Bug 22398 - r39059: Crash when clearing webkitTransitionDuration in webkitTransitionEnd event handler
Summary: r39059: Crash when clearing webkitTransitionDuration in webkitTransitionEnd event handler
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: All All
Importance: P1 Normal
Assignee: Chris Marrin
URL:
Keywords: InRadar
Duplicates: 22276 22508
Depends on:
Blocks:
 
Reported: 2008-11-21 02:56 PST by Thomas Fuchs
Modified: 2008-12-08 09:22 PST
CC List: 8 users

See Also:


Attachments
Reduced test case (305 bytes, text/html), 2008-11-21 03:19 PST, Thomas Fuchs, no flags

Description Thomas Fuchs 2008-11-21 02:56:23 PST
I have an event handler on document that is fired on 'webkitTransitionEnd'. If I try to set the affected element's style.webkitTransitionDuration property to an empty string, WebKit nightly crashes.

I'll try to provide a reduced testcase.

Here's the crash log:

Version:         r38654 (38654)

Exception Type:  EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   ???                           	0x01d7c42d 0 + 30917677
1   com.apple.WebCore             	0x014485c2 WebCore::AnimationTimerCallback::timerFired(WebCore::Timer<WebCore::AnimationTimerBase>*) + 34
2   com.apple.WebCore             	0x0144b49b WebCore::Timer<WebCore::AnimationTimerBase>::fired() + 43
3   com.apple.WebCore             	0x01317635 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0ul> const&) + 133
4   com.apple.WebCore             	0x01317902 WebCore::TimerBase::sharedTimerFired() + 162
5   com.apple.WebCore             	0x012fd674 __ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 68
6   com.apple.CoreFoundation      	0x93b01b45 CFRunLoopRunSpecific + 4469
7   com.apple.CoreFoundation      	0x93b01cf8 CFRunLoopRunInMode + 88
8   com.apple.HIToolbox           	0x904aa480 RunCurrentEventLoopInMode + 283
9   com.apple.HIToolbox           	0x904aa299 ReceiveNextEventCommon + 374
10  com.apple.HIToolbox           	0x904aa10d BlockUntilNextEventMatchingListInMode + 106
11  com.apple.AppKit              	0x90fe03ed _DPSNextEvent + 657
12  com.apple.AppKit              	0x90fdfca0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
13  com.apple.Safari              	0x000080be 0x1000 + 28862
14  com.apple.AppKit              	0x90fd8cdb -[NSApplication run] + 795
15  com.apple.AppKit              	0x90fa5f14 NSApplicationMain + 574
16  com.apple.Safari              	0x000b9b46 0x1000 + 756550
Comment 1 Thomas Fuchs 2008-11-21 02:57:43 PST
Clarification -- this happens only if I set the property WITHIN the transition end event handler.
Comment 2 Thomas Fuchs 2008-11-21 03:19:07 PST
Created attachment 25346 [details]
Reduced test case
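The attached reduced test case is not reproduced on this page, so the following is a constructed reproducer for the pattern the report describes, not the attachment itself and not code from the WebKit project. It assumes only what the description and Comment 1 state: a 'webkitTransitionEnd' listener on document, and the element's webkitTransitionDuration cleared from inside that listener. The element id, the opacity transition and the 0.2s duration are arbitrary choices for illustration. The crash log above places the fault inside WebCore's animation timer callback (AnimationTimerCallback::timerFired), which is the code path that delivers this event, so the point to notice is that the page mutates the transition's own state while that dispatch is still on the stack. Any page can perform this style change, so against an affected nightly this is a remotely triggerable renderer crash rather than a corner case.

```html
<!DOCTYPE html>
<html>
<head>
<style>
  /* Constructed example: a short opacity transition so that
     webkitTransitionEnd actually fires on a 2008 WebKit nightly. */
  #box {
    width: 100px;
    height: 100px;
    background: steelblue;
    -webkit-transition-property: opacity;
    -webkit-transition-duration: 0.2s;
  }
</style>
</head>
<body>
<div id="box"></div>
<script>
  var box = document.getElementById('box');

  // Listener on document, as in the report: the event bubbles up from #box.
  document.addEventListener('webkitTransitionEnd', function (e) {
    // Trigger: clear the duration of the element whose transition just ended,
    // from inside the handler that the animation timer is currently dispatching.
    e.target.style.webkitTransitionDuration = '';

    // Per Comment 1 the crash is specific to doing this inside the handler.
    // Deferring the same assignment, e.g.
    //   setTimeout(function () { e.target.style.webkitTransitionDuration = ''; }, 0);
    // lets the timer callback finish before the transition state is torn down.
  }, false);

  // Start the transition after initial layout so a real transition runs
  // (setting the property synchronously before layout may not animate).
  setTimeout(function () { box.style.opacity = '0'; }, 0);
</script>
</body>
</html>
```

Loading this in a build at or after r39059 and before r39092 is expected to crash once the transition completes; the fixed build runs it to completion, which is what the LayoutTests case added in r39092 checks for.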
Comment 3 Thomas Fuchs 2008-11-26 05:28:24 PST
Setting to P1 because of reproducible crash. Checked in r38760, too.
Comment 4 Timothy Hatcher 2008-11-26 09:15:04 PST
*** Bug 22276 has been marked as a duplicate of this bug. ***
Comment 5 Timothy Hatcher 2008-11-26 09:15:19 PST
*** Bug 22508 has been marked as a duplicate of this bug. ***
Comment 6 Simon Fraser (smfr) 2008-11-30 19:00:56 PST
Maybe fixed by bug 22052 (which has a patch that needs review)
Comment 7 Chris Marrin 2008-12-01 14:59:04 PST
Works with patches for 22052 and 22046, both of which dealt with crashes like this.
Comment 8 Oliver Hunt 2008-12-07 05:40:00 PST
This crash still occurs, not sure if it's a regression or what
Comment 9 Simon Fraser (smfr) 2008-12-07 09:32:18 PST
Yep, I can reproduce.
Comment 10 Oliver Hunt 2008-12-07 19:26:32 PST
<rdar://problem/6426245> Reproducible crash when clearing webkitTransitionDuration in webkitTransitionEnd event handler (22398)

Trivial to trigger in "real world" code -- the inspector crashes due to this bug:
1. Go to http://nerget.com/working/crash.html
2. Open the inspector
3. Expand the console in the inspector window
4. click the link provided in the exception message
Comment 11 Oliver Hunt 2008-12-07 23:22:02 PST
This regressed in r39059
Comment 12 Oliver Hunt 2008-12-08 02:36:53 PST
Committing to http://svn.webkit.org/repository/webkit/trunk ...
	M	LayoutTests/ChangeLog
	A	LayoutTests/transitions/transition-duration-cleared-in-transitionend-crash-expected.txt
	A	LayoutTests/transitions/transition-duration-cleared-in-transitionend-crash.html
	M	WebCore/ChangeLog
	M	WebCore/page/animation/AnimationBase.cpp
Committed r39092

Comment 13 Simon Fraser (smfr) 2008-12-08 09:22:17 PST
http://trac.webkit.org/changeset/39092