Bug 225684

Summary: REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: DOMAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, cgarcia, darin, esprehn+autocc, ews-watchlist, kangil.han, koivisto, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=224408
Bug Depends on:    
Bug Blocks: 148695    
Attachments:
Description Flags
Patch darin: review+

Description Ryosuke Niwa 2021-05-11 19:25:38 PDT 
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001090fcdf3 WTFCrashWithInfo(int, char const*, char const*, int) + 19
1   com.apple.WebCore             	0x000000010a3df43a WebCore::SlotAssignment::assignedNodesForSlot(WebCore::HTMLSlotElement const&, WebCore::ShadowRoot&) + 426
2   com.apple.WebCore             	0x000000010a5e96d0 WebCore::HTMLSlotElement::assignedNodes() const + 64
3   com.apple.WebCore             	0x000000010a301f1e WebCore::ComposedTreeIterator::traverseNextInShadowTree() + 222
4   com.apple.WebCore             	0x000000010aeb019c WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) + 316
5   com.apple.WebCore             	0x000000010a3e3031 WebCore::SlotAssignment::didChangeSlot(WTF::AtomString const&, WebCore::ShadowRoot&) + 257
6   com.apple.WebCore             	0x000000010a36f4be WebCore::Element::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) + 270
7   com.apple.WebCore             	0x000000010a3124fa WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 58
8   com.apple.WebCore             	0x000000010a312382 WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&) + 130
9   com.apple.WebCore             	0x000000010a306016 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 998
10  com.apple.WebCore             	0x000000010a3a812d WebCore::Node::appendChild(WebCore::Node&) + 93
11  com.apple.WebCore             	0x0000000109744a0f WebCore::jsNodePrototypeFunction_appendChild(JSC::JSGlobalObject*, JSC::CallFrame*) + 223

<rdar://77799319>
Comment 1 Ryosuke Niwa 2021-05-11 20:11:16 PDT 
Created attachment 428338 [details]
Patch
Comment 2 Darin Adler 2021-05-11 21:58:09 PDT 
Comment on attachment 428338 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=428338&action=review

> Source/WebCore/ChangeLog:14
> +        the shadow root is conncted to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.

Typo in connected.
Comment 3 Ryosuke Niwa 2021-05-12 10:12:29 PDT 
(In reply to Darin Adler from comment #2)
> Comment on attachment 428338 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=428338&action=review
> 
> > Source/WebCore/ChangeLog:14
> > +        the shadow root is conncted to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.
> 
> Typo in connected.

Fixed. Thanks for the review.
Comment 4 Ryosuke Niwa 2021-05-12 10:13:24 PDT 
Committed r277373 (237631@main): <https://commits.webkit.org/237631@main>