Steps to reproduce: open http://websocket.org/echo.html ASSERTION FAILED: !node || node->isElementNode() /Users/ap/Safari/OpenSource/Source/WebCore/dom/Element.h(413) : WebCore::Element* WebCore::toElement(WebCore::Node*) 1 WebCore::toElement(WebCore::Node*) 2 WebCore::HTMLElementStack::ElementRecord::element() const 3 WebCore::HTMLElementStack::top() const 4 WebCore::HTMLConstructionSite::currentElement() const 5 WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&) 6 WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) 7 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 8 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) 9 WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString const&) 10 WebCore::HTMLDocumentParser::parseDocumentFragment(WTF::String const&, WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission) 11 WebCore::DocumentFragment::parseHTML(WTF::String const&, WebCore::Element*, WebCore::FragmentScriptingPermission) 12 WebCore::createFragmentFromSource(WTF::String const&, WebCore::Element*, int&) 13 WebCore::HTMLElement::setInnerHTML(WTF::String const&, int&) 14 WebCore::setJSHTMLElementInnerHTML(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) 15 bool JSC::lookupPut<WebCore::JSHTMLElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLElement*) 16 void JSC::lookupPut<WebCore::JSHTMLElement, WebCore::JSElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLElement*, JSC::PutPropertySlot&) 17 WebCore::JSHTMLElement::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) 18 void JSC::lookupPut<WebCore::JSHTMLDivElement, WebCore::JSHTMLElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLDivElement*, JSC::PutPropertySlot&) 19 WebCore::JSHTMLDivElement::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) 20 JSC::JSValue::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) 21 cti_op_put_by_id 22 jscGeneratedNativeCode 23 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 24 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) 25 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) 26 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue) 27 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) 28 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) 29 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) 30 WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) 31 WebCore::HTMLScriptRunner::executeParsingBlockingScript()
Created attachment 84621 [details] Test case Attached a reduction. This happens when the root node of a fragment is foreign content. This is simple to fix.
Created attachment 84625 [details] Patch
Comment on attachment 84625 [details] Patch Thanks.
Comment on attachment 84625 [details] Patch Clearing flags on attachment: 84625 Committed r80320: <http://trac.webkit.org/changeset/80320>
All reviewed patches have been landed. Closing bug.