Bug 263288

Summary:	Regression(269372@main) Crash under SVGPathElement::attributeChanged()
Product:	WebKit	Reporter:	Chris Dumez <cdumez>
Component:	SVG	Assignee:	Chris Dumez <cdumez>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	sabouhallawa, webkit-bug-importer, zimmermann
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified
Bug Depends on:
Bug Blocks:	263195

Description Chris Dumez 2023-10-17 15:08:08 PDT

Crash under SVGPathElement::attributeChanged():
```
Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   WebCore                       	       0x111aa4e74 WebCore::SVGPathElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1500
1   WebCore                       	       0x110bab550 WebCore::Element::parserSetAttributes(std::__1::span<WebCore::Attribute const, 18446744073709551615ul>) + 1044
2   WebCore                       	       0x110f86e78 WebCore::HTMLConstructionSite::insertForeignElement(WebCore::AtomHTMLToken&&, WTF::AtomString const&) + 264
3   WebCore                       	       0x110fb0a90 WebCore::HTMLTreeBuilder::processTokenInForeignContent(WebCore::AtomHTMLToken&&) + 1020
4   WebCore                       	       0x110fb0480 WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomHTMLToken&&) + 200
5   WebCore                       	       0x10f4ca8e4 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 560
6   WebCore                       	       0x110f88134 WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString&&) + 208
```

Comment 1 Chris Dumez 2023-10-17 15:08:16 PDT

<rdar://117091905>

Comment 2 Chris Dumez 2023-10-17 15:11:05 PDT

Pull request: https://github.com/WebKit/WebKit/pull/19194

Comment 3 EWS 2023-10-17 16:19:24 PDT

Committed 269431@main (386d03be6b4c): <https://commits.webkit.org/269431@main>

Reviewed commits have been landed. Closing PR #19194 and removing active labels.