RESOLVED FIXED
188519
[Web Animations] Crash under AnimationTimeline::cancelOrRemoveDeclarativeAnimation()
https://bugs.webkit.org/show_bug.cgi?id=188519
Antoine Quint
Reported
2018-08-13 10:09:30 PDT
When loading www.seloger.com we crash in AnimationTimeline::cancelOrRemoveDeclarativeAnimation() with a null `animation` parameter.
Attachments
Patch (5.82 KB, patch), 2018-08-14 07:23 PDT, Antoine Quint, eric.carlson: review+
Antoine Quint
Comment 1
2018-08-13 10:10:31 PDT
We also have a crash in this function in webkit.org/b/188253.
Radar WebKit Bug Importer
Comment 2
2018-08-13 10:11:16 PDT
<rdar://problem/43237889>
Antoine Quint
Comment 3
2018-08-13 10:12:00 PDT
I also came across webkit.org/b/188518 trying to figure out why the site was crashing. To reproduce this crash, we need to comment out the ASSERT() from that other bug.
Antoine Quint
Comment 4
2018-08-13 11:24:40 PDT
In this case we would crash because we blindly assumed an animation that was found in the previous style must be in the list of running animations but in fact it could have been removed already due to the element being removed from the DOM. So when we iterate over names of animations that were found in the previous style but not in the new style, we must make a null check to ensure that there is an animation to remove. Adding an ASSERT() in AnimationTimeline::cancelOrRemoveDeclarativeAnimation() will also clarify the contract here.
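The failure described in Comment 4, as an added C++ sketch that is not part of the original report or of the WebKit patch. The `Timeline` and `Animation` types, `find()`, `elementRemovedFromDOM()` and `updateAnimations()` are hypothetical simplifications, not WebKit's classes; the sketch shows the lookup coming back null once the element has left the DOM, and the null check that keeps the asserted contract intact.

```cpp
#include <cassert>
#include <map>
#include <memory>
#include <set>
#include <string>

// Simplified model with hypothetical names; not WebKit's actual classes.
struct Animation { bool cancelled = false; };

struct Timeline {
    // Running declarative animations of one element, keyed by animation name.
    std::map<std::string, std::shared_ptr<Animation>> running;
    // Returns the running animation for `name`, or nullptr if it is gone.
    Animation* find(const std::string& name) const {
        auto it = running.find(name);
        return it == running.end() ? nullptr : it->second.get();
    }
    // Contract made explicit: callers must never pass null.
    void cancelOrRemove(const std::string& name, Animation* animation) {
        assert(animation);
        animation->cancelled = true;
        running.erase(name);
    }
    // Removing the element from the DOM drops its running animations.
    void elementRemovedFromDOM() { running.clear(); }
};

// Cancels animations named in the previous style but not the new one; returns the count.
int updateAnimations(Timeline& timeline, const std::set<std::string>& previousNames,
                     const std::set<std::string>& currentNames) {
    int cancelled = 0;
    for (const auto& name : previousNames) {
        if (currentNames.count(name))
            continue;
        // A name in the previous style does not prove the animation still runs.
        if (Animation* animation = timeline.find(name)) {
            timeline.cancelOrRemove(name, animation);
            ++cancelled;
        }
    }
    return cancelled;
}

int main() {
    Timeline timeline;
    timeline.running["fade"] = std::make_shared<Animation>();
    timeline.elementRemovedFromDOM();  // "fade" stops running before the style update
    return updateAnimations(timeline, {"fade"}, {});  // 0: nothing left to cancel
}
```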
Antoine Quint
Comment 5
2018-08-13 11:29:55 PDT
*** Bug 188253 has been marked as a duplicate of this bug. ***
Antoine Quint
Comment 6
2018-08-14 07:23:45 PDT
Created attachment 347072
Patch
Antoine Quint
Comment 7
2018-08-14 08:15:14 PDT
Committed r234848: <https://trac.webkit.org/changeset/234848>