore::MainResourceLoader::didFinishLoading (this=0x750b10, finishTime=0) at /home/reni/WebKit-git/Source/WebCore/loader/MainResourceLoader.cpp:558 803237 1 181897 rhodovan.u-szeged 2013-01-09 04:57:47 -0800 Created attachment 181897 Proposed patch 803551 2 pdr 2013-01-09 11:55:13 -0800 (In reply to comment #1) > Created an attachment (id=181897) [details] > Proposed patch This looks reasonable to me. I wonder why we even had that assertion in the first place, since we seem to iterate over the values right below the assertion. 857286 3 rhodovan.u-szeged 2013-03-18 10:40:50 -0700 Committed r146083: <http://trac.webkit.org/changeset/146083> 181877 2013-01-09 01:48:16 -0800 2013-01-09 01:48:16 -0800 Test animated_type_is_1.svg image/svg+xml 228 rhodovan.u-szeged PHN2ZyB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayIgeG1sbnM9Imh0 dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KCQk8ZyBpZD0idGVzdCI+CgkJCTxwYXRoIGQ9Ik0g MTAgMTAiPgoJCQkJPGFuaW1hdGUgYXR0cmlidXRlTmFtZT0iZCI+PC9hbmltYXRlPgoJCQk8L3Bh dGg+CgkJPC9nPgkJCQkKCgkJPHVzZSB4bGluazpocmVmPSIjdGVzdCI+PC91c2U+Cjwvc3ZnPgoK 181897 2013-01-09 04:57:47 -0800 2013-03-18 10:42:25 -0700 Proposed patch 0001-animated_path_assert.patch text/plain 4668 rhodovan.u-szeged RnJvbSBkOWUyYzRjMjA1MDljNjI5MjEwYmU3MDc1MDMyYmNlZGMxZWFlNDFlIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBSZW5hdGEgSG9kb3ZhbiA8cmVuaUB3ZWJraXQub3JnPgpEYXRl OiBXZWQsIDkgSmFuIDIwMTMgMTM6NTI6MTEgKzAxMDAKU3ViamVjdDogW1BBVENIXSBhbmltYXRl ZF9wYXRoX2Fzc2VydAoKLS0tCiBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICB8ICAgIDkgKysrKysrKysrCiAuLi4vYW5pbWF0ZWQtcGF0aC12aWEtdXNl LWRlYnVnLWNyYXNoLWV4cGVjdGVkLnR4dCB8ICAgIDEgKwogLi4uL2FuaW1hdGVkLXBhdGgtdmlh LXVzZS1kZWJ1Zy1jcmFzaC5zdmcgICAgICAgICAgfCAgIDE0ICsrKysrKysrKysrKysrCiBTb3Vy Y2UvV2ViQ29yZS9DaGFuZ2VMb2cgICAgICAgICAgICAgICAgICAgICAgICAgICB8ICAgMTUgKysr KysrKysrKysrKysrCiBTb3VyY2UvV2ViQ29yZS9zdmcvU1ZHQW5pbWF0ZWRQYXRoLmNwcCAgICAg ICAgICAgICB8ICAgIDQgKystLQogNSBmaWxlcyBjaGFuZ2VkLCA0MSBpbnNlcnRpb25zKCspLCAy IGRlbGV0aW9ucygtKQogY3JlYXRlIG1vZGUgMTAwNjQ0IExheW91dFRlc3RzL3N2Zy9hbmltYXRp b25zL2FuaW1hdGVkLXBhdGgtdmlhLXVzZS1kZWJ1Zy1jcmFzaC1leHBlY3RlZC50eHQKIGNyZWF0 ZSBtb2RlIDEwMDY0NCBMYXlvdXRUZXN0cy9zdmcvYW5pbWF0aW9ucy9hbmltYXRlZC1wYXRoLXZp YS11c2UtZGVidWctY3Jhc2guc3ZnCgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvQ2hhbmdlTG9n IGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCmluZGV4IGNhZmE3ODAuLjVjZWQwMmYgMTAwNjQ0Ci0t LSBhL0xheW91dFRlc3RzL0NoYW5nZUxvZworKysgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKQEAg LTEsMyArMSwxMiBAQAorMjAxMy0wMS0wOSAgUmVuYXRhIEhvZG92YW4gIDxyZW5pQHdlYmtpdC5v cmc+CisKKyAgICAgICAgQXNzZXJ0aW9uIGZhdWxpcmUgaW4gU1ZHQW5pbWF0ZWRQYXRoCisgICAg ICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMDY0MjgKKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIHN2Zy9hbmltYXRp b25zL2FuaW1hdGVkLXBhdGgtdmlhLXVzZS1kZWJ1Zy1jcmFzaC5zdmc6IEFkZGVkLgorCiAyMDEz LTAxLTA5ICBLdW5paGlrbyBTYWthbW90byAgPGtzYWthbW90b0BjaHJvbWl1bS5vcmc+CiAKICAg ICAgICAgSU5QVVRfTVVMVElQTEVfRklFTERTX1VJOiBTdGVwLXVwLy1kb3duIG9mIHdlZWsgZmll bGQgc2hvdWxkIHJlc3BlY3QgbWluL21heCBhdHRyaWJ1dGVzCmRpZmYgLS1naXQgYS9MYXlvdXRU ZXN0cy9zdmcvYW5pbWF0aW9ucy9hbmltYXRlZC1wYXRoLXZpYS11c2UtZGVidWctY3Jhc2gtZXhw ZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvc3ZnL2FuaW1hdGlvbnMvYW5pbWF0ZWQtcGF0aC12aWEt dXNlLWRlYnVnLWNyYXNoLWV4cGVjdGVkLnR4dApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAw MDAwMDAwLi4yNDliOTkwCi0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvc3ZnL2FuaW1h dGlvbnMvYW5pbWF0ZWQtcGF0aC12aWEtdXNlLWRlYnVnLWNyYXNoLWV4cGVjdGVkLnR4dApAQCAt MCwwICsxIEBACitUaGlzIHRlc3QgcGFzc2VzIGlmIGl0IGRvZXMgbm90IGNyYXNoLiBTZWUgYnVn IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMDY0MjgKZGlmZiAtLWdp dCBhL0xheW91dFRlc3RzL3N2Zy9hbmltYXRpb25zL2FuaW1hdGVkLXBhdGgtdmlhLXVzZS1kZWJ1 Zy1jcmFzaC5zdmcgYi9MYXlvdXRUZXN0cy9zdmcvYW5pbWF0aW9ucy9hbmltYXRlZC1wYXRoLXZp YS11c2UtZGVidWctY3Jhc2guc3ZnCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAu LmJiZDE2N2UKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9zdmcvYW5pbWF0aW9ucy9h bmltYXRlZC1wYXRoLXZpYS11c2UtZGVidWctY3Jhc2guc3ZnCkBAIC0wLDAgKzEsMTQgQEAKKzxz dmcgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHhtbG5zPSJodHRw Oi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CisgICAgPHBhdGggaWQ9InRlc3QiIGQ9Ik0gMTAgMTAi PgorICAgICAgICA8YW5pbWF0ZSBhdHRyaWJ1dGVOYW1lPSJkIj48L2FuaW1hdGU+CisgICAgPC9w YXRoPgorCisgICAgPHVzZSB4bGluazpocmVmPSIjdGVzdCI+PC91c2U+CisgICAgPHRleHQgeD0i MTAiIHk9IjIwIj5UaGlzIHRlc3QgcGFzc2VzIGlmIGl0IGRvZXMgbm90IGNyYXNoLiBTZWUgYnVn IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMDY0Mjg8L3RleHQ+CisK KyAgICA8c2NyaXB0PgorICAgICAgICBpZiAod2luZG93LnRlc3RSdW5uZXIpCisgICAgICAgICAg ICB0ZXN0UnVubmVyLmR1bXBBc1RleHQoKTsKKyAgICA8L3NjcmlwdD4KKzwvc3ZnPgorCmRpZmYg LS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VM b2cKaW5kZXggMzExODg4My4uYzg2YWNiNCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hh bmdlTG9nCisrKyBiL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE4IEBACisy MDEzLTAxLTA5ICBSZW5hdGEgSG9kb3ZhbiAgPHJlbmlAd2Via2l0Lm9yZz4KKworICAgICAgICBB c3NlcnRpb24gZmF1bGlyZSBpbiBTVkdBbmltYXRlZFBhdGguCisgICAgICAgIGh0dHBzOi8vYnVn cy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMDY0MjgKKworICAgICAgICBSZXZpZXdlZCBi eSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUaGUgYXNzZXJ0cyBhcmUgdG9vIHJlc3RyaWN0 ZWQuIFRoZSBzaXplIG11c3QgYmUgZ3JlYXRlZCBvciBlcXVhbCB0byAxLgorCisgICAgICAgIFRl c3Q6IHN2Zy9hbmltYXRpb25zL2FuaW1hdGVkLXBhdGgtdmlhLXVzZS1kZWJ1Zy1jcmFzaC5zdmcK KworICAgICAgICAqIHN2Zy9TVkdBbmltYXRlZFBhdGguY3BwOgorICAgICAgICAoV2ViQ29yZTo6 U1ZHQW5pbWF0ZWRQYXRoQW5pbWF0b3I6OnN0YXJ0QW5pbVZhbEFuaW1hdGlvbik6CisgICAgICAg IChXZWJDb3JlOjpTVkdBbmltYXRlZFBhdGhBbmltYXRvcjo6cmVzZXRBbmltVmFsVG9CYXNlVmFs KToKKwogMjAxMy0wMS0wOSAgS3VuaWhpa28gU2FrYW1vdG8gIDxrc2FrYW1vdG9AY2hyb21pdW0u b3JnPgogCiAgICAgICAgIElOUFVUX01VTFRJUExFX0ZJRUxEU19VSTogU3RlcC11cC8tZG93biBv ZiB3ZWVrIGZpZWxkIHNob3VsZCByZXNwZWN0IG1pbi9tYXggYXR0cmlidXRlcwpkaWZmIC0tZ2l0 IGEvU291cmNlL1dlYkNvcmUvc3ZnL1NWR0FuaW1hdGVkUGF0aC5jcHAgYi9Tb3VyY2UvV2ViQ29y ZS9zdmcvU1ZHQW5pbWF0ZWRQYXRoLmNwcAppbmRleCAwMjliMTZhLi5iOGM4ZGExIDEwMDY0NAot LS0gYS9Tb3VyY2UvV2ViQ29yZS9zdmcvU1ZHQW5pbWF0ZWRQYXRoLmNwcAorKysgYi9Tb3VyY2Uv V2ViQ29yZS9zdmcvU1ZHQW5pbWF0ZWRQYXRoLmNwcApAQCAtNDIsNyArNDIsNyBAQCBQYXNzT3du UHRyPFNWR0FuaW1hdGVkVHlwZT4gU1ZHQW5pbWF0ZWRQYXRoQW5pbWF0b3I6OmNvbnN0cnVjdEZy b21TdHJpbmcoY29uc3QgUwogCiBQYXNzT3duUHRyPFNWR0FuaW1hdGVkVHlwZT4gU1ZHQW5pbWF0 ZWRQYXRoQW5pbWF0b3I6OnN0YXJ0QW5pbVZhbEFuaW1hdGlvbihjb25zdCBTVkdFbGVtZW50QW5p bWF0ZWRQcm9wZXJ0eUxpc3QmIGFuaW1hdGVkVHlwZXMpCiB7Ci0gICAgQVNTRVJUKGFuaW1hdGVk VHlwZXMuc2l6ZSgpID09IDEpOworICAgIEFTU0VSVChhbmltYXRlZFR5cGVzLnNpemUoKSA+PSAx KTsKICAgICBTVkdBbmltYXRlZFBhdGhTZWdMaXN0UHJvcGVydHlUZWFyT2ZmKiBwcm9wZXJ0eSA9 IGNhc3RBbmltYXRlZFByb3BlcnR5VG9BY3R1YWxUeXBlPFNWR0FuaW1hdGVkUGF0aFNlZ0xpc3RQ cm9wZXJ0eVRlYXJPZmY+KGFuaW1hdGVkVHlwZXNbMF0ucHJvcGVydGllc1swXS5nZXQoKSk7CiAg ICAgY29uc3QgU1ZHUGF0aFNlZ0xpc3QmIGJhc2VWYWx1ZSA9IHByb3BlcnR5LT5jdXJyZW50QmFz ZVZhbHVlKCk7CiAKQEAgLTcyLDcgKzcyLDcgQEAgdm9pZCBTVkdBbmltYXRlZFBhdGhBbmltYXRv cjo6c3RvcEFuaW1WYWxBbmltYXRpb24oY29uc3QgU1ZHRWxlbWVudEFuaW1hdGVkUHJvcGUKIAog dm9pZCBTVkdBbmltYXRlZFBhdGhBbmltYXRvcjo6cmVzZXRBbmltVmFsVG9CYXNlVmFsKGNvbnN0 IFNWR0VsZW1lbnRBbmltYXRlZFByb3BlcnR5TGlzdCYgYW5pbWF0ZWRUeXBlcywgU1ZHQW5pbWF0 ZWRUeXBlKiB0eXBlKQogewotICAgIEFTU0VSVChhbmltYXRlZFR5cGVzLnNpemUoKSA9PSAxKTsK KyAgICBBU1NFUlQoYW5pbWF0ZWRUeXBlcy5zaXplKCkgPj0gMSk7CiAgICAgQVNTRVJUKHR5cGUp OwogICAgIEFTU0VSVCh0eXBlLT50eXBlKCkgPT0gbV90eXBlKTsKICAgICBjb25zdCBTVkdQYXRo U2VnTGlzdCYgYmFzZVZhbHVlID0gY2FzdEFuaW1hdGVkUHJvcGVydHlUb0FjdHVhbFR5cGU8U1ZH QW5pbWF0ZWRQYXRoU2VnTGlzdFByb3BlcnR5VGVhck9mZj4oYW5pbWF0ZWRUeXBlc1swXS5wcm9w ZXJ0aWVzWzBdLmdldCgpKS0+Y3VycmVudEJhc2VWYWx1ZSgpOwotLSAKMS43LjIuNQoK