Bug 196895

Summary: ASSERT fires when removing a disallowed clone from the shadow tree without resetting its corresponding element
Product: WebKit
Reporter: Said Abou-Hallawa <sabouhallawa>
Component: SVG
Assignee: Said Abou-Hallawa <sabouhallawa>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, darin, webkit-bug-importer, zimmermann
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  test case (will assert in debug) (flags: none)
  Patch (flags: none)

Description Said Abou-Hallawa 2019-04-13 02:42:26 PDT
Created attachment 367382 [details]
test case (will assert in debug)

Open the attached file. The following assertion will fire:

ASSERTION FAILED: listener.wasCreatedFromMarkup()
svg/SVGElement.cpp(434) : virtual bool WebCore::SVGElement::removeEventListener(const WTF::AtomicString &, WebCore::EventListener &, const WebCore::EventTarget::ListenerOptions &)
1   0x129513c29 WTFCrash
2   0x1140327eb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x117e697cc WebCore::SVGElement::removeEventListener(WTF::AtomicString const&, WebCore::EventListener&, WebCore::EventTarget::ListenerOptions const&)
4   0x1180c75ad WebCore::SVGTRefTargetEventListener::detach()
5   0x1180c89ae WebCore::SVGTRefElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&)
6   0x116640bd7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
7   0x116640ca7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
8   0x116640ca7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
9   0x116640a6f WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&)
10  0x11663cead WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource)
11  0x11663c6f0 WebCore::ContainerNode::removeChild(WebCore::Node&)
12  0x11663adca WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul>&)
13  0x11663a63a WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*)
14  0x1167fbdc9 WebCore::Node::after(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>&&)
15  0x114a76198 WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)
16  0x114a52c40 long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*)
17  0x114a5292c WebCore::jsElementPrototypeFunctionAfter(JSC::ExecState*)
18  0x64000c21016b
19  0x129a2e64c llint_entry
20  0x129a2e4d3 llint_entry
21  0x129a1b122 vmEntryToJavaScript
22  0x12a6a5277 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
23  0x12a6a58ad JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
24  0x12a97be9c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
25  0x12a97bf8a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
26  0x12a97c27e JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
27  0x11611ea58 WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
28  0x11616929c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)
29  0x1167a3a5a WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase)
30  0x1167a3502 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)
31  0x117178d0e WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)
Comment 1 Said Abou-Hallawa 2019-04-13 03:14:53 PDT
Created attachment 367383 [details]
Patch
Comment 2 Said Abou-Hallawa 2019-04-13 03:17:05 PDT
<rdar://problem/33951014>
Comment 3 Darin Adler 2019-04-13 07:52:48 PDT
Comment on attachment 367383 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=367383&action=review

> Source/WebCore/svg/SVGUseElement.cpp:325
>          for (auto& descendant : descendantsOfType<SVGElement>(*clone))
>              descendant.setCorrespondingElement(nullptr);
> +        if (is<SVGElement>(clone))
> +            downcast<SVGElement>(*clone).setCorrespondingElement(nullptr);
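Review bot: the added `is<SVGElement>(clone)` branch is easy to misread as redundant because it follows a loop that appears to cover the clone already; a short comment above it stating that descendantsOfType<SVGElement>(*clone) visits only the descendants and never *clone itself, and that the clone's own corresponding element therefore has to be cleared separately before the disallowed clone is removed (otherwise the removedFromAncestor path reaches the listener.wasCreatedFromMarkup() assertion shown in the description), would make the intent clear to the next reader. If the same "descendants plus self" pattern is needed at other call sites in this file, a small helper that iterates the element together with its SVGElement descendants would keep the two cases from drifting apart.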

Too bad there’s not a more elegant way of writing this. Just need a version of descendantsOfType that also includes the item itself if it has the right type.
Comment 4 WebKit Commit Bot 2019-04-15 11:54:28 PDT
Comment on attachment 367383 [details]
Patch

Clearing flags on attachment: 367383

Committed r244276: <https://trac.webkit.org/changeset/244276>
Comment 5 WebKit Commit Bot 2019-04-15 11:54:29 PDT
All reviewed patches have been landed.  Closing bug.