97291 2012-09-20 22:18:57 -0700 Assertion failed on dynamically inserted <animation> element 2012-10-01 01:01:22 -0700 1 1 1 Unclassified WebKit SVG 420+ Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 morrita webkit-unassigned fmalita inferno pdr schenney simon.fraser webkit.review.bot zimmermann oldest_to_newest 725153 0 165045 morrita 2012-09-20 22:18:57 -0700 Created attachment 165045 A reproduction. This upstreams http://code.google.com/p/chromium/issues/detail?id=150966 725154 1 165046 morrita 2012-09-20 22:26:46 -0700 Created attachment 165046 A repro 725156 2 morrita 2012-09-20 22:27:39 -0700 Callstack: SHOULD NEVER BE REACHED Source/WebCore/svg/SVGElement.cpp(572) : virtual WebCore::SVGAttributeToPropertyMap& WebCore::SVGElement::localAttributeToPropertyMap() 1 0x1fdcb7d .... Program received signal SIGSEGV, Segmentation fault. 0x0000000001fdcb87 in WebCore::SVGElement::localAttributeToPropertyMap (this=0x7fffec5c6e80) at Source/WebCore/svg/SVGElement.cpp:572 572 ASSERT_NOT_REACHED(); (gdb) bt 20 #0 0x0000000001fdcb87 in WebCore::SVGElement::localAttributeToPropertyMap (this=0x7fffec5c6e80) at Source/WebCore/svg/SVGElement.cpp:572 #1 0x0000000001fdbbf5 in WebCore::SVGElement::animatedPropertyTypeForAttribute (this=0x7fffec5c6e80, attributeName=..., propertyTypes=...) at Source/WebCore/svg/SVGElement.cpp:338 #2 0x0000000001fb38e2 in WebCore::SVGAnimateElement::determineAnimatedPropertyType (this=0x7fffec07c580, targetElement=0x7fffec5c6e80) at Source/WebCore/svg/SVGAnimateElement.cpp:68 #3 0x0000000001fb568f in WebCore::SVGAnimateElement::targetElementWillChange (this=0x7fffec07c580, currentTarget=0x0, newTarget=0x7fffec5c6e80) at Source/WebCore/svg/SVGAnimateElement.cpp:408 #4 0x000000000207468b in WebCore::SVGSMILElement::targetElement (this=0x7fffec07c580) at Source/WebCore/svg/animation/SVGSMILElement.cpp:566 #5 0x000000000206e013 in WebCore::SMILTimeContainer::updateAnimations (this=0x7ffff7ec70c0, elapsed=..., seekToTime=false) at Source/WebCore/svg/animation/SMILTimeContainer.cpp:229 #6 0x000000000206d8f6 in WebCore::SMILTimeContainer::begin (this=0x7ffff7ec70c0) at Source/WebCore/svg/animation/SMILTimeContainer.cpp:100 #7 0x0000000001fc6ee2 in WebCore::SVGDocumentExtensions::startAnimations (this=0x7ffff7e68500) at Source/WebCore/svg/SVGDocumentExtensions.cpp:105 #8 0x0000000000875128 in WebCore::Document::implicitClose (this=0x7ffff7f04000) at Source/WebCore/dom/Document.cpp:2609 #9 0x0000000001697a9d in WebCore::FrameLoader::checkCallImplicitClose (this=0x7ffff7ea0498) at Source/WebCore/loader/FrameLoader.cpp:807 #10 0x000000000169780d in WebCore::FrameLoader::checkCompleted (this=0x7ffff7ea0498) at Source/WebCore/loader/FrameLoader.cpp:750 #11 0x000000000169755d in WebCore::FrameLoader::finishedParsing (this=0x7ffff7ea0498) at Source/WebCore/loader/FrameLoader.cpp:683 #12 0x000000000087de9e in WebCore::Document::finishedParsing (this=0x7ffff7f04000) at Source/WebCore/dom/Document.cpp:4899 #13 0x00000000017f84e5 in WebCore::XMLDocumentParser::end (this=0x7ffff7e9d900) at Source/WebCore/xml/parser/XMLDocumentParser.cpp:212 #14 0x00000000017f851e in WebCore::XMLDocumentParser::finish (this=0x7ffff7e9d900) at Source/WebCore/xml/parser/XMLDocumentParser.cpp:224 #15 0x000000000168adcf in WebCore::DocumentWriter::end (this=0x7ffff7f030c0) at Source/WebCore/loader/DocumentWriter.cpp:244 #16 0x00000000016797e7 in WebCore::DocumentLoader::finishedLoading (this=0x7ffff7f03000) at Source/WebCore/loader/DocumentLoader.cpp:300 #17 0x00000000016b5851 in WebCore::MainResourceLoader::didFinishLoading (this=0x7fffec568200, finishTime=0) at Source/WebCore/loader/MainResourceLoader.cpp:525 #18 0x00000000016c99c5 in WebCore::ResourceLoader::didFinishLoading (this=0x7fffec568200, finishTime=0) at Source/WebCore/loader/ResourceLoader.cpp:441 #19 0x0000000002b243ee in WebCore::ResourceHandleInternal::didFinishLoading (this=0x7fffec631700, finishTime=0) at Source/WebCore/platform/network/chromium/ResourceHandle.cpp:156 725159 3 165048 morrita 2012-09-20 22:32:07 -0700 Created attachment 165048 reduced further 725161 4 165049 morrita 2012-09-20 22:34:21 -0700 Created attachment 165049 We don't need any script after all. 725163 5 165051 morrita 2012-09-20 22:34:53 -0700 Created attachment 165051 We don't need any script after all. 729174 6 165920 pdr 2012-09-26 20:49:19 -0700 Created attachment 165920 Remove overzealous assert This bug turned out to be fairly trivial: we should correctly determine that a non-SVG tag in SVG content cannot animate. I am also removing the security flag on this bug. This bug originated as part of a security issue but this bug is not security related. 731445 7 165920 zimmermann 2012-10-01 00:56:53 -0700 Comment on attachment 165920 Remove overzealous assert Good explanation, r=me. 731451 8 165920 webkit.review.bot 2012-10-01 01:01:17 -0700 Comment on attachment 165920 Remove overzealous assert Clearing flags on attachment: 165920 Committed r130011: <http://trac.webkit.org/changeset/130011> 731452 9 webkit.review.bot 2012-10-01 01:01:22 -0700 All reviewed patches have been landed. Closing bug. 165045 2012-09-20 22:18:57 -0700 2012-09-20 22:26:46 -0700 A reproduction. cr150996.svg image/svg+xml 399 morrita PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxnIGlkPSJ0YXJnZXQi PgogICAgPGF1ZGlvPgogICAgICA8YW5pbWF0ZT48L2FuaW1hdGU+CiAgICA8L2F1ZGlvPgogIDwv Zz4KPHNjcmlwdD4KZnVuY3Rpb24gcnVuKCkgewogICAgdmFyIHRhcmdldCA9IGRvY3VtZW50Lmdl dEVsZW1lbnRCeUlkKCJ0YXJnZXQiKTsKICAgIGRvY3VtZW50LmltcGxlbWVudGF0aW9uLmNyZWF0 ZURvY3VtZW50KCIiLCAiIiwgbnVsbCkuYWRvcHROb2RlKHRhcmdldCk7CiAgICBkb2N1bWVudC5k b2N1bWVudEVsZW1lbnQuYXBwZW5kQ2hpbGQodGFyZ2V0KTsKfQpkb2N1bWVudC5hZGRFdmVudExp c3RlbmVyKCJET01Db250ZW50TG9hZGVkIiwgcnVuLCBmYWxzZSk7Cjwvc2NyaXB0Pgo8L3N2Zz4K 165046 2012-09-20 22:26:46 -0700 2012-09-20 22:32:07 -0700 A repro cr150996.svg image/svg+xml 415 morrita PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxnIGlkPSJ0YXJnZXQi PgogICAgPG5vc3VjaGVsZW1lbnQ+CiAgICAgIDxhbmltYXRlPjwvYW5pbWF0ZT4KICAgIDwvbm9z dWNoZWxlbWVudD4KICA8L2c+CjxzY3JpcHQ+CmZ1bmN0aW9uIHJ1bigpIHsKICAgIHZhciB0YXJn ZXQgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgidGFyZ2V0Iik7CiAgICBkb2N1bWVudC5pbXBs ZW1lbnRhdGlvbi5jcmVhdGVEb2N1bWVudCgiIiwgIiIsIG51bGwpLmFkb3B0Tm9kZSh0YXJnZXQp OwogICAgZG9jdW1lbnQuZG9jdW1lbnRFbGVtZW50LmFwcGVuZENoaWxkKHRhcmdldCk7Cn0KZG9j dW1lbnQuYWRkRXZlbnRMaXN0ZW5lcigiRE9NQ29udGVudExvYWRlZCIsIHJ1biwgZmFsc2UpOwo8 L3NjcmlwdD4KPC9zdmc+Cg== 165048 2012-09-20 22:32:07 -0700 2012-09-20 22:34:21 -0700 reduced further cr150996.svg image/svg+xml 339 morrita PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxnIGlkPSJ0YXJnZXQi PgogICAgPG5vc3VjaGVsZW1lbnQ+CiAgICAgIDxhbmltYXRlPjwvYW5pbWF0ZT4KICAgIDwvbm9z dWNoZWxlbWVudD4KICA8L2c+CjxzY3JpcHQ+CmZ1bmN0aW9uIHJ1bigpIHsKICAgIHZhciB0YXJn ZXQgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgidGFyZ2V0Iik7CiAgICBkb2N1bWVudC5kb2N1 bWVudEVsZW1lbnQuYXBwZW5kQ2hpbGQodGFyZ2V0KTsKfQpkb2N1bWVudC5hZGRFdmVudExpc3Rl bmVyKCJET01Db250ZW50TG9hZGVkIiwgcnVuLCBmYWxzZSk7Cjwvc2NyaXB0Pgo8L3N2Zz4K 165049 2012-09-20 22:34:21 -0700 2012-09-20 22:34:53 -0700 We don't need any script after all. cr150996.svg image/svg+xml 140 morrita PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxnIGlkPSJ0YXJnZXQi PgogICAgPG5vc3VjaGVsZW1lbnQ+CiAgICAgIDxhbmltYXRlPjwvYW5pbWF0ZT4KICAgIDwvbm9z dWNoZWxlbWVudD4KICA8L2c+Cjwvc3ZnPgo= 165051 2012-09-20 22:34:53 -0700 2012-09-20 22:34:53 -0700 We don't need any script after all. cr150996.svg image/svg+xml 140 morrita PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxnIGlkPSJ0YXJnZXQi PgogICAgPG5vc3VjaGVsZW1lbnQ+CiAgICAgIDxhbmltYXRlPjwvYW5pbWF0ZT4KICAgIDwvbm9z dWNoZWxlbWVudD4KICA8L2c+Cjwvc3ZnPgo= 165920 2012-09-26 20:49:19 -0700 2012-10-01 01:01:17 -0700 Remove overzealous assert 97291.1.patch text/plain 2074 pdr SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDEyOTcyNCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDI2IEBACisyMDEyLTA5LTI2ICBQaGlsaXAg Um9nZXJzICA8cGRyQGdvb2dsZS5jb20+CisKKyAgICAgICAgUmVtb3ZlIG92ZXJ6ZWFsb3VzIGFz c2VydCBpbiBTVkdFbGVtZW50Ojpsb2NhbEF0dHJpYnV0ZVRvUHJvcGVydHlNYXAKKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTk3MjkxCisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhpcyBwYXRjaCByZW1vdmVz IGFuIGFzc2VydCB3aGVyZSB3ZSBkaWQgbm90IGV4cGVjdAorICAgICAgICBTVkdFbGVtZW50Ojps b2NhbEF0dHJpYnV0ZVRvUHJvcGVydHlNYXAgd2hlcmUgd2UgZGlkIG5vdCB0byBiZSBjYWxsZWQu IFRoaXMKKyAgICAgICAgZnVuY3Rpb24gdHVybnMgb3V0IHRvIGJlIHVzZWZ1bCBhbmQgdGhpcyBw YXRjaCByZW1vdmVzIHRoYXQgYXNzZXJ0LgorCisgICAgICAgIElmIHdlIGVuY291bnRlciBhIG5v bi1TVkcgdGFnIGR1cmluZyBTVkcgcGFyc2luZyAoZS5nLiA8c3ZnPjxwcmljZT48L3N2Zz4pIHdl IHJldHVybiBhCisgICAgICAgIHZhbmlsbGEgU1ZHRWxlbWVudCBpbnN0YW5jZSBmcm9tIFNWR0Vs ZW1lbnRGYWN0b3J5OjpjcmVhdGVTVkdFbGVtZW50LiBQcmV2aW91c2x5LAorICAgICAgICB0cnlp bmcgdG8gYW5pbWF0ZSB0aGlzIHdvdWxkIEFTU0VSVCBiZWNhdXNlIGl0IHdhcyBub3QgcG9zc2li bGUgdG8gZGV0ZXJtaW5lIHRoZQorICAgICAgICBhbmltYXRlZCB0eXBlLiBBZnRlciB0aGlzIHBh dGNoLCBhbiBlbXB0eSBsb2NhbEF0dHJpYnV0ZVRvUHJvcGVydHlNYXAgaXMgdXNlZCBzbworICAg ICAgICB0aGF0IHRoZSBhbmltYXRlZCB0eXBlIHJldHVybmVkIGZyb20gU1ZHQW5pbWF0ZUVsZW1l bnQ6OmRldGVybWluZUFuaW1hdGVkUHJvcGVydHlUeXBlCisgICAgICAgIGlzIEFuaW1hdGVkVW5r bm93bi4KKworICAgICAgICBUaGlzIHBhdGNoIHNpbXBseSByZW1vdmVzIGFuIEFTU0VSVCBzbyBu byB0ZXN0IGlzIHByb3ZpZGVkLgorCisgICAgICAgICogc3ZnL1NWR0VsZW1lbnQuY3BwOgorICAg ICAgICAoV2ViQ29yZTo6U1ZHRWxlbWVudDo6bG9jYWxBdHRyaWJ1dGVUb1Byb3BlcnR5TWFwKToK KwogMjAxMi0wOC0wOSAgVGFrYXNoaSBTYWthbW90byAgPHRhc2FrQGdvb2dsZS5jb20+CiAKICAg ICAgICAgTW92ZSBJREwgZXh0ZW5kZWQgYXR0cmlidXRlcyB0byB0aGUgbG9jYXRpb24gc3BlY2lm aWVkIGluIFdlYklETApJbmRleDogU291cmNlL1dlYkNvcmUvc3ZnL1NWR0VsZW1lbnQuY3BwCj09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3JlL3N2Zy9TVkdFbGVtZW50LmNwcAkocmV2aXNpb24g MTI5NjcxKQorKysgU291cmNlL1dlYkNvcmUvc3ZnL1NWR0VsZW1lbnQuY3BwCSh3b3JraW5nIGNv cHkpCkBAIC01NjksMTAgKzU2OSw4IEBAIHZvaWQgU1ZHRWxlbWVudDo6dXBkYXRlQW5pbWF0ZWRT VkdBdHRyaWIKIAogU1ZHQXR0cmlidXRlVG9Qcm9wZXJ0eU1hcCYgU1ZHRWxlbWVudDo6bG9jYWxB dHRyaWJ1dGVUb1Byb3BlcnR5TWFwKCkKIHsKLSAgICBBU1NFUlRfTk9UX1JFQUNIRUQoKTsKLQot ICAgIERFRklORV9TVEFUSUNfTE9DQUwoU1ZHQXR0cmlidXRlVG9Qcm9wZXJ0eU1hcCwgZHVtbXlN YXAsICgpKTsKLSAgICByZXR1cm4gZHVtbXlNYXA7CisgICAgREVGSU5FX1NUQVRJQ19MT0NBTChT VkdBdHRyaWJ1dGVUb1Byb3BlcnR5TWFwLCBlbXB0eU1hcCwgKCkpOworICAgIHJldHVybiBlbXB0 eU1hcDsKIH0KIAogdm9pZCBTVkdFbGVtZW50OjpzeW5jaHJvbml6ZVJlcXVpcmVkRmVhdHVyZXMo dm9pZCogY29udGV4dEVsZW1lbnQpCg==