Bug 109699 - ASSERT(m_context->document()->documentElement() != m_context) in SVGLengthContext
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Blocks: 116980
Reported: 2013-02-13 08:16 PST by Renata Hodovan
Modified: 2014-09-08 02:36 PDT
Description Renata Hodovan 2013-02-13 08:16:46 PST
During SVG fuzzing I've got an assertion failure:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4d23494 in WebCore::SVGLengthContext::determineViewport (this=0x7fffffffc640, width=@0x7fffffffc4f8: 0, height=@0x7fffffffc4fc: 0)
    at /home/reni/Data/REPOS/webkit/Source/WebCore/svg/SVGLengthContext.cpp:298
298	    ASSERT(m_context->document()->documentElement() != m_context);



The test was:

<svg xmlns="http://www.w3.org/2000/svg">
	<animate attributeName="width" to="0%"></animate>
</svg>
Comment 1 Florin Malita 2013-02-14 07:59:48 PST
Thanks Reni.

Looks like (percentage?) animation of <svg> attributes hits an invalid code path.

SVGLengthContext::determineViewport():

    // SVGLengthContext should NEVER be used to resolve width/height values for <svg> elements,
    // as they require special treatment, due the relationship with the CSS width/height properties.
    ASSERT(m_context->document()->documentElement() != m_context);


I'm not familiar with animations, but I'm guessing that special handling of <svg> targets may just not be implemented? I know Phil's been poking in this area so maybe he has more insight.
Comment 2 Renata Hodovan 2014-09-08 02:36:04 PDT
I cannot reproduce the issue anymore.