WebKit Bugzilla
RESOLVED FIXED
282704
RELEASE_ASSERT(a.globalPosition() != b.globalPosition()) is failing for animations with no timeline
https://bugs.webkit.org/show_bug.cgi?id=282704
Adan Lopez
Reported
2024-11-06 11:29:01 PST
This bug is due to animations created with a null timeline never getting their global position updated; then, when comparing them, we hit a release assert.

Testcase:
=======
<p>This test passes if it doesn't crash.</p>
<script>
if (testRunner)
    testRunner.dumpAsText();

function eventhandler() {
    varx = new Animation(new KeyframeEffect(document.documentElement, null, 1), null);
    varx.pause();
    htmlvar.crossOrigin = "crossorigin";
}

function loading() {
    document.getAnimations();
}
</script>
<body onload=loading()>
<img id="htmlvar" onerror="eventhandler()" src="x"></img>

Stack Trace
=========
frame #0: WebCore`WebCore::compareAnimationsByCompositeOrder(WebCore::WebAnimation const&, WebCore::WebAnimation const&)+0xd6b
frame #1: WebCore`void std::__1::__stable_sort<std::__1::_ClassicAlgPolicy, WebCore::Document::matchingAnimations(WTF::Function<bool (WebCore::Element&)> const&)::$_1&, WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*>(WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*, WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*, WebCore::Document::matchingAnimations(WTF::Function<bool (WebCore::Element&)> const&)::$_1&, std::__1::iterator_traits<WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*>::difference_type, std::__1::iterator_traits<WTF::RefPtr<WebCore::WebAnimation, WTF::RawPtrTraits<WebCore::WebAnimation>, WTF::DefaultRefDerefTraits<WebCore::WebAnimation>>*>::value_type*, long)+0x102
frame #2: WebCore`WebCore::Document::matchingAnimations(WTF::Function<bool (WebCore::Element&)> const&)+0x8f0
frame #3: WebCore`WebCore::Document::getAnimations()+0xcf
frame #4: WebCore`WebCore::jsDocumentPrototypeFunction_getAnimations(JSC::JSGlobalObject*, JSC::CallFrame*)+0x221
frame #5: `0x1f51e4037+
frame #6: JavaScriptCore`jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__651_callHelper__dispatch+0x2
frame #7: JavaScriptCore`jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__665_callHelper__dispatch+0x2
frame #8: JavaScriptCore`llint_call_javascript+0x5
frame #9: JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0xce8
frame #10: JavaScriptCore`JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x101
frame #11: WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xc9f
frame #12: WebCore`WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x589
frame #13: WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x196
frame #14: WebCore`WebCore::LocalDOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x4f2
frame #15: WebCore`WebCore::LocalDOMWindow::dispatchLoadEvent()+0x5d6
frame #16: WebCore`WebCore::Document::dispatchWindowLoadEvent()+0x138
frame #17: WebCore`WebCore::Document::implicitClose()+0x86c
frame #18: WebCore`WebCore::FrameLoader::checkCallImplicitClose()+0x1ee
frame #19: WebCore`WebCore::FrameLoader::checkCompleted()+0x562
frame #20: WebCore`WebCore::FrameLoader::checkCompletenessNow()+0x2c2
frame #21: WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal()+0x3db
frame #22: WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*)+0x78
frame #23: CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x13
frame #24: CoreFoundation`__CFRunLoopDoTimer+0x320
frame #25: CoreFoundation`__CFRunLoopDoTimers+0x11c
frame #26: CoreFoundation`__CFRunLoopRun+0x8d4
frame #27: CoreFoundation`CFRunLoopRunSpecific+0x217
frame #28: Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7
frame #29: Foundation`-[NSRunLoop(NSRunLoop) run]+0x4b
frame #30: libxpc.dylib`_xpc_objc_main+0x271
frame #31: libxpc.dylib`_xpc_main+0xda
frame #32: libxpc.dylib`xpc_main+0x37
frame #33: WebKit`WebKit::XPCServiceMain(int, char const**)+0xa9
frame #34: dyld`start+0x70c
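The invariant behind the assert, as an added example that is not part of the report and is not WebKit code: a position-based comparator is only safe under a sort if every object was given a unique position. `Anim`, `makeAnim`, `assignAlways` and `sortKeepsInvariant` are hypothetical names, the exception stands in for the RELEASE_ASSERT, and the `assignAlways` path is an assumed hardening, not the change that landed.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Simplified model of the invariant, not WebKit code; every name is hypothetical.
struct Timeline { };
struct Anim { std::uint64_t globalPosition = 0; }; // 0 = never assigned
static std::uint64_t nextPosition = 1;

// assignAlways = false models the reported behaviour (position only updated when
// a timeline exists); true is an assumed hardening, not the landed fix.
Anim makeAnim(const Timeline* timeline, bool assignAlways)
{
    Anim anim;
    if (timeline || assignAlways)
        anim.globalPosition = nextPosition++;
    return anim;
}

// Position-based ordering step. Throws where the real comparator has its
// RELEASE_ASSERT, so the violation is observable without aborting the process.
bool compareByGlobalPosition(const Anim& a, const Anim& b)
{
    if (a.globalPosition == b.globalPosition)
        throw std::logic_error("animations share a global position");
    return a.globalPosition < b.globalPosition;
}

// True when the sort completes without two entries sharing a position.
bool sortKeepsInvariant(std::vector<Anim> anims)
{
    try {
        std::stable_sort(anims.begin(), anims.end(), compareByGlobalPosition);
    } catch (const std::logic_error&) {
        return false;
    }
    return true;
}

int main()
{
    bool reported = sortKeepsInvariant({ makeAnim(nullptr, false), makeAnim(nullptr, false) });
    bool hardened = sortKeepsInvariant({ makeAnim(nullptr, true), makeAnim(nullptr, true) });
    std::printf("reported: %d, hardened: %d\n", reported, hardened);
    return 0;
}
```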
Adan Lopez
Comment 1
2024-11-06 12:33:01 PST
<rdar://problem/137178526>
Adan Lopez
Comment 2
2024-11-06 12:48:17 PST
Pull request: https://github.com/WebKit/WebKit/pull/36280
EWS
Comment 3
2024-11-07 11:39:00 PST
Committed 286294@main (5ac2cec4ba7e): <https://commits.webkit.org/286294@main>

Reviewed commits have been landed. Closing PR #36280 and removing active labels.