[Webkit-unassigned] [Bug 207920] Crash in SVGElement::removeEventListener with symbol element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 3 13:54:36 PST 2020 

https://bugs.webkit.org/show_bug.cgi?id=207920

--- Comment #5 from Ryosuke Niwa <rniwa at webkit.org> ---
Comment on attachment 392321
  --> https://bugs.webkit.org/attachment.cgi?id=392321
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=392321&action=review

> Source/WebCore/ChangeLog:13
> +        Note that Chrome shares the behavior of a symbol element + use element being transformed into a svg element in the shadow DOM, but Firefox
> +        does not.  This means that Chrome's behavior is slightly different than the WebKit behavior here (they apply event handlers to the parent

This is not really relevant. What's important is whether a setting event handler attribute
on a disconnected SVG element transfers the event handler to window or not.
Firefox doesn't whilst Chrome does.

> LayoutTests/fast/events/onresize-svg-parent-window.html:11
> +            document.body.appendChild(iframe);
> +            didFireResize = false;

This test doesn't work because Firefox doesn't synchronously load iframe.
Let's fix that by putting iframe.contentWindow.requestAnimationFrame inside iframe.onload as in:
didFireResize = false;
iframe.onload = () {
    iframe.contentWindow.requestAnimationFrame(() => {
      ..
}
document.body.appendChild(iframe);

> LayoutTests/fast/events/onresize-svg-parent-window.html:14
> +                svg.setAttribute('onresize', 'top.didFireResize = true');

Let's also add a check for on error like this:
svg.setAttribute('onerror', 'top.didFireOnError = true');
Declare didFireOnError next to didFireResize.

> LayoutTests/fast/events/onresize-svg-parent-window.html:17
> +                    shouldBeFalse('didFireResize');

Assert also that shouldBeFalse('didFireOnError');

> LayoutTests/fast/events/onresize-svg-parent-window.html:18
> +                });

Then after this requestAnimationFrame, do something like this: iframe.contentWindow.eval('throw "error"');

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200303/d3d534cc/attachment.htm>

More information about the webkit-unassigned mailing list