Branch: refs/heads/webkitglib/2.50
Home: https://github.com/WebKit/WebKit
Commit: bafe45b6d47fd40d4d5991734739bc80f3832973
https://github.com/WebKit/WebKit/commit/bafe45b6d47fd40d4d5991734739bc80f3832973
Author: Chris Dumez <[email protected]>
Date: 2025-11-10 (Mon, 10 Nov 2025)
Changed paths:
A LayoutTests/fast/svg/SVGPathElement-toJS-crash-expected.txt
A LayoutTests/fast/svg/SVGPathElement-toJS-crash.html
M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Log Message:
-----------
Cherry-pick 302286@main (bc93fb064a1a).
https://bugs.webkit.org/show_bug.cgi?id=301605

RELEASE_ASSERT in toJSNewlyCreated() to SVGPathElement
https://bugs.webkit.org/show_bug.cgi?id=301605
rdar://163020232

Reviewed by Darin Adler.

The vtable validation generated in toJSNewlyCreated() was using an offset
that doesn't match our actual implementation. Fix the offset used in the
bindings generator to address the assertion failure.

Test: fast/svg/SVGPathElement-toJS-crash.html

* LayoutTests/fast/svg/SVGPathElement-toJS-crash-expected.txt: Added.
* LayoutTests/fast/svg/SVGPathElement-toJS-crash.html: Added.
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
(GetGnuVTableOffsetForType):

Canonical link: https://commits.webkit.org/302286@main
Canonical link: https://commits.webkit.org/298234.235@webkitglib/2.50