Bug 122092 - ASSERTION FAILED: isHTMLTitleElement(m_titleElement.get()) in WebCore::Document::setTitle
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Renata Hodovan
URL:
Keywords:
Duplicates: 123856
Depends on:
Blocks: 116980
Reported: 2013-09-30 02:22 PDT by Renata Hodovan
Modified: 2013-11-05 19:46 PST

See Also:


Attachments
Test case (163 bytes, text/html) - 2013-09-30 02:24 PDT, Renata Hodovan
Proposed patch (4.99 KB, patch) - 2013-10-09 07:57 PDT, Renata Hodovan

Description Renata Hodovan 2013-09-30 02:22:33 PDT
The failing test:

<html>
	<svg>
		<title>title</title>
	</svg>
	<script> document.write("<title>"); document.title = "Property"; document.write("Written</title>");</script>
</html>


The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff4095653 in WebCore::Document::setTitle (this=0x89da80, title=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:1560
#2  0x00007ffff4dc9c4f in WebCore::setJSDocumentTitle (exec=0x7fff967c1fa0, thisObject=0x7fff8df1feb0, value=...) at generated/JSDocument.cpp:1653
#3  0x00007ffff4dd3c70 in JSC::putEntry<WebCore::JSDocument> (exec=0x7fff967c1fa0, entry=0x8ff750, propertyName=..., value=..., thisObj=0x7fff8df1feb0, 
    shouldThrow=false) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Lookup.h:301
#4  0x00007ffff4dd3980 in JSC::lookupPut<WebCore::JSDocument> (exec=0x7fff967c1fa0, propertyName=..., value=..., table=..., thisObj=0x7fff8df1feb0, 
    shouldThrow=false) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Lookup.h:319
#5  0x00007ffff4dd31ba in JSC::lookupPut<WebCore::JSDocument, WebCore::JSNode> (exec=0x7fff967c1fa0, propertyName=..., value=..., table=..., 
    thisObj=0x7fff8df1feb0, slot=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Lookup.h:332
#6  0x00007ffff4dc9aa5 in WebCore::JSDocument::put (cell=0x7fff8df1feb0, exec=0x7fff967c1fa0, propertyName=..., value=..., slot=...)
    at generated/JSDocument.cpp:1614
#7  0x00007ffff4ebbcd6 in JSC::lookupPut<WebCore::JSHTMLDocument, WebCore::JSDocument> (exec=0x7fff967c1fa0, propertyName=..., value=..., table=..., 
    thisObj=0x7fff8df1feb0, slot=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Lookup.h:333
#8  0x00007ffff4ebaa35 in WebCore::JSHTMLDocument::put (cell=0x7fff8df1feb0, exec=0x7fff967c1fa0, propertyName=..., value=..., slot=...)
    at generated/JSHTMLDocument.cpp:320
#9  0x00007ffff536e48d in JSC::JSValue::put (this=0x7fffffffaf70, exec=0x7fff967c1fa0, propertyName=..., value=..., slot=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703
#10 0x00007ffff5473aa6 in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7fff967c1fa0, pc=0x8fd550)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:583
#11 0x00007ffff67453f1 in llint_op_put_by_id () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5
#12 0x00007fff967c1fa0 in ?? ()
#13 0x0000000000761f28 in ?? ()
#14 0x00007fffffffb080 in ?? ()
#15 0x00007ffff541de2f in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:214
#16 0x00007ffff54311e2 in JSC::JITCode::execute (this=0x8d0f60, stack=0x761f28, callFrame=0x7fff967c1fa0, vm=0x80f5c0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46
#17 0x00007ffff541a654 in JSC::Interpreter::execute (this=0x761f10, program=0x7fff8df5fef0, callFrame=0x7fff8e03f9b0, thisObj=0x7fff8e07ffd8)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:888
#18 0x00007ffff5513275 in JSC::evaluate (exec=0x7fff8e03f9b0, source=..., thisValue=..., returnedException=0x7fffffffc6a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#19 0x00007ffff3e563ef in WebCore::JSMainThreadExecState::evaluate (exec=0x7fff8e03f9b0, source=..., thisValue=..., exception=0x7fffffffc6a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSMainThreadExecState.h:62
#20 0x00007ffff3e75d0a in WebCore::ScriptController::evaluateInWorld (this=0x769180, sourceCode=..., world=0x7a5480)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScriptController.cpp:142
#21 0x00007ffff3e75e18 in WebCore::ScriptController::evaluate (this=0x769180, sourceCode=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScriptController.cpp:158
#22 0x00007ffff415e2d1 in WebCore::ScriptElement::executeScript (this=0x8d92b8, sourceCode=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ScriptElement.cpp:315
#23 0x00007ffff415dafa in WebCore::ScriptElement::prepareScript (this=0x8d92b8, scriptStartPosition=..., 
    supportLegacyTypes=WebCore::ScriptElement::DisallowLegacyTypeInTypeAttribute)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ScriptElement.cpp:246
#24 0x00007ffff431777e in WebCore::HTMLScriptRunner::runScript (this=0x7605a0, script=0x8d9250, scriptStartPosition=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLScriptRunner.cpp:312
#25 0x00007ffff4316ef4 in WebCore::HTMLScriptRunner::execute (this=0x7605a0, scriptElement=..., scriptStartPosition=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLScriptRunner.cpp:181
#26 0x00007ffff43036cb in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0x76d8f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:272
#27 0x00007ffff43037b6 in WebCore::HTMLDocumentParser::canTakeNextToken (this=0x76d8f0, mode=WebCore::HTMLDocumentParser::AllowYield, session=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:291
#28 0x00007ffff4303da9 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x76d8f0, mode=WebCore::HTMLDocumentParser::AllowYield)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:536
#29 0x00007ffff4303539 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x76d8f0, mode=WebCore::HTMLDocumentParser::AllowYield)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:236
#30 0x00007ffff430461f in WebCore::HTMLDocumentParser::append (this=0x76d8f0, inputSource=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:742
#31 0x00007ffff408be6a in WebCore::DecodedDataDocumentParser::flush (this=0x76d8f0, writer=0x6e1fb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#32 0x00007ffff44a075f in WebCore::DocumentWriter::end (this=0x6e1fb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:242
#33 0x00007ffff4492d46 in WebCore::DocumentLoader::finishedLoading (this=0x6e1f10, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:408
#34 0x00007ffff4492ab4 in WebCore::DocumentLoader::notifyFinished (this=0x6e1f10, resource=0x7422a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:345
#35 0x00007ffff4479bcc in WebCore::CachedResource::checkNotify (this=0x7422a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#36 0x00007ffff4479ca6 in WebCore::CachedResource::finishLoading (this=0x7422a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#37 0x00007ffff4476360 in WebCore::CachedRawResource::finishLoading (this=0x7422a0, data=0x791110)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#38 0x00007ffff44dcc2d in WebCore::SubresourceLoader::didFinishLoading (this=0x774690, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:283
#39 0x00007ffff44d34e7 in WebCore::ResourceLoader::didFinishLoading (this=0x774690, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:489
#40 0x00007ffff49954b5 in WebCore::QNetworkReplyHandler::finish (this=0x777fe0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#41 0x00007ffff49940dd in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x778018)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#42 0x00007ffff4993ddb in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x778018, method=
    (void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff49952fa <WebCore::QNetworkReplyHandler::finish()>)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#43 0x00007ffff4994da8 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x756d40)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#44 0x00007ffff4997728 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x756d40, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffd240)
    at .moc/release-shared/moc_QNetworkReplyHandler.cpp:175
#45 0x00007ffff1d9ed71 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#46 0x00007ffff1da033e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#47 0x00007ffff2c6ea24 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#48 0x00007ffff2c71eb6 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#49 0x00007ffff1d778f4 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#50 0x00007ffff1d7a1a9 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#51 0x00007ffff1dc19c3 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#52 0x00007fffeeb88d53 in g_main_dispatch (context=0x656e00) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:2539
#53 g_main_context_dispatch (context=0x656e00) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3075
#54 0x00007fffeeb890a0 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x656e00, self=<optimized out>)
    at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3146
#55 g_main_context_iterate (context=0x656e00, block=<optimized out>, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3083
#56 0x00007fffeeb89164 in g_main_context_iteration (context=0x656e00, may_block=1) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3207
#57 0x00007ffff1dc1e04 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#58 0x00007ffff1d7668b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#59 0x00007ffff1d7a6de in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#60 0x0000000000420da0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:50
#61 0x0000000000422880 in main (argc=2, argv=0x7fffffffdf18) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:319
Comment 1 Renata Hodovan 2013-09-30 02:24:19 PDT
Created attachment 212964 [details]
Test case
Comment 2 Renata Hodovan 2013-10-09 07:57:36 PDT
Created attachment 213778 [details]
Proposed patch

The problem was that m_titleElement could be either an HTMLTitleElement or an SVGTitleElement, so the assertion was wrong.

The patch is backported from Blink: https://src.chromium.org/viewvc/blink?revision=158620&view=revision
Comment 3 Darin Adler 2013-10-09 19:15:53 PDT
Comment on attachment 213778 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=213778&action=review

> Source/WebCore/ChangeLog:8
> +        Remove a bogus assert in Document::setTitle().

This is an incorrect description of what this patch does. The patch removes a bad cast.

> Source/WebCore/svg/SVGTitleElement.cpp:46
> +    // FIXME: It's possible to register SVGTitleElement to an HTMLDocument.

Sorry, I don’t understand what “register to an HTMLDocument” means, nor do I understand what we need to fix.
Comment 4 Renata Hodovan 2013-11-05 05:25:16 PST
Comment on attachment 213778 [details]
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=213778&action=review

>> Source/WebCore/ChangeLog:8
>> +        Remove a bogus assert in Document::setTitle().
> 
> This is an incorrect description of what this patch does. The patch removes a bad cast.

What? I don't really understand this thing about casting... I only removed the assert check (since m_titleElement could be SVGTitleElement too) and I combined the two conditions.

>> Source/WebCore/svg/SVGTitleElement.cpp:46
>> +    // FIXME: It's possible to register SVGTitleElement to an HTMLDocument.
> 
> Sorry, I don’t understand what “register to an HTMLDocument” means, nor do I understand what we need to fix.

I guess document() can return an HTMLDocument, not just an SVGDocument, and perhaps we should handle it differently. But I just backported the patch, so I'm not sure.
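A constructed illustration (not WebKit or Blink code) of the mechanism discussed in Comments 2 to 4: the document keeps its title element as a base Element pointer, so an assert-only type check leaves the downcast unchecked in release builds, and the fix is to test the type before casting, as the combined condition does. The class names mirror the report but are simplified stand-ins, and toHTMLTitleElementOrNull is a hypothetical helper, not a WebCore function.

```cpp
#include <memory>
#include <string>

// Constructed stand-in for WebCore's element hierarchy: HTML <title> and
// SVG <title> share a base class, and Document holds only a base pointer.
struct Element {
    virtual ~Element() = default;
    virtual bool isHTMLTitleElement() const { return false; }
};
struct HTMLTitleElement : Element {
    std::string text;
    bool isHTMLTitleElement() const override { return true; }
    void setText(const std::string& t) { text = t; }
};
struct SVGTitleElement : Element {
    std::string text; // filled by the parser; document.title must not touch it
};
// Hypothetical checked downcast: yields nullptr instead of a mis-typed pointer.
inline HTMLTitleElement* toHTMLTitleElementOrNull(Element* e) {
    return (e && e->isHTMLTitleElement()) ? static_cast<HTMLTitleElement*>(e) : nullptr;
}
struct Document {
    std::unique_ptr<Element> m_titleElement; // whichever <title> the parser saw first
    std::string m_title;
    // Before the fix (modelled): the only type check was an ASSERT, which is
    // compiled out in release builds. This reports whether the unconditional
    // cast would have been sound; false is the type confusion the test case hits.
    bool unconditionalCastWouldBeSound() const {
        return !m_titleElement || m_titleElement->isHTMLTitleElement();
    }
    // After the fix (modelled on "combined the two conditions" in Comment 4):
    // the element is only touched when it really is an HTML <title>.
    void setTitle(const std::string& title) {
        m_title = title;
        if (HTMLTitleElement* html = toHTMLTitleElementOrNull(m_titleElement.get()))
            html->setText(title);
    }
};
// The reproducer from the description: an inline SVG <title> becomes the
// document's title element, then script assigns document.title.
Document reproducer() {
    Document doc;
    auto svgTitle = std::make_unique<SVGTitleElement>();
    svgTitle->text = "title";
    doc.m_titleElement = std::move(svgTitle);
    doc.setTitle("Property");
    return doc;
}
```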
Comment 5 WebKit Commit Bot 2013-11-05 11:14:43 PST
Comment on attachment 213778 [details]
Proposed patch

Clearing flags on attachment: 213778

Committed r158682: <http://trac.webkit.org/changeset/158682>
Comment 6 WebKit Commit Bot 2013-11-05 11:14:47 PST
All reviewed patches have been landed.  Closing bug.
Comment 7 Ryosuke Niwa 2013-11-05 19:46:10 PST
*** Bug 123856 has been marked as a duplicate of this bug. ***