During SVG fuzzing I got an assertion failure:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4d23494 in WebCore::SVGLengthContext::determineViewport (this=0x7fffffffc640, width=@0x7fffffffc4f8: 0, height=@0x7fffffffc4fc: 0) at /home/reni/Data/REPOS/webkit/Source/WebCore/svg/SVGLengthContext.cpp:298
298 ASSERT(m_context->document()->documentElement() != m_context);

The test was:

<svg xmlns="http://www.w3.org/2000/svg">
<animate attributeName="width" to="0%"></animate>
</svg>
Thanks Reni. Looks like (percentage?) animation of <svg> attributes hits an invalid code path.

SVGLengthContext::determineViewport():

// SVGLengthContext should NEVER be used to resolve width/height values for <svg> elements,
// as they require special treatment, due the relationship with the CSS width/height properties.
ASSERT(m_context->document()->documentElement() != m_context);

I'm not familiar with animations, but I'm guessing that special handling of <svg> targets may just not be implemented? I know Phil's been poking in this area so maybe he has more insight.
I cannot reproduce the issue anymore.