WebKit Bugzilla
RESOLVED WORKSFORME
123569
ASSERTION FAILED: !m_adoptionIsRequired in WebCore::TreeShared<NodeType>::ref()
https://bugs.webkit.org/show_bug.cgi?id=123569
Renata Hodovan
Reported
2013-10-31 07:28:38 PDT
Created attachment 215651
Test case

The assertion check above fails on the following test case:

<script>
function runTest() {
    document.createElement('keygen');
}
window.onload = runTest;
document.addEventListener("DOMSubtreeModified", runTest, false);
</script>

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff111cbe1 in WebCore::TreeShared<WebCore::Node>::ref (this=0x122ed10) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/TreeShared.h:65
#2  0x00007ffff1452c76 in WebCore::Node::refEventTarget (this=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:692
#3  0x00007ffff1076e4d in WebCore::EventTarget::ref (this=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.h:113
#4  0x00007ffff107a66c in WTF::refIfNotNull<WebCore::EventTarget> (ptr=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/PassRefPtr.h:33
#5  0x00007ffff1078c73 in WTF::PassRefPtr<WebCore::EventTarget>::PassRefPtr (this=0x7fffffffb640, ptr=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/PassRefPtr.h:45
#6  0x00007ffff14236a2 in WebCore::EventDispatcher::dispatchScopedEvent (node=..., event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:209
#7  0x00007ffff1457ebc in WebCore::Node::dispatchScopedEvent (this=0x122ed00, event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2032
#8  0x00007ffff145808e in WebCore::Node::dispatchSubtreeModifiedEvent (this=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2054
#9  0x00007ffff14153ef in WebCore::Element::didAddAttribute (this=0x122ed00, name=..., value=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:2946
#10 0x00007ffff1411631 in WebCore::Element::addAttributeInternal (this=0x122ed00, name=..., value=..., inSynchronizationOfLazyAttribute=WebCore::Element::NotInSynchronizationOfLazyAttribute)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1903
#11 0x00007ffff1419b65 in WebCore::Element::setAttributeInternal (this=0x122ed00, index=4294967295, name=..., newValue=..., inSynchronizationOfLazyAttribute=WebCore::Element::NotInSynchronizationOfLazyAttribute)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1062
#12 0x00007ffff140e7bc in WebCore::Element::setAttribute (this=0x122ed00, name=..., value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1044
#13 0x00007ffff1412724 in WebCore::Element::setPseudo (this=0x122ed00, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:2125
#14 0x00007ffff15d49b9 in WebCore::KeygenSelectElement::KeygenSelectElement (this=0x122ed00, document=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLKeygenElement.cpp:57
#15 0x00007ffff15d4780 in WebCore::KeygenSelectElement::create (document=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLKeygenElement.cpp:49
#16 0x00007ffff15d4b09 in WebCore::HTMLKeygenElement::HTMLKeygenElement (this=0x11d2c70, tagName=..., document=..., form=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLKeygenElement.cpp:76
#17 0x00007ffff15d4305 in WebCore::HTMLKeygenElement::create (tagName=..., document=..., form=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLKeygenElement.cpp:88
#18 0x00007ffff25b7788 in WebCore::keygenConstructor (tagName=..., document=..., formElement=0x0) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/HTMLElementFactory.cpp:327
#19 0x00007ffff25b863d in WebCore::HTMLElementFactory::createElement (name=..., document=..., formElement=0x0, createdByParser=false) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/HTMLElementFactory.cpp:698
#20 0x00007ffff15b1ebd in WebCore::HTMLDocument::createElement (this=0x11f1110, name=..., ec=@0x7fffffffbbcc: 0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLDocument.cpp:296
#21 0x00007ffff21bd30e in WebCore::jsDocumentPrototypeFunctionCreateElement (exec=0x7fff945edf50) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:2295
#22 0x00007fff9e53d105 in ?? ()
#23 0x00007fffffffbc30 in ?? ()
#24 0x00007ffff5d2255b in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#25 0x00007fff9e53d960 in ?? ()
#26 0x0000000001175968 in ?? ()
#27 0x000000000117ee70 in ?? ()
#28 0x00007fffee3779a0 in thread_context_stack () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#29 0x0000000000614470 in ?? ()
#30 0x00007ffff1852ac6 in WebCore::ResourceLoader::didReceiveBuffer (this=0x7fffffffbc30, buffer=..., encodedDataLength=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:483
#31 0x00007fffffffbc80 in ?? ()
#32 0x00007ffff5b143be in JSC::JITCode::execute (this=0x48ff5b670be8c789, stack=0x48e0458d48d4ff41, callFrame=0xc78948da89480000, vm=0x1b9c8458b48e0)
---Type <return> to continue, or q <return> to quit---
    at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Attachments
Test case (188 bytes, text/html), 2013-10-31 07:28 PDT, Renata Hodovan, no flags
Deepak Mittal
Comment 1
2014-02-01 03:43:16 PST
I am not able to reproduce this issue using the above-mentioned test case on the latest WebKit code. Someone please confirm the same.
Renata Hodovan
Comment 2
2015-01-29 08:52:02 PST
I cannot repro it either.