RESOLVED FIXED 22398
r39059: Crash when clearing webkitTransitionDuration in webkitTransitionEnd event handler
https://bugs.webkit.org/show_bug.cgi?id=22398
Thomas Fuchs
Reported 2008-11-21 02:56:23 PST
I've an event handler on document that is fired on 'webkitTransitionEnd'. If I try to set the affected element style.webkitTransitionDuration property to an empty string, WebKit nightly crashes. I'll try to provide a reduced testcase. Here's the crash log:

Version: r38654 (38654)
Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Crashed Thread: 0

Thread 0 Crashed:
0 ??? 0x01d7c42d 0 + 30917677
1 com.apple.WebCore 0x014485c2 WebCore::AnimationTimerCallback::timerFired(WebCore::Timer<WebCore::AnimationTimerBase>*) + 34
2 com.apple.WebCore 0x0144b49b WebCore::Timer<WebCore::AnimationTimerBase>::fired() + 43
3 com.apple.WebCore 0x01317635 WebCore::TimerBase::fireTimers(double, WTF::Vector<WebCore::TimerBase*, 0ul> const&) + 133
4 com.apple.WebCore 0x01317902 WebCore::TimerBase::sharedTimerFired() + 162
5 com.apple.WebCore 0x012fd674 __ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 68
6 com.apple.CoreFoundation 0x93b01b45 CFRunLoopRunSpecific + 4469
7 com.apple.CoreFoundation 0x93b01cf8 CFRunLoopRunInMode + 88
8 com.apple.HIToolbox 0x904aa480 RunCurrentEventLoopInMode + 283
9 com.apple.HIToolbox 0x904aa299 ReceiveNextEventCommon + 374
10 com.apple.HIToolbox 0x904aa10d BlockUntilNextEventMatchingListInMode + 106
11 com.apple.AppKit 0x90fe03ed _DPSNextEvent + 657
12 com.apple.AppKit 0x90fdfca0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
13 com.apple.Safari 0x000080be 0x1000 + 28862
14 com.apple.AppKit 0x90fd8cdb -[NSApplication run] + 795
15 com.apple.AppKit 0x90fa5f14 NSApplicationMain + 574
16 com.apple.Safari 0x000b9b46 0x1000 + 756550
Attachments
Reduced test case (305 bytes, text/html)
2008-11-21 03:19 PST, Thomas Fuchs
Thomas Fuchs
Comment 1 2008-11-21 02:57:43 PST
Clarification -- this happens only if I set the property WITHIN the transition end event handler.
Thomas Fuchs
Comment 2 2008-11-21 03:19:07 PST
Created attachment 25346 [details] Reduced test case
Thomas Fuchs
Comment 3 2008-11-26 05:28:24 PST
Setting to P1 because of reproducible crash. Checked in r38760, too.
Timothy Hatcher
Comment 4 2008-11-26 09:15:04 PST
*** Bug 22276 has been marked as a duplicate of this bug. ***
Timothy Hatcher
Comment 5 2008-11-26 09:15:19 PST
*** Bug 22508 has been marked as a duplicate of this bug. ***
Simon Fraser (smfr)
Comment 6 2008-11-30 19:00:56 PST
Maybe fixed by bug 22052 (which has a patch that needs review)
Chris Marrin
Comment 7 2008-12-01 14:59:04 PST
Works with patches for 22052 and 22046, both of which dealt with crashes like this.
Oliver Hunt
Comment 8 2008-12-07 05:40:00 PST
This crash still occurs, not sure if it's a regression or what
Simon Fraser (smfr)
Comment 9 2008-12-07 09:32:18 PST
Yep, I can reproduce.
Oliver Hunt
Comment 10 2008-12-07 19:26:32 PST
<rdar://problem/6426245> Reproducible crash when clearing webkitTransitionDuration in webkitTransitionEnd event handler (22398)

Trivial to trigger in "real world" code -- the inspector crashes due to this bug:
1. Go to http://nerget.com/working/crash.html
2. Open the inspector
3. Expand the console in the inspector window
4. Click the link provided in the exception message
Oliver Hunt
Comment 11 2008-12-07 23:22:02 PST
This regressed in r39059
Oliver Hunt
Comment 12 2008-12-08 02:36:53 PST
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M LayoutTests/ChangeLog
A LayoutTests/transitions/transition-duration-cleared-in-transitionend-crash-expected.txt
A LayoutTests/transitions/transition-duration-cleared-in-transitionend-crash.html
M WebCore/ChangeLog
M WebCore/page/animation/AnimationBase.cpp
Committed r39092
Simon Fraser (smfr)
Comment 13 2008-12-08 09:22:17 PST