Bug 198216 - Asssertion failure in dispatchSubtreeModifiedEvent due to TextFieldInputType updating UA shadow tree inside Element::removedFromAncestor
Summary: Asssertion failure in dispatchSubtreeModifiedEvent due to TextFieldInputType ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-05-23 23:05 PDT by Ryosuke Niwa
Modified: 2019-05-24 14:25 PDT (History)
5 users (show)

See Also:


Attachments
Fixes the bug (6.41 KB, patch)
2019-05-23 23:13 PDT, Ryosuke Niwa
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2019-05-23 23:05:22 PDT
We hit the assertion in Node::dispatchSubtreeModifiedEvent
when a datalist element is removed right after the input element's type is changed.

<rdar://problem/50021640>
Comment 1 Ryosuke Niwa 2019-05-23 23:13:46 PDT
Created attachment 370565 [details]
Fixes the bug
Comment 2 Brent Fulgham 2019-05-24 09:03:55 PDT
Comment on attachment 370565 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=370565&action=review

r=me

> Source/WebCore/html/shadow/DataListButtonElement.cpp:-52
> -    setPseudo(AtomicString("-webkit-list-button", AtomicString::ConstructFromLiteral));

Why do we prefer to call 'setPseudo' on the result of this constructed object, rather than during construction here? It seems like it would be easy to forget to do this work, wouldn't it?
Comment 3 WebKit Commit Bot 2019-05-24 09:34:04 PDT
Comment on attachment 370565 [details]
Fixes the bug

Clearing flags on attachment: 370565

Committed r245746: <https://trac.webkit.org/changeset/245746>
Comment 4 WebKit Commit Bot 2019-05-24 09:34:05 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Radar WebKit Bug Importer 2019-05-24 09:35:18 PDT
<rdar://problem/51109894>
Comment 6 Ryosuke Niwa 2019-05-24 14:25:11 PDT
(In reply to Brent Fulgham from comment #2)
> Comment on attachment 370565 [details]
> Fixes the bug
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=370565&action=review
> 
> r=me
> 
> > Source/WebCore/html/shadow/DataListButtonElement.cpp:-52
> > -    setPseudo(AtomicString("-webkit-list-button", AtomicString::ConstructFromLiteral));
> 
> Why do we prefer to call 'setPseudo' on the result of this constructed
> object, rather than during construction here? It seems like it would be easy
> to forget to do this work, wouldn't it?

In general, it's a bad practice to add an attribute in an element constructor. A content attribute should be something the users of an element should be specifying, not the element itself.

In this particular case, setting the content attribute triggers DOMSubtreeModifiedEvent and which ends up hitting the same assertion because the disabling of the assertion will only take effect after this element had been inserted into the shadow tree.