Bug 269355

Summary: Removing an <object> tag hangs tab
Product: WebKit
Reporter: Matthias Götzke <m.goetzke>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Major
CC: ahmad.saleem792, akeerthi, a_protyasha, rniwa, thorton
Priority: P2
Version: WebKit Nightly Build
Hardware: Mac (Apple Silicon)
OS: macOS 14
Attachments: Hang the Safari tab by removing an object tag. (flags: none)

Matthias Götzke
Reported 2024-02-14 03:50:47 PST
Created attachment 469859 [details]
Hang the Safari tab by removing an object tag.

Running the HTML below you can get the Safari Tab to hang. It happens the moment an object added is removed again (see the button). E.g. removing this definition from the node tree (this does NOT work inside an iframe):

`<object ref="builtin" type="application/pdf" style="position: absolute;z-index: -1;"><span></span></object>`

Steps to Reproduce
------------------
Load the HTML inside the browser (not in an iframe) on a desktop mac.
Pressing 'inc' will work.
After pressing 'crash' the browser engine hangs (it adds and then removes the object tag).
It does not matter how you remove the object node, the tab becomes unusable. See the click handler for inc, but nothing really works anymore.

Expected Results
----------------
Just like in Chrome/Edge/Firefox the node should just be removed.

Build Data & Hardware
---------------------
Safari 19617.1.17.11.12 and on 274622@main. Running on Sonoma 14.2.1 MacBookPro 16 M1 Max
Attachments
Hang the Safari tab by removing an object tag. (1.42 KB, text/html)
2024-02-14 03:50 PST, Matthias Götzke
no flags
Ahmad Saleem
Comment 1 2024-02-14 08:09:50 PST
I get the following in the console while loading:

>> CoreGraphics PDF has logged an error. Set environment variable "CG_PDF_VERBOSE" to learn more.

I was using a 'release' build as of WebKit ToT (274623@main). It is a reproducible hang, and the whole MiniBrowser starts misbehaving and navigation becomes slow to interact with.
Tim Horton
Comment 2 2024-02-14 16:24:23 PST
*** This bug has been marked as a duplicate of bug 268536 ***