HTML TreeBuilder hits ASSERT in fragment case with insertAdjacentHTML and colgroup ASSERTION FAILED: isEmpty() (/Projects/WebKit/WebCore/html/HTMLTreeBuilder.cpp:299 WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer::~ExternalCharacterTokenBuffer()) Test case: <div id="test"></div> <script> testZone = document.getElementById('test'); var colgroup = document.createElement("colgroup"); testZone.appendChild(colgroup); colgroup.insertAdjacentHTML("beforeBegin", "HTML"); </script> Not sure why yet.
OK, the bug is that HTMLElement::insertAdjacentHTML is passing the wrong contextElement. It's passing the colgroup (this) instead of the div. It's possible that insertAdjacentHTML("afterBegin", "HTML") would hit this ASSERT too, but we need to fix the context element bug first. This bug has been around for forever, since the xml parser was always passed the wrong context. The design is wrong, because we can't create the DocumentFragment before we know where we're inserting it.
Ok, I've found and fixed one bug, but this still hits the ASSERT: var colgroup = document.createElement("colgroup"); shouldBeUndefined("colgroup.insertAdjacentHTML('afterBegin', 'text')");
It appears the spec wants to drop character tokens on the floor: http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#parsing-main-incolgroup Anything else Act as if an end tag with the tag name "colgroup" had been seen, and then, if that token wasn't ignored, reprocess the current token. The fake end tag token here can only be ignored in the fragment case. We don't have any way to "ignore" character tokens currently. We could make one. But this may also be a spec bug. The reduced test case to ASSERT is: document.createElement("colgroup").innerHTML = "foo";
I'd like to link to the spec bug you filed, but I can't seem to find it.
Created attachment 64167 [details] Patch
Comment on attachment 64167 [details] Patch I have not filed a bug about the colgroup issue, no.
Comment on attachment 64167 [details] Patch We need to fix the createContextualFragment nonsense.
Comment on attachment 64167 [details] Patch Clearing flags on attachment: 64167 Committed r65213: <http://trac.webkit.org/changeset/65213>
All reviewed patches have been landed. Closing bug.