Bug 12434

Summary: Removing SVG animation element during animation crashes WebKit
Product: WebKit Reporter: Eric Seidel (no email) <eric>
Component: SVGAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, jeffschiller, krit, rwlbuis, simon.fraser
Priority: P1 Keywords: InRadar
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
URL: http://www.w3.org/Graphics/SVG/Test/20061213/htmlEmbedHarness/full-animate-elem-40-t.html
Bug Depends on:    
Bug Blocks: 41761    
Attachments:
Description Flags
test case (crashes safari) none

Description Eric Seidel (no email) 2007-01-27 03:21:50 PST 
This is similar to the bug:
http://bugs.webkit.org/show_bug.cgi?id=12065
which covers removing the animation *target* during animation.

This bug refers to removing the actual animation element.

See the attached test case.
Comment 1 Eric Seidel (no email) 2007-01-27 03:26:13 PST 
Created attachment 12703 [details]
test case (crashes safari)
Comment 2 Eric Seidel (no email) 2007-01-27 03:32:08 PST 
Part of the problem is that animation notification lists are held off of the time scheduler, which is held off of the containing <svg> element.  this is done because (according to the spec) each <svg> document fragment can have an independent animation timeline.  (Which sorta makes sense, given the desire to build an animation editor within SVG.)  So if you remove an animation element (even if it's kept alive) it will have trouble finding its <svg> element to remove itself from the notify list.

The best fix is to re-work the animation notify system, as discussed in:
http://bugs.webkit.org/show_bug.cgi?id=12432

But short of that, an easier fix, is to implement willRemove() and insertedIntoDocument() and add/remove the animation from the notify list on the parent <svg>.

In order to support independent timelines for <svg> document fragments (as mentioned in http://bugs.webkit.org/show_bug.cgi?id=12073), we'll need to actually be careful to update the animation element if moving between <svg> document fragments (that may also affect the target of the animation, among other things, and certainly would stop the animation when removing it from one fragment before inserting it into the other).
Comment 3 Eric Seidel (no email) 2007-01-27 03:51:59 PST 
I believe this bug is the cause of the crash here:
http://www.w3.org/Graphics/SVG/Test/20061213/htmlEmbedHarness/full-animate-elem-40-t.html
Comment 4 Maciej Stachowiak 2007-01-29 03:53:02 PST 
<rdar://problem/4960664>
Comment 5 Maciej Stachowiak 2007-02-07 01:09:03 PST 
<rdar://problem/4960506>
Comment 6 Maciej Stachowiak 2007-02-26 11:46:03 PST 
No longer a P1, since animation is disabled for now.
Comment 7 Eric Seidel (no email) 2007-10-18 00:31:17 PDT 
Animation has been re-enabled on trunk (as part of SVG_EXPERIMENTAL_FEATURES) thus this should be bumped back to P1 according to the bug guidelines (and mjs).
Comment 8 Eric Seidel (no email) 2007-12-27 01:42:56 PST 
Animation is turned off again in trunk (a good thing).  This can be pushed down to a P3.
Comment 9 Eric Seidel (no email) 2008-03-26 17:09:56 PDT 
Animation is back on.  This goes back to p1.
Comment 10 Simon Fraser (smfr) 2009-02-12 21:35:26 PST 
Related to bug 12065?
Comment 11 Rob Buis 2011-05-06 07:05:16 PDT 
I can't reproduce this using a recent checkout.
Cheers,

Rob.
Comment 12 Dirk Schulze 2011-05-06 09:42:57 PDT 
This was fixed several month ago. Forgot to close the bug.