Bug 64671

Summary: REGRESSION (Safari 5.0.5 - ToT): crash in SVG test http://dev.w3.org/SVG/profiles/1.1F2/test/harness/htmlObjectApproved/animate-elem-39-t.html
Product: WebKit
Reporter: lars.sonchocky-helldorf
Component: SVG
Assignee: Stephen Chenney <schenney>
Status: RESOLVED FIXED
Severity: Normal
CC: enne, jknotten, krit, pkasting, schenney, scottmg, thorton, webkit.review.bot, zimmermann
Priority: P1
Keywords: Regression
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: http://dev.w3.org/SVG/profiles/1.1F2/test/harness/htmlObjectApproved/animate-elem-39-t.html
Attachments:
Description | Flags
64671_crash_log | none
minimized from original url, causing crash in SVGSMILElement::progress | none
Patch | none

Description lars.sonchocky-helldorf 2011-07-17 13:25:09 PDT
WebKit nightly crashes in http://dev.w3.org/SVG/profiles/1.1F2/test/harness/htmlObjectApproved/animate-elem-39-t.html. See attachment
Comment 1 lars.sonchocky-helldorf 2011-07-17 13:29:08 PDT
Created attachment 101118 [details]
64671_crash_log

crash log for this bug
Comment 2 Dirk Schulze 2011-07-17 22:43:17 PDT
The PaintServer crashes because of a missing RenderStyle on SVGFonts. I couldn't reproduce it locally when SVGFonts are not online.
Comment 3 Alexey Proskuryakov 2011-07-18 10:30:45 PDT
I cannot reproduce with Safari 5.0.5, so marking as regression.
Comment 4 Dirk Schulze 2011-07-20 03:51:41 PDT
(In reply to comment #3)
> I cannot reproduce with Safari 5.0.5, so marking as regression.

It's an assertion, not a crash. Have you checked a debug version of WebKit? IIRC we have had this bug for a longer time and I think we even had it on Safari 5.
Comment 5 Dirk Schulze 2011-07-20 03:52:17 PDT
*** Bug 53858 has been marked as a duplicate of this bug. ***
Comment 6 Scott Graham 2011-07-27 08:55:05 PDT
Created attachment 102148 [details]
minimized from original url, causing crash in SVGSMILElement::progress
Comment 7 Scott Graham 2011-07-27 08:56:01 PDT
I'm seeing an assert in SVGSMILElement::progress (not the same as the crash?). It appears to be caused by update order, as there are multiple begins that are "showAnchor.end+1s", including showAnchor's.
Comment 8 Stephen Chenney 2012-01-20 07:11:17 PST
*** Bug 64940 has been marked as a duplicate of this bug. ***
Comment 9 Stephen Chenney 2012-01-20 07:11:43 PST
*** Bug 66888 has been marked as a duplicate of this bug. ***
Comment 10 Stephen Chenney 2012-01-20 07:12:17 PST
*** Bug 73710 has been marked as a duplicate of this bug. ***
Comment 11 Stephen Chenney 2012-01-20 07:12:53 PST
*** Bug 74788 has been marked as a duplicate of this bug. ***
Comment 12 Stephen Chenney 2012-01-20 11:52:00 PST
To clarify what this bug is about, on a seemingly random basis many of the tests of the form

  svg/W3C-SVG-1.1/animate-elem-??-?.svg

and also

  svg/animations/svginteger-animation-1.html

all fail with one of two assertions in SVGSMILElement::progress for Mac and Linux.
Comment 13 Stephen Chenney 2012-01-20 16:39:26 PST
Created attachment 123409 [details]
Patch
Comment 14 Stephen Chenney 2012-01-20 16:41:10 PST
I think this change addresses the crash, and also ensures that the callback method for "no longer active" fires. It is also safe to just remove the offending assert, but then the callback would not fire.
Comment 15 Nikolas Zimmermann 2012-01-21 00:34:16 PST
Comment on attachment 123409 [details]
Patch

Looks good, r=me. Thanks for investigating!
Comment 16 WebKit Review Bot 2012-01-21 00:51:53 PST
Comment on attachment 123409 [details]
Patch

Clearing flags on attachment: 123409

Committed r105572: <http://trac.webkit.org/changeset/105572>
Comment 17 WebKit Review Bot 2012-01-21 00:51:58 PST
All reviewed patches have been landed.  Closing bug.