263288 – Regression(269372@main) Crash under SVGPathElement::attributeChanged()

Bug 263288 - Regression(269372@main) Crash under SVGPathElement::attributeChanged()

Summary: Regression(269372@main) Crash under SVGPathElement::attributeChanged()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:	InRadar

Depends on:
Blocks:	263195
	Show dependency tree / graph

Reported:	2023-10-17 15:08 PDT by Chris Dumez
Modified:	2023-10-17 16:19 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2023-10-17 15:08:08 PDT

Crash under SVGPathElement::attributeChanged():
```
Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   WebCore                       	       0x111aa4e74 WebCore::SVGPathElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1500
1   WebCore                       	       0x110bab550 WebCore::Element::parserSetAttributes(std::__1::span<WebCore::Attribute const, 18446744073709551615ul>) + 1044
2   WebCore                       	       0x110f86e78 WebCore::HTMLConstructionSite::insertForeignElement(WebCore::AtomHTMLToken&&, WTF::AtomString const&) + 264
3   WebCore                       	       0x110fb0a90 WebCore::HTMLTreeBuilder::processTokenInForeignContent(WebCore::AtomHTMLToken&&) + 1020
4   WebCore                       	       0x110fb0480 WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomHTMLToken&&) + 200
5   WebCore                       	       0x10f4ca8e4 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 560
6   WebCore                       	       0x110f88134 WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString&&) + 208
```

Comment 1 Chris Dumez 2023-10-17 15:08:16 PDT

<rdar://117091905>

Comment 2 Chris Dumez 2023-10-17 15:11:05 PDT

Pull request: https://github.com/WebKit/WebKit/pull/19194

Comment 3 EWS 2023-10-17 16:19:24 PDT

Committed 269431@main (386d03be6b4c): <https://commits.webkit.org/269431@main>

Reviewed commits have been landed. Closing PR #19194 and removing active labels.