WebKit Bugzilla
RESOLVED FIXED
122092
ASSERTION FAILED: isHTMLTitleElement(m_titleElement.get()) in WebCore::Document::setTitle
https://bugs.webkit.org/show_bug.cgi?id=122092
Renata Hodovan
Reported
2013-09-30 02:22:33 PDT
The failing test:

<html>
<svg>
<title>title</title>
</svg>
<script>
document.write("<title>");
document.title = "Property";
document.write("Written</title>");
</script>
</html>

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56134c6 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff4095653 in WebCore::Document::setTitle (this=0x89da80, title=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:1560
#2  0x00007ffff4dc9c4f in WebCore::setJSDocumentTitle (exec=0x7fff967c1fa0, thisObject=0x7fff8df1feb0, value=...) at generated/JSDocument.cpp:1653
#3  0x00007ffff4dd3c70 in JSC::putEntry<WebCore::JSDocument> (exec=0x7fff967c1fa0, entry=0x8ff750, propertyName=..., value=..., thisObj=0x7fff8df1feb0, shouldThrow=false) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Lookup.h:301
#4  0x00007ffff4dd3980 in JSC::lookupPut<WebCore::JSDocument> (exec=0x7fff967c1fa0, propertyName=..., value=..., table=..., thisObj=0x7fff8df1feb0, shouldThrow=false) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Lookup.h:319
#5  0x00007ffff4dd31ba in JSC::lookupPut<WebCore::JSDocument, WebCore::JSNode> (exec=0x7fff967c1fa0, propertyName=..., value=..., table=..., thisObj=0x7fff8df1feb0, slot=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Lookup.h:332
#6  0x00007ffff4dc9aa5 in WebCore::JSDocument::put (cell=0x7fff8df1feb0, exec=0x7fff967c1fa0, propertyName=..., value=..., slot=...) at generated/JSDocument.cpp:1614
#7  0x00007ffff4ebbcd6 in JSC::lookupPut<WebCore::JSHTMLDocument, WebCore::JSDocument> (exec=0x7fff967c1fa0, propertyName=..., value=..., table=..., thisObj=0x7fff8df1feb0, slot=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Lookup.h:333
#8  0x00007ffff4ebaa35 in WebCore::JSHTMLDocument::put (cell=0x7fff8df1feb0, exec=0x7fff967c1fa0, propertyName=..., value=..., slot=...) at generated/JSHTMLDocument.cpp:320
#9  0x00007ffff536e48d in JSC::JSValue::put (this=0x7fffffffaf70, exec=0x7fff967c1fa0, propertyName=..., value=..., slot=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703
#10 0x00007ffff5473aa6 in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7fff967c1fa0, pc=0x8fd550) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:583
#11 0x00007ffff67453f1 in llint_op_put_by_id () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5
#12 0x00007fff967c1fa0 in ?? ()
#13 0x0000000000761f28 in ?? ()
#14 0x00007fffffffb080 in ?? ()
#15 0x00007ffff541de2f in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:214
#16 0x00007ffff54311e2 in JSC::JITCode::execute (this=0x8d0f60, stack=0x761f28, callFrame=0x7fff967c1fa0, vm=0x80f5c0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46
#17 0x00007ffff541a654 in JSC::Interpreter::execute (this=0x761f10, program=0x7fff8df5fef0, callFrame=0x7fff8e03f9b0, thisObj=0x7fff8e07ffd8) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:888
#18 0x00007ffff5513275 in JSC::evaluate (exec=0x7fff8e03f9b0, source=..., thisValue=..., returnedException=0x7fffffffc6a0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:83
#19 0x00007ffff3e563ef in WebCore::JSMainThreadExecState::evaluate (exec=0x7fff8e03f9b0, source=..., thisValue=..., exception=0x7fffffffc6a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSMainThreadExecState.h:62
#20 0x00007ffff3e75d0a in WebCore::ScriptController::evaluateInWorld (this=0x769180, sourceCode=..., world=0x7a5480) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScriptController.cpp:142
#21 0x00007ffff3e75e18 in WebCore::ScriptController::evaluate (this=0x769180, sourceCode=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/ScriptController.cpp:158
#22 0x00007ffff415e2d1 in WebCore::ScriptElement::executeScript (this=0x8d92b8, sourceCode=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ScriptElement.cpp:315
#23 0x00007ffff415dafa in WebCore::ScriptElement::prepareScript (this=0x8d92b8, scriptStartPosition=..., supportLegacyTypes=WebCore::ScriptElement::DisallowLegacyTypeInTypeAttribute) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ScriptElement.cpp:246
#24 0x00007ffff431777e in WebCore::HTMLScriptRunner::runScript (this=0x7605a0, script=0x8d9250, scriptStartPosition=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLScriptRunner.cpp:312
#25 0x00007ffff4316ef4 in WebCore::HTMLScriptRunner::execute (this=0x7605a0, scriptElement=..., scriptStartPosition=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLScriptRunner.cpp:181
#26 0x00007ffff43036cb in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0x76d8f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:272
#27 0x00007ffff43037b6 in WebCore::HTMLDocumentParser::canTakeNextToken (this=0x76d8f0, mode=WebCore::HTMLDocumentParser::AllowYield, session=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:291
#28 0x00007ffff4303da9 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x76d8f0, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:536
#29 0x00007ffff4303539 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x76d8f0, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:236
#30 0x00007ffff430461f in WebCore::HTMLDocumentParser::append (this=0x76d8f0, inputSource=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:742
#31 0x00007ffff408be6a in WebCore::DecodedDataDocumentParser::flush (this=0x76d8f0, writer=0x6e1fb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#32 0x00007ffff44a075f in WebCore::DocumentWriter::end (this=0x6e1fb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:242
#33 0x00007ffff4492d46 in WebCore::DocumentLoader::finishedLoading (this=0x6e1f10, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:408
#34 0x00007ffff4492ab4 in WebCore::DocumentLoader::notifyFinished (this=0x6e1f10, resource=0x7422a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:345
#35 0x00007ffff4479bcc in WebCore::CachedResource::checkNotify (this=0x7422a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#36 0x00007ffff4479ca6 in WebCore::CachedResource::finishLoading (this=0x7422a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#37 0x00007ffff4476360 in WebCore::CachedRawResource::finishLoading (this=0x7422a0, data=0x791110) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#38 0x00007ffff44dcc2d in WebCore::SubresourceLoader::didFinishLoading (this=0x774690, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:283
#39 0x00007ffff44d34e7 in WebCore::ResourceLoader::didFinishLoading (this=0x774690, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:489
#40 0x00007ffff49954b5 in WebCore::QNetworkReplyHandler::finish (this=0x777fe0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#41 0x00007ffff49940dd in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x778018) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#42 0x00007ffff4993ddb in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x778018, method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff49952fa <WebCore::QNetworkReplyHandler::finish()>) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#43 0x00007ffff4994da8 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x756d40) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#44 0x00007ffff4997728 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x756d40, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffd240) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:175
#45 0x00007ffff1d9ed71 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#46 0x00007ffff1da033e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#47 0x00007ffff2c6ea24 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#48 0x00007ffff2c71eb6 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Widgets.so.5
#49 0x00007ffff1d778f4 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#50 0x00007ffff1d7a1a9 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#51 0x00007ffff1dc19c3 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#52 0x00007fffeeb88d53 in g_main_dispatch (context=0x656e00) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:2539
#53 g_main_context_dispatch (context=0x656e00) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3075
#54 0x00007fffeeb890a0 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x656e00, self=<optimized out>) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3146
#55 g_main_context_iterate (context=0x656e00, block=<optimized out>, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3083
#56 0x00007fffeeb89164 in g_main_context_iteration (context=0x656e00, may_block=1) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3207
#57 0x00007ffff1dc1e04 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#58 0x00007ffff1d7668b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#59 0x00007ffff1d7a6de in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.1.1/lib/libQt5Core.so.5
#60 0x0000000000420da0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:50
#61 0x0000000000422880 in main (argc=2, argv=0x7fffffffdf18) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:319
Attachments
Test case (163 bytes, text/html), 2013-09-30 02:24 PDT, Renata Hodovan, no flags
Proposed patch (4.99 KB, patch), 2013-10-09 07:57 PDT, Renata Hodovan, no flags
Renata Hodovan
Comment 1
2013-09-30 02:24:19 PDT
Created attachment 212964 [details]: Test case
Renata Hodovan
Comment 2
2013-10-09 07:57:36 PDT
Created attachment 213778 [details]: Proposed patch

The problem was that m_titleElement element could be both HTMLTitleElement and SVGTitleElement. This way the assertion was wrong. The patch is backported from Blink:
https://src.chromium.org/viewvc/blink?revision=158620&view=revision
Darin Adler
Comment 3
2013-10-09 19:15:53 PDT
Comment on attachment 213778 [details]: Proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=213778&action=review

> Source/WebCore/ChangeLog:8
> +        Remove a bogus assert in Document::setTitle().

This is an incorrect description of what this patch does. The patch removes a bad cast.

> Source/WebCore/svg/SVGTitleElement.cpp:46
> +    // FIXME: It's possible to register SVGTitleElement to an HTMLDocument.

Sorry, I don’t understand what “register to an HTMLDocument” means, nor do I understand what we need to fix.
Renata Hodovan
Comment 4
2013-11-05 05:25:16 PST
Comment on attachment 213778 [details]: Proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=213778&action=review

>> Source/WebCore/ChangeLog:8
>> +        Remove a bogus assert in Document::setTitle().
>
> This is an incorrect description of what this patch does. The patch removes a bad cast.

What? I don't really understand this thing about casting... I only removed the assert check (since m_titleElement could be SVGTitleElement too) and I combined the two conditions.

>> Source/WebCore/svg/SVGTitleElement.cpp:46
>> +    // FIXME: It's possible to register SVGTitleElement to an HTMLDocument.
>
> Sorry, I don’t understand what “register to an HTMLDocument” means, nor do I understand what we need to fix.
I guess document() can return with an HTMLDocument, not just SVGDocument and perhaps we should handle it differently. But I just backported the patch, so I'm not sure.
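The disagreement in comments 2 to 4 is about the same line: a debug-only ASSERT was the only thing standing between an SVGTitleElement stored in m_titleElement and a cast to HTMLTitleElement, and an ASSERT is compiled out of release builds. The reduced C++ model below is an added illustration, not WebKit's code and not part of the patch on this bug. It replays the test case's sequence (an SVG <title> is parsed first, then script assigns document.title) against two shapes of setTitle: the pre-fix shape, which reports whether the cast would have been applied to a non-HTML element, and the fixed shape, in which the runtime isHTMLTitleElement() check guards the cast. The class names mirror WebKit's, but every type here, the addTitle() parser hook and the first-title-wins rule are hypothetical stand-ins chosen for the model.

```cpp
// Added illustration of the Document::setTitle type-confusion discussed on this bug.
// Not WebKit code: the classes below are hypothetical stand-ins that only mimic the shape.
#include <iostream>
#include <memory>
#include <string>
#include <vector>

enum class TitleKind { HTML, SVG };

struct Element {
    virtual ~Element() = default;
    virtual TitleKind kind() const = 0;   // stand-in for WebKit's tag-name/namespace checks
};

struct HTMLTitleElement : Element {
    std::string text;
    TitleKind kind() const override { return TitleKind::HTML; }
    void setText(const std::string& t) { text = t; }
};

struct SVGTitleElement : Element {
    std::string text;   // a different class with a different layout, and no setText()
    TitleKind kind() const override { return TitleKind::SVG; }
};

inline bool isHTMLTitleElement(const Element* e) { return e && e->kind() == TitleKind::HTML; }

// Unchecked downcast, the way a release-build toHTMLTitleElement() behaves once ASSERT is gone.
inline HTMLTitleElement* toHTMLTitleElement(Element* e) { return static_cast<HTMLTitleElement*>(e); }

struct Document {
    std::vector<std::unique_ptr<Element>> children;
    Element* m_titleElement = nullptr;   // first <title> seen, HTML or SVG (model assumption)
    std::string m_title;

    // Parser hook (hypothetical): the first <title> of either namespace becomes
    // m_titleElement, which is how the test case gets an SVGTitleElement into this slot.
    void addTitle(std::unique_ptr<Element> e) {
        if (!m_titleElement) m_titleElement = e.get();
        children.push_back(std::move(e));
    }

    // Pre-fix shape. Returns true when the cast would have been applied to a
    // non-HTML element, i.e. the case the debug assertion was catching. The cast
    // itself is deliberately not performed here.
    bool setTitleUncheckedWouldConfuse(const std::string& title) {
        m_title = title;
        if (!m_titleElement) return false;
        // ASSERT(isHTMLTitleElement(m_titleElement));   <- compiled out in release builds
        return !isHTMLTitleElement(m_titleElement);
    }

    // Fixed shape: the runtime type check guards the cast, so a non-HTML title
    // element is simply left alone. Returns true when text was written.
    bool setTitle(const std::string& title) {
        m_title = title;
        if (m_titleElement && isHTMLTitleElement(m_titleElement)) {
            toHTMLTitleElement(m_titleElement)->setText(title);
            return true;
        }
        return false;
    }
};

struct Outcome {
    bool confusionBeforeFix = false;
    bool wroteAfterFix = false;
    std::string svgText;
};

// Replays the bug's test case: <svg><title>title</title></svg> is parsed first,
// then script runs document.title = "Property".
Outcome replayTestCase() {
    Document doc;
    auto svgTitle = std::make_unique<SVGTitleElement>();
    svgTitle->text = "title";
    SVGTitleElement* svg = svgTitle.get();
    doc.addTitle(std::move(svgTitle));
    Outcome o;
    o.confusionBeforeFix = doc.setTitleUncheckedWouldConfuse("Property");
    o.wroteAfterFix = doc.setTitle("Property");
    o.svgText = svg->text;   // fixed path never touched the SVG element
    return o;
}

// Control: with an ordinary HTML <title> the fixed path still writes the text.
bool htmlTitleStillWorks() {
    Document doc;
    auto t = std::make_unique<HTMLTitleElement>();
    HTMLTitleElement* h = t.get();
    doc.addTitle(std::move(t));
    return doc.setTitle("Property") && h->text == "Property";
}

int main() {
    Outcome o = replayTestCase();
    std::cout << "unchecked cast would hit a non-HTML element: " << (o.confusionBeforeFix ? "yes" : "no") << "\n"
              << "fixed path wrote to an HTML title: " << (o.wroteAfterFix ? "yes" : "no") << "\n"
              << "SVG <title> text after fixed path: " << o.svgText << "\n";
    return htmlTitleStillWorks() ? 0 : 1;
}
```

The point the model makes is the one Darin Adler raises: removing the assert on its own does nothing for release builds, where the assert never ran; what makes the patch a fix is that the cast is now reachable only after a type check that survives in release code. Build with any C++14 compiler.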
WebKit Commit Bot
Comment 5
2013-11-05 11:14:43 PST
Comment on attachment 213778 [details]: Proposed patch
Clearing flags on attachment: 213778
Committed r158682: <http://trac.webkit.org/changeset/158682>
WebKit Commit Bot
Comment 6
2013-11-05 11:14:47 PST
All reviewed patches have been landed. Closing bug.
Ryosuke Niwa
Comment 7
2013-11-05 19:46:10 PST
*** Bug 123856 has been marked as a duplicate of this bug. ***