Bug 55697 - Assertion failure in toElement(WebCore::Node*)
Summary: Assertion failure in toElement(WebCore::Node*)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.6
Importance: P2 Major
Assignee: Andy Estes
URL: http://websocket.org/echo.html
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-03 12:10 PST by Alexey Proskuryakov
Modified: 2011-03-03 21:15 PST

See Also:


Attachments
Test case (63 bytes, text/html)
2011-03-03 14:03 PST, Andy Estes
no flags
Patch (3.52 KB, patch)
2011-03-03 14:13 PST, Andy Estes
no flags

Description Alexey Proskuryakov 2011-03-03 12:10:38 PST
Steps to reproduce: open http://websocket.org/echo.html

ASSERTION FAILED: !node || node->isElementNode()
/Users/ap/Safari/OpenSource/Source/WebCore/dom/Element.h(413) : WebCore::Element* WebCore::toElement(WebCore::Node*)
1   WebCore::toElement(WebCore::Node*)
2   WebCore::HTMLElementStack::ElementRecord::element() const
3   WebCore::HTMLElementStack::top() const
4   WebCore::HTMLConstructionSite::currentElement() const
5   WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&)
6   WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&)
7   WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
8   WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
9   WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString const&)
10  WebCore::HTMLDocumentParser::parseDocumentFragment(WTF::String const&, WebCore::DocumentFragment*, WebCore::Element*, WebCore::FragmentScriptingPermission)
11  WebCore::DocumentFragment::parseHTML(WTF::String const&, WebCore::Element*, WebCore::FragmentScriptingPermission)
12  WebCore::createFragmentFromSource(WTF::String const&, WebCore::Element*, int&)
13  WebCore::HTMLElement::setInnerHTML(WTF::String const&, int&)
14  WebCore::setJSHTMLElementInnerHTML(JSC::ExecState*, JSC::JSObject*, JSC::JSValue)
15  bool JSC::lookupPut<WebCore::JSHTMLElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLElement*)
16  void JSC::lookupPut<WebCore::JSHTMLElement, WebCore::JSElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLElement*, JSC::PutPropertySlot&)
17  WebCore::JSHTMLElement::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&)
18  void JSC::lookupPut<WebCore::JSHTMLDivElement, WebCore::JSHTMLElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLDivElement*, JSC::PutPropertySlot&)
19  WebCore::JSHTMLDivElement::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&)
20  JSC::JSValue::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&)
21  cti_op_put_by_id
22  jscGeneratedNativeCode
23  JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
24  JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*)
25  JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue)
26  WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue)
27  WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*)
28  WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&)
29  WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&)
30  WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&)
31  WebCore::HTMLScriptRunner::executeParsingBlockingScript()
Comment 1 Andy Estes 2011-03-03 14:03:03 PST
Created attachment 84621
Test case

Attached a reduction. This happens when the root node of a fragment is foreign content. This is simple to fix.
Comment 2 Andy Estes 2011-03-03 14:13:31 PST
Created attachment 84625
Patch
Comment 3 Eric Seidel (no email) 2011-03-03 14:16:59 PST
Comment on attachment 84625
Patch

Thanks.
Comment 4 WebKit Commit Bot 2011-03-03 21:15:20 PST
Comment on attachment 84625
Patch

Clearing flags on attachment: 84625

Committed r80320: <http://trac.webkit.org/changeset/80320>
Comment 5 WebKit Commit Bot 2011-03-03 21:15:25 PST
All reviewed patches have been landed.  Closing bug.