Created attachment 345347 [details]
Minimal crash test

See the attached testcase.

#0  0x00007fcdb471cacc in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:267
#1  0x00007fcdc015af34 in (anonymous namespace)::Element::enqueueToUpgrade (
    this=0x7fcd2e000068, elementInterface=...)
    at ../../Source/WebCore/dom/Element.cpp:2010
#2  0x00007fcdc00973c3 in (anonymous namespace)::CustomElementReactionQueue::enqueueElementUpgradeIfDefined (element=...)
    at ../../Source/WebCore/dom/CustomElementReactionQueue.cpp:139
#3  0x00007fcdc0159cd1 in (anonymous namespace)::Element::insertedIntoAncestor (this=0x7fcd2e000068, insertionType=..., parentOfInsertedTree=...)
    at ../../Source/WebCore/dom/Element.cpp:1751
#4  0x00007fcdc0095e14 in (anonymous namespace)::notifyNodeInsertedIntoDocument (parentOfInsertedTree=..., node=..., treeScopeChange=(anonymous namespace)::TreeScopeChange::Changed, postInsertionNotificationTargets=...)
    at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:48
#5  0x00007fcdc00962df in (anonymous namespace)::notifyChildNodeInserted (
    parentOfInsertedTree=..., node=...)
    at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:103
#6  0x00007fcdc0098b65 in (anonymous namespace)::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::parserAppendChild(WebCore::Node&)::<lambda()> >((anonymous namespace)::ContainerNode &, (anonymous namespace)::Node &, (anonymous namespace)::ContainerNode::ChildChangeSource, (anonymous namespace)::ReplacedAllChildren, (anonymous namespace)::ContainerNode::<lambda()>) (
    containerNode=..., child=..., source=(anonymous namespace)::ContainerNode::ChildChangeSource::Parser, replacedAllChildren=(anonymous namespace)::ReplacedAllChildren::No, doNodeInsertion=...)
    at ../../Source/WebCore/dom/ContainerNode.cpp:186
#7  0x00007fcdc0094bf9 in (anonymous namespace)::ContainerNode::parserAppendChild (this=0x7fcd2e8001d0, newChild=...)
    at ../../Source/WebCore/dom/ContainerNode.cpp:723
#8  0x00007fcdc12e28b0 in (anonymous namespace)::XMLDocumentParser::startElementNs (this=0x7fcd30fd8b40, xmlLocalName=0x559de8bdce9a "my-element", xmlPrefix=0x0, xmlURI=0x559de8bdce76 "http://www.w3.org/1999/xhtml", numNamespaces=0, libxmlNamespaces=0x0, numAttributes=0, numDefaulted=0,
Created attachment 345567 [details] Patch
Comment on attachment 345567 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=345567&action=review

> Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:787
> + if (!m_parsingFragment)

Step 5 actually says it should happen if in addition the custom element definition is non-null (which is true in the repro case).
Created attachment 346067 [details] Patch
Created attachment 346070 [details] Patch
Comment on attachment 346070 [details]
Patch

Will handle the custom element reaction stack push/pop in a separate bug.
<rdar://problem/42843015>
ASSERTION has been removed in bug 188327 so I think we can just unskip the test now. However, the same logic as bug 188327 (special case for HTML fragment parsing) probably still needs to be implemented for the XML parser.
Created attachment 346613 [details] Patch
Comment on attachment 346613 [details]
Patch

Clearing flags on attachment: 346613

Committed r234591: <https://trac.webkit.org/changeset/234591>
All reviewed patches have been landed. Closing bug.