Skip to content

REGRESSION(277450@main): OOB array read with SVG animation where keyPoints = 0. #27481

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 1, 2024
Merged

REGRESSION(277450@main): OOB array read with SVG animation where keyPoints = 0. #27481

merged 1 commit into from
May 1, 2024

Conversation

@mscottapple
Copy link
Contributor

@mscottapple mscottapple commented Apr 18, 2024
edited by webkit-early-warning-system
Loading

53e67f6

REGRESSION(277450@main): OOB array read with SVG animation where keyPoints = 0.
https://bugs.webkit.org/show_bug.cgi?id=272929
rdar://126636733

Reviewed by Said Abou-Hallawa.

This change makes a couple additional, similar changes to the original changes
to better track the SVG spec. (See the original bug for more information.)

* LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash-expected.txt: Added.
* LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash.html: Added.
* Source/WebCore/svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::keyTimes const):
(WebCore::SVGAnimationElement::startedActiveInterval):

Canonical link: https://commits.webkit.org/278212@main

c1a7f24

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ❌ 🧪 mac-wk1 ✅ 🛠 wpe-skia
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 tv ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
loading 🛠 tv-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🛠 watch
✅ 🛠 watch-sim

@mscottapple mscottapple self-assigned this Apr 18, 2024
@mscottapple mscottapple added the SVG For bugs in the SVG implementation. label Apr 18, 2024
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Apr 18, 2024
edited
Loading

EWS run on previous version of this PR (hash bbc0bf7)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ⏳ 🧪 wpe-wk2
✅ 🧪 webkitperl 🧪 ios-wk2 ⏳ 🧪 api-mac 🧪 api-wpe
🧪 ios-wk2-wpt ⏳ 🧪 mac-wk1 ✅ 🛠 wpe-skia
⏳ 🧪 api-ios 🧪 mac-wk2 ✅ 🛠 gtk
🛠 tv ⏳ 🧪 mac-AS-debug-wk2 🧪 gtk-wk2
✅ 🛠 tv-sim 🧪 mac-wk2-stress ✅ 🧪 api-gtk
🛠 watch
✅ 🛠 watch-sim

@mscottapple
Copy link
Contributor Author

mscottapple commented Apr 18, 2024

Added people involved with the change that introduced this crash.

@mscottapple mscottapple force-pushed the eng/OOB-array-read-with-SVG-animation-where-keyPoints--0 branch from bbc0bf7 to c55c930 Compare April 19, 2024 00:05
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Apr 19, 2024
edited
Loading

EWS run on previous version of this PR (hash c55c930)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ❌ 🧪 wpe-wk2
✅ 🧪 webkitperl ❌ 🧪 ios-wk2 loading 🧪 api-mac ✅ 🧪 api-wpe
❌ 🧪 ios-wk2-wpt ❌ 🧪 mac-wk1 ✅ 🛠 wpe-skia
loading 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 tv ✅ 🧪 mac-AS-debug-wk2 ❌ 🧪 gtk-wk2
✅ 🛠 tv-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 watch
✅ 🛠 watch-sim

shallawa
shallawa reviewed Apr 19, 2024
View reviewed changes
@shallawa
Copy link
Contributor

shallawa commented Apr 19, 2024

Please include the blamed revision 277450@main in the title of the commit message.

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 19, 2024
@mscottapple mscottapple removed the merging-blocked Applied to prevent a change from being merged label Apr 22, 2024
@mscottapple mscottapple changed the title Fix an OOB array read with SVG animation where keyPoints = 0. REGRESSION(277450@main): OOB array read with SVG animation where keyPoints = 0. Apr 22, 2024
@mscottapple mscottapple force-pushed the eng/OOB-array-read-with-SVG-animation-where-keyPoints--0 branch from c55c930 to 01ff56b Compare April 22, 2024 21:14
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Apr 22, 2024
edited
Loading

EWS run on previous version of this PR (hash 01ff56b)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ❌ 🧪 mac-wk1 ✅ 🛠 wpe-skia
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 tv ✅ 🧪 mac-AS-debug-wk2 ❌ 🧪 gtk-wk2
✅ 🛠 tv-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 watch
✅ 🛠 watch-sim

@mscottapple mscottapple requested a review from shallawa April 23, 2024 00:06
@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 23, 2024
@mscottapple mscottapple removed the merging-blocked Applied to prevent a change from being merged label Apr 23, 2024
@mscottapple mscottapple force-pushed the eng/OOB-array-read-with-SVG-animation-where-keyPoints--0 branch from 01ff56b to caa2678 Compare April 23, 2024 17:55
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Apr 23, 2024
edited
Loading

EWS run on previous version of this PR (hash caa2678)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ❌ 🧪 wpe-wk2
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-skia
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 tv ✅ 🧪 mac-AS-debug-wk2 ❌ 🧪 gtk-wk2
✅ 🛠 tv-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 watch
✅ 🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 23, 2024
shallawa
shallawa requested changes Apr 23, 2024
View reviewed changes
@mscottapple mscottapple removed the merging-blocked Applied to prevent a change from being merged label Apr 23, 2024
@mscottapple mscottapple force-pushed the eng/OOB-array-read-with-SVG-animation-where-keyPoints--0 branch from caa2678 to a4cea47 Compare April 23, 2024 23:26
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Apr 23, 2024
edited
Loading

EWS run on previous version of this PR (hash a4cea47)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios 🛠 mac ✅ 🛠 wpe 🛠 wincairo
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ⏳ 🧪 wpe-wk2
✅ 🧪 webkitperl ⏳ 🧪 ios-wk2 🧪 api-mac ✅ 🧪 api-wpe
⏳ 🧪 ios-wk2-wpt 🧪 mac-wk1 ✅ 🛠 wpe-skia
⏳ 🧪 api-ios 🧪 mac-wk2 ✅ 🛠 gtk
🛠 tv ⏳ 🧪 mac-AS-debug-wk2 ⏳ 🧪 gtk-wk2
🛠 tv-sim 🧪 mac-wk2-stress ⏳ 🧪 api-gtk
🛠 watch
🛠 watch-sim

@mscottapple mscottapple requested a review from shallawa April 23, 2024 23:30
shallawa
shallawa reviewed Apr 23, 2024
View reviewed changes
@mscottapple mscottapple force-pushed the eng/OOB-array-read-with-SVG-animation-where-keyPoints--0 branch from a4cea47 to 7b6d1a4 Compare April 24, 2024 00:09
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Apr 24, 2024
edited
Loading

EWS run on previous version of this PR (hash 7b6d1a4)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🧪 bindings ✅ 🛠 ios-sim loading 🛠 mac-AS-debug ❌ 🧪 wpe-wk2
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
❌ 🧪 ios-wk2-wpt ❌ 🧪 mac-wk1 ✅ 🛠 wpe-skia
✅ 🧪 api-ios ❌ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 tv ❌ 🧪 mac-AS-debug-wk2 ❌ 🧪 gtk-wk2
✅ 🛠 tv-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 watch
✅ 🛠 watch-sim

@mscottapple mscottapple requested a review from shallawa April 24, 2024 00:21
@shallawa
Copy link
Contributor

shallawa commented Apr 24, 2024

Please change the commit message to describe correctly the current change.

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 24, 2024
@mscottapple
Copy link
Contributor Author

mscottapple commented Apr 24, 2024

Now the test imported/w3c/web-platform-tests/svg/animations/animateMotion-keyPoints-001.html is failing with assert_equals: y position expected 0 but got -50

@shallawa
Copy link
Contributor

shallawa commented Apr 24, 2024

I think the specs is clear about the animateMotion overriding rules for the motion path and the overriding rules for the keyPoints.

But I think it is not clear about the overriding rules for the keyTimes when the calcMode is Paced and the animationMode is Path. When calcMode is Paced we usually use the values attribute to generate interpolated values for keyTimes. But with animationMode equal to Path I think values should be ignored in this case. And I would expect if calcMode is Paced and animationMode is Path is to have the attribute keyTimes specified in the <animateMotion> tag.

This is consistent with our code. In SVGAnimationElement::calculatePercentFromKeyPoints() we use m_keyTimesFromAttribute and not m_keyTimesForPaced as the working keyTimes. Look for where calculatePercentFromKeyPoints() is called. You will find it is called only if (calcMode != CalcMode::Paced || animationMode == AnimationMode::Path)

So to fix this issue, you will need to add this change to your patch.

const Vector<float>& SVGAnimationElement::keyTimes() const
{
    return calcMode() != CalcMode::Paced || animationMode() == AnimationMode::Path ? m_keyTimesFromAttribute : m_keyTimesForPaced;
}

@SupaYo
Copy link

SupaYo commented Apr 24, 2024

What do I have to do to fix the problem?

@mscottapple mscottapple removed the merging-blocked Applied to prevent a change from being merged label Apr 30, 2024
@mscottapple mscottapple force-pushed the eng/OOB-array-read-with-SVG-animation-where-keyPoints--0 branch from 7b6d1a4 to cd30bd5 Compare April 30, 2024 19:42
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Apr 30, 2024
edited
Loading

EWS run on previous version of this PR (hash cd30bd5)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ⏳ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt loading 🧪 mac-wk1 ✅ 🛠 wpe-skia
✅ 🧪 api-ios loading 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 tv ⏳ 🧪 mac-AS-debug-wk2 🧪 gtk-wk2
✅ 🛠 tv-sim ❌ 🧪 mac-wk2-stress ⏳ 🧪 api-gtk
✅ 🛠 watch
✅ 🛠 watch-sim

@mscottapple mscottapple force-pushed the eng/OOB-array-read-with-SVG-animation-where-keyPoints--0 branch from cd30bd5 to c1a7f24 Compare April 30, 2024 22:48
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Apr 30, 2024
edited
Loading

EWS run on current version of this PR (hash c1a7f24)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 wincairo
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ❌ 🧪 mac-wk1 ✅ 🛠 wpe-skia
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 tv ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
loading 🛠 tv-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🛠 watch
✅ 🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label May 1, 2024
shallawa
shallawa approved these changes May 1, 2024
View reviewed changes
Source/WebCore/svg/SVGAnimationElement.cpp Outdated
Copy link
Contributor

@shallawa shallawa May 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: There is no need for the parentheses. The operator precedence should work as expected:

  1. The equality != and ==
  2. The logical &&
  3. The ternary conditional ? :

@shallawa shallawa added merge-queue Applied to send a pull request to merge-queue and removed merging-blocked Applied to prevent a change from being merged labels May 1, 2024
@mscottapple
REGRESSION(277450@main): OOB array read with SVG animation where keyP…
53e67f6 
…oints = 0.

https://bugs.webkit.org/show_bug.cgi?id=272929
rdar://126636733

Reviewed by Said Abou-Hallawa.

This change makes a couple additional, similar changes to the original changes
to better track the SVG spec. (See the original bug for more information.)

* LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash-expected.txt: Added.
* LayoutTests/svg/animations/animate-zero-keyPoints-should-not-crash.html: Added.
* Source/WebCore/svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::keyTimes const):
(WebCore::SVGAnimationElement::startedActiveInterval):

Canonical link: https://commits.webkit.org/278212@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/OOB-array-read-with-SVG-animation-where-keyPoints--0 branch from c1a7f24 to 53e67f6 Compare May 1, 2024 17:08
@webkit-commit-queue
Copy link
Collaborator

webkit-commit-queue commented May 1, 2024

Committed 278212@main (53e67f6): https://commits.webkit.org/278212@main

Reviewed commits have been landed. Closing PR #27481 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit 53e67f6 into WebKit:main May 1, 2024
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label May 1, 2024
@mscottapple mscottapple deleted the eng/OOB-array-read-with-SVG-animation-where-keyPoints--0 branch May 1, 2024 17:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shallawa shallawa shallawa approved these changes

@grorg grorg Awaiting requested review from grorg

@anttijk anttijk Awaiting requested review from anttijk

@graouts graouts Awaiting requested review from graouts

Assignees

@mscottapple mscottapple

Labels

SVG For bugs in the SVG implementation.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@mscottapple @webkit-early-warning-system @shallawa @SupaYo @webkit-commit-queue @webkit-ews-buildbot