Bug 197372 - Assertion fires when animating the 'class' attribute of an SVG element
Summary: Assertion fires when animating the 'class' attribute of an SVG element
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Said Abou-Hallawa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-04-29 09:38 PDT by Said Abou-Hallawa
Modified: 2019-12-02 14:06 PST (History)
8 users (show)

See Also:

Attachments
test case (513 bytes, image/svg+xml)
2019-04-29 09:38 PDT, Said Abou-Hallawa 		no flags Details
Patch (11.09 KB, patch)
2019-04-29 09:50 PDT, Said Abou-Hallawa 		no flags Details | Formatted Diff | Diff
Patch (12.44 KB, patch)
2019-06-03 11:42 PDT, Said Abou-Hallawa 		no flags Details | Formatted Diff | Diff
Patch (22.87 KB, patch)
2019-07-01 14:51 PDT, Said Abou-Hallawa 		no flags Details | Formatted Diff | Diff
Patch (22.62 KB, patch)
2019-07-02 15:37 PDT, Said Abou-Hallawa 		no flags Details | Formatted Diff | Diff
Patch (20.26 KB, patch)
2019-07-02 16:42 PDT, Said Abou-Hallawa 		no flags Details | Formatted Diff | Diff
Patch (22.76 KB, patch)
2019-07-02 17:01 PDT, Said Abou-Hallawa 		no flags Details | Formatted Diff | Diff
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Said Abou-Hallawa 2019-04-29 09:38:02 PDT 
Created attachment 368462 [details]
test case

Open the attached test case in a debug build. The following assertion will fire:


0x0000000120fa93ee in ::WTFCrash() at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/Assertions.cpp:305
0x000000010bdeb929 in WebCore::SVGAnimatedPrimitiveProperty<WTF::String>::currentValue() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAnimatedPrimitiveProperty.h:103
0x000000010d9fe692 in WebCore::SVGElement::className() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGElement.h:149
0x000000010d9fe572 in WebCore::SVGElement::svgAttributeChanged(WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGElement.cpp:858
0x000000010db39d75 in WebCore::SVGGraphicsElement::svgAttributeChanged(WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGGraphicsElement.cpp:150
0x000000010db3aea2 in WebCore::SVGGeometryElement::svgAttributeChanged(WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGGeometryElement.cpp:116
0x000000010dbf9c38 in WebCore::SVGRectElement::svgAttributeChanged(WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGRectElement.cpp:87
0x000000010dce07bd in WebCore::SVGAttributeAnimator::applyAnimatedPropertyChange(WebCore::SVGElement*, WebCore::QualifiedName const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAttributeAnimator.cpp:100
0x000000010dce09ab in WebCore::SVGAttributeAnimator::applyAnimatedPropertyChange(WebCore::SVGElement*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAttributeAnimator.cpp:117
0x000000010d97d6fb in WebCore::SVGAnimatedPropertyAnimator<WebCore::SVGAnimatedPrimitiveProperty<WTF::String>, WebCore::SVGAnimationStringFunction>::apply(WebCore::SVGElement*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAnimatedPropertyAnimator.h:80
0x000000010d968202 in WebCore::SVGAnimateElementBase::applyResultsToTarget() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGAnimateElementBase.cpp:176
0x000000010dcb678d in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/animation/SMILTimeContainer.cpp:321
0x000000010dcb6020 in WebCore::SMILTimeContainer::begin() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/animation/SMILTimeContainer.cpp:138
0x000000010d9f5fa1 in WebCore::SVGDocumentExtensions::startAnimations() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGDocumentExtensions.cpp:97
0x000000010c3a65ca in WebCore::Document::implicitClose() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/Document.cpp:3007

This is a regression of removing the SVG tear off objects. But the attached text did not work correctly before removing them also.

The assertion fires because the animated primitive property do not share the animVal with all its instances.
Comment 1 Said Abou-Hallawa 2019-04-29 09:50:07 PDT 
Created attachment 368463 [details]
Patch
Comment 2 Said Abou-Hallawa 2019-04-29 09:52:27 PDT 
<rdar://problem/50225885>
Comment 3 Said Abou-Hallawa 2019-06-03 11:42:58 PDT 
Created attachment 371199 [details]
Patch
Comment 4 Ryosuke Niwa 2019-06-25 15:53:00 PDT 
Comment on attachment 371199 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=371199&action=review

> Source/WebCore/svg/properties/SVGAnimatedPrimitiveProperty.h:155
> -    mutable Optional<PropertyType> m_animVal;
> +    mutable std::shared_ptr<PropertyType> m_animVal;

We don't use shared_Ptr anywhere else in our codebase.
Can we just wrap PropertyType in some RefCounted object? Like SharedPropertyType?
e.g. class SharedPropertyType : public RefCounted<SharedPropertyType> public PropertyType { }
This would avoid an extra malloc for shared_ptr.
Comment 5 Said Abou-Hallawa 2019-07-01 14:51:50 PDT 
Created attachment 373269 [details]
Patch
Comment 6 Darin Adler 2019-07-01 16:53:11 PDT 
Comment on attachment 373269 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=373269&action=review

> Source/WebCore/ChangeLog:24
> +        -- Add a special case for the 'class' attribute to invalidate the style
> +           of the target element when its animVal changes.

To me, this doesn’t seem like the right solution. Knowledge about which DOM attributes have effect on style should not be concentrated in the SVGAttributeAnimator class. Instead that knowledge should live in the DOM classes themselves. I’m puzzled at the choice to add this special case here.
Comment 7 Said Abou-Hallawa 2019-07-02 15:37:50 PDT 
Created attachment 373365 [details]
Patch
Comment 8 Ryosuke Niwa 2019-07-02 15:40:59 PDT 
Comment on attachment 373365 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=373365&action=review

> Source/WebCore/svg/properties/SVGPrimitiveProperty.h:33
> +class SVGPrimitiveProperty : public SVGProperty {

Maybe SVGSharedPrimitiveProperty?
Comment 9 Said Abou-Hallawa 2019-07-02 15:41:30 PDT 
Comment on attachment 373269 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=373269&action=review

>> Source/WebCore/ChangeLog:24
>> +           of the target element when its animVal changes.
> 
> To me, this doesn’t seem like the right solution. Knowledge about which DOM attributes have effect on style should not be concentrated in the SVGAttributeAnimator class. Instead that knowledge should live in the DOM classes themselves. I’m puzzled at the choice to add this special case here.

I moved the special handling to SVGAnimatedStringAnimator because we need to check whether the attribute's name is equal to 'class' or not. The SVGAnimatedString is not suitable because it does not know about the attribute's name.
Comment 10 Said Abou-Hallawa 2019-07-02 16:42:49 PDT 
Created attachment 373371 [details]
Patch
Comment 11 Said Abou-Hallawa 2019-07-02 17:01:54 PDT 
Created attachment 373373 [details]
Patch
Comment 12 WebKit Commit Bot 2019-07-02 18:42:05 PDT 
Comment on attachment 373373 [details]
Patch

Clearing flags on attachment: 373373

Committed r247085: <https://trac.webkit.org/changeset/247085>
Comment 13 WebKit Commit Bot 2019-07-02 18:42:07 PDT 
All reviewed patches have been landed.  Closing bug.