5336 2005-10-11 02:52:32 -0700 SVG with animation crashes WebKit+SVG 2005-10-16 02:00:45 -0700 1 1 1 Unclassified WebKit SVG 420+ Mac OS X 10.4 RESOLVED FIXED http://www.dotuscomus.com/kde/gearobolo_colorshift.svgz P4 Normal --- 1 eric eric oldest_to_newest 21794 0 eric 2005-10-11 02:52:32 -0700 SVG with animation crashes WebKit+SVG I have not had a chance to either reduce, or diagnose. It seemed to be crashing in animation code, but looked like it might be smashing memory. Possibly relating to the svgz changes I have in my tree. (w/o the svgz changes attached to http://bugzilla.opendarwin.org/show_bug.cgi?id=5246 it's not possible to view this SVG w/o first downloading and decompressing it. 21991 1 eric 2005-10-13 14:30:24 -0700 This seems to be smashing the stack, or somehow confusing gdb. Viewing this svg in DrawTest, with libgmalloc leads to this backtrace: #0 0x0191b87c in typeinfo for KDOM::KDOMPart () #1 0x0137fe90 in KSVG::TimeScheduler::slotTimerNotify (this=0xe7c64000) at /Volumes/Stuff/ Projects/WKOpen2/WebCore/../SVGSupport/ksvg2/misc/KSVGTimeScheduler.cpp:494 #2 0x013800a0 in KSVG::TimeScheduler::connectIntervalTimer (this=0xbfffdfd0, element=0x108d634) at /Volumes/Stuff/Projects/WKOpen2/WebCore/../SVGSupport/ksvg2/misc/KSVGTimeScheduler.cpp: 422 #3 0x0126f0d8 in KWQSlot::call (this=0xe7c64fec, job=0xbfffe078, data=0x50100646 <Address 0x50100646 out of bounds>, size=-519811140) at /Volumes/Stuff/Projects/WKOpen2/WebCore/ kwq/KWQSlot.mm:278 #4 0x0126e984 in KWQSignal::connect (this=0x41e00000, slot=@0x0) at /Volumes/Stuff/Projects/ WKOpen2/WebCore/kwq/KWQSignal.mm:59 #5 0x0108d690 in +[KWQSingleShotTimerTarget targetWithQObject:member:] (self=0x40300000, _cmd=0x0, object=0x40300000, member=0x0) at /Volumes/Stuff/Projects/WKOpen2/WebCore/kwq/ KWQTimer.mm:74 #6 0x0108d6d4 in +[KWQSingleShotTimerTarget targetWithQObject:member:] (self=0xff, _cmd=0xbfffe220, object=0x2, member=0x4 <Address 0x4 out of bounds>) at /Volumes/Stuff/ Projects/WKOpen2/WebCore/kwq/KWQTimer.mm:75 #7 0x928dd57c in __NSFireTimer () #8 0x90770ae0 in __CFRunLoopDoTimer () #9 0x9075d458 in __CFRunLoopRun () #10 0x9075ca0c in CFRunLoopRunSpecific () #11 0x93182260 in RunCurrentEventLoopInMode () #12 0x9318186c in ReceiveNextEventCommon () #13 0x93181760 in BlockUntilNextEventMatchingListInMode () #14 0x93680904 in _DPSNextEvent () #15 0x936805c8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #16 0x9367cb0c in -[NSApplication run] () #17 0x9376d618 in NSApplicationMain () #18 0x000eafa4 in main (argc=1, argv=0xbffff85c) at /Volumes/Stuff/Projects/WKOpen2/ WebKitTools/DrawTest/main.m:28 Which is total nonsense. 21992 2 4351 eric 2005-10-13 14:47:18 -0700 Created attachment 4351 Reduced test case. This test is more reduced than before, but still could be smaller. 22076 3 4357 julien.palmas 2005-10-14 05:06:11 -0700 Created attachment 4357 More reduced test case This very simple SVG example causes the crash. This example would not make sense though. More information is needed to create a proper SVG. 22077 4 julien.palmas 2005-10-14 05:07:43 -0700 Needs to change the keyword to HasReduction 22084 5 4359 julien.palmas 2005-10-14 08:15:43 -0700 Created attachment 4359 Proposed patch Checks isSVGElement() and prints an error message if not the case. 22091 6 4359 eric 2005-10-14 08:41:38 -0700 Comment on attachment 4359 Proposed patch This is a wonderful isolation of the problem. We now know *what* is going wrong, but not yet *why*. This fix notices a symtom of the problem (that somehow we have an animation setup pointing at a KDOM element instead of a KSVG2 element) but does not answer the question why? and is "too late" a place to fix. We need to find out why this gets set up this way in the first place, and make this check earlier. "tit.key()" is typed SVGElementImpl, according to the map... so the fact that something other than an SVGElementImpl got in there is the bug, not that when pulling it out we didn't check correctly. This is a good start, but not the right fix yet. 22094 7 4361 julien.palmas 2005-10-14 10:44:15 -0700 Created attachment 4361 new patch a static_cast in SVGAnimationElementImpl::targetElement() was converting KDOM::XMLElementImpl to SVGElementImpl for not yet implemented elements. 22099 8 4361 eric 2005-10-14 13:11:33 -0700 Comment on attachment 4361 new patch This shoudl use the svg_dynamic_cast function instead. 4351 2005-10-13 14:47:18 -0700 2005-10-13 14:47:18 -0700 Reduced test case. animate_filter_crash.svg image/svg+xml 886 eric PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iaXNvLTg4NTktMSIgc3RhbmRhbG9uZT0ibm8i Pz4NCjwhRE9DVFlQRSBzdmcgUFVCTElDICItLy9XM0MvL0RURCBTVkcgMS4wLy9FTiIgImh0dHA6 Ly93d3cudzMub3JnL1RSLzIwMDEvUkVDLVNWRy0yMDAxMDkwNC9EVEQvc3ZnMTAuZHRkIj4NCjxz dmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDov L3d3dy53My5vcmcvMTk5OS94bGluayIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSI+DQoJPGRl ZnM+DQoJCTxmaWx0ZXIgaWQ9ImYxIiBmaWx0ZXJVbml0cz0ib2JqZWN0Qm91bmRpbmdCb3giIHg9 IjAlIiB5PSIwJSIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSI+DQoJCQk8ZmVEaWZmdXNlTGln aHRpbmcgbGlnaHRpbmctY29sb3I9InJnYigyNTUsMjU1LDI1NSkiIGRpZmZ1c2VDb25zdGFudD0i MSI+DQoJCQkJPGFuaW1hdGUgYXR0cmlidXRlTmFtZT0ibGlnaHRpbmctY29sb3IiIGJlZ2luPSIw IiBkdXI9IjEyMHMiIGNhbGNNb2RlPSJsaW5lYXIiIHZhbHVlcz0icmdiKDEwMCwxMDAsMTAwKTty Z2IoNjUsMTE5LDgzKTtyZ2IoNzksNTMsMTY2KTtyZ2IoMjA0LDEwOCw1OSk7cmdiKDEwMCwxMDAs MTAwKSIga2V5VGltZXM9IjA7MC4yNTswLjUwOzAuNzU7MSIgcmVwZWF0Q291bnQ9ImluZGVmaW5p dGUiLz4NCgkJCQk8ZmVTcG90TGlnaHQgeD0iODAwIiB5PSI0NTAiIHo9IjI1MCIgcG9pbnRzQXRY PSI1MTIiIHBvaW50c0F0WT0iMzY0IiBwb2ludHNBdFo9Ii00MDAiIHNwZWN1bGFyRXhwb25lbnQ9 IjE1IiBsaW1pdGluZ0NvbmVBbmdsZT0iMjAwIi8+DQoJCQk8L2ZlRGlmZnVzZUxpZ2h0aW5nPg0K CQk8L2ZpbHRlcj4NCgk8L2RlZnM+DQo8L3N2Zz4NCg== 4357 2005-10-14 05:06:11 -0700 2005-10-14 05:06:11 -0700 More reduced test case 5336_reduced.svg image/svg+xml 153 julien.palmas PHN2ZyB3aWR0aD0iMTAwJSIgaGVpZ2h0PSIxMDAlIj4KICAgICAgICA8ZmVEaWZmdXNlTGlnaHRp bmc+DQogICAgICAgICAgICA8YW5pbWF0ZSBhdHRyaWJ1dGVOYW1lPSJsaWdodGluZy1jb2xvciIg Lz4NCiAgICAgICAgPC9mZURpZmZ1c2VMaWdodGluZz4KPC9zdmc+ 4359 2005-10-14 08:15:43 -0700 2005-10-14 10:44:15 -0700 Proposed patch patch_5336 text/plain 2422 julien.palmas SW5kZXg6IG1pc2MvS1NWR1RpbWVTY2hlZHVsZXIuY3BwCj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KUkNTIGZpbGU6IC9j dnMvcm9vdC9TVkdTdXBwb3J0L2tzdmcyL21pc2MvS1NWR1RpbWVTY2hlZHVsZXIuY3BwLHYKcmV0 cmlldmluZyByZXZpc2lvbiAxLjgKZGlmZiAtdSAtcCAtcjEuOCBLU1ZHVGltZVNjaGVkdWxlci5j cHAKLS0tIG1pc2MvS1NWR1RpbWVTY2hlZHVsZXIuY3BwCTUgT2N0IDIwMDUgMDU6MzU6MTMgLTAw MDAJMS44CisrKyBtaXNjL0tTVkdUaW1lU2NoZWR1bGVyLmNwcAkxNCBPY3QgMjAwNSAxNToxNzo0 NyAtMDAwMApAQCAtMzAwLDggKzMwMCwxMCBAQCB2b2lkIFNWR1RpbWVyOjpub3RpZnlBbGwoKQog ICAgICAgICAgICAgU1ZHRWxlbWVudEltcGwgKmtleSA9IHRpdC5rZXkoKTsKICAgICAgICAgICAg IFNWR1RyYW5zZm9ybWFibGVJbXBsICp0cmFuc2Zvcm0gPSBkeW5hbWljX2Nhc3Q8U1ZHVHJhbnNm b3JtYWJsZUltcGwgKj4oa2V5KTsKIAotICAgICAgICAgICAgaWYoa2V5ICYmIGtleS0+aXNTdHls ZWQoKSAmJiB0cmFuc2Zvcm0pCi0gICAgICAgICAgICB7CisgICAgICAgICAgICBpZihrZXkgJiYg IWtleS0+aXNTVkdFbGVtZW50KCkpCisgICAgICAgICAgICAgICAgZnByaW50ZihzdGRlcnIsICJX QVJOSU5HOiBVc2luZyA8YW5pbWF0ZVRyYW5zZm9ybT4gZm9yIGEgbm90IHlldCBpbXBsZW1lbnRl ZCBlbGVtZW50XG4iKTsKKyAgICAgICAgICAgIAorICAgICAgICAgICAgaWYoa2V5ICYmIGtleS0+ aXNTVkdFbGVtZW50KCkgJiYga2V5LT5pc1N0eWxlZCgpICYmIHRyYW5zZm9ybSkgewogICAgICAg ICAgICAgICAgIHRyYW5zZm9ybS0+dHJhbnNmb3JtKCktPnNldEFuaW1WYWwodGFyZ2V0VHJhbnNm b3Jtcyk7CiAKICAgICAgICAgICAgICAgICAvLyBTd2l0Y2ggdG8gbmV3bHkgY3JlYXRlZCBiYXNl VmFsLi4uCkBAIC0zMzQsNyArMzM2LDExIEBAIHZvaWQgU1ZHVGltZXI6Om5vdGlmeUFsbCgpCiAg ICAgZm9yKHRpdCA9IHRhcmdldE1hcC5iZWdpbigpOyB0aXQgIT0gdGVuZDsgKyt0aXQpCiAgICAg ewogICAgICAgICBTVkdFbGVtZW50SW1wbCAqa2V5ID0gdGl0LmtleSgpOwotICAgICAgICBpZihr ZXkgJiYga2V5LT5pc1N0eWxlZCgpKQorICAgICAgICAKKyAgICAgICAgaWYoa2V5ICYmICFrZXkt PmlzU1ZHRWxlbWVudCgpKQorICAgICAgICAgICAgZnByaW50ZihzdGRlcnIsICJXQVJOSU5HOiBV c2luZyBhbmltYXRpb24gZm9yIGEgbm90IHlldCBpbXBsZW1lbnRlZCBlbGVtZW50XG4iKTsKKyAg ICAgICAgCisgICAgICAgIGlmKGtleSAmJiBrZXktPmlzU1ZHRWxlbWVudCgpICYmIGtleS0+aXNT dHlsZWQoKSkKICAgICAgICAgICAgIHN0YXRpY19jYXN0PFNWR1N0eWxlZEVsZW1lbnRJbXBsICo+ KGtleSktPnNldENoYW5nZWQodHJ1ZSk7CiAgICAgfQogfQpJbmRleDogc3ZnL1NWR0FuaW1hdGlv bkVsZW1lbnRJbXBsLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJDUyBmaWxlOiAvY3ZzL3Jvb3QvU1ZHU3VwcG9y dC9rc3ZnMi9zdmcvU1ZHQW5pbWF0aW9uRWxlbWVudEltcGwuY3BwLHYKcmV0cmlldmluZyByZXZp c2lvbiAxLjgKZGlmZiAtdSAtcCAtcjEuOCBTVkdBbmltYXRpb25FbGVtZW50SW1wbC5jcHAKLS0t IHN2Zy9TVkdBbmltYXRpb25FbGVtZW50SW1wbC5jcHAJNSBPY3QgMjAwNSAwNTozNToxNyAtMDAw MAkxLjgKKysrIHN2Zy9TVkdBbmltYXRpb25FbGVtZW50SW1wbC5jcHAJMTQgT2N0IDIwMDUgMTU6 MTc6NDggLTAwMDAKQEAgLTUwMSw3ICs1MDEsMTEgQEAgS0RPTTo6RE9NU3RyaW5nSW1wbCAqU1ZH QW5pbWF0aW9uRWxlbWVudAogICAgIAogICAgIFNWR0VsZW1lbnRJbXBsICp0YXJnZXQgPSB0YXJn ZXRFbGVtZW50KCk7CiAgICAgU1ZHU3R5bGVkRWxlbWVudEltcGwgKnN0eWxlZCA9IE5VTEw7Ci0g ICAgaWYgKHRhcmdldCAmJiB0YXJnZXQtPmlzU3R5bGVkKCkpCisgICAgCisgICAgaWYodGFyZ2V0 ICYmICF0YXJnZXQtPmlzU1ZHRWxlbWVudCgpKQorICAgICAgICBmcHJpbnRmKHN0ZGVyciwgIldB Uk5JTkc6IFVzaW5nIGFuaW1hdGlvbiBmb3IgYSBub3QgeWV0IGltcGxlbWVudGVkIGVsZW1lbnRc biIpOworICAgIAorICAgIGlmICh0YXJnZXQgJiYgdGFyZ2V0LT5pc1NWR0VsZW1lbnQoKSAmJiB0 YXJnZXQtPmlzU3R5bGVkKCkpCiAgICAgICAgIHN0eWxlZCA9IHN0YXRpY19jYXN0PFNWR1N0eWxl ZEVsZW1lbnRJbXBsICo+KHRhcmdldCk7CiAgICAgS0RPTTo6Q0RGSW50ZXJmYWNlICppbnRlcmZh Y2UgPSAoc3R5bGVkID8gc3R5bGVkLT5vd25lckRvY3VtZW50KCktPmltcGxlbWVudGF0aW9uKCkt PmNkZkludGVyZmFjZSgpIDogMCk7CiAgICAgCg== 4361 2005-10-14 10:44:15 -0700 2005-10-14 13:11:33 -0700 new patch patch_5336_2 text/plain 815 julien.palmas PyAuRFNfU3RvcmUKSW5kZXg6IFNWR0FuaW1hdGlvbkVsZW1lbnRJbXBsLmNwcAo9PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 ClJDUyBmaWxlOiAvY3ZzL3Jvb3QvU1ZHU3VwcG9ydC9rc3ZnMi9zdmcvU1ZHQW5pbWF0aW9uRWxl bWVudEltcGwuY3BwLHYKcmV0cmlldmluZyByZXZpc2lvbiAxLjgKZGlmZiAtdSAtcCAtcjEuOCBT VkdBbmltYXRpb25FbGVtZW50SW1wbC5jcHAKLS0tIFNWR0FuaW1hdGlvbkVsZW1lbnRJbXBsLmNw cAk1IE9jdCAyMDA1IDA1OjM1OjE3IC0wMDAwCTEuOAorKysgU1ZHQW5pbWF0aW9uRWxlbWVudElt cGwuY3BwCTE0IE9jdCAyMDA1IDE3OjQzOjU2IC0wMDAwCkBAIC0xMDQsNyArMTA0LDkgQEAgU1ZH RWxlbWVudEltcGwgKlNWR0FuaW1hdGlvbkVsZW1lbnRJbXBsOgogICAgICAgICAgICAgICAgICAg ICBicmVhazsKICAgICAgICAgICAgIH0KICAgICAgICAgICAgIAotICAgICAgICAgICAgbV90YXJn ZXRFbGVtZW50ID0gc3RhdGljX2Nhc3Q8U1ZHRWxlbWVudEltcGwgKj4odGFyZ2V0KTsKKyAgICAg ICAgICAgIC8vIEVsZW1lbnRzIHRoYXQgYXJlIG5vdCB5ZXQgaW1wbGVtZW50ZWQgYXJlIGluc3Rh bmNlcyBvZiBLRE9NOjpYTUxFbGVtZW50SW1wbAorICAgICAgICAgICAgaWYgKHRhcmdldC0+aXNT VkdFbGVtZW50KCkpCisgICAgICAgICAgICAgICAgbV90YXJnZXRFbGVtZW50ID0gc3RhdGljX2Nh c3Q8U1ZHRWxlbWVudEltcGwgKj4odGFyZ2V0KTsKICAgICAgICAgfQogICAgIH0KICAgICAgICAg ICAgICAgICAgICAgICAgIAo=