A crash that can be reproduced with both master branch and Safari release.

PoC:

<svg id="v6" xmlns="http://www.w3.org/2000/svg">
  <clipPath id="v54">
    <animate id="v55" attributeName="clipPathUnits"></animate>
    <set id="v57" attributeName="clipPathUnits" max="1s" min="0s" repeatCount="256" tabindex="2"></set>
    <set id="v63" attributeName="clipPathUnits"></set>
  </clipPath>
</svg>

Log:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==76736==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00048898088b bp 0x7ffee5d45bd0 sp 0x7ffee5d45b20 T0)
==76736==The signal is caused by a READ memory access.
==76736==Hint: address points to the zero page.
==76736==WARNING: invalid path to external symbolizer!
==76736==WARNING: Failed to use and restart external symbolizer!
    #0 0x48898088a in void WebCore::SVGAnimatedDecoratedProperty<WebCore::SVGDecoratedEnumeration, unsigned int>::setAnimVal<WebCore::SVGUnitTypes::SVGUnitType>(WebCore::SVGUnitTypes::SVGUnitType const&) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e7288a)
    #1 0x48897fd61 in WebCore::SVGAnimatedEnumerationAnimator<WebCore::SVGUnitTypes::SVGUnitType>::animate(WebCore::SVGElement*, float, unsigned int) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e71d61)
    #2 0x48891b0fb in WebCore::SVGAnimateElementBase::calculateAnimatedValue(float, unsigned int) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e0d0fb)
    #3 0x488957844 in WebCore::SVGAnimationElement::updateAnimation(float, unsigned int) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e49844)
    #4 0x488da09b5 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement&, bool) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52929b5)
    #5 0x488db3405 in auto WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool)::$_2::operator()<WebCore::SVGSMILElement>(WebCore::SVGSMILElement*) const (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52a5405)
    #6 0x488d961ca in WebCore::SMILTimeContainer::processAnimations(WTF::Vector<WebCore::SVGSMILElement*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Function<void (WebCore::SVGSMILElement*)>&&) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52881ca)
    #7 0x488d949ab in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52869ab)
    #8 0x488d93160 in WebCore::SMILTimeContainer::timerFired() (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5285160)
    #9 0x487c452c6 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41372c6)
    #10 0x487cbc77e in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41ae77e)
    #11 0x7fff2f251803 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x9f803)
    #12 0x7fff2f2513bd in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x9f3bd)
    #13 0x7fff2f250e9d in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x9ee9d)
    #14 0x7fff2f235aec in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83aec)
    #15 0x7fff2f234bd2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x82bd2)
    #16 0x7fff318d81a7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x611a7)
    #17 0x7fff3198bd8a in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x114d8a)
    #18 0x7fff66b290e0 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x170e0)
    #19 0x7fff66b29026 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x17026)
    #20 0x7fff66b28b59 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x16b59)
    #21 0x47898d4c5 in WebKit::XPCServiceMain(int, char const**) (/Users/test/workspace/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x98d4c5)
    #22 0x7fff668da7fc in start (/usr/lib/system/libdyld.dylib:x86_64+0x1a7fc)

==76736==Register values:
rax = 0x0000100000000000  rbx = 0x00007ffee5d45b60  rcx = 0x00000000e5d45b03  rdx = 0x00001fffdcba8b04
rdi = 0x0000000000000000  rsi = 0x00007ffee5d45b40  rbp = 0x00007ffee5d45bd0  rsp = 0x00007ffee5d45b20
 r8 = 0x0000100000000000   r9 = 0x00000fffffffffff  r10 = 0x0000000000000000  r11 = 0xffffffffffffffff
r12 = 0x0000606000053028  r13 = 0x00007ffee5d45b20  r14 = 0x0000000000000000  r15 = 0x00001fffdcba8b64
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e7288a) in void WebCore::SVGAnimatedDecoratedProperty<WebCore::SVGDecoratedEnumeration, unsigned int>::setAnimVal<WebCore::SVGUnitTypes::SVGUnitType>(WebCore::SVGUnitTypes::SVGUnitType const&)
==76736==ABORTING
2020-02-07 19:20:31.663 MiniBrowser[76735:774496] WebContent process crashed; reloading it

It seems that updateAnimation is called after stopAnimation, and |m_animVal| has already become null. Is this a race?

Reported by Wen Xu from SSLab at Georgia Tech.
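The hazard the report points at, a timer-driven update landing after the animated value storage has been released, as a constructed C++ model. This is an added illustration, not WebKit code: the AnimatedEnumProperty type, the UnitType enum, and the tick() helper are assumptions that sketch the shape of the null-dereference ordering bug, with the unchecked write shown beside a checked write that drops a late tick instead of crashing.

```cpp
#include <cstdint>
#include <memory>

// Added example, not WebKit code: a constructed model of an animated
// enumeration property with the lifetime hazard the report describes.
// The animated value storage (m_animVal) exists only while an animation
// is running; stopAnimation() releases it, but a timer-driven update
// may still arrive afterwards and try to write through it.
enum class UnitType : uint32_t { Unknown = 0, UserSpaceOnUse = 1, ObjectBoundingBox = 2 };

struct AnimatedEnumProperty {
    UnitType baseVal = UnitType::UserSpaceOnUse;
    std::unique_ptr<UnitType> m_animVal;  // non-null only while animating

    void startAnimation() {
        if (!m_animVal)
            m_animVal = std::make_unique<UnitType>(baseVal);
    }
    void stopAnimation() { m_animVal.reset(); }

    // Unchecked form: writes through m_animVal unconditionally, so a tick
    // that lands after stopAnimation() dereferences null (the SEGV on the
    // zero page in the report). Kept only to show the shape; never called.
    void setAnimValUnchecked(UnitType v) { *m_animVal = v; }

    // Checked form: a tick with no active animation is dropped and reported
    // to the caller instead of being written through a null pointer.
    bool setAnimValChecked(UnitType v) {
        if (!m_animVal)
            return false;
        *m_animVal = v;
        return true;
    }

    UnitType currentVal() const { return m_animVal ? *m_animVal : baseVal; }
};

// One animation tick as a SMIL-style timer would drive it (hypothetical
// helper); returns whether the write was applied.
bool tick(AnimatedEnumProperty& p, UnitType v) { return p.setAnimValChecked(v); }

// Normal ordering: start, tick, stop. The animated value is visible while
// running and the base value is restored after stop.
bool normalOrderingWorks() {
    AnimatedEnumProperty p;
    p.startAnimation();
    bool applied = tick(p, UnitType::ObjectBoundingBox);
    bool seen = p.currentVal() == UnitType::ObjectBoundingBox;
    p.stopAnimation();
    return applied && seen && p.currentVal() == UnitType::UserSpaceOnUse;
}

// The ordering from the report: stop arrives, then one more tick still runs.
// With the checked write the late tick is ignored rather than crashing.
bool lateTickAfterStopIsDropped() {
    AnimatedEnumProperty p;
    p.startAnimation();
    tick(p, UnitType::ObjectBoundingBox);
    p.stopAnimation();
    bool applied = tick(p, UnitType::ObjectBoundingBox);
    return !applied && p.currentVal() == UnitType::UserSpaceOnUse;
}
```

The checked write is the defensive shape for this class of bug; the real fix in a timer-driven system is also to make sure a stopped element is no longer in the set the timer iterates, so the late tick never reaches the property at all.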
<rdar://problem/59278306>
Created attachment 390330 [details] Patch
Comment on attachment 390330 [details] Patch

Will post a cleaner patch.
There is no security implication here.
Created attachment 399788 [details] Patch
Created attachment 399789 [details] Patch
Created attachment 400293 [details] Patch
Committed r262175: <https://trac.webkit.org/changeset/262175>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 400293 [details].