Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: bc93fb064a1ac98ade6e69f44b5342599b8c68da
https://github.com/WebKit/WebKit/commit/bc93fb064a1ac98ade6e69f44b5342599b8c68da
Author: Chris Dumez <[email protected]>
Date: 2025-10-29 (Wed, 29 Oct 2025)
Changed paths:
A LayoutTests/fast/svg/SVGPathElement-toJS-crash-expected.txt
A LayoutTests/fast/svg/SVGPathElement-toJS-crash.html
M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Log Message:
-----------
RELEASE_ASSERT in toJSNewlyCreated() to SVGPathElement
https://bugs.webkit.org/show_bug.cgi?id=301605
rdar://163020232
Reviewed by Darin Adler.
The vtable validation generated in toJSNewlyCreated() was using an offset
that doesn't match our actual implementation. Fix the offset used in the
bindings generator to address the assertion failure.
Test: fast/svg/SVGPathElement-toJS-crash.html
* LayoutTests/fast/svg/SVGPathElement-toJS-crash-expected.txt: Added.
* LayoutTests/fast/svg/SVGPathElement-toJS-crash.html: Added.
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
(GetGnuVTableOffsetForType):
Canonical link: https://commits.webkit.org/302286@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
