Bug 135838

Summary: ASSERTION FAILED: m_intervalBegin.isFinite() in WebCore::SVGSMILElement::notifyDependentsIntervalChanged
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVGAssignee: Renata Hodovan <rhodovan.u-szeged>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, darin, dino, d-r, fmalita, gyuyoung.kim, pdr, schenney, sergio, zimmermann
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Proposed patch none

Renata Hodovan
Reported 2014-08-12 05:46:49 PDT
The failing test case: <svg xmlns="http://www.w3.org/2000/svg"> <animateMotion begin="689328207834365109403786593332753148024s"/> </svg> Backtrace: ASSERTION FAILED: m_intervalBegin.isFinite() ../../Source/WebCore/svg/animation/SVGSMILElement.cpp(1126) : void WebCore::SVGSMILElement::notifyDependentsIntervalChanged(WebCore::SVGSMILElement::NewOrExistingInterval) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff97537700 (LWP 15250)] 0x000000000044c8a9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 329 *(int *)(uintptr_t)0xbbadbeef = 0; #0 0x000000000044c8a9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 #1 0x00007ffff42a66e3 in WebCore::SVGSMILElement::notifyDependentsIntervalChanged (this=0x863180, newOrExisting=WebCore::SVGSMILElement::NewInterval) at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:1126 #2 0x00007ffff42a51f1 in WebCore::SVGSMILElement::resolveFirstInterval (this=0x863180) at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:854 #3 0x00007ffff42a1b98 in WebCore::SVGSMILElement::insertedInto (this=0x863180, rootParent=...) at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:261 #4 0x00007ffff36b3a27 in WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument (this=0x7fffffffd090, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:200 #5 0x00007ffff36b3bdf in WebCore::ChildNodeInsertionNotifier::notify (this=0x7fffffffd090, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:228 #6 0x00007ffff36b1876 in WebCore::ContainerNode::parserAppendChild (this=0x861430, newChild=...) at ../../Source/WebCore/dom/ContainerNode.cpp:761 #7 0x00007ffff39cdaba in WebCore::insert (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:98 #8 0x00007ffff39cdb13 in WebCore::executeInsertTask (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:105 #9 0x00007ffff39cdd19 in WebCore::executeTask (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:143 #10 0x00007ffff39ce03e in WebCore::HTMLConstructionSite::executeQueuedTasks (this=0x9a08c8) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:193 #11 0x00007ffff39fcb64 in WebCore::HTMLTreeBuilder::constructTree (this=0x9a08b0, token=0x7fffffffd210) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:366 #12 0x00007ffff39d6546 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x9eb840, rawToken=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:356 #13 0x00007ffff39d6189 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x9eb840, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:309 #14 0x00007ffff39d597f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x9eb840, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:189 #15 0x00007ffff39d6b11 in WebCore::HTMLDocumentParser::append (this=0x9eb840, inputSource=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:440 #16 0x00007ffff36c72cf in WebCore::DecodedDataDocumentParser::flush (this=0x9eb840, writer=...) at ../../Source/WebCore/dom/DecodedDataDocumentParser.cpp:60 #17 0x00007ffff3b1e029 in WebCore::DocumentWriter::end (this=0xac1890) at ../../Source/WebCore/loader/DocumentWriter.cpp:247 #18 0x00007ffff3b0b0b7 in WebCore::DocumentLoader::finishedLoading (this=0xac17f0, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441 #19 0x00007ffff3b0ae20 in WebCore::DocumentLoader::notifyFinished (this=0xac17f0, resource=0x8576b0) at ../../Source/WebCore/loader/DocumentLoader.cpp:375 #20 0x00007ffff3bb199b in WebCore::CachedResource::checkNotify (this=0x8576b0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:334 #21 0x00007ffff3bb1a82 in WebCore::CachedResource::finishLoading (this=0x8576b0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:350 #22 0x00007ffff3baea21 in WebCore::CachedRawResource::finishLoading (this=0x8576b0, data=0x7d5db0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:101 #23 0x00007ffff3b654ae in WebCore::SubresourceLoader::didFinishLoading (this=0x857c10, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:310 #24 0x00007ffff3b6199b in WebCore::ResourceLoader::didFinishLoading (this=0x857c10, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:518 #25 0x00007ffff441bf5b in WebCore::readCallback (asyncResult=0x99f9f0, data=0x858640) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302 #26 0x00007fffee5732ea in async_ready_callback_wrapper (source_object=0xa59b30, res=0x99f9f0, user_data=0x858640) at ginputstream.c:519 #27 0x00007fffee592ceb in g_task_return_now (task=0x99f9f0) at gtask.c:1108 #28 0x00007fffee592d09 in complete_in_idle_cb (task=0x99f9f0) at gtask.c:1117 #29 0x00007fffee8c22e6 in g_main_dispatch (context=0x744bc0) at gmain.c:3065 #30 g_main_context_dispatch (context=context@entry=0x744bc0) at gmain.c:3641 #31 0x00007fffee8c2638 in g_main_context_iterate (context=0x744bc0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3712 #32 0x00007fffee8c2a3a in g_main_loop_run (loop=0x7bd010) at gmain.c:3906 #33 0x00007ffff4a67850 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59 #34 0x00007ffff321d850 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffda58) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61 #35 0x00007ffff321d6b5 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffda58) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73 #36 0x000000000044c28d in main (argc=2, argv=0x7fffffffda58) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32
Attachments
Proposed patch (4.57 KB, patch)
2014-08-12 05:49 PDT, Renata Hodovan 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Renata Hodovan
Comment 1 2014-08-12 05:49:05 PDT
Created attachment 236442 [details] Proposed patch
Darin Adler
Comment 2 2014-08-12 14:57:31 PDT
Comment on attachment 236442 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=236442&action=review > Source/WebCore/svg/animation/SVGSMILElement.cpp:308 > + if (!ok || !SMILTime(result).isFinite()) Seems fine, but don’t we also want to reject negative numbers? Also, I see the code to construct an SMILTime rejects NaN. What prevents toDouble from returning NaN?
WebKit Commit Bot
Comment 3 2014-08-12 15:30:49 PDT
Comment on attachment 236442 [details] Proposed patch Clearing flags on attachment: 236442 Committed r172496: <http://trac.webkit.org/changeset/172496>
WebKit Commit Bot
Comment 4 2014-08-12 15:30:54 PDT
All reviewed patches have been landed. Closing bug.
Renata Hodovan
Comment 5 2014-08-18 01:57:28 PDT
(In reply to comment #2) > (From update of attachment 236442 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=236442&action=review > > > Source/WebCore/svg/animation/SVGSMILElement.cpp:308 > > + if (!ok || !SMILTime(result).isFinite()) > > Seems fine, but don’t we also want to reject negative numbers? Negative values are valid for representing animation offsets: http://www.w3.org/TR/SVG/animate.html#OffsetValueSyntax > Also, I see the code to construct an SMILTime rejects NaN. What prevents toDouble from returning NaN? If the given value is not a number than toDouble sets the |ok| flag to false to indicate that something went wrong and the result will be set to unresolved.
Note You need to log in before you can comment on or make changes to this bug.