RESOLVED FIXED 213611
ASSERTION FAILED: (it != m_map.end()) in TreeScopeOrderedMap::remove
https://bugs.webkit.org/show_bug.cgi?id=213611
Summary ASSERTION FAILED: (it != m_map.end()) in TreeScopeOrderedMap::remove
Jack
Reported 2020-06-25 11:23:47 PDT
0 com.apple.JavaScriptCore 0x0000000115e611be WTFCrash + 14 (Assertions.cpp:293)
1 com.apple.JavaScriptCore 0x0000000115e611ce WTFCrashWithSecurityImplication + 14
2 com.apple.WebCore 0x000000013cb07316 WebCore::TreeScopeOrderedMap::remove(WTF::AtomStringImpl const&, WebCore::Element&) + 694 (TreeScopeOrderedMap.cpp:81)
3 com.apple.WebCore 0x000000013d06ff1e WebCore::HTMLDocument::removeDocumentNamedItem(WTF::AtomStringImpl const&, WebCore::Element&) + 46 (HTMLDocument.cpp:171)
4 com.apple.WebCore 0x000000013c77fe2f WebCore::Element::updateIdForDocument(WebCore::HTMLDocument&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::HTMLDocumentNamedItemMapsUpdatingCondition) + 687 (Element.cpp:4079)
5 com.apple.WebCore 0x000000013c780946 WebCore::Element::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) + 1430 (Element.cpp:2208)
6 com.apple.WebCore 0x000000013d1050e8 WebCore::HTMLImageElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) + 1160 (HTMLImageElement.cpp:463)
7 com.apple.WebCore 0x000000013c4e97f4 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) + 1076 (ContainerNodeAlgorithms.cpp:116)
8 com.apple.WebCore 0x000000013c4e92ed WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&) + 445 (ContainerNodeAlgorithms.cpp:161)
9 com.apple.WebCore 0x000000013c4def8d WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) + 1533 (ContainerNode.cpp:169)
10 com.apple.WebCore 0x000000013c4ddd89 WebCore::ContainerNode::removeChild(WebCore::Node&) + 681 (ContainerNode.cpp:577)
11 com.apple.WebCore 0x000000013c950873 WebCore::Node::remove() + 115 (Node.cpp:629)
12 com.apple.WebCore 0x0000000137478fd0 WebCore::jsElementPrototypeFunctionRemoveBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*, JSC::ThrowScope&) + 448 (JSElement.cpp:4742)
Attachments
Patch (3.82 KB, patch)
2020-06-25 13:06 PDT, Jack
no flags
Jack
Comment 1 2020-06-25 11:25:33 PDT
<rdar::/64493506>
Jack
Comment 2 2020-06-25 11:25:48 PDT
Jack
Comment 3 2020-06-25 12:40:37 PDT
Test case:

<body><image id=img name=""></image>
<script>
img.name = "new name";
img.remove();
</script>

Cause of the crash:

1. Initially the image element has an empty name, so the image's ID is not added to the document's named item hash map. This is a behavior change after https://bugs.webkit.org/show_bug.cgi?id=212473.
2. Next we change the image's name attribute in the script and add the image's name to the document's named item hash map. However, the image's ID is still not added[1].
3. When we remove the image element, we try to remove the image's ID from the named item hash map because its name attribute is not empty. Since the ID was never added, this triggers the assertion in TreeScopeOrderedMap::remove().

Note:

[1] The reason we do not add the image's ID in step #2: HTMLImageElement::parseAttribute() is called multiple times in the test to check for a valid name attribute and to add the image's ID to the document's named items. Once a valid name attribute is found, the function does not attempt to add the ID anymore. However, this part of the code was not changed in bug 212473: we still consider an empty name a valid attribute. Therefore, the first time HTMLImageElement::parseAttribute() is called, when the image has an empty name attribute, the function sets a flag that denotes a valid name was found, and therefore ignores subsequent name changes. Although the empty name is considered valid, the image's ID was still not added to the named items the first time, since another condition was not matched -- the node was not inserted when parseAttribute() was called the first time.
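The following is an added example to accompany the cause analysis in Comment 3; it is not code from WebKit or from the patch on this bug, and every name in it (OrderedMap, Element, BuggyDocument, SymmetricDocument, replayScenario) is hypothetical. It models the bookkeeping pattern the comment describes: the predicate that decides whether an ID gets added (a sticky first-parse flag plus insertion state) differs from the predicate that decides whether it gets removed (name non-empty), so the remove path can ask the map for an entry that was never added. The second variant shows one way to keep the two paths symmetric, by recording whether an add actually happened; it is an illustration of the invariant, not the fix that landed in r263564. Frame 1 of the trace goes through WTFCrashWithSecurityImplication, so a miss in this map is flagged as security-relevant rather than treated as a harmless no-op; the model therefore makes the miss observable as a return value instead of swallowing it.

```cpp
// Added example, not WebKit code: a minimal model of a key -> elements registry
// whose add and remove paths use different predicates, reproducing the
// remove-of-a-never-added-entry pattern behind the assertion above, next to a
// variant whose bookkeeping is symmetric. All names are hypothetical.
#include <cstdio>
#include <map>
#include <set>
#include <string>

// Stand-in for the ordered map: key -> set of element uids registered under it.
// remove() reports a miss instead of crashing so the scenarios can observe it.
class OrderedMap {
public:
    void add(const std::string& key, int uid) { m_map[key].insert(uid); }
    // False when (key, uid) was never added: the condition the real map asserts on.
    bool remove(const std::string& key, int uid) {
        auto it = m_map.find(key);
        if (it == m_map.end() || it->second.erase(uid) == 0)
            return false;
        if (it->second.empty())
            m_map.erase(it);
        return true;
    }
    bool empty() const { return m_map.empty(); }
private:
    std::map<std::string, std::set<int>> m_map;
};

// Hypothetical image-like element: its ID is meant to be registered only while
// it is in the tree and has a non-empty name.
struct Element {
    int uid;
    std::string id;
    std::string name;
    bool inserted = false;
    bool sawValidName = false;  // sticky flag used by the buggy variant
    bool idRegistered = false;  // exact record of what the symmetric variant added
};

// Buggy bookkeeping: the first name parse sets a sticky "valid name" flag even
// for an empty name on a not-yet-inserted element, so a later name change never
// registers the ID, while removal decides on a different predicate (name non-empty).
struct BuggyDocument {
    OrderedMap ids;
    void parseName(Element& e) {
        if (e.sawValidName)
            return;                 // later name changes are ignored
        e.sawValidName = true;      // an empty name still counts as "valid"
        if (e.inserted && !e.name.empty())
            ids.add(e.id, e.uid);
    }
    void insert(Element& e) {
        e.inserted = true;
        if (!e.name.empty())        // nothing is added for an empty name
            ids.add(e.id, e.uid);
    }
    void setName(Element& e, const std::string& n) { e.name = n; parseName(e); }
    bool remove(Element& e) {
        e.inserted = false;
        return e.name.empty() ? true : ids.remove(e.id, e.uid);
    }
};

// Symmetric bookkeeping: registration is re-evaluated on every relevant change,
// and an unregister happens only when a matching add was recorded.
struct SymmetricDocument {
    OrderedMap ids;
    // Returns false only if an unregister missed the map (which cannot happen here).
    bool update(Element& e) {
        bool shouldBeRegistered = e.inserted && !e.name.empty();
        if (shouldBeRegistered && !e.idRegistered) {
            ids.add(e.id, e.uid);
            e.idRegistered = true;
        } else if (!shouldBeRegistered && e.idRegistered) {
            e.idRegistered = false;
            return ids.remove(e.id, e.uid);
        }
        return true;
    }
    void parseName(Element& e) { update(e); }
    void insert(Element& e) { e.inserted = true; update(e); }
    void setName(Element& e, const std::string& n) { e.name = n; update(e); }
    bool remove(Element& e) { e.inserted = false; return update(e); }
};

// Replays the reported sequence: name="" parsed before insertion, insert, name
// set from script, element removed. Returns whether the final remove found the
// entry it asked the map for.
template <typename Document>
static bool replayScenario(Document& doc) {
    Element img { 1, "img", "" };   // constructed sample element
    doc.parseName(img);             // attribute parsed while not yet inserted
    doc.insert(img);
    doc.setName(img, "new name");
    return doc.remove(img);
}

bool buggyRemoveHitsMap() { BuggyDocument d; return replayScenario(d); }           // false
bool symmetricRemoveHitsMap() { SymmetricDocument d; return replayScenario(d); }   // true
bool symmetricMapEmptyAfterRemove() {
    SymmetricDocument d;
    replayScenario(d);
    return d.ids.empty();                                                          // true
}

int main() {
    std::printf("buggy remove found its entry: %s\n", buggyRemoveHitsMap() ? "yes" : "no");
    std::printf("symmetric remove found its entry: %s\n", symmetricRemoveHitsMap() ? "yes" : "no");
    return 0;
}
```

The buggy variant mirrors the three steps in the comment: the sticky flag is set by the pre-insertion parse of the empty name, the insertion adds nothing because the name is empty, and the script's name change is ignored, so the remove asks the map for an entry that was never added. The symmetric variant derives both add and remove from one predicate and a recorded registration state, which is the property the assertion in TreeScopeOrderedMap::remove() is there to enforce.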
Jack
Comment 4 2020-06-25 13:06:05 PDT
Geoffrey Garen
Comment 5 2020-06-25 13:21:11 PDT
Comment on attachment 402798 [details]
Patch

r=me
EWS
Comment 6 2020-06-26 09:44:36 PDT
Committed r263564: <https://trac.webkit.org/changeset/263564>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 402798 [details].