RESOLVED FIXED116979
ASSERTION FAILED: !m_adoptionIsRequired in void WebCore::TreeShared<NodeType>::ref() 
https://bugs.webkit.org/show_bug.cgi?id=116979
Summary ASSERTION FAILED: !m_adoptionIsRequired in void WebCore::TreeShared<NodeType>...
Renata Hodovan
Reported 2013-05-29 11:04:30 PDT
Created attachment 203218 [details] Test case The attached tests crashes in debug mode. Crashlog & backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff575275d in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339 339 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff575275d in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339 #1 0x00007ffff3bfd4d1 in WebCore::TreeShared<WebCore::Node>::ref (this=0x8d0ae0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/TreeShared.h:65 #2 0x00007ffff42cc5c2 in WebCore::Node::refEventTarget (this=0x8d0ad0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:792 #3 0x00007ffff3fc7039 in WebCore::EventTarget::ref (this=0x8d0ad0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.h:106 #4 0x00007ffff3fc7e9f in WTF::refIfNotNull<WebCore::EventTarget> (ptr=0x8d0ad0) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/PassRefPtr.h:46 #5 0x00007ffff4246327 in WTF::PassRefPtr<WebCore::EventTarget>::PassRefPtr (this=0x7fffffffbde0, ptr=0x8d0ad0) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/PassRefPtr.h:60 #6 0x00007ffff42994f8 in WebCore::EventDispatcher::dispatchScopedEvent (node=0x8d0ad0, mediator=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:73 #7 0x00007ffff42d0f3c in WebCore::Node::dispatchScopedEventDispatchMediator (this=0x8d0ad0, eventDispatchMediator=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2274 #8 0x00007ffff42d0eeb in WebCore::Node::dispatchScopedEvent (this=0x8d0ad0, event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2269 #9 0x00007ffff42d11e0 in WebCore::Node::dispatchSubtreeModifiedEvent (this=0x8d0ad0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2298 #10 0x00007ffff428f71d in WebCore::Element::didAddAttribute (this=0x8d0ad0, name=..., value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:2952
Attachments
Test case (133 bytes, text/html)
2013-05-29 11:04 PDT, Renata Hodovan 		no flags
Details
Patch (7.24 KB, patch)
2013-08-14 19:21 PDT, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (4.51 KB, patch)
2013-08-15 11:41 PDT, Rob Buis 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Rob Buis
Comment 1 2013-08-14 19:21:58 PDT
Created attachment 208781 [details] Patch
Antti Koivisto
Comment 2 2013-08-15 06:40:29 PDT
Comment on attachment 208781 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=208781&action=review > Source/WebCore/html/HTMLProgressElement.cpp:159 > RefPtr<ProgressInnerElement> inner = ProgressInnerElement::create(document()); > + inner->setPseudo(AtomicString("-webkit-progress-inner-element", AtomicString::ConstructFromLiteral)); It would be nicer to make these setPseudo calls in ::create() so it is not possible to construct ProgressInnerElement and pals without the right pseudo type.
Rob Buis
Comment 3 2013-08-15 08:02:24 PDT
(In reply to comment #2) > (From update of attachment 208781 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=208781&action=review > > > Source/WebCore/html/HTMLProgressElement.cpp:159 > > RefPtr<ProgressInnerElement> inner = ProgressInnerElement::create(document()); > > + inner->setPseudo(AtomicString("-webkit-progress-inner-element", AtomicString::ConstructFromLiteral)); > > It would be nicer to make these setPseudo calls in ::create() so it is not possible to construct ProgressInnerElement and pals without the right pseudo type. Great idea, I fixed it before landing. A shame that we are not always consistent here.
Rob Buis
Comment 4 2013-08-15 08:03:42 PDT
Committed r154099: <http://trac.webkit.org/changeset/154099>
Darin Adler
Comment 5 2013-08-15 10:41:25 PDT
Comment on attachment 208781 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=208781&action=review > Source/WebCore/html/shadow/ProgressShadowElement.h:69 > + ProgressBarElement(Document*); Shouldn’t this constructor be private, if it’s only supposed to be called by the create function? > Source/WebCore/html/shadow/ProgressShadowElement.h:81 > + ProgressValueElement(Document*); Same question.
Rob Buis
Comment 6 2013-08-15 10:46:40 PDT
(In reply to comment #5) > (From update of attachment 208781 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=208781&action=review > > > Source/WebCore/html/shadow/ProgressShadowElement.h:69 > > + ProgressBarElement(Document*); > > Shouldn’t this constructor be private, if it’s only supposed to be called by the create function? > > > Source/WebCore/html/shadow/ProgressShadowElement.h:81 > > + ProgressValueElement(Document*); > > Same question. Good point, I'll try to make a follow-up patch.
Rob Buis
Comment 7 2013-08-15 11:41:08 PDT
Reopening to attach new patch.
Rob Buis
Comment 8 2013-08-15 11:41:13 PDT
Created attachment 208827 [details] Patch
WebKit Commit Bot
Comment 9 2013-08-15 12:51:49 PDT
Comment on attachment 208827 [details] Patch Clearing flags on attachment: 208827 Committed r154121: <http://trac.webkit.org/changeset/154121>
WebKit Commit Bot
Comment 10 2013-08-15 12:51:52 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.