WebKit Bugzilla
RESOLVED FIXED
97291
Assertion failed on dynamically inserted <animation> element
https://bugs.webkit.org/show_bug.cgi?id=97291
Hajime Morrita
Reported
2012-09-20 22:18:57 PDT
Created attachment 165045: A reproduction.
This upstreams http://code.google.com/p/chromium/issues/detail?id=150966
Attachments
A reproduction. (399 bytes, image/svg+xml), 2012-09-20 22:18 PDT, Hajime Morrita, no flags
A repro (415 bytes, image/svg+xml), 2012-09-20 22:26 PDT, Hajime Morrita, no flags
reduced further (339 bytes, image/svg+xml), 2012-09-20 22:32 PDT, Hajime Morrita, no flags
We don't need any script after all. (140 bytes, image/svg+xml), 2012-09-20 22:34 PDT, Hajime Morrita, no flags
We don't need any script after all. (140 bytes, image/svg+xml), 2012-09-20 22:34 PDT, Hajime Morrita, no flags
Remove overzealous assert (2.03 KB, patch), 2012-09-26 20:49 PDT, Philip Rogers, no flags
Hajime Morrita
Comment 1
2012-09-20 22:26:46 PDT
Created attachment 165046: A repro
Hajime Morrita
Comment 2
2012-09-20 22:27:39 PDT
Callstack:
SHOULD NEVER BE REACHED
Source/WebCore/svg/SVGElement.cpp(572) : virtual WebCore::SVGAttributeToPropertyMap& WebCore::SVGElement::localAttributeToPropertyMap()
1 0x1fdcb7d
....
Program received signal SIGSEGV, Segmentation fault.
0x0000000001fdcb87 in WebCore::SVGElement::localAttributeToPropertyMap (this=0x7fffec5c6e80) at Source/WebCore/svg/SVGElement.cpp:572
572 ASSERT_NOT_REACHED();
(gdb) bt 20
#0 0x0000000001fdcb87 in WebCore::SVGElement::localAttributeToPropertyMap (this=0x7fffec5c6e80) at Source/WebCore/svg/SVGElement.cpp:572
#1 0x0000000001fdbbf5 in WebCore::SVGElement::animatedPropertyTypeForAttribute (this=0x7fffec5c6e80, attributeName=..., propertyTypes=...) at Source/WebCore/svg/SVGElement.cpp:338
#2 0x0000000001fb38e2 in WebCore::SVGAnimateElement::determineAnimatedPropertyType (this=0x7fffec07c580, targetElement=0x7fffec5c6e80) at Source/WebCore/svg/SVGAnimateElement.cpp:68
#3 0x0000000001fb568f in WebCore::SVGAnimateElement::targetElementWillChange (this=0x7fffec07c580, currentTarget=0x0, newTarget=0x7fffec5c6e80) at Source/WebCore/svg/SVGAnimateElement.cpp:408
#4 0x000000000207468b in WebCore::SVGSMILElement::targetElement (this=0x7fffec07c580) at Source/WebCore/svg/animation/SVGSMILElement.cpp:566
#5 0x000000000206e013 in WebCore::SMILTimeContainer::updateAnimations (this=0x7ffff7ec70c0, elapsed=..., seekToTime=false) at Source/WebCore/svg/animation/SMILTimeContainer.cpp:229
#6 0x000000000206d8f6 in WebCore::SMILTimeContainer::begin (this=0x7ffff7ec70c0) at Source/WebCore/svg/animation/SMILTimeContainer.cpp:100
#7 0x0000000001fc6ee2 in WebCore::SVGDocumentExtensions::startAnimations (this=0x7ffff7e68500) at Source/WebCore/svg/SVGDocumentExtensions.cpp:105
#8 0x0000000000875128 in WebCore::Document::implicitClose (this=0x7ffff7f04000) at Source/WebCore/dom/Document.cpp:2609
#9 0x0000000001697a9d in WebCore::FrameLoader::checkCallImplicitClose (this=0x7ffff7ea0498) at Source/WebCore/loader/FrameLoader.cpp:807
#10 0x000000000169780d in WebCore::FrameLoader::checkCompleted (this=0x7ffff7ea0498) at Source/WebCore/loader/FrameLoader.cpp:750
#11 0x000000000169755d in WebCore::FrameLoader::finishedParsing (this=0x7ffff7ea0498) at Source/WebCore/loader/FrameLoader.cpp:683
#12 0x000000000087de9e in WebCore::Document::finishedParsing (this=0x7ffff7f04000) at Source/WebCore/dom/Document.cpp:4899
#13 0x00000000017f84e5 in WebCore::XMLDocumentParser::end (this=0x7ffff7e9d900) at Source/WebCore/xml/parser/XMLDocumentParser.cpp:212
#14 0x00000000017f851e in WebCore::XMLDocumentParser::finish (this=0x7ffff7e9d900) at Source/WebCore/xml/parser/XMLDocumentParser.cpp:224
#15 0x000000000168adcf in WebCore::DocumentWriter::end (this=0x7ffff7f030c0) at Source/WebCore/loader/DocumentWriter.cpp:244
#16 0x00000000016797e7 in WebCore::DocumentLoader::finishedLoading (this=0x7ffff7f03000) at Source/WebCore/loader/DocumentLoader.cpp:300
#17 0x00000000016b5851 in WebCore::MainResourceLoader::didFinishLoading (this=0x7fffec568200, finishTime=0) at Source/WebCore/loader/MainResourceLoader.cpp:525
#18 0x00000000016c99c5 in WebCore::ResourceLoader::didFinishLoading (this=0x7fffec568200, finishTime=0) at Source/WebCore/loader/ResourceLoader.cpp:441
#19 0x0000000002b243ee in WebCore::ResourceHandleInternal::didFinishLoading (this=0x7fffec631700, finishTime=0) at Source/WebCore/platform/network/chromium/ResourceHandle.cpp:156
Hajime Morrita
Comment 3
2012-09-20 22:32:07 PDT
Created attachment 165048: reduced further
Hajime Morrita
Comment 4
2012-09-20 22:34:21 PDT
Created attachment 165049: We don't need any script after all.
Hajime Morrita
Comment 5
2012-09-20 22:34:53 PDT
Created attachment 165051: We don't need any script after all.
Philip Rogers
Comment 6
2012-09-26 20:49:19 PDT
Created attachment 165920: Remove overzealous assert
This bug turned out to be fairly trivial: we should correctly determine that a non-SVG tag in SVG content cannot animate.
I am also removing the security flag on this bug. This bug originated as part of a security issue but this bug is not security related.
Nikolas Zimmermann
Comment 7
2012-10-01 00:56:53 PDT
Comment on attachment 165920: Remove overzealous assert
Good explanation, r=me.
WebKit Review Bot
Comment 8
2012-10-01 01:01:17 PDT
Comment on attachment 165920: Remove overzealous assert
Clearing flags on attachment: 165920
Committed r130011: <http://trac.webkit.org/changeset/130011>
WebKit Review Bot
Comment 9
2012-10-01 01:01:22 PDT
All reviewed patches have been landed. Closing bug.