Created attachment 215651
Test case

The assertion check above fails on the following test case:

<script>
function runTest() {
    document.createElement('keygen');
}
window.onload = runTest;
document.addEventListener("DOMSubtreeModified", runTest, false);
</script>

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5d23529 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff111cbe1 in WebCore::TreeShared<WebCore::Node>::ref (this=0x122ed10) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/TreeShared.h:65
#2  0x00007ffff1452c76 in WebCore::Node::refEventTarget (this=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:692
#3  0x00007ffff1076e4d in WebCore::EventTarget::ref (this=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.h:113
#4  0x00007ffff107a66c in WTF::refIfNotNull<WebCore::EventTarget> (ptr=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/PassRefPtr.h:33
#5  0x00007ffff1078c73 in WTF::PassRefPtr<WebCore::EventTarget>::PassRefPtr (this=0x7fffffffb640, ptr=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/PassRefPtr.h:45
#6  0x00007ffff14236a2 in WebCore::EventDispatcher::dispatchScopedEvent (node=..., event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:209
#7  0x00007ffff1457ebc in WebCore::Node::dispatchScopedEvent (this=0x122ed00, event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2032
#8  0x00007ffff145808e in WebCore::Node::dispatchSubtreeModifiedEvent (this=0x122ed00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2054
#9  0x00007ffff14153ef in WebCore::Element::didAddAttribute (this=0x122ed00, name=..., value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:2946
#10 0x00007ffff1411631 in WebCore::Element::addAttributeInternal (this=0x122ed00, name=..., value=..., inSynchronizationOfLazyAttribute=WebCore::Element::NotInSynchronizationOfLazyAttribute) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1903
#11 0x00007ffff1419b65 in WebCore::Element::setAttributeInternal (this=0x122ed00, index=4294967295, name=..., newValue=..., inSynchronizationOfLazyAttribute=WebCore::Element::NotInSynchronizationOfLazyAttribute) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1062
#12 0x00007ffff140e7bc in WebCore::Element::setAttribute (this=0x122ed00, name=..., value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1044
#13 0x00007ffff1412724 in WebCore::Element::setPseudo (this=0x122ed00, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:2125
#14 0x00007ffff15d49b9 in WebCore::KeygenSelectElement::KeygenSelectElement (this=0x122ed00, document=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLKeygenElement.cpp:57
#15 0x00007ffff15d4780 in WebCore::KeygenSelectElement::create (document=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLKeygenElement.cpp:49
#16 0x00007ffff15d4b09 in WebCore::HTMLKeygenElement::HTMLKeygenElement (this=0x11d2c70, tagName=..., document=..., form=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLKeygenElement.cpp:76
#17 0x00007ffff15d4305 in WebCore::HTMLKeygenElement::create (tagName=..., document=..., form=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLKeygenElement.cpp:88
#18 0x00007ffff25b7788 in WebCore::keygenConstructor (tagName=..., document=..., formElement=0x0) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/HTMLElementFactory.cpp:327
#19 0x00007ffff25b863d in WebCore::HTMLElementFactory::createElement (name=..., document=..., formElement=0x0, createdByParser=false) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/HTMLElementFactory.cpp:698
#20 0x00007ffff15b1ebd in WebCore::HTMLDocument::createElement (this=0x11f1110, name=..., ec=@0x7fffffffbbcc: 0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLDocument.cpp:296
#21 0x00007ffff21bd30e in WebCore::jsDocumentPrototypeFunctionCreateElement (exec=0x7fff945edf50) at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:2295
#22 0x00007fff9e53d105 in ?? ()
#23 0x00007fffffffbc30 in ?? ()
#24 0x00007ffff5d2255b in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.0
#25 0x00007fff9e53d960 in ?? ()
#26 0x0000000001175968 in ?? ()
#27 0x000000000117ee70 in ?? ()
#28 0x00007fffee3779a0 in thread_context_stack () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#29 0x0000000000614470 in ?? ()
#30 0x00007ffff1852ac6 in WebCore::ResourceLoader::didReceiveBuffer (this=0x7fffffffbc30, buffer=..., encodedDataLength=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:483
#31 0x00007fffffffbc80 in ?? ()
#32 0x00007ffff5b143be in JSC::JITCode::execute (this=0x48ff5b670be8c789, stack=0x48e0458d48d4ff41, callFrame=0xc78948da89480000, vm=0x1b9c8458b48e0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.cpp:46
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
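The backtrace shows a node being ref()'d (frames #1 to #5) while its own constructor is still running (frame #14): the constructor sets an attribute, which synchronously dispatches DOMSubtreeModified, and the page's listener takes a reference to the half-built node. The following added example is not WebKit code; it is a small model of that pattern, with an "adoption required" flag standing in for whatever TreeShared::ref asserts (an assumption), and a create()-then-dispatch shape as the hardened alternative.

```cpp
// Added example, not WebKit code. Models a refcounted node that must be
// adopted (adoptRef) before anyone may call ref(), and a listener that is
// invoked synchronously from inside the constructor, as in the backtrace.
#include <functional>
#include <memory>

struct RefCheckViolation {};  // thrown where a debug build would ASSERT/crash

class TreeSharedModel {
public:
    TreeSharedModel() : m_refCount(1), m_adoptionIsRequired(true) {}
    virtual ~TreeSharedModel() {}
    void ref() {
        // Assumed stand-in for the TreeShared::ref assertion in the backtrace.
        if (m_adoptionIsRequired) throw RefCheckViolation{};
        ++m_refCount;
    }
    void adopt() { m_adoptionIsRequired = false; }  // what adoptRef() would do
    int refCount() const { return m_refCount; }
private:
    int m_refCount;
    bool m_adoptionIsRequired;
};

using MutationListener = std::function<void(TreeSharedModel&)>;

// "Before": the constructor publishes `this` to a listener before adoption.
class EagerElement : public TreeSharedModel {
public:
    explicit EagerElement(const MutationListener& listener) { listener(*this); }
};

// "After": the constructor only initialises state; the factory adopts the
// node first and dispatches the mutation callback afterwards.
class DeferredElement : public TreeSharedModel {
public:
    static std::unique_ptr<DeferredElement> create(const MutationListener& listener) {
        std::unique_ptr<DeferredElement> e(new DeferredElement());
        e->adopt();
        listener(*e);
        return e;
    }
};

// True if a listener that refs the node trips the check during construction.
bool eagerConstructionTripsCheck() {
    try { EagerElement e([](TreeSharedModel& n) { n.ref(); }); }
    catch (RefCheckViolation&) { return true; }
    return false;
}

// Same listener against the deferred shape: the ref succeeds and is counted.
int deferredRefCountAfterListener() {
    auto e = DeferredElement::create([](TreeSharedModel& n) { n.ref(); });
    return e->refCount();
}
```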
I am not able to reproduce this issue using the above mentioned test case on the latest WebKit code. Someone please confirm the same.
I cannot repro it either.