[Webkit-unassigned] [Bug 197137] New: REGRESSION (r243137): SVGViewElement.viewTarget should not return a new object

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Apr 20 01:30:11 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=197137

            Bug ID: 197137
           Summary: REGRESSION (r243137): SVGViewElement.viewTarget should
                    not return a new object
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: zimmermann at kde.org

Open the attached test case. The following assertion fires:

0x0000000762c6d4c0 in ::WTFCrash() at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/Assertions.cpp:305
0x0000000749defb5b in WTFCrashWithInfo(int, char const*, char const*, int) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/Assertions.h:566
0x000000074b159905 in std::__1::enable_if<std::is_same<WebCore::SVGStringList, WebCore::SVGStringList>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::SVGStringList>::WrapperClass*>::type WebCore::createWrapper<WebCore::SVGStringList, WebCore::SVGStringList>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::SVGStringList, WTF::DumbPtrTraits<WebCore::SVGStringList> >&&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/bindings/js/JSDOMWrapperCache.h:185
0x000000074b1597ec in WebCore::toJSNewlyCreated(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::SVGStringList, WTF::DumbPtrTraits<WebCore::SVGStringList> >&&) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/DerivedSources/WebCore/JSSVGStringList.cpp:381
0x000000074b194500 in JSC::JSValue WebCore::JSConverter<WebCore::IDLInterface<WebCore::SVGStringList> >::convertNewlyCreated<WTF::Ref<WebCore::SVGStringList, WTF::DumbPtrTraits<WebCore::SVGStringList> > >(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::SVGStringList, WTF::DumbPtrTraits<WebCore::SVGStringList> >&&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/bindings/js/JSDOMConvertInterface.h:87
0x000000074b1944a0 in JSC::JSValue WebCore::toJSNewlyCreated<WebCore::IDLInterface<WebCore::SVGStringList>, WTF::Ref<WebCore::SVGStringList, WTF::DumbPtrTraits<WebCore::SVGStringList> > >(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::SVGStringList, WTF::DumbPtrTraits<WebCore::SVGStringList> >&&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/bindings/js/JSDOMConvertBase.h:162
0x000000074b194414 in std::__1::enable_if<!(IsExceptionOr<WTF::Ref<WebCore::SVGStringList, WTF::DumbPtrTraits<WebCore::SVGStringList> > >::value), JSC::JSValue>::type WebCore::toJSNewlyCreated<WebCore::IDLInterface<WebCore::SVGStringList>, WTF::Ref<WebCore::SVGStringList, WTF::DumbPtrTraits<WebCore::SVGStringList> > >(JSC::ExecState&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WTF::Ref<WebCore::SVGStringList, WTF::DumbPtrTraits<WebCore::SVGStringList> >&&) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/bindings/js/JSDOMConvertBase.h:207
0x000000074b1942d3 in WebCore::jsSVGViewElementViewTargetGetter(JSC::ExecState&, WebCore::JSSVGViewElement&, JSC::ThrowScope&) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/DerivedSources/WebCore/JSSVGViewElement.cpp:198
0x000000074b186750 in long long WebCore::IDLAttribute<WebCore::JSSVGViewElement>::get<&(WebCore::jsSVGViewElementViewTargetGetter(JSC::ExecState&, WebCore::JSSVGViewElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)3>(JSC::ExecState&, long long, char const*) at /Volumes/Data/WebKit/OpenSource/Source/WebCore/bindings/js/JSDOMAttribute.h:69
0x000000074b186638 in WebCore::jsSVGViewElementViewTarget(JSC::ExecState*, long long, JSC::PropertyName) at /Volumes/Data/WebKit/OpenSource/WebKitBuild/Debug/DerivedSources/WebCore/JSSVGViewElement.cpp:204

r243137 removes the tear-off objects of SVGStringList. Since the SVGElements now own Ref pointers to the SVG properties, there is no need to create wrappers for these properties anymore. Therefore, all the DOM objects accessing the same property should wrap the same Ref pointer.
