Bug 258226
| Summary: | Handle SVGLength resolving in an inactive document gracefully | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Ahmad Saleem <ahmad.saleem792> |
| Component: | SVG | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | sabouhallawa, webkit-bug-importer, zimmermann |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | https://jsfiddle.net/4x7kzser/ | ||
Ahmad Saleem
Hi Team,
While going through Blink commit's, I came across following bug, where we throw console error while Firefox Nightly 116 and Chrome Canary 116 does not.
Blink Commit: https://src.chromium.org/viewvc/blink?view=revision&revision=196269
WebKit Source: https://searchfox.org/wubkat/source/Source/WebCore/svg/SVGLengthContext.cpp#233
I think it is easier to merge this and match other browsers but raising to get input.
Thanks!
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Ahmad Saleem
I merge and it still does not get rid of console error, so it is different case but I think it is more about potential case fix since it was identified by ‘ClusterFuzz’ tool used by Google.
Ahmad Saleem
Manage to confirm that it does not fix bug and not crash in 'Debug' with this patch and without patch, we get:
stderr:
SHOULD NEVER BE REACHED
/Users/ahmadsaleem/Documents/GitHub-Webkit-origin/Webkit/Source/WebCore/svg/SVGLengthContext.cpp(234) : const WebCore::RenderStyle *WebCore::renderStyleForLengthResolving(const WebCore::SVGElement *)
1 0x133bc1c68 WTFCrash
2 0x14d0434a0 WebCore::BaseAudioContext::currentSampleFrame() const
3 0x14fcf682c WebCore::renderStyleForLengthResolving(WebCore::SVGElement const*)
4 0x14fcf5ec0 WebCore::SVGLengthContext::convertValueFromEMSToUserUnits(float) const
5 0x14fcf5d18 WebCore::SVGLengthContext::convertValueToUserUnits(float, WebCore::SVGLengthType, WebCore::SVGLengthMode) const
6 0x14fcf7e50 WebCore::SVGLengthValue::valueForBindings(WebCore::SVGLengthContext const&) const
7 0x14bfef6a8 WebCore::SVGLength::valueForBindings()
8 0x14bfef614 WebCore::jsSVGLength_valueGetter(JSC::JSGlobalObject&, WebCore::JSSVGLength&)
9 0x14bf4f3f4 long long WebCore::IDLAttribute<WebCore::JSSVGLength>::get<&WebCore::jsSVGLength_valueGetter(JSC::JSGlobalObject&, WebCore::JSSVGLength&), (WebCore::CastedThisErrorBehavior)3>(JSC::JSGlobalObject&, long long, JSC::PropertyName)
10 0x14bf4f2c8 WebCore::jsSVGLength_value(JSC::JSGlobalObject*, long long, JSC::PropertyName)
11 0x1357efb64 WTF::FunctionPtr<(WTF::PtrTag)57072, long long (JSC::JSGlobalObject*, long long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long long, JSC::PropertyName) const
12 0x135a57bd8 JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const
13 0x13420cc34 JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const
14 0x134f0d1a8 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const
15 0x135556b20 JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)
16 0x135556920 llint_slow_path_get_by_id
17 0x13426d898 llint_entry
18 0x134261808 vmEntryToJavaScript
19 0x1353ae34c JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*,
Radar WebKit Bug Importer
<rdar://problem/112704896>
Ahmad Saleem
PR: https://github.com/WebKit/WebKit/pull/16010
EWS
Committed 266250@main (f538153c2220): <https://commits.webkit.org/266250@main>
Reviewed commits have been landed. Closing PR #16010 and removing active labels.