156509 – Regression(r199360): assertion hit in Element::fastGetAttribute()

Bug 156509 - Regression(r199360): assertion hit in Element::fastGetAttribute()

Summary: Regression(r199360): assertion hit in Element::fastGetAttribute()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:

Depends on:
Blocks:	156474
	Show dependency tree / graph

Reported:	2016-04-12 11:40 PDT by Chris Dumez
Modified:	2016-04-12 11:44 PDT (History)
CC List:	8 users (show)

See Also:

Attachments
Patch (2.05 KB, patch) 2016-04-12 11:42 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2016-04-12 11:40:20 PDT

Regression(r199360): assertion hit in Element::fastGetAttribute():
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010bc32da7 WTFCrash + 39
1   com.apple.WebCore             	0x00000001109a86d1 WebCore::Element::fastGetAttribute(WebCore::QualifiedName const&) const + 81 (Element.h:652)
2   com.apple.WebCore             	0x00000001111829ae WebCore::DOMTokenList::tokens() + 46 (DOMTokenList.cpp:231)
3   com.apple.WebCore             	0x00000001109c6805 WebCore::DOMTokenList::tokens() const + 21 (DOMTokenList.h:70)
4   com.apple.WebCore             	0x00000001109c0f35 WebCore::DOMTokenList::length() const + 21 (DOMTokenList.h:87)
5   com.apple.WebCore             	0x0000000111ad9719 WebCore::jsDOMTokenListLength(JSC::ExecState*, long long, JSC::PropertyName) + 153 (JSDOMTokenList.cpp:183)
6   com.apple.JavaScriptCore      	0x000000010ba012a5 JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const + 149
7   com.apple.JavaScriptCore      	0x000000010adaa374 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 132
8   com.apple.JavaScriptCore      	0x000000010adaed0b JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 91
9   com.apple.JavaScriptCore      	0x000000010b84bb03 llint_slow_path_get_by_id + 243
10  com.apple.JavaScriptCore      	0x000000010b858a38 llint_entry + 12020

Comment 1 Chris Dumez 2016-04-12 11:42:28 PDT

Created attachment 276252 [details]
Patch

Comment 2 Chris Dumez 2016-04-12 11:44:46 PDT

Comment on attachment 276252 [details]
Patch

Clearing flags on attachment: 276252

Committed r199378: <http://trac.webkit.org/changeset/199378>

Comment 3 Chris Dumez 2016-04-12 11:44:52 PDT

All reviewed patches have been landed.  Closing bug.