HTML5ScriptRunner can re-enter from event dispatch
HTML5ScriptRunner tries to only enter scripting when calling "executeScript" on the HTML5ScriptRunnerHost, but I realize after writing it that it will also re-enter from events which will cause us to hit m_scriptNestingLevel ASSERTs and do the wrong thing. :)
I tried to write a test for this, but it doesn't quite work yet, and I have more important bugs to fix in the code before I get back to this one so recording it for posterity:
document.write("<script>document.write(" + number + ")</scr" + "ipt><script>document.write(" + (number+1) + ")</scr" + "ipt>")
Created attachment 59134
Cleaned up test case which reveals at least one ASSERT in ToT
The fix for the first assert:
ASSERTION FAILED: !haveParsingBlockingScript()
(/Projects/WebKit/WebCore/html/HTML5ScriptRunner.cpp:262 void WebCore::HTML5ScriptRunner::runScript(WebCore::Element*, int))
is to just re-order the setting of m_parsingBlockingScript until after the beforeLoad check, since the before load might cancel the script anyway!
The next assertions you hit, of close m_source, relate to the insertion point never getting set for some of these calls. Those need a bit more thought.
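A minimal model of the reordering described in the comment above, added here as an illustration and not taken from WebKit: ToyScriptRunner, its fields, the script names and the counter standing in for the ASSERT are all hypothetical.

```cpp
#include <functional>
#include <string>
#include <vector>

// Toy model with hypothetical names; not WebKit code.
struct ToyScriptRunner {
    bool setBeforeCheck;                    // true: slot claimed before beforeload runs
    bool haveParsingBlockingScript = false;
    int invariantViolations = 0;            // stands in for the ASSERT on entry
    std::vector<std::string> executed;
    // Returns false to cancel the script; may re-enter runScript().
    std::function<bool(ToyScriptRunner&, const std::string&)> beforeLoad;

    explicit ToyScriptRunner(bool claimFirst) : setBeforeCheck(claimFirst) {}

    void runScript(const std::string& name) {
        if (haveParsingBlockingScript)
            ++invariantViolations;          // ASSERT(!haveParsingBlockingScript()) would fire
        if (setBeforeCheck)
            haveParsingBlockingScript = true;
        if (beforeLoad && !beforeLoad(*this, name)) {
            if (setBeforeCheck)
                haveParsingBlockingScript = false;  // cancelled: release the early claim
            return;
        }
        haveParsingBlockingScript = true;   // reordered: claim only after the check
        executed.push_back(name);
        haveParsingBlockingScript = false;  // script finished
    }
};

// Runs "outer", whose beforeload handler synchronously runs "inner" and a
// cancelled "blocked" script; returns how often the entry invariant broke.
int violationsFor(bool claimFirst, std::vector<std::string>* order = nullptr) {
    ToyScriptRunner runner(claimFirst);
    runner.beforeLoad = [](ToyScriptRunner& r, const std::string& name) {
        if (name == "outer") {
            r.runScript("inner");
            r.runScript("blocked");
        }
        return name != "blocked";
    };
    runner.runScript("outer");
    if (order) *order = runner.executed;
    return runner.invariantViolations;
}
```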
is probably caused by this issue.
As of http://trac.webkit.org/changeset/61610 we believe this issue to be completely resolved. Adam is also mailing the W3C about Minefield's behavior discrepancy.
were all related to this fix, btw.