Bug 10366

Summary: WebKit asserts on innerHTML insert of embed referencing XML which failed to parse
Product: WebKit Reporter: Eric Seidel (no email) <eric>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: ap, ddkilzer, ggaren, rwlbuis
Priority: P2    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
URL: http://www.mobiusportal.com/
Bug Depends on: 7476    
Bug Blocks:    

Eric Seidel (no email)
Reported 2006-08-12 03:05:41 PDT
WebKit asserts on innerHTML insert of embed referencing XML which failed to parse ================= ASSERTION FAILED: self == [[self page] mainFrame] || m_frame->ownerElement() (/Stuff/Projects/WebKit/WebCore/bridge/mac/WebCoreFrameBridge.mm:1015 -[WebCoreFrameBridge installInFrame:]) ================= when viewing http://www.mobiusportal.com/ I expect it's because they try to dynamically insert an embed which references a broken SVG document. I bet that is causing us to go down a code path we have not gone down before. This does not reproduce until the fix for bug 7476 is landed.
Attachments
Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2006-08-14 23:55:31 PDT
I'm able to hit the same assert by loading this file: http://lab.vodafone.com/chlsel/chlsel.xhtml
David Kilzer (:ddkilzer)
Comment 2 2006-12-28 14:23:25 PST
This may also be reproduced using Hixie's Live DOM Viewer by doing the following: 1. Open Safari. 2. Open Hixie's Live DOM Viewer: http://software.hixie.ch/utilities/js/live-dom-viewer/ 3. Paste in an <embed src=""></embed> tag referencing a non-existent image: <embed src="foo.gif"></embed> 4. Position the cursor at the end of the "</embed>" tag. 5. Hit the delete key faster than the Rendered View is able to reload the missing image. In debug builds, this causes the following assertion (using a locally-built debug build of WebKit r18456 with Safari 2.0.4 (419.3) on Mac OS X 10.4.8 (8N1037)): ASSERTION FAILED: m_frame == m_frame->page()->mainFrame() || m_frame->ownerElement() (/Users/dkilzer/Projects/WebKit/WebCore/page/mac/WebCoreFrameBridge.mm:576 -[WebCoreFrameBridge installInFrame:]) Segmentation fault And stack trace: Thread 0 Crashed: 0 com.apple.WebCore 0x01100e27 -[WebCoreFrameBridge installInFrame:] + 131 (WebCoreFrameBridge.mm:576) 1 com.apple.WebKit 0x00399c20 WebFrameLoaderClient::makeDocumentView() + 318 (WebFrameLoaderClient.mm:209) 2 com.apple.WebCore 0x013740b3 WebCore::FrameLoader::transitionToCommitted(NSDictionary*) + 707 (FrameLoaderMac.mm:953) 3 com.apple.WebCore 0x0137627a WebCore::FrameLoader::commitProvisionalLoad(NSDictionary*) + 130 (FrameLoaderMac.mm:527) 4 com.apple.WebCore 0x01370e3d WebCore::DocumentLoader::commitIfReady() + 73 (DocumentLoaderMac.mm:287) 5 com.apple.WebCore 0x01371609 WebCore::DocumentLoader::commitLoad(char const*, int) + 35 (DocumentLoaderMac.mm:324) 6 com.apple.WebCore 0x0137184c WebCore::DocumentLoader::receivedData(char const*, int) + 76 (DocumentLoaderMac.mm:338) 7 com.apple.WebCore 0x01372c33 WebCore::FrameLoader::receivedData(char const*, int) + 41 (FrameLoaderMac.mm:568) 8 com.apple.WebCore 0x0137b0d2 WebCore::MainResourceLoader::addData(char const*, int, bool) + 80 (MainResourceLoaderMac.mm:148) 9 com.apple.WebCore 0x013799e7 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 83 (ResourceLoaderMac.mm:282) 10 com.apple.WebCore 0x0137b407 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 281 (MainResourceLoaderMac.mm:312) 11 com.apple.WebCore 0x01379676 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 58 (ResourceLoaderMac.mm:442) 12 com.apple.WebCore 0x013888be -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 172 (ResourceHandleMac.mm:278) 13 com.apple.Foundation 0x9265eb86 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 641 14 com.apple.Foundation 0x9265ce67 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 686 15 com.apple.Foundation 0x9265cb41 _sendCallbacks + 201 16 com.apple.CoreFoundation 0x9082afd2 CFRunLoopRunSpecific + 1213 17 com.apple.CoreFoundation 0x9082ab0e CFRunLoopRunInMode + 61 18 com.apple.HIToolbox 0x92ddabef RunCurrentEventLoopInMode + 285 19 com.apple.HIToolbox 0x92dda2fd ReceiveNextEventCommon + 385 20 com.apple.HIToolbox 0x92dda154 BlockUntilNextEventMatchingListInMode + 81 21 com.apple.AppKit 0x9327f465 _DPSNextEvent + 572 22 com.apple.AppKit 0x9327f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137 23 com.apple.Safari 0x00006cea 0x1000 + 23786 24 com.apple.AppKit 0x93278ddb -[NSApplication run] + 512 25 com.apple.AppKit 0x9326cd2f NSApplicationMain + 573 26 com.apple.Safari 0x0005f54a 0x1000 + 386378 27 com.apple.Safari 0x0005f471 0x1000 + 386161
David Kilzer (:ddkilzer)
Comment 3 2006-12-28 14:31:44 PST
*** Bug 10853 has been marked as a duplicate of this bug. ***
Rob Buis
Comment 4 2012-06-09 16:28:36 PDT
Unfortunately the two test urls do not work anymore. The Live DOM Viewer test scenario does not trigger the bug for me (OS X Lion trunk debug).
Alexey Proskuryakov
Comment 5 2012-06-11 12:57:38 PDT
Ditto.
Note You need to log in before you can comment on or make changes to this bug.