WebKit Bugzilla
Bug 204766: Crash when animating an enum attribute for multiple instances of an SVG element
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=204766
Said Abou-Hallawa, Reported 2019-12-02 13:48:09 PST

Created attachment 384655: test case (will crash)

Open the attached test case. WebKit will crash because of a null reference with the following call stack:

#0 0x00000004ee682cf5 in WebCore::SVGLengthAdjustType WebCore::SVGAnimatedDecoratedProperty<WebCore::SVGDecoratedEnumeration, unsigned int>::currentValue<WebCore::SVGLengthAdjustType>() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/properties/SVGAnimatedDecoratedProperty.h:114
#1 0x00000004ee67bb14 in WebCore::SVGTextContentElement::lengthAdjust() const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/svg/SVGTextContentElement.h:89
#2 0x00000004ee67f534 in WebCore::SVGTextLayoutEngine::parentDefinesTextLength(WebCore::RenderObject*) const at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp:151
#3 0x00000004ee67f708 in WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath(WebCore::SVGInlineTextBox&, WebCore::RenderSVGInlineText&, WebCore::RenderStyle const&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp:411
#4 0x00000004ee67aec7 in WebCore::SVGTextLayoutEngine::layoutInlineTextBox(WebCore::SVGInlineTextBox&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp:225
#5 0x00000004ee67a6df in WebCore::SVGRootInlineBox::layoutCharactersInTextBoxes(WebCore::InlineFlowBox*, WebCore::SVGTextLayoutEngine&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRootInlineBox.cpp:108
#6 0x00000004ee67a4c9 in WebCore::SVGRootInlineBox::computePerCharacterLayoutInformation() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRootInlineBox.cpp:91
#7 0x00000004ee1e830d in WebCore::ComplexLineLayout::createLineBoxesFromBidiRuns(unsigned int, WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/ComplexLineLayout.cpp:1238
#8 0x00000004ee1ea59b in WebCore::ComplexLineLayout::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/ComplexLineLayout.cpp:1424
#9 0x00000004ee1e8954 in WebCore::ComplexLineLayout::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/ComplexLineLayout.cpp:1332
#10 0x00000004ee1ee8ae in WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/ComplexLineLayout.cpp:1741
#11 0x00000004ee2b0872 in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/RenderBlockFlow.cpp:683
#12 0x00000004ee6498c2 in WebCore::RenderSVGText::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/RenderSVGText.cpp:408
#13 0x00000004ee6657dd in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:273
#14 0x00000004ee5fbd78 in WebCore::RenderSVGContainer::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/RenderSVGContainer.cpp:71
#15 0x00000004ee6657dd in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:273
#16 0x00000004ee5fbd78 in WebCore::RenderSVGContainer::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/RenderSVGContainer.cpp:71
#17 0x00000004ee6657dd in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:273
#18 0x00000004ee642770 in WebCore::RenderSVGRoot::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/rendering/svg/RenderSVGRoot.cpp:160
#19 0x00000004edbbc60f in WebCore::FrameViewLayoutContext::layout() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/page/FrameViewLayoutContext.cpp:247
#20 0x00000004edb5cd9c in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/page/FrameView.cpp:4321
#21 0x00000004edbe095c in WebCore::Page::layoutIfNeeded() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/page/Page.cpp:1318
#22 0x00000004edbe0a0a in WebCore::Page::updateRendering() at /Volumes/Data/WebKit/OpenSource/Source/WebCore/page/Page.cpp:1334
#23 0x00000004e14329d1 in WebKit::WebPage::updateRendering() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/WebPage.cpp:3702
#24 0x00000004e10c0801 in WebKit::TiledCoreAnimationDrawingArea::flushLayers(WebKit::TiledCoreAnimationDrawingArea::FlushType) at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:467
#25 0x00000004e10c4d77 in WebKit::TiledCoreAnimationDrawingArea::layerFlushRunLoopCallback() at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:931
#26 0x00000004e10c7bd8 in WebKit::TiledCoreAnimationDrawingArea::TiledCoreAnimationDrawingArea(WebKit::WebPage&, WebKit::WebPageCreationParameters const&)::$_1::operator()() const at /Volumes/Data/WebKit/OpenSource/Source/WebKit/WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:91
Attachments
- test case (will crash) (336 bytes, image/svg+xml), 2019-12-02 13:48 PST, Said Abou-Hallawa
- Patch (8.49 KB, patch), 2019-12-02 14:03 PST, Said Abou-Hallawa
Said Abou-Hallawa, Comment 1, 2019-12-02 14:03:06 PST

Created attachment 384659: Patch
Said Abou-Hallawa, Comment 2, 2019-12-02 14:05:31 PST

<rdar://problem/57565270>
Nikolas Zimmermann, Comment 3, 2019-12-02 14:13:43 PST

Comment on attachment 384659 (Patch):
Good catch, Said!
WebKit Commit Bot, Comment 4, 2019-12-02 16:38:23 PST

Comment on attachment 384659 (Patch):
Clearing flags on attachment: 384659
Committed r253017: <https://trac.webkit.org/changeset/253017>
WebKit Commit Bot, Comment 5, 2019-12-02 16:38:25 PST

All reviewed patches have been landed. Closing bug.