Bug 106412 - REGRESSION(r139141): Assertion failure in WebCore::HTMLConstructionSite::HTMLConstructionSite
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac Unspecified
Importance: P2 Normal
Assignee: Tony Gentilcore
URL:
Keywords:
Depends on:
Blocks: 79668 106375
Reported: 2013-01-08 20:54 PST by Stephanie Lewis
Modified: 2013-01-09 12:59 PST (History)

See Also:


Attachments
crash log (353.64 KB, application/octet-stream)
2013-01-08 20:54 PST, Stephanie Lewis
no flags
Patch (2.17 KB, patch)
2013-01-09 09:56 PST, Tony Gentilcore
no flags

Description Stephanie Lewis 2013-01-08 20:54:43 PST
Created attachment 181836 [details]
crash log

Occurs on Mac Debug WK1 and WK2 Mountain Lion and Lion

Failing tests:
[540/1529] editing/style/justify-without-enclosing-block.xhtml failed unexpectedly (DumpRenderTree crashed [pid=8563])
[1134/1529] editing/execCommand/insert-list-xml.xhtml failed unexpectedly (DumpRenderTree crashed [pid=8566])
[1173/1529] editing/pasteboard/paste-noscript-xhtml.xhtml failed unexpectedly (DumpRenderTree crashed [pid=8572])
[1287/1529] editing/pasteboard/paste-xml.xhtml failed unexpectedly (DumpRenderTree crashed [pid=8598])

Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> 
    __TEXT                 000000010089a000-000000010089b000 [    4K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
objc[40866]: garbage collection is OFF
CRASHING TEST: editing/pasteboard/paste-noscript-xhtml.xhtml

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010342b0d4 WebCore::HTMLConstructionSite::HTMLConstructionSite(WebCore::DocumentFragment*, WebCore::FragmentScriptingPermission, unsigned int) + 276 (HTMLConstructionSite.cpp:161)
1   com.apple.WebCore             	0x000000010342afb9 WebCore::HTMLConstructionSite::HTMLConstructionSite(WebCore::DocumentFragment*, WebCore::FragmentScriptingPermission, unsigned int) + 41 (HTMLConstructionSite.cpp:162)
2   com.apple.WebCore             	0x000000010350db69 WebCore::HTMLTreeBuilder::HTMLTreeBuilder(WebCore::HTMLDocumentParser*, WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission, WebCore::HTMLParserOptions const&) + 121 (HTMLTreeBuilder.cpp:301)
3   com.apple.WebCore             	0x000000010350dadd WebCore::HTMLTreeBuilder::HTMLTreeBuilder(WebCore::HTMLDocumentParser*, WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission, WebCore::HTMLParserOptions const&) + 61 (HTMLTreeBuilder.cpp:320)
4   com.apple.WebCore             	0x000000010344ad99 WebCore::HTMLTreeBuilder::create(WebCore::HTMLDocumentParser*, WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission, WebCore::HTMLParserOptions const&) + 89 (HTMLTreeBuilder.h:67)
5   com.apple.WebCore             	0x0000000103448560 WebCore::HTMLDocumentParser::HTMLDocumentParser(WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission) + 352 (HTMLDocumentParser.cpp:92)
6   com.apple.WebCore             	0x00000001034483eb WebCore::HTMLDocumentParser::HTMLDocumentParser(WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission) + 43 (HTMLDocumentParser.cpp:99)
7   com.apple.WebCore             	0x000000010344bb37 WebCore::HTMLDocumentParser::create(WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission) + 71 (HTMLDocumentParser.h:93)
8   com.apple.WebCore             	0x000000010344a801 WebCore::HTMLDocumentParser::parseDocumentFragment(WTF::String const&, WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission) + 49 (HTMLDocumentParser.cpp:547)
9   com.apple.WebCore             	0x00000001030463cb WebCore::DocumentFragment::parseHTML(WTF::String const&, WebCore::Element*, WebCore::FragmentScriptingPermission) + 43 (DocumentFragment.cpp:82)
10  com.apple.WebCore             	0x0000000103ceefa7 WebCore::createFragmentFromMarkup(WebCore::Document*, WTF::String const&, WTF::String const&, WebCore::FragmentScriptingPermission) + 231 (markup.cpp:673)
11  com.apple.WebCore             	0x0000000103e1cdcc WebCore::Pasteboard::documentFragment(WebCore::Frame*, WTF::PassRefPtr<WebCore::Range>, bool, bool&) + 1660 (PasteboardMac.mm:470)
12  com.apple.WebCore             	0x00000001031f6824 WebCore::Editor::pasteWithPasteboard(WebCore::Pasteboard*, bool) + 308 (EditorMac.mm:87)
13  com.apple.WebCore             	0x00000001031de6d9 WebCore::Editor::paste() + 265 (Editor.cpp:1031)
14  com.apple.WebCore             	0x00000001031f0da1 _ZN7WebCoreL12executePasteEPNS_5FrameEPNS_5EventENS_19EditorCommandSourceERKN3WTF6StringE + 97 (EditorCommand.cpp:915)
15  com.apple.WebCore             	0x00000001031ed2f0 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const + 208 (EditorCommand.cpp:1704)
16  com.apple.WebCore             	0x0000000102ffe54e WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 78 (Document.cpp:4177)
17  com.apple.WebCore             	0x00000001037c82c2 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) + 978 (JSDocument.cpp:2602)
18  ???                           	0x0000397ec9201045 0 + 63216702984261
19  com.apple.JavaScriptCore      	0x0000000101e2ca04 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*) + 84 (JITCode.h:134)
20  com.apple.JavaScriptCore      	0x0000000101e29c7f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1519 (Interpreter.cpp:1055)
21  com.apple.JavaScriptCore      	0x0000000101c476f2 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 306 (CallData.cpp:39)
22  com.apple.WebCore             	0x0000000103739c12 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 146 (JSMainThreadExecState.h:56)
23  com.apple.WebCore             	0x000000010387b366 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1238 (JSEventListener.cpp:129)
24  com.apple.WebCore             	0x00000001032520c3 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 499 (EventTarget.cpp:211)
25  com.apple.WebCore             	0x0000000103251e95 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 325 (EventTarget.cpp:177)
26  com.apple.WebCore             	0x000000010319b4c0 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 272 (DOMWindow.cpp:1686)
27  com.apple.WebCore             	0x00000001031a24d8 WebCore::DOMWindow::dispatchLoadEvent() + 296 (DOMWindow.cpp:1660)
28  com.apple.WebCore             	0x0000000102ff76ef WebCore::Document::dispatchWindowLoadEvent() + 143 (Document.cpp:3663)
29  com.apple.WebCore             	0x0000000102ff51ad WebCore::Document::implicitClose() + 493 (Document.cpp:2421)
30  com.apple.WebCore             	0x00000001033196fb WebCore::FrameLoader::checkCallImplicitClose() + 155 (FrameLoader.cpp:834)
31  com.apple.WebCore             	0x00000001033193c3 WebCore::FrameLoader::checkCompleted() + 323 (FrameLoader.cpp:778)
32  com.apple.WebCore             	0x00000001033197c9 WebCore::FrameLoader::completed() + 185 (FrameLoader.cpp:1084)
33  com.apple.WebCore             	0x00000001033193e0 WebCore::FrameLoader::checkCompleted() + 352 (FrameLoader.cpp:781)
34  com.apple.WebCore             	0x0000000103319565 WebCore::FrameLoader::loadDone() + 21 (FrameLoader.cpp:723)
35  com.apple.WebCore             	0x0000000102d3d652 WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*) + 114 (CachedResourceLoader.cpp:723)
36  com.apple.WebCore             	0x00000001043ae1ff WebCore::SubresourceLoader::releaseResources() + 191 (SubresourceLoader.cpp:320)
37  com.apple.WebCore             	0x00000001041826eb WebCore::ResourceLoader::didFail(WebCore::ResourceError const&) + 283 (ResourceLoader.cpp:356)
38  com.apple.WebCore             	0x00000001043adfc5 WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) + 453 (SubresourceLoader.cpp:296)
39  com.apple.WebCore             	0x0000000104182d35 WebCore::ResourceLoader::didFail(WebCore::ResourceHandle*, WebCore::ResourceError const&) + 101 (ResourceLoader.cpp:465)
40  com.apple.WebCore             	0x000000010417fa25 -[WebCoreResourceHandleAsDelegate connection:didFailWithError:] + 245 (ResourceHandleMac.mm:834)
41  com.apple.Foundation          	0x00007fff83187b3b ___NSURLConnectionDidFail_block_invoke_1 + 125
42  com.apple.Foundation          	0x00007fff83187ab8 _NSURLConnectionDidFail + 85
43  com.apple.CFNetwork           	0x00007fff8a37f75d URLConnectionClient::_clientDidFailWithError(__CFError*, URLConnectionClient::ClientConnectionEventQueue*) + 667
44  com.apple.CFNetwork           	0x00007fff8a37e915 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 885
45  com.apple.CFNetwork           	0x00007fff8a2a9231 URLConnectionClient::processEvents() + 185
46  com.apple.CFNetwork           	0x00007fff8a2a90d6 MultiplexerSource::perform() + 212
47  com.apple.CoreFoundation      	0x00007fff854734f1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
48  com.apple.CoreFoundation      	0x00007fff85472d5d __CFRunLoopDoSources0 + 253
49  com.apple.CoreFoundation      	0x00007fff85499b49 __CFRunLoopRun + 905
50  com.apple.CoreFoundation      	0x00007fff85499486 CFRunLoopRunSpecific + 230
51  com.apple.HIToolbox           	0x00007fff867f02bf RunCurrentEventLoopInMode + 277
52  com.apple.HIToolbox           	0x00007fff867f756d ReceiveNextEventCommon + 355
53  com.apple.HIToolbox           	0x00007fff867f73fa BlockUntilNextEventMatchingListInMode + 62
54  com.apple.AppKit              	0x00007fff84312779 _DPSNextEvent + 659
55  com.apple.AppKit              	0x00007fff8431207d -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 135
56  com.apple.AppKit              	0x00007fff8430e9b9 -[NSApplication run] + 470
57  com.apple.WebCore             	0x00000001041b939c WebCore::RunLoop::run() + 92 (RunLoopMac.mm:37)
58  com.apple.WebKit2             	0x0000000100c65eaf int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMainDelegate>(WebKit::CommandLine const&) + 815 (ChildProcessMain.h:106)
59  com.apple.WebKit2             	0x0000000100c65b75 WebKit::WebProcessMain(WebKit::CommandLine const&) + 21 (WebProcessMainMac.mm:152)
60  com.apple.WebKit2             	0x0000000100b5f279 _ZL10WebKitMainRKN6WebKit11CommandLineE + 201 (WebKitMain.cpp:56)
61  com.apple.WebKit2             	0x0000000100b5f189 WebKitMain + 153 (WebKitMain.cpp:86)
62  com.apple.WebProcess          	0x000000010089ad92 main + 274
63  com.apple.WebProcess          	0x000000010089ac74 start + 52
Comment 1 Stephanie Lewis 2013-01-08 20:58:46 PST
Started failing here: http://trac.webkit.org/projects/webkit/changeset/139141
Comment 2 Stephanie Lewis 2013-01-08 21:24:56 PST
Landed expectations changes in http://trac.webkit.org/projects/webkit/changeset/139155
Comment 3 Geoffrey Garen 2013-01-08 23:09:57 PST
Should we roll out r139141?
Comment 4 Csaba Osztrogonác 2013-01-09 06:39:42 PST
Same assertion on Qt.
Comment 5 Tony Gentilcore 2013-01-09 09:56:09 PST
Created attachment 181939 [details]
Patch
Comment 6 WebKit Review Bot 2013-01-09 12:03:09 PST
Comment on attachment 181939 [details]
Patch

Clearing flags on attachment: 181939

Committed r139217: <http://trac.webkit.org/changeset/139217>
Comment 7 WebKit Review Bot 2013-01-09 12:03:13 PST
All reviewed patches have been landed.  Closing bug.
Comment 8 Adam Barth 2013-01-09 12:34:24 PST
Comment on attachment 181939 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=181939&action=review

> Source/WebCore/html/parser/HTMLConstructionSite.cpp:149
> -    ASSERT(m_document->isHTMLDocument());
> +    ASSERT(m_document->isHTMLDocument() || m_document->isXHTMLDocument());
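Review bot: the assertion widened here is the one at HTMLConstructionSite.cpp:149, but the crash log in the description fires at HTMLConstructionSite.cpp:161, inside the fragment constructor `HTMLConstructionSite(DocumentFragment*, FragmentScriptingPermission, unsigned)`, so this hunk on its own does not cover the reported failure. Either the fragment-path assertion at line 161 needs the same `|| m_document->isXHTMLDocument()` extension, or the patch description should name a document-parsing caller that actually reaches line 149 with an XHTML document; widening an assertion that no caller exercises only weakens the invariant the parser relies on.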

Is this change needed as well?  The stack in the bug looks like only the fragment case, which should flow through the ASSERT on line 161.
Comment 9 Adam Barth 2013-01-09 12:34:48 PST
Interesting.  The editing code uses the HTML parser when editing XHTML documents?  That seems strange.

@rniwa: Is that expected?
Comment 10 Ryosuke Niwa 2013-01-09 12:37:00 PST
(In reply to comment #9)
> Interesting.  The editing code uses the HTML parser when editing XHTML documents?  That seems strange.
> 
> @rniwa: Is that expected?

Yes, that is expected.
Comment 11 Adam Barth 2013-01-09 12:59:53 PST
Thanks!