RESOLVED FIXED 193351
Release assert when removing element with a map element in the shadow tree
https://bugs.webkit.org/show_bug.cgi?id=193351
Antti Koivisto
Reported 2019-01-11 07:10:37 PST
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
  * frame #0: 0x000000010b242cb3 WebCore`WTFCrashWithInfo((null)=81, (null)="./dom/TreeScopeOrderedMap.cpp", (null)="void WebCore::TreeScopeOrderedMap::remove(const WTF::AtomicStringImpl &, WebCore::Element &)", (null)=139) at Assertions.h:559 [opt]
    frame #1: 0x000000010bf8465e WebCore`WebCore::TreeScopeOrderedMap::remove(this=0x00000001de412fe0, key=<unavailable>, element=0x00000001de9abf90) at TreeScopeOrderedMap.cpp:81 [opt]
    frame #2: 0x000000010c0c3dc3 WebCore`WebCore::HTMLMapElement::removedFromAncestor(this=0x00000001de9abf90, removalType=(disconnectedFromDocument = true, treeScopeChanged = false), oldParentOfRemovedTree=0x00000001de3befa0) at HTMLMapElement.cpp:129 [opt]
    frame #3: 0x000000010bebbf85 WebCore`WebCore::notifyNodeRemovedFromDocument(oldParentOfRemovedTree=0x00000001de3befa0, treeScopeChange=DidNotChange, node=0x00000001de9abf90) at ContainerNodeAlgorithms.cpp:114 [opt]
    frame #4: 0x000000010bebbfc6 WebCore`WebCore::notifyNodeRemovedFromDocument(oldParentOfRemovedTree=0x00000001de3befa0, treeScopeChange=DidNotChange, node=0x00000001de95bf40) at ContainerNodeAlgorithms.cpp:121 [opt]
    frame #5: 0x000000010bebc032 WebCore`WebCore::notifyNodeRemovedFromDocument(oldParentOfRemovedTree=0x00000001de3befa0, treeScopeChange=Changed, node=0x00000001de438fa0) at ContainerNodeAlgorithms.cpp:129 [opt]
    frame #6: 0x000000010beb8788 WebCore`WebCore::ContainerNode::removeChild(WebCore::Node&) [inlined] WebCore::notifyChildNodeRemoved(oldParentOfRemovedTree=<unavailable>, child=<unavailable>) at ContainerNodeAlgorithms.cpp:161 [opt]
    frame #7: 0x000000010beb875e WebCore`WebCore::ContainerNode::removeChild(WebCore::Node&) at ContainerNode.cpp:168 [opt]
    frame #8: 0x000000010beb8704 WebCore`WebCore::ContainerNode::removeChild(this=0x00000001de3befa0, oldChild=0x00000001de438fa0) at ContainerNode.cpp:571 [opt]
    frame #9: 0x000000010bf418c0 WebCore`WebCore::Node::remove(this=<unavailable>) at Node.cpp:625 [opt]
Attachments
patch (3.78 KB, patch)
2019-01-11 07:22 PST, Antti Koivisto
no flags
Antti Koivisto
Comment 1 2019-01-11 07:11:01 PST
Antti Koivisto
Comment 2 2019-01-11 07:22:01 PST
WebKit Commit Bot
Comment 3 2019-01-11 14:38:31 PST
Comment on attachment 358894
patch

Clearing flags on attachment: 358894

Committed r239877: <https://trac.webkit.org/changeset/239877>
WebKit Commit Bot
Comment 4 2019-01-11 14:38:32 PST
All reviewed patches have been landed. Closing bug.