SVG with animation crashes WebKit+SVG
I have not had a chance to either reduce, or diagnose. It seemed to be crashing in animation code, but
looked like it might be smashing memory. Possibly relating to the svgz changes I have in my tree. (w/o
the svgz changes attached to http://bugzilla.opendarwin.org/show_bug.cgi?id=5246 it's not possible to
view this SVG w/o first downloading and decompressing it.
This seems to be smashing the stack, or somehow confusing gdb. Viewing this svg in DrawTest, with
libgmalloc leads to this backtrace:
#0 0x0191b87c in typeinfo for KDOM::KDOMPart ()
#1 0x0137fe90 in KSVG::TimeScheduler::slotTimerNotify (this=0xe7c64000) at /Volumes/Stuff/
#2 0x013800a0 in KSVG::TimeScheduler::connectIntervalTimer (this=0xbfffdfd0, element=0x108d634)
#3 0x0126f0d8 in KWQSlot::call (this=0xe7c64fec, job=0xbfffe078, data=0x50100646 <Address
0x50100646 out of bounds>, size=-519811140) at /Volumes/Stuff/Projects/WKOpen2/WebCore/
#4 0x0126e984 in KWQSignal::connect (this=0x41e00000, slot=@0x0) at /Volumes/Stuff/Projects/
#5 0x0108d690 in +[KWQSingleShotTimerTarget targetWithQObject:member:] (self=0x40300000,
_cmd=0x0, object=0x40300000, member=0x0) at /Volumes/Stuff/Projects/WKOpen2/WebCore/kwq/
#6 0x0108d6d4 in +[KWQSingleShotTimerTarget targetWithQObject:member:] (self=0xff,
_cmd=0xbfffe220, object=0x2, member=0x4 <Address 0x4 out of bounds>) at /Volumes/Stuff/
#7 0x928dd57c in __NSFireTimer ()
#8 0x90770ae0 in __CFRunLoopDoTimer ()
#9 0x9075d458 in __CFRunLoopRun ()
#10 0x9075ca0c in CFRunLoopRunSpecific ()
#11 0x93182260 in RunCurrentEventLoopInMode ()
#12 0x9318186c in ReceiveNextEventCommon ()
#13 0x93181760 in BlockUntilNextEventMatchingListInMode ()
#14 0x93680904 in _DPSNextEvent ()
#15 0x936805c8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#16 0x9367cb0c in -[NSApplication run] ()
#17 0x9376d618 in NSApplicationMain ()
#18 0x000eafa4 in main (argc=1, argv=0xbffff85c) at /Volumes/Stuff/Projects/WKOpen2/
Which is total nonsense.
Created attachment 4351 [details]
Reduced test case.
This test is more reduced than before, but still could be smaller.
Created attachment 4357 [details]
More reduced test case
This very simple SVG example causes the crash.
This example would not make sense though. More information is needed to create
a proper SVG.
Needs to change the keyword to HasReduction
Created attachment 4359 [details]
Checks isSVGElement() and prints an error message if not the case.
Comment on attachment 4359 [details]
This is a wonderful isolation of the problem. We now know *what* is going
wrong, but not yet *why*. This fix notices a symtom of the problem (that
somehow we have an animation setup pointing at a KDOM element instead of a
KSVG2 element) but does not answer the question why? and is "too late" a place
to fix. We need to find out why this gets set up this way in the first place,
and make this check earlier. "tit.key()" is typed SVGElementImpl, according to
the map... so the fact that something other than an SVGElementImpl got in there
is the bug, not that when pulling it out we didn't check correctly. This is a
good start, but not the right fix yet.
Created attachment 4361 [details]
a static_cast in SVGAnimationElementImpl::targetElement() was converting
KDOM::XMLElementImpl to SVGElementImpl for not yet implemented elements.
Comment on attachment 4361 [details]
This shoudl use the svg_dynamic_cast function instead.