Bug 207417 - An SVG animated property animator can stop animation while other animators are still running
Summary: An SVG animated property animator can stop animation while other animators are still running
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Said Abou-Hallawa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-02-07 16:28 PST by Wen Xu
Modified: 2020-05-26 21:01 PDT
CC: 18 users

See Also:


Attachments
Patch (7.50 KB, patch), 2020-02-10 18:04 PST, Said Abou-Hallawa, no flags
Patch (16.96 KB, patch), 2020-05-19 17:34 PDT, Said Abou-Hallawa, no flags
Patch (17.03 KB, patch), 2020-05-19 17:36 PDT, Said Abou-Hallawa, no flags
Patch (16.96 KB, patch), 2020-05-26 19:04 PDT, Said Abou-Hallawa, no flags

Description Wen Xu 2020-02-07 16:28:21 PST
A crash that can be reproduced with both the master branch and the Safari release.

PoC:

<svg id="v6" xmlns="http://www.w3.org/2000/svg">
<clipPath id="v54">
  <animate id="v55" attributeName="clipPathUnits"></animate>
  <set id="v57" attributeName="clipPathUnits" max="1s" min="0s" repeatCount="256" tabindex="2"></set>
  <set id="v63" attributeName="clipPathUnits"></set>
</clipPath>
</svg>

Log:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==76736==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00048898088b bp 0x7ffee5d45bd0 sp 0x7ffee5d45b20 T0)
==76736==The signal is caused by a READ memory access.
==76736==Hint: address points to the zero page.
==76736==WARNING: invalid path to external symbolizer!
==76736==WARNING: Failed to use and restart external symbolizer!
    #0 0x48898088a in void WebCore::SVGAnimatedDecoratedProperty<WebCore::SVGDecoratedEnumeration, unsigned int>::setAnimVal<WebCore::SVGUnitTypes::SVGUnitType>(WebCore::SVGUnitTypes::SVGUnitType const&) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e7288a)
    #1 0x48897fd61 in WebCore::SVGAnimatedEnumerationAnimator<WebCore::SVGUnitTypes::SVGUnitType>::animate(WebCore::SVGElement*, float, unsigned int) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e71d61)
    #2 0x48891b0fb in WebCore::SVGAnimateElementBase::calculateAnimatedValue(float, unsigned int) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e0d0fb)
    #3 0x488957844 in WebCore::SVGAnimationElement::updateAnimation(float, unsigned int) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e49844)
    #4 0x488da09b5 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement&, bool) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52929b5)
    #5 0x488db3405 in auto WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool)::$_2::operator()<WebCore::SVGSMILElement>(WebCore::SVGSMILElement*) const (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52a5405)
    #6 0x488d961ca in WebCore::SMILTimeContainer::processAnimations(WTF::Vector<WebCore::SVGSMILElement*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Function<void (WebCore::SVGSMILElement*)>&&) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52881ca)
    #7 0x488d949ab in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x52869ab)
    #8 0x488d93160 in WebCore::SMILTimeContainer::timerFired() (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x5285160)
    #9 0x487c452c6 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41372c6)
    #10 0x487cbc77e in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41ae77e)
    #11 0x7fff2f251803 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x9f803)
    #12 0x7fff2f2513bd in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x9f3bd)
    #13 0x7fff2f250e9d in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x9ee9d)
    #14 0x7fff2f235aec in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83aec)
    #15 0x7fff2f234bd2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x82bd2)
    #16 0x7fff318d81a7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x611a7)
    #17 0x7fff3198bd8a in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x114d8a)
    #18 0x7fff66b290e0 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x170e0)
    #19 0x7fff66b29026 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x17026)
    #20 0x7fff66b28b59 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x16b59)
    #21 0x47898d4c5 in WebKit::XPCServiceMain(int, char const**) (/Users/test/workspace/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x98d4c5)
    #22 0x7fff668da7fc in start (/usr/lib/system/libdyld.dylib:x86_64+0x1a7fc)

==76736==Register values:
rax = 0x0000100000000000  rbx = 0x00007ffee5d45b60  rcx = 0x00000000e5d45b03  rdx = 0x00001fffdcba8b04
rdi = 0x0000000000000000  rsi = 0x00007ffee5d45b40  rbp = 0x00007ffee5d45bd0  rsp = 0x00007ffee5d45b20
 r8 = 0x0000100000000000   r9 = 0x00000fffffffffff  r10 = 0x0000000000000000  r11 = 0xffffffffffffffff
r12 = 0x0000606000053028  r13 = 0x00007ffee5d45b20  r14 = 0x0000000000000000  r15 = 0x00001fffdcba8b64
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Users/test/workspace/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4e7288a) in void WebCore::SVGAnimatedDecoratedProperty<WebCore::SVGDecoratedEnumeration, unsigned int>::setAnimVal<WebCore::SVGUnitTypes::SVGUnitType>(WebCore::SVGUnitTypes::SVGUnitType const&)
==76736==ABORTING
2020-02-07 19:20:31.663 MiniBrowser[76735:774496] WebContent process crashed; reloading

It seems that updateAnimation is called after stopAnimation, and |m_animVal| has already become null. Is this a race?


Reported by Wen Xu from SSLab at Georgia Tech.
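The bug title names the failure mode: the PoC's three animators (`<animate>`, `<set>` with a bounded active duration, `<set>`) all target the same animated property, clipPathUnits, and when the bounded one finishes it tears down the shared animated value while the other two are still scheduled to write to it on the same timer tick. The JavaScript model below is added here to illustrate that lifetime rule; it is not WebKit code and not the logic of the landed patch. Class and method names (AnimatedProperty, Animator, simulate), the ref-counting used as the "fixed" policy, and the tick schedule are all assumptions for illustration; the animator ids are borrowed from the PoC only as labels.

```javascript
'use strict';

// Added model, not WebKit code: three SMIL animators share one animated
// property, as the PoC's <animate>/<set> children all target clipPathUnits.
// Names and the ref-counted "fix" are illustrative assumptions.

class AnimatedProperty {
  constructor(baseVal) {
    this.baseVal = baseVal;
    this.animVal = null;      // animated value; null while no animation runs
    this.activeAnimators = 0; // animators currently driving this property
  }

  startAnimation() {
    if (this.activeAnimators === 0) this.animVal = this.baseVal;
    this.activeAnimators += 1;
  }

  // refCounted = false: whichever animator finishes first drops animVal,
  // even though other animators will still write to it on the same tick.
  // refCounted = true: animVal survives until the last animator has stopped.
  stopAnimation(refCounted) {
    this.activeAnimators -= 1;
    if (!refCounted || this.activeAnimators === 0) this.animVal = null;
  }

  setAnimVal(value) {
    if (this.animVal === null) {
      // Stand-in for the native null dereference in the ASan trace above.
      throw new TypeError('setAnimVal() on a property whose animVal is null');
    }
    this.animVal = value;
  }
}

class Animator {
  // end = Infinity models an animator with no bounded active duration.
  constructor(id, property, end, value) {
    this.id = id;
    this.property = property;
    this.end = end;
    this.value = value;
    this.active = false;
    this.finished = false;
  }

  // One timeline tick for this animator (start, write, or stop).
  progress(t, refCounted) {
    if (this.finished) return;
    if (!this.active) {
      this.property.startAnimation();
      this.active = true;
    }
    if (t >= this.end) {
      this.property.stopAnimation(refCounted);
      this.active = false;
      this.finished = true;
      return;
    }
    this.property.setAnimVal(`${this.value}@${t}`);
  }
}

// Runs the constructed timeline once under the chosen stop policy and
// reports either the first failing write or the final property state.
function simulate(refCounted) {
  const units = new AnimatedProperty('userSpaceOnUse');
  const animators = [
    new Animator('v55', units, Infinity, 'animate'),
    new Animator('v57', units, 1.0, 'set-limited'), // finishes at t = 1s
    new Animator('v63', units, Infinity, 'set'),
  ];
  const ticks = [0, 0.5, 1.0, 1.5, 2.0]; // constructed timer schedule
  for (const t of ticks) {
    for (const a of animators) {
      try {
        a.progress(t, refCounted);
      } catch (e) {
        return { crashed: true, at: t, animator: a.id, message: e.message };
      }
    }
  }
  return { crashed: false, active: units.activeAnimators, animVal: units.animVal };
}

console.log('unconditional stop:', simulate(false));
console.log('ref-counted stop:  ', simulate(true));
```

Under the unconditional policy the write from v63 on the t = 1s tick, immediately after v57 has stopped, is the one that hits the null animated value, which matches the ordering the reporter observed (updateAnimation after stopAnimation). With the per-property count, v57 stopping leaves two animators registered and the value stays allocated for them.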
Comment 1 Radar WebKit Bug Importer 2020-02-07 16:28:35 PST
<rdar://problem/59278306>
Comment 2 Said Abou-Hallawa 2020-02-10 18:04:44 PST
Created attachment 390330
Patch
Comment 3 Said Abou-Hallawa 2020-03-27 14:36:15 PDT
Comment on attachment 390330
Patch

Will post a cleaner patch.
Comment 4 Ryosuke Niwa 2020-03-27 15:03:51 PDT
There is no security implication here.
Comment 5 Said Abou-Hallawa 2020-05-19 17:34:28 PDT
Created attachment 399788
Patch
Comment 6 Said Abou-Hallawa 2020-05-19 17:36:33 PDT
Created attachment 399789
Patch
Comment 7 Said Abou-Hallawa 2020-05-26 19:04:32 PDT
Created attachment 400293
Patch
Comment 8 EWS 2020-05-26 21:01:23 PDT
Committed r262175: <https://trac.webkit.org/changeset/262175>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 400293.