RESOLVED WORKSFORME 127035
ASSERTION FAILED: !m_beforePseudoElement || !pseudoElement in WebCore::ElementRareData::setBeforePseudoElement
https://bugs.webkit.org/show_bug.cgi?id=127035
Renata Hodovan
Reported 2014-01-15 01:37:01 PST
Created attachment 221242
Test case

Test case to reproduce the assertion failure:

<u>
<div>
<div>
<style></style>
<link rel="stylesheet" href="foo">
<q>
<script src="foo"></script>
</q>
</u>

Backtrace:

ASSERTION FAILED: !m_beforePseudoElement || !pseudoElement
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ElementRareData.h(206) : void WebCore::ElementRareData::setBeforePseudoElement(WTF::PassRefPtr<WebCore::PseudoElement>)
1 0x7ffff5c35e44 WTFCrash
2 0x7ffff0f72772 WebCore::ElementRareData::setBeforePseudoElement(WTF::PassRefPtr<WebCore::PseudoElement>)
3 0x7ffff0f6d3c2 WebCore::Element::setBeforePseudoElement(WTF::PassRefPtr<WebCore::PseudoElement>)
4 0x7ffff1a1d1a9
5 0x7ffff1a1d3ad
6 0x7ffff1a1d4f2
7 0x7ffff1a1d038
8 0x7ffff1a1d564
9 0x7ffff1a1dc7d
10 0x7ffff1a1e241
11 0x7ffff1a1e3f4
12 0x7ffff1a1e3f4
13 0x7ffff1a1e3f4
14 0x7ffff1a1e6c9 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change)
15 0x7ffff0f12551 WebCore::Document::recalcStyle(WebCore::Style::Change)
16 0x7ffff0f17411 WebCore::Document::styleResolverChanged(WebCore::StyleResolverUpdateFlag)
17 0x7ffff0f15c35 WebCore::Document::didRemoveAllPendingStylesheet()
18 0x7ffff0ef7741 WebCore::Document::notifyRemovePendingSheetIfNeeded()
19 0x7ffff0ef80d1 WebCore::ChildNodeRemovalNotifier::notify(WebCore::Node&)
20 0x7ffff0efc478 WebCore::Private::NodeRemovalDispatcher<WebCore::Node, WebCore::ContainerNode, true>::dispatch(WebCore::Node&, WebCore::ContainerNode&)
21 0x7ffff0efb575 void WebCore::Private::addChildNodesToDeletionQueue<WebCore::Node, WebCore::ContainerNode>(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&)
22 0x7ffff0ef9474 void WebCore::removeDetachedChildrenInContainer<WebCore::Node, WebCore::ContainerNode>(WebCore::ContainerNode&)
23 0x7ffff0ef2b1d WebCore::ContainerNode::removeDetachedChildren()
24 0x7ffff0ef2cc7 WebCore::ContainerNode::takeAllChildrenFrom(WebCore::ContainerNode*)
25 0x7ffff1247195 WebCore::HTMLTreeBuilder::callTheAdoptionAgency(WebCore::AtomicHTMLToken*)
26 0x7ffff124917e WebCore::HTMLTreeBuilder::processEndTagForInBody(WebCore::AtomicHTMLToken*)
27 0x7ffff1249dd2 WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken*)
28 0x7ffff1240b68 WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken*)
29 0x7ffff124097a WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken*)
30 0x7ffff121b228 WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLToken&)
31 0x7ffff121ae93 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1 0x00007ffff0f72772 in WebCore::ElementRareData::setBeforePseudoElement (this=0x11aff70, pseudoElement=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ElementRareData.h:206
#2 0x00007ffff0f6d3c2 in WebCore::Element::setBeforePseudoElement (this=0x11ffb70, element=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:2335
#3 0x00007ffff1a1d1a9 in WebCore::Style::setBeforeOrAfterPseudoElement (current=..., pseudoElement=..., pseudoId=WebCore::BEFORE) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:498
#4 0x00007ffff1a1d3ad in WebCore::Style::attachBeforeOrAfterPseudoElementIfNeeded (current=..., pseudoId=WebCore::BEFORE) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:532
#5 0x00007ffff1a1d4f2 in WebCore::Style::attachRenderTree (current=..., resolvedStyle=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:549
#6 0x00007ffff1a1d038 in WebCore::Style::attachChildren (current=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:469
#7 0x00007ffff1a1d564 in WebCore::Style::attachRenderTree (current=..., resolvedStyle=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:560
#8 0x00007ffff1a1dc7d in WebCore::Style::resolveLocal (current=..., inheritedChange=WebCore::Style::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:684
#9 0x00007ffff1a1e241 in WebCore::Style::resolveTree (current=..., change=WebCore::Style::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:838
#10 0x00007ffff1a1e3f4 in WebCore::Style::resolveTree (current=..., change=WebCore::Style::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:870
#11 0x00007ffff1a1e3f4 in WebCore::Style::resolveTree (current=..., change=WebCore::Style::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:870
#12 0x00007ffff1a1e3f4 in WebCore::Style::resolveTree (current=..., change=WebCore::Style::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:870
#13 0x00007ffff1a1e6c9 in WebCore::Style::resolveTree (document=..., change=WebCore::Style::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/style/StyleResolveTree.cpp:912
#14 0x00007ffff0f12551 in WebCore::Document::recalcStyle (this=0x11c8040, change=WebCore::Style::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:1750
#15 0x00007ffff0f17411 in WebCore::Document::styleResolverChanged (this=0x11c8040, updateFlag=WebCore::RecalcStyleIfNeeded) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:3241
#16 0x00007ffff0f15c35 in WebCore::Document::didRemoveAllPendingStylesheet (this=0x11c8040) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2794
#17 0x00007ffff0ef7741 in WebCore::Document::notifyRemovePendingSheetIfNeeded (this=0x11c8040) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.h:1651
#18 0x00007ffff0ef80d1 in WebCore::ChildNodeRemovalNotifier::notify (this=0x7fffffffbd70, node=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:260
#19 0x00007ffff0efc478 in WebCore::Private::NodeRemovalDispatcher<WebCore::Node, WebCore::ContainerNode, true>::dispatch (node=..., container=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:145
#20 0x00007ffff0efb575 in WebCore::Private::addChildNodesToDeletionQueue<WebCore::Node, WebCore::ContainerNode> (head=@0x7fffffffbdf0: 0x0, tail=@0x7fffffffbdf8: 0x0, container=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:188
#21 0x00007ffff0ef9474 in WebCore::removeDetachedChildrenInContainer<WebCore::Node, WebCore::ContainerNode> (container=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:90
#22 0x00007ffff0ef2b1d in WebCore::ContainerNode::removeDetachedChildren (this=0x7f8cf0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:104
#23 0x00007ffff0ef2cc7 in WebCore::ContainerNode::takeAllChildrenFrom (this=0x11b1150, oldParent=0x7f8cf0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:134
#24 0x00007ffff1247195 in WebCore::HTMLTreeBuilder::callTheAdoptionAgency (this=0x8c1410, token=0x7fffffffc2f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:1629
#25 0x00007ffff124917e in WebCore::HTMLTreeBuilder::processEndTagForInBody (this=0x8c1410, token=0x7fffffffc2f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:1951
#26 0x00007ffff1249dd2 in WebCore::HTMLTreeBuilder::processEndTag (this=0x8c1410, token=0x7fffffffc2f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2101
#27 0x00007ffff1240b68 in WebCore::HTMLTreeBuilder::processToken (this=0x8c1410, token=0x7fffffffc2f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:405
---Type <return> to continue, or q <return> to quit---
#28 0x00007ffff124097a in WebCore::HTMLTreeBuilder::constructTree (this=0x8c1410, token=0x7fffffffc2f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:373
#29 0x00007ffff121b228 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x6a8a80, rawToken=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:586
#30 0x00007ffff121ae93 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x6a8a80, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:543
#31 0x00007ffff121a683 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x6a8a80, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:227
#32 0x00007ffff121bc29 in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution (this=0x6a8a80) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:879
#33 0x00007ffff121beaf in WebCore::HTMLDocumentParser::notifyFinished (this=0x6a8a80, cachedResource=0x11fe160) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:919
#34 0x00007ffff142849c in WebCore::CachedResource::checkNotify (this=0x11fe160) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:336
#35 0x00007ffff1428613 in WebCore::CachedResource::error (this=0x11fe160, status=WebCore::CachedResource::LoadError) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:362
#36 0x00007ffff13e11b1 in WebCore::SubresourceLoader::didFail (this=0x1208070, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:337
#37 0x00007ffff13dd2a3 in WebCore::ResourceLoader::didFail (this=0x1208070, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:524
#38 0x00007ffff215b679 in WebCore::sendRequestCallback (result=0x1151b60, data=0x11ace50) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:663
#39 0x00007fffe810accb in g_task_return_now (task=0x1151b60) at gtask.c:1105
#40 complete_in_idle_cb (task=<optimized out>) at gtask.c:1114
#41 0x00007fffed805473 in g_main_dispatch (context=0x11511f0) at gmain.c:3054
#42 g_main_context_dispatch (context=0x11511f0) at gmain.c:3630
#43 0x00007ffff758aaee in _ecore_glib_select__locked (ecore_timeout=0x11511f0, efds=<optimized out>, wfds=<optimized out>, rfds=<optimized out>, ecore_fds=1, ctx=<optimized out>) at ecore_glib.c:171
#44 _ecore_glib_select (ecore_fds=1, rfds=<optimized out>, wfds=<optimized out>, efds=<optimized out>, ecore_timeout=0x11511f0) at ecore_glib.c:205
#45 0x00007ffff7584cb9 in _ecore_main_select (timeout=<optimized out>) at ecore_main.c:1466
#46 0x00007ffff7585845 in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:1894
#47 0x00007ffff7585b47 in ecore_main_loop_begin () at ecore_main.c:956
#48 0x0000000000406d21 in main (argc=2, argv=0x7fffffffdd48) at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:1032
Attachments
Test case (117 bytes, text/html)
2014-01-15 01:37 PST, Renata Hodovan
no flags
Brent Fulgham
Comment 1 2016-08-03 13:35:25 PDT
This issue no longer occurs under GuardMalloc or ASAN as of r204037. If you believe there is still a bug, please reopen this issue with a revised test case.