Bug 135838

Summary: ASSERTION FAILED: m_intervalBegin.isFinite() in WebCore::SVGSMILElement::notifyDependentsIntervalChanged
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVG
Assignee: Renata Hodovan <rhodovan.u-szeged>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, darin, dino, d-r, fmalita, gyuyoung.kim, pdr, schenney, sergio, zimmermann
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments:
Proposed patch (flags: none)

Description Renata Hodovan 2014-08-12 05:46:49 PDT
The failing test case:

<svg xmlns="http://www.w3.org/2000/svg">
 <animateMotion begin="689328207834365109403786593332753148024s"/>
</svg>

Backtrace:

ASSERTION FAILED: m_intervalBegin.isFinite()
../../Source/WebCore/svg/animation/SVGSMILElement.cpp(1126) : void WebCore::SVGSMILElement::notifyDependentsIntervalChanged(WebCore::SVGSMILElement::NewOrExistingInterval)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff97537700 (LWP 15250)]
0x000000000044c8a9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
329	    *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x000000000044c8a9 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
#1  0x00007ffff42a66e3 in WebCore::SVGSMILElement::notifyDependentsIntervalChanged (this=0x863180, newOrExisting=WebCore::SVGSMILElement::NewInterval) at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:1126
#2  0x00007ffff42a51f1 in WebCore::SVGSMILElement::resolveFirstInterval (this=0x863180) at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:854
#3  0x00007ffff42a1b98 in WebCore::SVGSMILElement::insertedInto (this=0x863180, rootParent=...) at ../../Source/WebCore/svg/animation/SVGSMILElement.cpp:261
#4  0x00007ffff36b3a27 in WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument (this=0x7fffffffd090, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:200
#5  0x00007ffff36b3bdf in WebCore::ChildNodeInsertionNotifier::notify (this=0x7fffffffd090, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:228
#6  0x00007ffff36b1876 in WebCore::ContainerNode::parserAppendChild (this=0x861430, newChild=...) at ../../Source/WebCore/dom/ContainerNode.cpp:761
#7  0x00007ffff39cdaba in WebCore::insert (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:98
#8  0x00007ffff39cdb13 in WebCore::executeInsertTask (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:105
#9  0x00007ffff39cdd19 in WebCore::executeTask (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:143
#10 0x00007ffff39ce03e in WebCore::HTMLConstructionSite::executeQueuedTasks (this=0x9a08c8) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:193
#11 0x00007ffff39fcb64 in WebCore::HTMLTreeBuilder::constructTree (this=0x9a08b0, token=0x7fffffffd210) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:366
#12 0x00007ffff39d6546 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x9eb840, rawToken=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:356
#13 0x00007ffff39d6189 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x9eb840, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:309
#14 0x00007ffff39d597f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x9eb840, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:189
#15 0x00007ffff39d6b11 in WebCore::HTMLDocumentParser::append (this=0x9eb840, inputSource=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:440
#16 0x00007ffff36c72cf in WebCore::DecodedDataDocumentParser::flush (this=0x9eb840, writer=...) at ../../Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#17 0x00007ffff3b1e029 in WebCore::DocumentWriter::end (this=0xac1890) at ../../Source/WebCore/loader/DocumentWriter.cpp:247
#18 0x00007ffff3b0b0b7 in WebCore::DocumentLoader::finishedLoading (this=0xac17f0, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441
#19 0x00007ffff3b0ae20 in WebCore::DocumentLoader::notifyFinished (this=0xac17f0, resource=0x8576b0) at ../../Source/WebCore/loader/DocumentLoader.cpp:375
#20 0x00007ffff3bb199b in WebCore::CachedResource::checkNotify (this=0x8576b0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:334
#21 0x00007ffff3bb1a82 in WebCore::CachedResource::finishLoading (this=0x8576b0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:350
#22 0x00007ffff3baea21 in WebCore::CachedRawResource::finishLoading (this=0x8576b0, data=0x7d5db0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:101
#23 0x00007ffff3b654ae in WebCore::SubresourceLoader::didFinishLoading (this=0x857c10, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:310
#24 0x00007ffff3b6199b in WebCore::ResourceLoader::didFinishLoading (this=0x857c10, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:518
#25 0x00007ffff441bf5b in WebCore::readCallback (asyncResult=0x99f9f0, data=0x858640) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302
#26 0x00007fffee5732ea in async_ready_callback_wrapper (source_object=0xa59b30, res=0x99f9f0, user_data=0x858640) at ginputstream.c:519
#27 0x00007fffee592ceb in g_task_return_now (task=0x99f9f0) at gtask.c:1108
#28 0x00007fffee592d09 in complete_in_idle_cb (task=0x99f9f0) at gtask.c:1117
#29 0x00007fffee8c22e6 in g_main_dispatch (context=0x744bc0) at gmain.c:3065
#30 g_main_context_dispatch (context=context@entry=0x744bc0) at gmain.c:3641
#31 0x00007fffee8c2638 in g_main_context_iterate (context=0x744bc0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3712
#32 0x00007fffee8c2a3a in g_main_loop_run (loop=0x7bd010) at gmain.c:3906
#33 0x00007ffff4a67850 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#34 0x00007ffff321d850 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffda58) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#35 0x00007ffff321d6b5 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffda58) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#36 0x000000000044c28d in main (argc=2, argv=0x7fffffffda58) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32
Comment 1 Renata Hodovan 2014-08-12 05:49:05 PDT
Created attachment 236442 [details]
Proposed patch
Comment 2 Darin Adler 2014-08-12 14:57:31 PDT
Comment on attachment 236442 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=236442&action=review

> Source/WebCore/svg/animation/SVGSMILElement.cpp:308
> +    if (!ok || !SMILTime(result).isFinite())
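Review bot: the operand order on this line is what makes it safe: `!ok` is tested first, so `SMILTime(result)`, whose constructor rejects NaN as the review comment below notes, is only built once toDouble has reported success; the guard therefore relies on toDouble never returning ok with a NaN result, and the `isFinite()` test itself only catches out-of-range magnitudes. A one-line comment at this point saying that non-numeric input is rejected by toDouble and only overflowed values reach the finiteness check would make that dependency explicit for the next reader.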

Seems fine, but don’t we also want to reject negative numbers? Also, I see the code to construct an SMILTime rejects NaN. What prevents toDouble from returning NaN?
Comment 3 WebKit Commit Bot 2014-08-12 15:30:49 PDT
Comment on attachment 236442 [details]
Proposed patch

Clearing flags on attachment: 236442

Committed r172496: <http://trac.webkit.org/changeset/172496>
Comment 4 WebKit Commit Bot 2014-08-12 15:30:54 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Renata Hodovan 2014-08-18 01:57:28 PDT
(In reply to comment #2)
> (From update of attachment 236442 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=236442&action=review
> 
> > Source/WebCore/svg/animation/SVGSMILElement.cpp:308
> > +    if (!ok || !SMILTime(result).isFinite())
> 
> Seems fine, but don’t we also want to reject negative numbers?

Negative values are valid for representing animation offsets: http://www.w3.org/TR/SVG/animate.html#OffsetValueSyntax

> Also, I see the code to construct an SMILTime rejects NaN. What prevents toDouble from returning NaN?

If the given value is not a number, then toDouble sets the |ok| flag to false to indicate that something went wrong, and the result will be set to unresolved.
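The validation discussed in this thread, as an added C++ example that is not WebKit's code: a stand-in SMILTime plus a clock-value parser modelled on the SMIL offset syntax linked above (h, min, ms and s suffixes, or bare seconds). It shows the three outcomes the comments describe: a non-numeric string makes the parse report failure, a magnitude that overflows a double parses but is rejected as non-finite by the same `!ok || !SMILTime(result).isFinite()` guard the patch adds, and a negative offset is accepted. Assumptions: the stand-in uses IEEE finiteness for isFinite() and a separate flag for the unresolved state, which is not necessarily how WebCore's SMILTime represents them, and std::strtod stands in for WTF's String::toDouble.

```cpp
#include <cassert>
#include <cmath>
#include <cstdlib>
#include <iostream>
#include <string>

// Stand-in for WebCore's SMILTime (assumption: not the real class). Building a
// time from a double asserts that it is a number, as the review comment notes
// for the real constructor; "unresolved" is modelled as a separate state here.
class SMILTime {
public:
    explicit SMILTime(double seconds) : m_time(seconds), m_resolved(true)
    {
        assert(!std::isnan(seconds));
    }
    static SMILTime unresolved() { return SMILTime(UnresolvedTag()); }
    bool isUnresolved() const { return !m_resolved; }
    // IEEE finiteness is used here; the sentinel WebKit compares against is
    // not on the page, so the exact boundary may differ from WebCore's.
    bool isFinite() const { return m_resolved && std::isfinite(m_time); }
    double value() const { return m_time; }

private:
    struct UnresolvedTag {};
    explicit SMILTime(UnresolvedTag) : m_time(0), m_resolved(false) {}
    double m_time;
    bool m_resolved;
};

// Stand-in for WTF's String::toDouble(&ok): returns false for anything that is
// not a plain decimal number. A literal whose magnitude overflows a double is
// still reported as parsed (strtod yields +/-infinity) so that the caller's
// finiteness check, not the parser, decides what happens to it.
bool toDouble(const std::string& text, double& out)
{
    if (text.empty())
        return false;
    // Only digits, sign, point and exponent marker: this keeps out the "inf",
    // "nan", hex-float and leading-whitespace forms that strtod would accept.
    if (text.find_first_not_of("0123456789+-.eE") != std::string::npos)
        return false;
    char* end = nullptr;
    out = std::strtod(text.c_str(), &end);
    if (end != text.c_str() + text.size())
        return false; // trailing garbage, or nothing parsed at all
    return !std::isnan(out);
}

// Parses an offset value ("3s", "250ms", "-2min", "1.5h", or "7" meaning
// seconds) into seconds. Modelled on the SMIL clock-value suffixes, not copied
// from WebKit. Negative values are accepted because offsets may be negative;
// a parse failure or a non-finite result becomes SMILTime::unresolved().
SMILTime parseOffsetValue(const std::string& input)
{
    const char* ws = " \t\r\n";
    size_t first = input.find_first_not_of(ws);
    if (first == std::string::npos)
        return SMILTime::unresolved();
    size_t last = input.find_last_not_of(ws);
    std::string text = input.substr(first, last - first + 1);

    auto endsWith = [&text](const std::string& suffix) {
        return text.size() > suffix.size()
            && text.compare(text.size() - suffix.size(), suffix.size(), suffix) == 0;
    };

    std::string number = text;
    double multiplier = 1; // seconds per unit
    double divisor = 1;
    if (endsWith("ms")) {
        number = text.substr(0, text.size() - 2);
        divisor = 1000;
    } else if (endsWith("min")) {
        number = text.substr(0, text.size() - 3);
        multiplier = 60;
    } else if (endsWith("h")) {
        number = text.substr(0, text.size() - 1);
        multiplier = 60 * 60;
    } else if (endsWith("s")) {
        number = text.substr(0, text.size() - 1);
    }

    double result = 0;
    bool ok = toDouble(number, result);
    result = result * multiplier / divisor; // unit scaling may overflow to infinity
    // The guard from the patch: !ok is tested first, so SMILTime(result) and
    // its NaN assertion are only reached for a successfully parsed number.
    if (!ok || !SMILTime(result).isFinite())
        return SMILTime::unresolved();
    return SMILTime(result);
}

int main()
{
    // Constructed sample inputs covering the cases discussed in the bug.
    const char* samples[] = { "3s", "-2s", "250ms", "2min", "1.5h", "7",
                              "1e400s", "1e308min", "abc", "inf" };
    for (const char* s : samples) {
        SMILTime t = parseOffsetValue(s);
        std::cout << '"' << s << "\" -> "
                  << (t.isUnresolved() ? std::string("unresolved")
                                       : std::to_string(t.value()) + " s")
                  << '\n';
    }
    return 0;
}
```

The "1e308min" case is the one worth noticing: the literal itself parses to a finite double, and only the unit scaling pushes it past the representable range, so a check placed before scaling would let it through while the guard above, applied to the final value, rejects it.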