[webkit-changes] [WebKit/WebKit] 686693: Release assertion failure in LegacyRenderSVGShape:...
Rob Buis
noreply at github.com
Sat Feb 1 03:21:36 PST 2025
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6866936923f71c78e121c3f98c950ada4a991841
https://github.com/WebKit/WebKit/commit/6866936923f71c78e121c3f98c950ada4a991841
Author: Rob Buis <rbuis at igalia.com>
Date: 2025-02-01 (Sat, 01 Feb 2025)
Changed paths:
A LayoutTests/svg/crash-svg-filter-empty-viewport-expected.txt
A LayoutTests/svg/crash-svg-filter-empty-viewport.svg
M Source/WebCore/svg/SVGLengthContext.cpp
Log Message:
-----------
Release assertion failure in LegacyRenderSVGShape::strokeBoundingBox()
https://bugs.webkit.org/show_bug.cgi?id=285429
Reviewed by Said Abou-Hallawa.
The test case converts the SVG baseVal x/y values on the filter from a percentage to a
user unit. To do this convertValueFromUserUnitsToPercentage is used, but the divisor
in the calculation will be zero since the filter width/height is zero (due to empty outer svg viewport), so in the
end SVG baseVal x/y values will be set to NaN.
This causes a problem when calculating the filter repaint rect in SVGRenderSupport::intersectRepaintRectWithResources
since the x and y values are NaN, causing m_accurateRepaintBoundingBox to be an empty Markable object and thus the
release assertion failure upon dereference.
To fix this detect whenever the divisor is zero in convertValueFromUserUnitsToPercentage and return 0 if so.
* LayoutTests/svg/crash-svg-filter-empty-viewport-expected.txt: Added.
* LayoutTests/svg/crash-svg-filter-empty-viewport.svg: Added.
* Source/WebCore/svg/SVGLengthContext.cpp:
(WebCore::SVGLengthContext::convertValueFromUserUnitsToPercentage const):
Canonical link: https://commits.webkit.org/289664@main
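The failure path the commit message describes, as an added illustration that is not WebKit's code: a hypothetical, simplified Markable that treats NaN as its empty marker, beside the unguarded conversion (zero divisor yields NaN) and the guarded one that returns 0 as the fix does. The names below are stand-ins, not WebCore's actual types or signatures.

```cpp
#include <cmath>
#include <limits>

// Hypothetical stand-in for a Markable<float> that uses NaN as the "empty"
// sentinel. A NaN written into it reads back as "no value", which is the
// state the commit message says triggers the release assertion on dereference.
struct MarkableFloat {
    float value = std::numeric_limits<float>::quiet_NaN();
    bool hasValue() const { return !std::isnan(value); }
    float get() const { return value; } // only valid when hasValue() is true
};

// Unguarded conversion (the pre-fix behaviour): value / dimension * 100.
// With an empty viewport the dimension is 0, so 0 / 0 produces NaN.
float convertUserUnitsToPercentageUnguarded(float value, float dimension)
{
    return value / dimension * 100.0f;
}

// Guarded conversion (the fix as described): a zero divisor returns 0
// instead of letting NaN propagate into later geometry.
float convertUserUnitsToPercentageGuarded(float value, float dimension)
{
    if (dimension == 0)
        return 0;
    return value / dimension * 100.0f;
}

// Models the later step: the converted coordinate lands in a Markable that is
// then dereferenced. Returns the Markable so the caller can check its state.
MarkableFloat repaintCoordinate(float value, float dimension, bool guarded)
{
    float percent = guarded ? convertUserUnitsToPercentageGuarded(value, dimension)
                            : convertUserUnitsToPercentageUnguarded(value, dimension);
    return MarkableFloat { percent };
}
```

With a zero dimension the unguarded path yields an empty Markable, while the guarded path yields a present value of 0.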