Bug 225684

Summary: REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: DOM
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, cgarcia, darin, esprehn+autocc, ews-watchlist, kangil.han, koivisto, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=224408
Bug Depends on:
Bug Blocks: 148695
Attachments:
Description Flags
Patch darin: review+

Ryosuke Niwa
Reported 2021-05-11 19:25:38 PDT
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore  0x00000001090fcdf3 WTFCrashWithInfo(int, char const*, char const*, int) + 19
1   com.apple.WebCore  0x000000010a3df43a WebCore::SlotAssignment::assignedNodesForSlot(WebCore::HTMLSlotElement const&, WebCore::ShadowRoot&) + 426
2   com.apple.WebCore  0x000000010a5e96d0 WebCore::HTMLSlotElement::assignedNodes() const + 64
3   com.apple.WebCore  0x000000010a301f1e WebCore::ComposedTreeIterator::traverseNextInShadowTree() + 222
4   com.apple.WebCore  0x000000010aeb019c WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) + 316
5   com.apple.WebCore  0x000000010a3e3031 WebCore::SlotAssignment::didChangeSlot(WTF::AtomString const&, WebCore::ShadowRoot&) + 257
6   com.apple.WebCore  0x000000010a36f4be WebCore::Element::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) + 270
7   com.apple.WebCore  0x000000010a3124fa WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 58
8   com.apple.WebCore  0x000000010a312382 WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&) + 130
9   com.apple.WebCore  0x000000010a306016 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 998
10  com.apple.WebCore  0x000000010a3a812d WebCore::Node::appendChild(WebCore::Node&) + 93
11  com.apple.WebCore  0x0000000109744a0f WebCore::jsNodePrototypeFunction_appendChild(JSC::JSGlobalObject*, JSC::CallFrame*) + 223

<rdar://77799319>
Attachments
Patch (4.99 KB, patch)
2021-05-11 20:11 PDT, Ryosuke Niwa
darin: review+
Ryosuke Niwa
Comment 1 2021-05-11 20:11:16 PDT
Darin Adler
Comment 2 2021-05-11 21:58:09 PDT
Comment on attachment 428338 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=428338&action=review

> Source/WebCore/ChangeLog:14
> + the shadow root is conncted to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.

Typo in connected.
Ryosuke Niwa
Comment 3 2021-05-12 10:12:29 PDT
(In reply to Darin Adler from comment #2)
> Comment on attachment 428338 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=428338&action=review
>
> > Source/WebCore/ChangeLog:14
> > + the shadow root is conncted to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.
>
> Typo in connected.

Fixed. Thanks for the review.
Ryosuke Niwa
Comment 4 2021-05-12 10:13:24 PDT