Bug 258226 - Handle SVGLength resolving in an inactive document gracefully
Summary: Handle SVGLength resolving in an inactive document gracefully
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL: https://jsfiddle.net/4x7kzser/
Keywords: BrowserCompat, InRadar
Depends on:
Blocks:
 
Reported: 2023-06-16 16:38 PDT by Ahmad Saleem
Modified: 2023-07-24 09:30 PDT

See Also:

Description Ahmad Saleem 2023-06-16 16:38:50 PDT
Hi Team,

While going through Blink commits, I came across the following bug, where we throw a console error while Firefox Nightly 116 and Chrome Canary 116 do not.

Blink Commit: https://src.chromium.org/viewvc/blink?view=revision&revision=196269

WebKit Source: https://searchfox.org/wubkat/source/Source/WebCore/svg/SVGLengthContext.cpp#233

I think it is easier to merge this and match other browsers, but I am raising it to get input.

Thanks!
Comment 1 Ahmad Saleem 2023-06-17 07:14:23 PDT
I merged it and it still does not get rid of the console error, so it is a different case, but I think it is more about a potential case fix since it was identified by the ‘ClusterFuzz’ tool used by Google.
Comment 2 Ahmad Saleem 2023-07-22 04:26:37 PDT
Managed to confirm that it does not fix the bug and does not crash in 'Debug' with this patch, and without the patch we get:

stderr:
SHOULD NEVER BE REACHED
/Users/ahmadsaleem/Documents/GitHub-Webkit-origin/Webkit/Source/WebCore/svg/SVGLengthContext.cpp(234) : const WebCore::RenderStyle *WebCore::renderStyleForLengthResolving(const WebCore::SVGElement *)
1   0x133bc1c68 WTFCrash
2   0x14d0434a0 WebCore::BaseAudioContext::currentSampleFrame() const
3   0x14fcf682c WebCore::renderStyleForLengthResolving(WebCore::SVGElement const*)
4   0x14fcf5ec0 WebCore::SVGLengthContext::convertValueFromEMSToUserUnits(float) const
5   0x14fcf5d18 WebCore::SVGLengthContext::convertValueToUserUnits(float, WebCore::SVGLengthType, WebCore::SVGLengthMode) const
6   0x14fcf7e50 WebCore::SVGLengthValue::valueForBindings(WebCore::SVGLengthContext const&) const
7   0x14bfef6a8 WebCore::SVGLength::valueForBindings()
8   0x14bfef614 WebCore::jsSVGLength_valueGetter(JSC::JSGlobalObject&, WebCore::JSSVGLength&)
9   0x14bf4f3f4 long long WebCore::IDLAttribute<WebCore::JSSVGLength>::get<&WebCore::jsSVGLength_valueGetter(JSC::JSGlobalObject&, WebCore::JSSVGLength&), (WebCore::CastedThisErrorBehavior)3>(JSC::JSGlobalObject&, long long, JSC::PropertyName)
10  0x14bf4f2c8 WebCore::jsSVGLength_value(JSC::JSGlobalObject*, long long, JSC::PropertyName)
11  0x1357efb64 WTF::FunctionPtr<(WTF::PtrTag)57072, long long (JSC::JSGlobalObject*, long long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long long, JSC::PropertyName) const
12  0x135a57bd8 JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const
13  0x13420cc34 JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const
14  0x134f0d1a8 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const
15  0x135556b20 JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)
16  0x135556920 llint_slow_path_get_by_id
17  0x13426d898 llint_entry
18  0x134261808 vmEntryToJavaScript
19  0x1353ae34c JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*,
Comment 3 Radar WebKit Bug Importer 2023-07-22 04:26:49 PDT
<rdar://problem/112704896>
Comment 4 Ahmad Saleem 2023-07-22 04:50:09 PDT
PR: https://github.com/WebKit/WebKit/pull/16010
Comment 5 EWS 2023-07-24 09:30:19 PDT
Committed 266250@main (f538153c2220): <https://commits.webkit.org/266250@main>

Reviewed commits have been landed. Closing PR #16010 and removing active labels.