RESOLVED FIXED 196895
ASSERT fires when removing a disallowed clone from the shadow tree without resetting its corresponding element
https://bugs.webkit.org/show_bug.cgi?id=196895
Said Abou-Hallawa
Reported 2019-04-13 02:42:26 PDT
Created attachment 367382 [details]: test case (will assert in debug)

Open the attached file. The following assertion will fire:

ASSERTION FAILED: listener.wasCreatedFromMarkup()
svg/SVGElement.cpp(434) : virtual bool WebCore::SVGElement::removeEventListener(const WTF::AtomicString &, WebCore::EventListener &, const WebCore::EventTarget::ListenerOptions &)
1 0x129513c29 WTFCrash
2 0x1140327eb WTFCrashWithInfo(int, char const*, char const*, int)
3 0x117e697cc WebCore::SVGElement::removeEventListener(WTF::AtomicString const&, WebCore::EventListener&, WebCore::EventTarget::ListenerOptions const&)
4 0x1180c75ad WebCore::SVGTRefTargetEventListener::detach()
5 0x1180c89ae WebCore::SVGTRefElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&)
6 0x116640bd7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
7 0x116640ca7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
8 0x116640ca7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
9 0x116640a6f WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&)
10 0x11663cead WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource)
11 0x11663c6f0 WebCore::ContainerNode::removeChild(WebCore::Node&)
12 0x11663adca WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul>&)
13 0x11663a63a WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*)
14 0x1167fbdc9 WebCore::Node::after(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>&&)
15 0x114a76198 WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)
16 0x114a52c40 long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*)
17 0x114a5292c WebCore::jsElementPrototypeFunctionAfter(JSC::ExecState*)
18 0x64000c21016b
19 0x129a2e64c llint_entry
20 0x129a2e4d3 llint_entry
21 0x129a1b122 vmEntryToJavaScript
22 0x12a6a5277 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
23 0x12a6a58ad JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
24 0x12a97be9c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
25 0x12a97bf8a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
26 0x12a97c27e JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
27 0x11611ea58 WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
28 0x11616929c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)
29 0x1167a3a5a WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase)
30 0x1167a3502 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)
31 0x117178d0e WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)
Attachments
test case (will assert in debug) (632 bytes, text/html)
2019-04-13 02:42 PDT, Said Abou-Hallawa
no flags
Patch (5.11 KB, patch)
2019-04-13 03:14 PDT, Said Abou-Hallawa
no flags
Said Abou-Hallawa
Comment 1 2019-04-13 03:14:53 PDT
Said Abou-Hallawa
Comment 2 2019-04-13 03:17:05 PDT
Darin Adler
Comment 3 2019-04-13 07:52:48 PDT
Comment on attachment 367383 [details]: Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=367383&action=review

> Source/WebCore/svg/SVGUseElement.cpp:325
>      for (auto& descendant : descendantsOfType<SVGElement>(*clone))
>          descendant.setCorrespondingElement(nullptr);
> +    if (is<SVGElement>(clone))
> +        downcast<SVGElement>(*clone).setCorrespondingElement(nullptr);

Too bad there's not a more elegant way to write this. Just need a version of descendantsOfType that also includes the item itself if it has the right type.
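Review bot: the two added lines at SVGUseElement.cpp:325 close a real gap, because descendantsOfType<SVGElement>(*clone) yields strict descendants only, so the clone root itself kept its corresponding element and the assertion in the stack trace fired when the disallowed clone was removed; a one-line comment on the is<SVGElement>(clone) branch saying that the root is handled separately because the loop excludes it would make the intent obvious to the next reader, and should the inclusive-descendants helper suggested above ever land, both statements collapse into a single loop.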
WebKit Commit Bot
Comment 4 2019-04-15 11:54:28 PDT
Comment on attachment 367383 [details] Patch Clearing flags on attachment: 367383 Committed r244276: <https://trac.webkit.org/changeset/244276>
WebKit Commit Bot
Comment 5 2019-04-15 11:54:29 PDT
All reviewed patches have been landed. Closing bug.
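Following up on comment 3, here is an added illustration that is not WebKit code: a toy tree that models why a strict-descendant walk such as descendantsOfType leaves the clone root's corresponding element set, and the shape of the inclusive-walk helper suggested there. Node, forEachSVGDescendant, forEachSVGInclusive, the two reset functions and the constructed fixture are all stand-ins written for this example, not WebKit APIs.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Toy DOM node. 'correspondingElement' stands in for the back-pointer a
// <use> shadow-tree clone keeps to the element it was cloned from.
struct Node {
    std::string name;
    bool isSVGElement = false;
    Node* correspondingElement = nullptr;
    std::vector<std::unique_ptr<Node>> children;

    Node(std::string n, bool svg) : name(std::move(n)), isSVGElement(svg) {}

    Node& appendChild(std::string n, bool svg) {
        children.push_back(std::make_unique<Node>(std::move(n), svg));
        return *children.back();
    }
};

// Pre-order walk over SVG descendants. Like descendantsOfType<SVGElement>(*clone),
// it never yields the node it is started on, only nodes strictly below it.
static void forEachSVGDescendant(Node& root, const std::function<void(Node&)>& visit) {
    for (auto& child : root.children) {
        if (child->isSVGElement)
            visit(*child);
        forEachSVGDescendant(*child, visit);
    }
}

// The helper shape suggested in comment 3 (hypothetical): the same walk, but
// starting with the node itself when it has the right type.
static void forEachSVGInclusive(Node& root, const std::function<void(Node&)>& visit) {
    if (root.isSVGElement)
        visit(root);
    forEachSVGDescendant(root, visit);
}

// Teardown before the fix: only descendants lose their corresponding element.
static void resetCloneBuggy(Node& clone) {
    forEachSVGDescendant(clone, [](Node& n) { n.correspondingElement = nullptr; });
}

// Teardown after the fix. r244276 adds an explicit is<SVGElement>(clone) check for
// the root; the inclusive walk does the same job in one statement.
static void resetCloneFixed(Node& clone) {
    forEachSVGInclusive(clone, [](Node& n) { n.correspondingElement = nullptr; });
}

// Approximation of the invariant the debug assertion protects: a clone being torn
// down must no longer reference an original. Returns how many nodes still do.
static int countDanglingCorrespondences(Node& clone) {
    int count = 0;
    forEachSVGInclusive(clone, [&](Node& n) { if (n.correspondingElement) ++count; });
    return count;
}

// Constructed fixture: an original <g> subtree and its clone, linked the way a
// <use> shadow tree links clones to originals. One non-SVG child is included to
// show that the type filter skips it.
struct Fixture {
    Node original{"g", true};
    Node clone{"g", true};

    Fixture() {
        Node& originalRect = original.appendChild("rect", true);
        Node& originalText = original.appendChild("text", true);
        originalText.appendChild("html:span", false);

        clone.correspondingElement = &original;
        clone.appendChild("rect", true).correspondingElement = &originalRect;
        Node& cloneText = clone.appendChild("text", true);
        cloneText.correspondingElement = &originalText;
        cloneText.appendChild("html:span", false);
    }
};

// Before any reset, every SVG node in the clone points at an original.
int danglingBeforeReset() {
    Fixture f;
    return countDanglingCorrespondences(f.clone);
}

// The strict-descendant reset leaves exactly one link: the clone root's.
int danglingAfterBuggyReset() {
    Fixture f;
    resetCloneBuggy(f.clone);
    return countDanglingCorrespondences(f.clone);
}

// The inclusive reset clears the root as well.
int danglingAfterFixedReset() {
    Fixture f;
    resetCloneFixed(f.clone);
    return countDanglingCorrespondences(f.clone);
}
```

The single remaining link after the buggy reset is the root of the subtree, which is the same node the extra is<SVGElement>(clone) branch in the patch takes care of; the inclusive walk is just a way of making that case impossible to forget.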