Bug 225684 - REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks: 148695
Reported: 2021-05-11 19:25 PDT by Ryosuke Niwa
Modified: 2021-06-02 12:22 PDT
Attachments
Patch (4.99 KB, patch)
2021-05-11 20:11 PDT, Ryosuke Niwa
darin: review+

Description Ryosuke Niwa 2021-05-11 19:25:38 PDT
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001090fcdf3 WTFCrashWithInfo(int, char const*, char const*, int) + 19
1   com.apple.WebCore             	0x000000010a3df43a WebCore::SlotAssignment::assignedNodesForSlot(WebCore::HTMLSlotElement const&, WebCore::ShadowRoot&) + 426
2   com.apple.WebCore             	0x000000010a5e96d0 WebCore::HTMLSlotElement::assignedNodes() const + 64
3   com.apple.WebCore             	0x000000010a301f1e WebCore::ComposedTreeIterator::traverseNextInShadowTree() + 222
4   com.apple.WebCore             	0x000000010aeb019c WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) + 316
5   com.apple.WebCore             	0x000000010a3e3031 WebCore::SlotAssignment::didChangeSlot(WTF::AtomString const&, WebCore::ShadowRoot&) + 257
6   com.apple.WebCore             	0x000000010a36f4be WebCore::Element::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) + 270
7   com.apple.WebCore             	0x000000010a3124fa WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 58
8   com.apple.WebCore             	0x000000010a312382 WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&) + 130
9   com.apple.WebCore             	0x000000010a306016 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 998
10  com.apple.WebCore             	0x000000010a3a812d WebCore::Node::appendChild(WebCore::Node&) + 93
11  com.apple.WebCore             	0x0000000109744a0f WebCore::jsNodePrototypeFunction_appendChild(JSC::JSGlobalObject*, JSC::CallFrame*) + 223

<rdar://77799319>
Comment 1 Ryosuke Niwa 2021-05-11 20:11:16 PDT
Created attachment 428338
Patch
Comment 2 Darin Adler 2021-05-11 21:58:09 PDT
Comment on attachment 428338
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=428338&action=review

> Source/WebCore/ChangeLog:14
> +        the shadow root is conncted to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.

Typo in connected.
Comment 3 Ryosuke Niwa 2021-05-12 10:12:29 PDT
(In reply to Darin Adler from comment #2)
> Comment on attachment 428338
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=428338&action=review
> 
> > Source/WebCore/ChangeLog:14
> > +        the shadow root is conncted to a document but HTMLSlotElement isn't since its connected flag has not been updated yet.
> 
> Typo in connected.

Fixed. Thanks for the review.
Comment 4 Ryosuke Niwa 2021-05-12 10:13:24 PDT
Committed r277373 (237631@main): <https://commits.webkit.org/237631@main>