Bug 97291 - Assertion failed on dynamically inserted <animation> element
Summary: Assertion failed on dynamically inserted <animation> element
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 420+
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-20 22:18 PDT by Hajime Morrita
Modified: 2012-10-01 01:01 PDT
CC: 7 users

See Also:


Attachments
- A reproduction. (399 bytes, image/svg+xml), 2012-09-20 22:18 PDT, Hajime Morrita, no flags
- A repro (415 bytes, image/svg+xml), 2012-09-20 22:26 PDT, Hajime Morrita, no flags
- reduced further (339 bytes, image/svg+xml), 2012-09-20 22:32 PDT, Hajime Morrita, no flags
- We don't need any script after all. (140 bytes, image/svg+xml), 2012-09-20 22:34 PDT, Hajime Morrita, no flags
- We don't need any script after all. (140 bytes, image/svg+xml), 2012-09-20 22:34 PDT, Hajime Morrita, no flags
- Remove overzealous assert (2.03 KB, patch), 2012-09-26 20:49 PDT, Philip Rogers, no flags

Description Hajime Morrita 2012-09-20 22:18:57 PDT
Created attachment 165045 [details]
A reproduction.

This upstreams http://code.google.com/p/chromium/issues/detail?id=150966
Comment 1 Hajime Morrita 2012-09-20 22:26:46 PDT
Created attachment 165046 [details]
A repro
Comment 2 Hajime Morrita 2012-09-20 22:27:39 PDT
Callstack:
SHOULD NEVER BE REACHED
Source/WebCore/svg/SVGElement.cpp(572) : virtual WebCore::SVGAttributeToPropertyMap& WebCore::SVGElement::localAttributeToPropertyMap()
1   0x1fdcb7d
....

Program received signal SIGSEGV, Segmentation fault.
0x0000000001fdcb87 in WebCore::SVGElement::localAttributeToPropertyMap (this=0x7fffec5c6e80) at Source/WebCore/svg/SVGElement.cpp:572
572	    ASSERT_NOT_REACHED();
(gdb) bt 20
#0  0x0000000001fdcb87 in WebCore::SVGElement::localAttributeToPropertyMap (this=0x7fffec5c6e80) at Source/WebCore/svg/SVGElement.cpp:572
#1  0x0000000001fdbbf5 in WebCore::SVGElement::animatedPropertyTypeForAttribute (this=0x7fffec5c6e80, attributeName=..., propertyTypes=...) at Source/WebCore/svg/SVGElement.cpp:338
#2  0x0000000001fb38e2 in WebCore::SVGAnimateElement::determineAnimatedPropertyType (this=0x7fffec07c580, targetElement=0x7fffec5c6e80) at Source/WebCore/svg/SVGAnimateElement.cpp:68
#3  0x0000000001fb568f in WebCore::SVGAnimateElement::targetElementWillChange (this=0x7fffec07c580, currentTarget=0x0, newTarget=0x7fffec5c6e80) at Source/WebCore/svg/SVGAnimateElement.cpp:408
#4  0x000000000207468b in WebCore::SVGSMILElement::targetElement (this=0x7fffec07c580) at Source/WebCore/svg/animation/SVGSMILElement.cpp:566
#5  0x000000000206e013 in WebCore::SMILTimeContainer::updateAnimations (this=0x7ffff7ec70c0, elapsed=..., seekToTime=false) at Source/WebCore/svg/animation/SMILTimeContainer.cpp:229
#6  0x000000000206d8f6 in WebCore::SMILTimeContainer::begin (this=0x7ffff7ec70c0) at Source/WebCore/svg/animation/SMILTimeContainer.cpp:100
#7  0x0000000001fc6ee2 in WebCore::SVGDocumentExtensions::startAnimations (this=0x7ffff7e68500) at Source/WebCore/svg/SVGDocumentExtensions.cpp:105
#8  0x0000000000875128 in WebCore::Document::implicitClose (this=0x7ffff7f04000) at Source/WebCore/dom/Document.cpp:2609
#9  0x0000000001697a9d in WebCore::FrameLoader::checkCallImplicitClose (this=0x7ffff7ea0498) at Source/WebCore/loader/FrameLoader.cpp:807
#10 0x000000000169780d in WebCore::FrameLoader::checkCompleted (this=0x7ffff7ea0498) at Source/WebCore/loader/FrameLoader.cpp:750
#11 0x000000000169755d in WebCore::FrameLoader::finishedParsing (this=0x7ffff7ea0498) at Source/WebCore/loader/FrameLoader.cpp:683
#12 0x000000000087de9e in WebCore::Document::finishedParsing (this=0x7ffff7f04000) at Source/WebCore/dom/Document.cpp:4899
#13 0x00000000017f84e5 in WebCore::XMLDocumentParser::end (this=0x7ffff7e9d900) at Source/WebCore/xml/parser/XMLDocumentParser.cpp:212
#14 0x00000000017f851e in WebCore::XMLDocumentParser::finish (this=0x7ffff7e9d900) at Source/WebCore/xml/parser/XMLDocumentParser.cpp:224
#15 0x000000000168adcf in WebCore::DocumentWriter::end (this=0x7ffff7f030c0) at Source/WebCore/loader/DocumentWriter.cpp:244
#16 0x00000000016797e7 in WebCore::DocumentLoader::finishedLoading (this=0x7ffff7f03000) at Source/WebCore/loader/DocumentLoader.cpp:300
#17 0x00000000016b5851 in WebCore::MainResourceLoader::didFinishLoading (this=0x7fffec568200, finishTime=0) at Source/WebCore/loader/MainResourceLoader.cpp:525
#18 0x00000000016c99c5 in WebCore::ResourceLoader::didFinishLoading (this=0x7fffec568200, finishTime=0) at Source/WebCore/loader/ResourceLoader.cpp:441
#19 0x0000000002b243ee in WebCore::ResourceHandleInternal::didFinishLoading (this=0x7fffec631700, finishTime=0) at Source/WebCore/platform/network/chromium/ResourceHandle.cpp:156
Comment 3 Hajime Morrita 2012-09-20 22:32:07 PDT
Created attachment 165048 [details]
reduced further
Comment 4 Hajime Morrita 2012-09-20 22:34:21 PDT
Created attachment 165049 [details]
We don't need any script after all.
Comment 5 Hajime Morrita 2012-09-20 22:34:53 PDT
Created attachment 165051 [details]
We don't need any script after all.
Comment 6 Philip Rogers 2012-09-26 20:49:19 PDT
Created attachment 165920 [details]
Remove overzealous assert

This bug turned out to be fairly trivial: we should correctly determine that a non-SVG tag in SVG content cannot animate.

I am also removing the security flag on this bug. This bug originated as part of a security issue but this bug is not security related.
Comment 7 Nikolas Zimmermann 2012-10-01 00:56:53 PDT
Comment on attachment 165920 [details]
Remove overzealous assert

Good explanation, r=me.
Comment 8 WebKit Review Bot 2012-10-01 01:01:17 PDT
Comment on attachment 165920 [details]
Remove overzealous assert

Clearing flags on attachment: 165920

Committed r130011: <http://trac.webkit.org/changeset/130011>
Comment 9 WebKit Review Bot 2012-10-01 01:01:22 PDT
All reviewed patches have been landed. Closing bug.