187802 – ASSERTION !data.customElementReactionQueue() when creating custom element inside an SVG document

RESOLVED FIXED 187802

ASSERTION !data.customElementReactionQueue() when creating custom element inside an SVG document

https://bugs.webkit.org/show_bug.cgi?id=187802

Summary ASSERTION !data.customElementReactionQueue() when creating custom element ins...

Frédéric Wang (:fredw)

Reported 2018-07-19 08:25:35 PDT

Created attachment 345347 [details] Minimal crash test See the attached testcase. #0 0x00007fcdb471cacc in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:267 #1 0x00007fcdc015af34 in (anonymous namespace)::Element::enqueueToUpgrade ( this=0x7fcd2e000068, elementInterface=...) at ../../Source/WebCore/dom/Element.cpp:2010 #2 0x00007fcdc00973c3 in (anonymous namespace)::CustomElementReactionQueue::enqueueElementUpgradeIfDefined (element=...) at ../../Source/WebCore/dom/CustomElementReactionQueue.cpp:139 #3 0x00007fcdc0159cd1 in (anonymous namespace)::Element::insertedIntoAncestor (this=0x7fcd2e000068, insertionType=..., parentOfInsertedTree=...) at ../../Source/WebCore/dom/Element.cpp:1751 #4 0x00007fcdc0095e14 in (anonymous namespace)::notifyNodeInsertedIntoDocument (parentOfInsertedTree=..., node=..., treeScopeChange=(anonymous namespace)::TreeScopeChange::Changed, postInsertionNotificationTargets=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:48 #5 0x00007fcdc00962df in (anonymous namespace)::notifyChildNodeInserted ( parentOfInsertedTree=..., node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:103 #6 0x00007fcdc0098b65 in (anonymous namespace)::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::parserAppendChild(WebCore::Node&)::<lambda()> >((anonymous namespace)::ContainerNode &, (anonymous namespace)::Node &, (anonymous namespace)::ContainerNode::ChildChangeSource, (anonymous namespace)::ReplacedAllChildren, (anonymous namespace)::ContainerNode::<lambda()>) ( containerNode=..., child=..., source=(anonymous namespace)::ContainerNode::ChildChangeSource::Parser, replacedAllChildren=(anonymous namespace)::ReplacedAllChildren::No, doNodeInsertion=...) at ../../Source/WebCore/dom/ContainerNode.cpp:186 #7 0x00007fcdc0094bf9 in (anonymous namespace)::ContainerNode::parserAppendChild (this=0x7fcd2e8001d0, newChild=...) at ../../Source/WebCore/dom/ContainerNode.cpp:723 #8 0x00007fcdc12e28b0 in (anonymous namespace)::XMLDocumentParser::startElementNs (this=0x7fcd30fd8b40, xmlLocalName=0x559de8bdce9a "my-element", xmlPrefix=0x0, xmlURI=0x559de8bdce76 "http://www.w3.org/1999/xhtml", numNamespaces=0, libxmlNamespaces=0x0, numAttributes=0, numDefaulted=0,

Attachments
Minimal crash test (289 bytes, image/svg+xml) 2018-07-19 08:25 PDT, Frédéric Wang (:fredw)	no flags	Details
Patch (6.24 KB, patch) 2018-07-23 04:26 PDT, Frédéric Wang (:fredw)	no flags	Details Formatted Diff Diff
Patch (9.86 KB, patch) 2018-07-30 10:34 PDT, Frédéric Wang (:fredw)	no flags	Details Formatted Diff Diff
Patch (9.87 KB, patch) 2018-07-30 11:01 PDT, Frédéric Wang (:fredw)	no flags	Details Formatted Diff Diff
Patch (3.36 KB, patch) 2018-08-05 22:35 PDT, Frédéric Wang (:fredw)	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Frédéric Wang (:fredw)

Comment 1 2018-07-23 04:26:31 PDT

Created attachment 345567 [details] Patch

Frédéric Wang (:fredw)

Comment 2 2018-07-23 07:46:47 PDT

Comment on attachment 345567 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=345567&action=review > Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:787 > + if (!m_parsingFragment) Step 5 actually says it should happen if in addition the custom element definition is non-null (which is true in the repro case).

Frédéric Wang (:fredw)

Comment 3 2018-07-30 10:34:15 PDT

Created attachment 346067 [details] Patch

Frédéric Wang (:fredw)

Comment 4 2018-07-30 11:01:03 PDT

Created attachment 346070 [details] Patch

Frédéric Wang (:fredw)

Comment 5 2018-07-31 00:23:08 PDT

Comment on attachment 346070 [details] Patch Will handle the custom element reaction stack push/pop in a separate bug.

Radar WebKit Bug Importer

Comment 6 2018-08-01 22:42:20 PDT

<rdar://problem/42843015>

Frédéric Wang (:fredw)

Comment 7 2018-08-04 00:03:50 PDT

ASSERTION has been removed in bug 188327 so I think we can just unskip the test now. However, the same logic as bug 188327 (special case for HTML fragment parsing) probably still needs to be implemented for the XML parser.

Frédéric Wang (:fredw)

Comment 8 2018-08-05 22:35:39 PDT

Created attachment 346613 [details] Patch

WebKit Commit Bot

Comment 9 2018-08-06 01:25:36 PDT

Comment on attachment 346613 [details] Patch Clearing flags on attachment: 346613 Committed r234591: <https://trac.webkit.org/changeset/234591>

WebKit Commit Bot

Comment 10 2018-08-06 01:25:38 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component DOM

Assignee

Frédéric Wang (:fredw)

Reported

2018-07-19 08:25 PDT

Modified

2018-08-15 14:26 PDT History

CC List

9 users Show

URL

https://w3c-test.org/custom-elements/parser/parser-uses-create-an-element-for-a-token-svg.svg

Keywords InRadar

Depends on

Blocks

154907

Dependencies

tree graph