Bug 109699
| Summary: | ASSERT(m_context->document()->documentElement() != m_context) in SVGLengthContext | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Renata Hodovan <rhodovan.u-szeged> |
| Component: | SVG | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Normal | CC: | fmalita, krit, pdr, zherczeg, zimmermann |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Bug Depends on: | | | |
| Bug Blocks: | 116980 | | |
Renata Hodovan
During SVG Fuzzing I've got an assertion failure:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4d23494 in WebCore::SVGLengthContext::determineViewport (this=0x7fffffffc640, width=@0x7fffffffc4f8: 0, height=@0x7fffffffc4fc: 0)
at /home/reni/Data/REPOS/webkit/Source/WebCore/svg/SVGLengthContext.cpp:298
298 ASSERT(m_context->document()->documentElement() != m_context);
The test was:
<svg xmlns="http://www.w3.org/2000/svg">
<animate attributeName="width" to="0%"></animate>
</svg>
Florin Malita
Thanks Reni.
Looks like (percentage?) animation of <svg> attributes hits an invalid code path.
SVGLengthContext::determineViewport():
// SVGLengthContext should NEVER be used to resolve width/height values for <svg> elements,
// as they require special treatment, due the relationship with the CSS width/height properties.
ASSERT(m_context->document()->documentElement() != m_context);
I'm not familiar with animations, but I'm guessing that special handling of <svg> targets may just not be implemented? I know Phil's been poking in this area so maybe he has more insight.
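Added example, not part of the bug report and not WebKit code: a triage helper for a fuzzing corpus that flags SVG inputs shaped like the reported test case, so duplicates of this assertion can be grouped before they are debugged. The matching rule (an `<animate>` or `<set>` applying a percentage to `width`/`height` of the outermost `<svg>`) is an assumption generalised from the single test case and the guess in the comment above; all function and constant names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ANIMATION_TAGS = {f"{{{SVG_NS}}}animate", f"{{{SVG_NS}}}set"}
LENGTH_ATTRS = {"width", "height"}
VALUE_ATTRS = ("from", "to", "by", "values")
PERCENT = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)%")


def root_percentage_animations(svg_text):
    """Return (attributeName, value attribute, value) for every animation that
    applies a percentage to width/height of the outermost <svg> element."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return []  # fuzzer output is often not well-formed; nothing to classify
    if root.tag != f"{{{SVG_NS}}}svg":
        return []
    parent_of = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for elem in root.iter():
        if elem.tag not in ANIMATION_TAGS or elem.get("attributeName") not in LENGTH_ATTRS:
            continue
        # The target is the href'd element if one is given, otherwise the parent.
        href = elem.get("href") or elem.get(XLINK_HREF)
        if href is not None:
            targets_root = root.get("id") is not None and href == "#" + root.get("id")
        else:
            targets_root = parent_of.get(elem) is root
        if not targets_root:
            continue
        for name in VALUE_ATTRS:
            for value in (elem.get(name) or "").split(";"):
                if PERCENT.fullmatch(value.strip()):
                    hits.append((elem.get("attributeName"), name, value.strip()))
    return hits


# REPORTED is the test case from the report; NESTED and BY_HREF are constructed.
REPORTED = """<svg xmlns="http://www.w3.org/2000/svg">
<animate attributeName="width" to="0%"></animate>
</svg>"""
NESTED = """<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10">
<animate attributeName="width" to="50%"/></rect></svg>"""
BY_HREF = """<svg xmlns="http://www.w3.org/2000/svg" id="r"><g>
<set attributeName="height" href="#r" to="10%"/></g></svg>"""
```

The nested case is not flagged because the animation targets a `<rect>`, which is not the document element the assertion checks for.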
Renata Hodovan
I cannot reproduce the issue anymore.