Bug 143519

Summary: ASSERTION FAILED: m_templateInsertionModes.isEmpty() in WebCore::HTMLTreeBuilder::finished
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: DOM
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, commit-queue, darin, esprehn+autocc, gyuyoung.kim, rniwa
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 154996, 157022, 157026
Bug Blocks: 116980, 154614

Attachments (description: flags):
Test case: none
WIP: none
Fixes the bug: darin: review+

Description Renata Hodovan 2015-04-08 05:26:52 PDT
Created attachment 250345
Test case

Load this test with debug WebKit:

<!DOCTYPE html>
<ins></ins>
<template>
    <frameset></frameset>
</template>

Note: the issue is also present in Blink; it has been reported there but isn't fixed yet: http://crbug.com/475002

Backtrace:

ASSERTION FAILED: m_templateInsertionModes.isEmpty()
../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp(2937) : void WebCore::HTMLTreeBuilder::finished()

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff8f53b700 (LWP 11681)]
0x00007fffed3987a4 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321	    *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fffed3987a4 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff30f2050 in WebCore::HTMLTreeBuilder::finished (this=0x7fffd57e7480) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2937
#2  0x00007ffff30bdfee in WebCore::HTMLDocumentParser::end (this=0x7fffd4017cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:402
#3  0x00007ffff30be0bc in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7fffd4017cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:411
#4  0x00007ffff30bcd6c in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7fffd4017cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:132
#5  0x00007ffff30be0f3 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7fffd4017cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:423
#6  0x00007ffff30be1a1 in WebCore::HTMLDocumentParser::finish (this=0x7fffd4017cc0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:451
#7  0x00007ffff3227b5b in WebCore::DocumentWriter::end (this=0x7fffd401aca0) at ../../Source/WebCore/loader/DocumentWriter.cpp:247
#8  0x00007ffff321320b in WebCore::DocumentLoader::finishedLoading (this=0x7fffd401ac00, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:429
#9  0x00007ffff3212f74 in WebCore::DocumentLoader::notifyFinished (this=0x7fffd401ac00, resource=0x7fffd403e000) at ../../Source/WebCore/loader/DocumentLoader.cpp:376
#10 0x00007ffff32c7348 in WebCore::CachedResource::checkNotify (this=0x7fffd403e000) at ../../Source/WebCore/loader/cache/CachedResource.cpp:291
#11 0x00007ffff32c7446 in WebCore::CachedResource::finishLoading (this=0x7fffd403e000) at ../../Source/WebCore/loader/cache/CachedResource.cpp:307
#12 0x00007ffff32c39c5 in WebCore::CachedRawResource::finishLoading (this=0x7fffd403e000, data=0x7fffd5fcf750) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:104
#13 0x00007ffff3276c45 in WebCore::SubresourceLoader::didFinishLoading (this=0x7fffd40b0000, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:371
#14 0x00007ffff3272597 in WebCore::ResourceLoader::didFinishLoading (this=0x7fffd40b0000, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:562
#15 0x00007ffff3c1cd7d in WebCore::readCallback (asyncResult=0x9371a0, data=0x7fffd5fc6da0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1318
#16 0x00007fffeae7f7d6 in async_ready_callback_wrapper (source_object=0x82f670, res=0x9371a0, user_data=user_data@entry=0x7fffd5fc6da0) at ginputstream.c:523
#17 0x00007fffeaea50d5 in g_task_return_now (task=0x9371a0) at gtask.c:1077
#18 0x00007fffeaea50f9 in complete_in_idle_cb (task=0x9371a0) at gtask.c:1086
#19 0x00007fffea15da2d in g_main_dispatch (context=0x478c20) at gmain.c:3064
#20 g_main_context_dispatch (context=context@entry=0x478c20) at gmain.c:3663
#21 0x00007fffea15dd98 in g_main_context_iterate (context=0x478c20, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734
#22 0x00007fffea15e05a in g_main_loop_run (loop=0x4f8470) at gmain.c:3928
#23 0x00007ffff431a260 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#24 0x00007ffff27f7192 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd8f8) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#25 0x00007ffff27f6ff7 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd8f8) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:77
#26 0x00000000004008d1 in main (argc=2, argv=0x7fffffffd8f8) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44
Comment 1 Ryosuke Niwa 2016-03-02 23:05:26 PST
I have a fix but there's a bug in a relevant W3C test :(

https://github.com/w3c/web-platform-tests/pull/2653
Comment 2 Ryosuke Niwa 2016-03-02 23:05:56 PST
Created attachment 272733
WIP
Comment 3 Ryosuke Niwa 2016-03-03 18:37:30 PST
Two more tests need to be fixed first: https://github.com/w3c/web-platform-tests/pull/2655
Comment 4 Ryosuke Niwa 2016-04-26 00:28:44 PDT
Created attachment 277349
Fixes the bug
Comment 5 Ryosuke Niwa 2016-04-26 00:29:23 PDT
Comment on attachment 277349
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=277349&action=review

> LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-template-element/template-element/template-as-a-descendant-expected.txt:7
> -PASS Template element as a descendant of the FRAMESET element. Template element is created by innerHTML 
> +FAIL Template element as a descendant of the FRAMESET element. Template element is created by innerHTML assert_not_equals: Template element should be a descendant of the FRAMESET element got disallowed value null
>  PASS Template element as an indirect descendant of the BODY element. Template element is created by innerHTML 
>  PASS Template element as an indirect descendant of the HEAD element. Template element is created by innerHTML 
> -PASS Template element as an indirect descendant of the FRAMESET element. Template element is created by innerHTML 
> +FAIL Template element as an indirect descendant of the FRAMESET element. Template element is created by innerHTML assert_not_equals: Template element should be a descendant of the FRAMESET element got disallowed value null
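Review bot: the two FRAMESET cases in this expectation file flip from PASS to FAIL (assert_not_equals got null), so once landed the file records that failure as the expected result and will not flag a regression in the template-inside-frameset path until the re-imported tests from bug 157026 replace it; state that dependency explicitly in the ChangeLog, or land this expectation update together with the re-import.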

These FAILs will become PASS once the re-import of the tests completes in bug 157026.
Comment 6 Ryosuke Niwa 2016-04-26 15:06:59 PDT
Committed r200108: <http://trac.webkit.org/changeset/200108>