RESOLVED FIXED Bug 64671
REGRESSION (Safari 5.0.5 - ToT): crash in SVG test http://dev.w3.org/SVG/profiles/1.1F2/test/harness/htmlObjectApproved/animate-elem-39-t.html
https://bugs.webkit.org/show_bug.cgi?id=64671
lars.sonchocky-helldorf
Reported 2011-07-17 13:25:09 PDT
Attachments
64671_crash_log (53.02 KB, text/plain)
2011-07-17 13:29 PDT, lars.sonchocky-helldorf
no flags
minimized from original url, causing crash in SVGSMILElement::progress (647 bytes, image/svg+xml)
2011-07-27 08:55 PDT, Scott Graham
no flags
Patch (4.71 KB, patch)
2012-01-20 16:39 PST, Stephen Chenney
no flags
lars.sonchocky-helldorf
Comment 1 2011-07-17 13:29:08 PDT
Created attachment 101118: 64671_crash_log
crash log for this bug
Dirk Schulze
Comment 2 2011-07-17 22:43:17 PDT
The PaintServer crashes because of a missing RenderStyle on SVGFonts. I couldn't reproduce it locally when SVGFonts are not online.
Alexey Proskuryakov
Comment 3 2011-07-18 10:30:45 PDT
I cannot reproduce with Safari 5.0.5, so marking as regression.
Dirk Schulze
Comment 4 2011-07-20 03:51:41 PDT
(In reply to comment #3)
> I cannot reproduce with Safari 5.0.5, so marking as regression.
It's an assertion, no crash. Have you checked a debug version of WebKit? IIRC we have had this bug for a longer time and I think we even had it on Safari 5.
Dirk Schulze
Comment 5 2011-07-20 03:52:17 PDT
*** Bug 53858 has been marked as a duplicate of this bug. ***
Scott Graham
Comment 6 2011-07-27 08:55:05 PDT
Created attachment 102148: minimized from original url, causing crash in SVGSMILElement::progress
Scott Graham
Comment 7 2011-07-27 08:56:01 PDT
I'm seeing an assert in SVGSMILElement::progress (not the same as the crash?). It appears to be caused by update order, as there are multiple begins that are "showAnchor.end+1s", including showAnchor's.
Stephen Chenney
Comment 8 2012-01-20 07:11:17 PST
*** Bug 64940 has been marked as a duplicate of this bug. ***
Stephen Chenney
Comment 9 2012-01-20 07:11:43 PST
*** Bug 66888 has been marked as a duplicate of this bug. ***
Stephen Chenney
Comment 10 2012-01-20 07:12:17 PST
*** Bug 73710 has been marked as a duplicate of this bug. ***
Stephen Chenney
Comment 11 2012-01-20 07:12:53 PST
*** Bug 74788 has been marked as a duplicate of this bug. ***
Stephen Chenney
Comment 12 2012-01-20 11:52:00 PST
To clarify what this bug is about: on a seemingly random basis, many of the tests of the form svg/W3C-SVG-1.1/animate-elem-??-?.svg and also svg/animations/svginteger-animation-1.html all fail with one of two assertions in SVGSMILElement::progress for Mac and Linux.
Stephen Chenney
Comment 13 2012-01-20 16:39:26 PST
Stephen Chenney
Comment 14 2012-01-20 16:41:10 PST
I think this change addresses the crash, and also ensures that the callback method for "no longer active" fires. It is also safe to just remove the offending assert, but then the callback would not fire.
Nikolas Zimmermann
Comment 15 2012-01-21 00:34:16 PST
Comment on attachment 123409: Patch
Looks good, r=me. Thanks for investigating!
WebKit Review Bot
Comment 16 2012-01-21 00:51:53 PST
Comment on attachment 123409: Patch
Clearing flags on attachment: 123409
Committed r105572: <http://trac.webkit.org/changeset/105572>
WebKit Review Bot
Comment 17 2012-01-21 00:51:58 PST
All reviewed patches have been landed. Closing bug.