Bug 106428

Summary: Assertion failure in SVGAnimatedPath.
Product: WebKit
Component: SVG
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Reporter: Renata Hodovan <rhodovan.u-szeged>
Assignee: Renata Hodovan <rhodovan.u-szeged>
CC: d-r, fmalita, krit, pdr, schenney, webkit.review.bot, zherczeg, zimmermann
Bug Depends on:
Bug Blocks: 116980

Renata Hodovan
Reported 2013-01-09 01:48:16 PST
Created attachment 181877 [details]
Test

During SVG fuzzing I got a crash in the debug WebKit with the attached test:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4a3ed8e in WebCore::SVGAnimatedPathAnimator::startAnimValAnimation (this=0x98d400, animatedTypes=...) at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimatedPath.cpp:45
45          ASSERT(animatedTypes.size() == 1);

Backtrace:
(gdb) bt
#0  0x00007ffff4a3ed8e in WebCore::SVGAnimatedPathAnimator::startAnimValAnimation (this=0x98d400, animatedTypes=...) at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimatedPath.cpp:45
#1  0x00007ffff4a52f07 in WebCore::SVGAnimateElement::resetAnimatedType (this=0x9906c0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimateElement.cpp:214
#2  0x00007ffff49fb0cf in WebCore::SVGSMILElement::progress (this=0x9906c0, elapsed=..., resultElement=0x9906c0, seekToTime=false) at /home/reni/WebKit-git/Source/WebCore/svg/animation/SVGSMILElement.cpp:1104
#3  0x00007ffff49f09a5 in WebCore::SMILTimeContainer::updateAnimations (this=0x965eb0, elapsed=..., seekToTime=false) at /home/reni/WebKit-git/Source/WebCore/svg/animation/SMILTimeContainer.cpp:296
#4  0x00007ffff49efea6 in WebCore::SMILTimeContainer::begin (this=0x965eb0) at /home/reni/WebKit-git/Source/WebCore/svg/animation/SMILTimeContainer.cpp:142
#5  0x00007ffff4a18b8b in WebCore::SVGDocumentExtensions::startAnimations (this=0x967eb0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGDocumentExtensions.cpp:104
#6  0x00007ffff3e1d4c7 in WebCore::Document::implicitClose (this=0x960840) at /home/reni/WebKit-git/Source/WebCore/dom/Document.cpp:2486
#7  0x00007ffff42e45fb in WebCore::FrameLoader::checkCallImplicitClose (this=0x719c28) at /home/reni/WebKit-git/Source/WebCore/loader/FrameLoader.cpp:833
#8  0x00007ffff42e4381 in WebCore::FrameLoader::checkCompleted (this=0x719c28) at /home/reni/WebKit-git/Source/WebCore/loader/FrameLoader.cpp:776
#9  0x00007ffff42e40e6 in WebCore::FrameLoader::finishedParsing (this=0x719c28) at /home/reni/WebKit-git/Source/WebCore/loader/FrameLoader.cpp:709
#10 0x00007ffff3e24b87 in WebCore::Document::finishedParsing (this=0x960840) at /home/reni/WebKit-git/Source/WebCore/dom/Document.cpp:4421
#11 0x00007ffff48148a9 in WebCore::XMLDocumentParser::end (this=0x71fde0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParser.cpp:217
#12 0x00007ffff48148e6 in WebCore::XMLDocumentParser::finish (this=0x71fde0) at /home/reni/WebKit-git/Source/WebCore/xml/parser/XMLDocumentParser.cpp:229
#13 0x00007ffff42da3d6 in WebCore::DocumentWriter::end (this=0x74fa58) at /home/reni/WebKit-git/Source/WebCore/loader/DocumentWriter.cpp:244
#14 0x00007ffff42ca598 in WebCore::DocumentLoader::finishedLoading (this=0x74f9b0) at /home/reni/WebKit-git/Source/WebCore/loader/DocumentLoader.cpp:295
#15 0x00007ffff43055d6 in WebCore::MainResourceLoader::didFinishLoading (this=0x750b10, finishTime=0) at /home/reni/WebKit-git/Source/WebCore/loader/MainResourceLoader.cpp:558
Attachments
Test (228 bytes, image/svg+xml)
2013-01-09 01:48 PST, Renata Hodovan
no flags
Proposed patch (4.56 KB, patch)
2013-01-09 04:57 PST, Renata Hodovan
allan.jensen: review+
Renata Hodovan
Comment 1 2013-01-09 04:57:47 PST
Created attachment 181897 [details] Proposed patch
Philip Rogers
Comment 2 2013-01-09 11:55:13 PST
(In reply to comment #1)
> Created an attachment (id=181897) [details]
> Proposed patch

This looks reasonable to me. I wonder why we even had that assertion in the first place, since we seem to iterate over the values right below the assertion.
Renata Hodovan
Comment 3 2013-03-18 10:40:50 PDT