[Webkit-unassigned] [Bug 173178] svg/animations/svglength-element-removed-crash.svg is flaky
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jun 9 14:25:27 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=173178
--- Comment #3 from Filip Pizlo <fpizlo at apple.com> ---
(In reply to Alexey Proskuryakov from comment #2)
> Ryan, can you disable the test for now? That fix was definitely addressing a
> JSC bug and test flakiness, while this may be just a bad test.
>
> But it is somewhat surprising.
Maybe this SVG test was inadvertently taking advantage of LLInt's old wrong behavior. It would flake, because the wrong behavior was in a LLInt optimization, so sometimes you wouldn't get the wrong behavior.
Specifically, what happens if you have both a custom property and an element called "foo". What does document.foo do? Some what the property, some want the element. Correct behavior is to give the element, LLInt would sometimes give the property.
I agree that it's worth skipping the SVG test. It's probably not too hard to fix, if I'm right about what's going on.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170609/a2a405b3/attachment.html>
More information about the webkit-unassigned
mailing list