Bug 120284

Summary: ASSERTION FAILED: m_context->document()->documentElement() != m_context in WebCore::SVGLengthContext::determineViewport
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVG
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, dino, d-r, fmalita, gyuyoung.kim, koivisto, kondapallykalyan, pdr, rwlbuis, schenney, tgergely.u-szeged, zimmermann
Priority: P2
Keywords: BlinkMergeCandidate
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980

Attachments:
Description            Flags
Test case              none
patch fixes assertion  none
Updated patch.         none
Tests added back.      none

Description Renata Hodovan 2013-08-26 00:03:08 PDT
In this test case SVGLengthContext is used to resolve the width value of the <svg> element, which causes the assertion check to fail:

<svg xmlns="http://www.w3.org/2000/svg">
    <set attributeName="width"></set>
</svg>

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56f42bc in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56f42bc in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff4cba25a in WebCore::SVGLengthContext::determineViewport (this=0x7fffffffc610, width=@0x7fffffffc4c8: 0, height=@0x7fffffffc4cc: 0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGLengthContext.cpp:298
#2  0x00007ffff4cb9e03 in WebCore::SVGLengthContext::convertValueFromPercentageToUserUnits (this=0x7fffffffc610, value=1, mode=WebCore::LengthModeWidth, 
    ec=@0x7fffffffc570: 0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGLengthContext.cpp:189
#3  0x00007ffff4cb993b in WebCore::SVGLengthContext::convertValueToUserUnits (this=0x7fffffffc610, value=100, mode=WebCore::LengthModeWidth, 
    fromUnit=WebCore::LengthTypePercentage, ec=@0x7fffffffc570: 0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGLengthContext.cpp:110
#4  0x00007ffff4cb6ef1 in WebCore::SVGLength::value (this=0x9e9060, context=..., ec=@0x7fffffffc570: 0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGLength.cpp:194
#5  0x00007ffff4cb6e89 in WebCore::SVGLength::value (this=0x9e9060, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGLength.cpp:189
#6  0x00007ffff4c3b1dc in WebCore::SVGAnimatedLengthAnimator::calculateAnimatedValue (this=0x790110, percentage=1, repeatCount=0, from=0x9ea970, to=0x793be0, 
    toAtEndOfDuration=0x793be0, animated=0x791da0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGAnimatedLength.cpp:105
#7  0x00007ffff4c54e30 in WebCore::SVGAnimateElement::calculateAnimatedValue (this=0xa0c840, percentage=1, repeatCount=0, resultElement=0xa0c840)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGAnimateElement.cpp:141
#8  0x00007ffff4c5c78a in WebCore::SVGAnimationElement::updateAnimation (this=0xa0c840, percent=0, repeatCount=0, resultElement=0xa0c840)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGAnimationElement.cpp:632
#9  0x00007ffff4c07d33 in WebCore::SVGSMILElement::progress (this=0xa0c840, elapsed=..., resultElement=0xa0c840, seekToTime=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/animation/SVGSMILElement.cpp:1113
#10 0x00007ffff4bfdeeb in WebCore::SMILTimeContainer::updateAnimations (this=0x9e5110, elapsed=..., seekToTime=false)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/animation/SMILTimeContainer.cpp:293
#11 0x00007ffff4bfd3e5 in WebCore::SMILTimeContainer::begin (this=0x9e5110)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/animation/SMILTimeContainer.cpp:139
#12 0x00007ffff4c22d1b in WebCore::SVGDocumentExtensions::startAnimations (this=0x9e7160)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGDocumentExtensions.cpp:102
#13 0x00007ffff41af868 in WebCore::Document::implicitClose (this=0x9e0010) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2442
#14 0x00007ffff45af90d in WebCore::FrameLoader::checkCallImplicitClose (this=0x7d1878)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:850
#15 0x00007ffff45af67e in WebCore::FrameLoader::checkCompleted (this=0x7d1878) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:793
#16 0x00007ffff45af3b3 in WebCore::FrameLoader::finishedParsing (this=0x7d1878) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:726
#17 0x00007ffff41b67d9 in WebCore::Document::finishedParsing (this=0x9e0010) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4393
#18 0x00007ffff4a595a6 in WebCore::XMLDocumentParser::end (this=0x78fc90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/xml/parser/XMLDocumentParser.cpp:216
#19 0x00007ffff4a595e2 in WebCore::XMLDocumentParser::finish (this=0x78fc90)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/xml/parser/XMLDocumentParser.cpp:228
#20 0x00007ffff45a7213 in WebCore::DocumentWriter::end (this=0x693350) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:248
#21 0x00007ffff4599d52 in WebCore::DocumentLoader::finishedLoading (this=0x6932b0, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:402
#22 0x00007ffff4599ac0 in WebCore::DocumentLoader::notifyFinished (this=0x6932b0, resource=0x7b1110)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344
#23 0x00007ffff4580db6 in WebCore::CachedResource::checkNotify (this=0x7b1110)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#24 0x00007ffff4580e8c in WebCore::CachedResource::finishLoading (this=0x7b1110)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#25 0x00007ffff457d5de in WebCore::CachedRawResource::finishLoading (this=0x7b1110, data=0x7bb050)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#26 0x00007ffff45e3c41 in WebCore::SubresourceLoader::didFinishLoading (this=0x7e0100, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282
#27 0x00007ffff45da52b in WebCore::ResourceLoader::didFinishLoading (this=0x7e0100, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488
#28 0x00007ffff4a85729 in WebCore::QNetworkReplyHandler::finish (this=0x7b8ed0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#29 0x00007ffff4a84448 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7b8f08)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#30 0x00007ffff4a84145 in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7b8f08, 
    method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4a8556e <WebCore::QNetworkReplyHandler::finish()>)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#31 0x00007ffff4a85092 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7da4b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#32 0x00007ffff4a87a24 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7da4b0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffcf10)
    at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176
#33 0x00007ffff220f5cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#34 0x00007ffff221084e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#35 0x00007ffff3056dbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#36 0x00007ffff305a075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#37 0x00007ffff21eadbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#38 0x00007ffff21eca76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#39 0x00007ffff2232333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#40 0x00007fffee3732d6 in g_main_dispatch (context=0x6623e0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3065
#41 g_main_context_dispatch (context=context@entry=0x6623e0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3641
#42 0x00007fffee373628 in g_main_context_iterate (context=context@entry=0x6623e0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3712
#43 0x00007fffee3736cc in g_main_context_iteration (context=0x6623e0, may_block=1) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3773
#44 0x00007ffff22324bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#45 0x00007ffff21e9d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#46 0x00007ffff21ed120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#47 0x0000000000420e32 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:50
#48 0x0000000000422911 in main (argc=2, argv=0x7fffffffdbe8) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:319
Comment 1 Renata Hodovan 2013-08-26 00:03:44 PDT
Created attachment 209618 [details]
Test case
Comment 2 Tamas Gergely 2013-12-11 03:00:58 PST
Created attachment 218946 [details]
patch fixes assertion

https://chromium.googlesource.com/chromium/blink/+/a7dedf81eb7008276bb6854f0e46465e039788f8

[SVG] Fix root element length values handling.

SVGLengthContext::determineViewport() currently asserts that we're not
resolving lengths for the topmost element, but there's nothing to
prevent such calls.

The CL updates determineViewport() to handle root elements gracefully
(using their current viewport). It also changes the signature slightly
to operate directly on a FloatSize, reducing some of the boiler-plate
client code.
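The commit message above describes the shape of the fix: the viewport lookup used to assert that it was never called with the document element as its context, yet a SMIL animation of the root's width attribute (the reporter's test case) reaches it exactly that way, so the assertion encoded an invariant the callers did not guarantee. The following is an added, reduced model of that resolution path, written for this page and not taken from WebKit or Blink; the element struct, the function names and the sample trees are all constructed here. It shows the root context resolved against its own viewport instead of asserted away, and a detached context failing cleanly instead of crashing.

```cpp
#include <cmath>
#include <string>

// Reduced model (constructed for this example) of an SVG element tree.
// An element that "establishes a viewport" (outermost <svg>, nested <svg>)
// carries the size that percentage lengths beneath it resolve against.
struct SvgElement {
    std::string tag;
    const SvgElement* parent = nullptr;
    bool establishesViewport = false;
    float viewportWidth = 0;
    float viewportHeight = 0;
};

enum class LengthMode { Width, Height, Other };

// Hypothetical counterpart of determineViewport(). The root element is a
// legitimate context (animated root "width"), so it resolves against its own
// current viewport; any other element resolves against the nearest
// viewport-establishing ancestor. No assertion, and a false return for a
// subtree with no viewport at all so the caller can bail out.
bool determineViewport(const SvgElement& context, float& width, float& height) {
    const SvgElement* start = context.parent ? context.parent : &context;
    for (const SvgElement* e = start; e; e = e->parent) {
        if (e->establishesViewport) {
            width = e->viewportWidth;
            height = e->viewportHeight;
            return true;
        }
    }
    return false;
}

// Percentage -> user units for the three length modes. "Other" uses the
// SVG normalized diagonal, sqrt(w^2 + h^2) / sqrt(2).
bool percentageToUserUnits(const SvgElement& context, float percent,
                           LengthMode mode, float& out) {
    float w = 0, h = 0;
    if (!determineViewport(context, w, h))
        return false;
    switch (mode) {
    case LengthMode::Width:  out = percent / 100 * w; break;
    case LengthMode::Height: out = percent / 100 * h; break;
    case LengthMode::Other:
        out = percent / 100 * std::sqrt(w * w + h * h) / std::sqrt(2.0f);
        break;
    }
    return true;
}

// The reporter's scenario: the root <svg> is itself the context element
// because its "width" is being animated. Returns the resolved user units.
float resolveRootWidth(float rootWidth, float rootHeight, float percent) {
    SvgElement root{"svg", nullptr, true, rootWidth, rootHeight};
    float out = -1;
    percentageToUserUnits(root, percent, LengthMode::Width, out);
    return out;
}

// A <rect> inside a nested <svg>: resolved against the nested viewport,
// not the root's, showing the ordinary ancestor walk still applies.
float resolveNestedRectWidth(float percent) {
    SvgElement root{"svg", nullptr, true, 800, 600};
    SvgElement inner{"svg", &root, true, 200, 100};
    SvgElement rect{"rect", &inner, false, 0, 0};
    float out = -1;
    percentageToUserUnits(rect, percent, LengthMode::Width, out);
    return out;
}

// A detached element with no viewport anywhere: the lookup reports failure
// rather than asserting or reading a stale size.
bool resolveDetached() {
    SvgElement lone{"rect", nullptr, false, 0, 0};
    float out = 0;
    return percentageToUserUnits(lone, 50, LengthMode::Width, out);
}
```

The defensive point the bug illustrates is that a debug-only ASSERT documents an expectation but enforces nothing in release builds; when a caller can reach the code in the "impossible" state, the state has to be handled (here, by giving the root a well-defined reference viewport) rather than assumed away.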
Comment 3 Philip Rogers 2013-12-11 09:59:06 PST
This patch only merges part of https://chromium.googlesource.com/chromium/blink/+/a7dedf81eb7008276bb6854f0e46465e039788f8. Can you share why?
Comment 4 Tamas Gergely 2013-12-11 16:07:33 PST
(In reply to comment #3)
> This patch only merges part of https://chromium.googlesource.com/chromium/blink/+/a7dedf81eb7008276bb6854f0e46465e039788f8. Can you share why?

I did not want to mix up the bugfix and the refactoring because I was not sure that the latter was really required. But I've checked it again and it seems to be a real improvement. I'll update the patch.
Comment 5 Tamas Gergely 2013-12-11 16:08:28 PST
Created attachment 219011 [details]
Updated patch.
Comment 6 Philip Rogers 2013-12-16 09:31:38 PST
Comment on attachment 219011 [details]
Updated patch.

Thanks for bringing this over. If you'll add the tests back to this patch, I'll r+ :)
Comment 7 Tamas Gergely 2013-12-17 08:28:44 PST
Created attachment 219422 [details]
Tests added back.

Thanks. And sorry, I created the previous patch after adding but before committing the new files in my local repo, and it seems that git did not respect it.
Comment 8 WebKit Commit Bot 2013-12-17 08:31:34 PST
Attachment 219422 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/svg/custom/svg-length-value-handled-expected.txt', u'LayoutTests/svg/custom/svg-length-value-handled.svg', u'LayoutTests/svg/dom/svg-root-lengths-expected.txt', u'LayoutTests/svg/dom/svg-root-lengths.html', u'Source/WebCore/ChangeLog', u'Source/WebCore/svg/SVGLengthContext.cpp', u'Source/WebCore/svg/SVGLengthContext.h', u'Source/WebCore/svg/graphics/filters/SVGFEImage.cpp', '--commit-queue']" exit_code: 1
ERROR: Source/WebCore/svg/SVGLengthContext.cpp:193:  Declaration has space between type name and * in return value * viewportSize  [whitespace/declaration] [3]
ERROR: Source/WebCore/svg/SVGLengthContext.cpp:195:  Declaration has space between type name and * in return value * viewportSize  [whitespace/declaration] [3]
ERROR: Source/WebCore/svg/SVGLengthContext.cpp:197:  Declaration has space between type name and * in return value * sqrtf  [whitespace/declaration] [3]
Total errors found: 3 in 9 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 9 Tamas Gergely 2013-12-18 02:08:43 PST
(In reply to comment #8)
> Attachment 219422 [details] did not pass style-queue:
> 
> Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/svg/custom/svg-length-value-handled-expected.txt', u'LayoutTests/svg/custom/svg-length-value-handled.svg', u'LayoutTests/svg/dom/svg-root-lengths-expected.txt', u'LayoutTests/svg/dom/svg-root-lengths.html', u'Source/WebCore/ChangeLog', u'Source/WebCore/svg/SVGLengthContext.cpp', u'Source/WebCore/svg/SVGLengthContext.h', u'Source/WebCore/svg/graphics/filters/SVGFEImage.cpp', '--commit-queue']" exit_code: 1
> ERROR: Source/WebCore/svg/SVGLengthContext.cpp:193:  Declaration has space between type name and * in return value * viewportSize  [whitespace/declaration] [3]
> ERROR: Source/WebCore/svg/SVGLengthContext.cpp:195:  Declaration has space between type name and * in return value * viewportSize  [whitespace/declaration] [3]
> ERROR: Source/WebCore/svg/SVGLengthContext.cpp:197:  Declaration has space between type name and * in return value * sqrtf  [whitespace/declaration] [3]
> Total errors found: 3 in 9 files
> 
> 
> If any of these errors are false positives, please file a bug against check-webkit-style.

Yes, false positives. Reported in bug 125915.
Comment 10 WebKit Commit Bot 2013-12-18 10:10:56 PST
Comment on attachment 219422 [details]
Tests added back.

Clearing flags on attachment: 219422

Committed r160774: <http://trac.webkit.org/changeset/160774>
Comment 11 WebKit Commit Bot 2013-12-18 10:11:02 PST
All reviewed patches have been landed.  Closing bug.