108485 – Assertion faulire in SVGAnimatedType::valueAsString()

Bug 108485 - Assertion faulire in SVGAnimatedType::valueAsString()

Summary: Assertion faulire in SVGAnimatedType::valueAsString()

Status:	RESOLVED DUPLICATE of bug 118744

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	116980
	Show dependency tree / graph

Reported:	2013-01-31 07:50 PST by Renata Hodovan
Modified:	2013-07-30 05:53 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Renata Hodovan 2013-01-31 07:50:00 PST

During SVG fuzzing I've got the following ASSERT_NOT_REACHED assertion faulire:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff59d0f6a in WebCore::SVGAnimatedType::valueAsString (this=0xa69ff0) at /home/reni/repos/webkit2/Source/WebCore/svg/SVGAnimatedType.cpp:268
268	        ASSERT_NOT_REACHED();


Test:

<svg xmlns="http://www.w3.org/2000/svg">
	<circle>
		<animateTransform attributeName="transform" attributeType="CSS"></animateTransform>
	</circle>
</svg>

The problem is that the type of the SVGAnimatedType object is AnimatedTransformList what doesn't need valueAsString() support theoretically.

Comment 1 Renata Hodovan 2013-07-30 05:53:35 PDT


*** This bug has been marked as a duplicate of bug 118744 ***