Closed Bug 1474969 Opened 7 years ago Closed 6 years ago

Assertion failure: startArr.Length() <= 1 (Invalid start-point for animateMotion interpolation), at src/dom/svg/SVGMotionSMILType.cpp:403

Categories

(Core :: SVG, defect, P3)

Tracking

RESOLVED DUPLICATE of bug 1343357
Tracking Status
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file testcase.html
Reduced with m-c: BuildID=20180711094246 SourceStamp=aff060ad3204234adae2d59b3776207c6687ebfc

Assertion failure: startArr.Length() <= 1 (Invalid start-point for animateMotion interpolation), at src/dom/svg/SVGMotionSMILType.cpp:403

#0 mozilla::SVGMotionSMILType::Interpolate(nsSMILValue const&, nsSMILValue const&, double, nsSMILValue&) const src/dom/svg/SVGMotionSMILType.cpp:394:3
#1 nsSMILAnimationFunction::InterpolateResult(FallibleTArray<nsSMILValue> const&, nsSMILValue&, nsSMILValue&) src/dom/smil/nsSMILAnimationFunction.cpp:438:18
#2 nsSMILAnimationFunction::ComposeResult(nsISMILAttr const&, nsSMILValue&) src/dom/smil/nsSMILAnimationFunction.cpp:263:9
#3 nsSMILCompositor::ComposeAttribute(bool&) src/dom/smil/nsSMILCompositor.cpp:106:29
#4 nsSMILAnimationController::DoSample(bool) src/dom/smil/nsSMILAnimationController.cpp:454:17
#5 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4275:46
#6 nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/nsDocument.cpp:7391:12
#7 nsIDocument::FlushPendingNotifications(mozilla::FlushType) src/dom/base/nsDocument.cpp:7330:3
#8 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:694:14
#9 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:627:5
#10 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#11 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
#12 nsIDocument::DoUnblockOnload() src/dom/base/nsDocument.cpp:8250:18
#13 nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8172:9
#14 nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5065:3
#15 mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1217:13
#16 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#17 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
#18 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#19 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#20 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#21 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#22 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#23 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:920:22
#24 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#25 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#26 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#27 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:746:34
#28 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#29 main src/browser/app/nsBrowserApp.cpp:287:18
#30 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#31 _start (firefox+0x423724)
Flags: in-testsuite?
I think we expect to be animating from a single point to another point, but we somehow end up animating from two points instead of from one. I forget precisely how we end up with 2 points and what that signifies... In any case, this doesn't seem dangerous, as we're simply throwing away (ignoring) the second point, and not reading past the end of an array or anything.

I poked around in rr a bit -- it looks like we generate the two-entry array via appending in SandwichAdd here:
https://searchfox.org/mozilla-central/rev/a80651653faa78fa4dfbd238d099c2aad1cec304/dom/svg/SVGMotionSMILType.cpp#328

...and then that forms the "startArr" array that we assert about when composing our to="..." animation, a little later on, here:
https://searchfox.org/mozilla-central/rev/a80651653faa78fa4dfbd238d099c2aad1cec304/dom/svg/SVGMotionSMILType.cpp#402-403
Priority: -- → P3
Flags: needinfo?(dholbert)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(dholbert)