Bug 187802 - ASSERTION !data.customElementReactionQueue() when creating custom element inside an SVG document
Summary: ASSERTION !data.customElementReactionQueue() when creating custom element ins...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Frédéric Wang (:fredw)
URL: https://w3c-test.org/custom-elements/...
Keywords: InRadar
Depends on:
Blocks: 154907
  Show dependency treegraph
 
Reported: 2018-07-19 08:25 PDT by Frédéric Wang (:fredw)
Modified: 2018-08-15 14:26 PDT (History)
9 users (show)

See Also:

Attachments
Minimal crash test (289 bytes, image/svg+xml)
2018-07-19 08:25 PDT, Frédéric Wang (:fredw) 		no flags Details
Patch (6.24 KB, patch)
2018-07-23 04:26 PDT, Frédéric Wang (:fredw) 		no flags Details | Formatted Diff | Diff
Patch (9.86 KB, patch)
2018-07-30 10:34 PDT, Frédéric Wang (:fredw) 		no flags Details | Formatted Diff | Diff
Patch (9.87 KB, patch)
2018-07-30 11:01 PDT, Frédéric Wang (:fredw) 		no flags Details | Formatted Diff | Diff
Patch (3.36 KB, patch)
2018-08-05 22:35 PDT, Frédéric Wang (:fredw) 		no flags Details | Formatted Diff | Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Frédéric Wang (:fredw) 2018-07-19 08:25:35 PDT 
Created attachment 345347 [details]
Minimal crash test

See the attached testcase.

#0  0x00007fcdb471cacc in WTFCrash ()
    at ../../Source/WTF/wtf/Assertions.cpp:267
#1  0x00007fcdc015af34 in (anonymous namespace)::Element::enqueueToUpgrade (
    this=0x7fcd2e000068, elementInterface=...)
    at ../../Source/WebCore/dom/Element.cpp:2010
#2  0x00007fcdc00973c3 in (anonymous namespace)::CustomElementReactionQueue::enqueueElementUpgradeIfDefined (element=...)
    at ../../Source/WebCore/dom/CustomElementReactionQueue.cpp:139
#3  0x00007fcdc0159cd1 in (anonymous namespace)::Element::insertedIntoAncestor
    (this=0x7fcd2e000068, insertionType=..., parentOfInsertedTree=...)
    at ../../Source/WebCore/dom/Element.cpp:1751
#4  0x00007fcdc0095e14 in (anonymous namespace)::notifyNodeInsertedIntoDocument
    (parentOfInsertedTree=..., node=..., 
    treeScopeChange=(anonymous namespace)::TreeScopeChange::Changed, 
    postInsertionNotificationTargets=...)
    at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:48
#5  0x00007fcdc00962df in (anonymous namespace)::notifyChildNodeInserted (
    parentOfInsertedTree=..., node=...)
    at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:103
#6  0x00007fcdc0098b65 in (anonymous namespace)::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::parserAppendChild(WebCore::Node&)::<lambda()> >((anonymous namespace)::ContainerNode &, (anonymous namespace)::Node &, (anonymous namespace)::ContainerNode::ChildChangeSource, (anonymous namespace)::ReplacedAllChildren, (anonymous namespace)::ContainerNode::<lambda()>) (
    containerNode=..., child=..., 
    source=(anonymous namespace)::ContainerNode::ChildChangeSource::Parser, 
    replacedAllChildren=(anonymous namespace)::ReplacedAllChildren::No, 
    doNodeInsertion=...) at ../../Source/WebCore/dom/ContainerNode.cpp:186
#7  0x00007fcdc0094bf9 in (anonymous namespace)::ContainerNode::parserAppendChild (this=0x7fcd2e8001d0, newChild=...)
    at ../../Source/WebCore/dom/ContainerNode.cpp:723
#8  0x00007fcdc12e28b0 in (anonymous namespace)::XMLDocumentParser::startElementNs (this=0x7fcd30fd8b40, xmlLocalName=0x559de8bdce9a "my-element", 
    xmlPrefix=0x0, xmlURI=0x559de8bdce76 "http://www.w3.org/1999/xhtml", 
    numNamespaces=0, libxmlNamespaces=0x0, numAttributes=0, numDefaulted=0,
Comment 1 Frédéric Wang (:fredw) 2018-07-23 04:26:31 PDT 
Created attachment 345567 [details]
Patch
Comment 2 Frédéric Wang (:fredw) 2018-07-23 07:46:47 PDT 
Comment on attachment 345567 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=345567&action=review

> Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:787
> +    if (!m_parsingFragment)

Step 5 actually says it should happen if in addition the custom element definition is non-null (which is true in the repro case).
Comment 3 Frédéric Wang (:fredw) 2018-07-30 10:34:15 PDT 
Created attachment 346067 [details]
Patch
Comment 4 Frédéric Wang (:fredw) 2018-07-30 11:01:03 PDT 
Created attachment 346070 [details]
Patch
Comment 5 Frédéric Wang (:fredw) 2018-07-31 00:23:08 PDT 
Comment on attachment 346070 [details]
Patch

Will handle the custom element reaction stack push/pop in a separate bug.
Comment 6 Radar WebKit Bug Importer 2018-08-01 22:42:20 PDT 
<rdar://problem/42843015>
Comment 7 Frédéric Wang (:fredw) 2018-08-04 00:03:50 PDT 
ASSERTION has been removed in bug 188327 so I think we can just unskip the test now. However, the same logic as bug 188327 (special case for HTML fragment parsing) probably still needs to be implemented for the XML parser.
Comment 8 Frédéric Wang (:fredw) 2018-08-05 22:35:39 PDT 
Created attachment 346613 [details]
Patch
Comment 9 WebKit Commit Bot 2018-08-06 01:25:36 PDT 
Comment on attachment 346613 [details]
Patch

Clearing flags on attachment: 346613

Committed r234591: <https://trac.webkit.org/changeset/234591>
Comment 10 WebKit Commit Bot 2018-08-06 01:25:38 PDT 
All reviewed patches have been landed.  Closing bug.