[Webkit-unassigned] [Bug 137959] New: Should never be reached assertion hit in WebCore::DocumentOrderedMap::get

bugzilla-daemon at webkit.org
Wed Oct 22 07:59:19 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=137959

            Bug ID: 137959
           Summary: Should never be reached assertion hit in
                    WebCore::DocumentOrderedMap::get
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rhodovan.u-szeged at partner.samsung.com
                CC: cdumez at apple.com, ggaren at apple.com, rniwa at webkit.org
            Blocks: 116980

Created attachment 240274
  --> https://bugs.webkit.org/attachment.cgi?id=240274&action=review
Test case

The failing test case:

<!DOCTYPE html>
<a>
    <p>
        <b>
            <u id="test"/>
            <keygen form="test"/>
        </b>
</a>


The bug is also present in Blink and it's reported under crbug.com/426005.

Backtrace:

SHOULD NEVER BE REACHED
../../Source/WebCore/dom/DocumentOrderedMap.cpp(155) : WebCore::Element* WebCore::DocumentOrderedMap::get(const WTF::AtomicStringImpl&, const WebCore::TreeScope&) const [with bool (* keyMatches)(const WTF::AtomicStringImpl&, const WebCore::Element&) = WebCore::keyMatchesId]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff98c1f700 (LWP 20393)]
0x00007fffedae91b5 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321     *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fffedae91b5 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff307b3fc in WebCore::DocumentOrderedMap::get<&WebCore::keyMatchesId> (this=0x796f80, key=..., scope=...) at ../../Source/WebCore/dom/DocumentOrderedMap.cpp:155
#2  0x00007ffff307a655 in WebCore::DocumentOrderedMap::getElementById (this=0x796f80, key=..., scope=...) at ../../Source/WebCore/dom/DocumentOrderedMap.cpp:161
#3  0x00007ffff3134d70 in WebCore::TreeScope::getElementById (this=0x788d78, elementId=...) at ../../Source/WebCore/dom/TreeScope.cpp:107
#4  0x00007ffff3248d24 in WebCore::FormAssociatedElement::findAssociatedForm (element=0x798160, currentAssociatedForm=0x0) at ../../Source/WebCore/html/FormAssociatedElement.cpp:100
#5  0x00007ffff3248f77 in WebCore::FormAssociatedElement::resetFormOwner (this=0x7981c8) at ../../Source/WebCore/html/FormAssociatedElement.cpp:153
#6  0x00007ffff324943e in WebCore::FormAssociatedElement::formAttributeTargetChanged (this=0x7981c8) at ../../Source/WebCore/html/FormAssociatedElement.cpp:250
#7  0x00007ffff324952c in WebCore::FormAttributeTargetObserver::idTargetChanged (this=0x94d330) at ../../Source/WebCore/html/FormAssociatedElement.cpp:272
#8  0x00007ffff30b3d3b in WebCore::IdTargetObserverRegistry::notifyObserversInternal (this=0xa7bfa0, id=...) at ../../Source/WebCore/dom/IdTargetObserverRegistry.cpp:70
#9  0x00007ffff3136270 in WebCore::IdTargetObserverRegistry::notifyObservers (this=0xa7bfa0, id=...) at ../../Source/WebCore/dom/IdTargetObserverRegistry.h:73
#10 0x00007ffff3134f7d in WebCore::TreeScope::removeElementById (this=0x788d78, elementId=..., element=...) at ../../Source/WebCore/dom/TreeScope.cpp:143
#11 0x00007ffff3094242 in WebCore::Element::updateIdForTreeScope (this=0x85e0a0, scope=..., oldId=..., newId=...) at ../../Source/WebCore/dom/Element.cpp:2658
#12 0x00007ffff308f321 in WebCore::Element::removedFrom (this=0x85e0a0, insertionPoint=...) at ../../Source/WebCore/dom/Element.cpp:1391
#13 0x00007ffff300b6af in WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument (this=0x7fffffffce00, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:240
#14 0x00007ffff301085d in WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument (this=0x7fffffffce00, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:71
#15 0x00007ffff300b6dd in WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument (this=0x7fffffffce00, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:243
#16 0x00007ffff301085d in WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument (this=0x7fffffffce00, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:71
#17 0x00007ffff300b6dd in WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument (this=0x7fffffffce00, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:243
#18 0x00007ffff300b7cf in WebCore::ChildNodeRemovalNotifier::notify (this=0x7fffffffce00, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.h:258
#19 0x00007ffff30083e9 in WebCore::ContainerNode::parserRemoveChild (this=0xa7cab0, oldChild=...) at ../../Source/WebCore/dom/ContainerNode.cpp:627
#20 0x00007ffff338ba2d in WebCore::insert (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:93
#21 0x00007ffff338bcff in WebCore::executeInsertAlreadyParsedChildTask (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:127
#22 0x00007ffff338bdb6 in WebCore::executeTask (task=...) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:147
#23 0x00007ffff338c104 in WebCore::HTMLConstructionSite::executeQueuedTasks (this=0xa7c818) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:193
#24 0x00007ffff33bde90 in WebCore::HTMLTreeBuilder::constructTree (this=0xa7c800, token=0x7fffffffcf90) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:367
#25 0x00007ffff3395827 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x8562f0, rawToken=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:352
#26 0x00007ffff339545d in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x8562f0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:309
#27 0x00007ffff3394bf5 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x8562f0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:189
#28 0x00007ffff3395dbd in WebCore::HTMLDocumentParser::append (this=0x8562f0, inputSource=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:428
#29 0x00007ffff301f521 in WebCore::DecodedDataDocumentParser::flush (this=0x8562f0, writer=...) at ../../Source/WebCore/dom/DecodedDataDocumentParser.cpp:60
#30 0x00007ffff35031d7 in WebCore::DocumentWriter::end (this=0x850b90) at ../../Source/WebCore/loader/DocumentWriter.cpp:243
#31 0x00007ffff34ee75b in WebCore::DocumentLoader::finishedLoading (this=0x850af0, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441
#32 0x00007ffff34ee4c4 in WebCore::DocumentLoader::notifyFinished (this=0x850af0, resource=0x84c560) at ../../Source/WebCore/loader/DocumentLoader.cpp:375
#33 0x00007ffff35a0a5a in WebCore::CachedResource::checkNotify (this=0x84c560) at ../../Source/WebCore/loader/cache/CachedResource.cpp:347
#34 0x00007ffff35a0b64 in WebCore::CachedResource::finishLoading (this=0x84c560) at ../../Source/WebCore/loader/cache/CachedResource.cpp:363
#35 0x00007ffff359d466 in WebCore::CachedRawResource::finishLoading (this=0x84c560, data=0xa7e1e0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:101
#36 0x00007ffff35518fa in WebCore::SubresourceLoader::didFinishLoading (this=0x84cad0, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:309
#37 0x00007ffff354d57d in WebCore::ResourceLoader::didFinishLoading (this=0x84cad0, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:512
#38 0x00007ffff3ef1333 in WebCore::readCallback (asyncResult=0xa7c1c0, data=0x85d170) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1306
#39 0x00007fffeb86c7d6 in async_ready_callback_wrapper (source_object=0x9c5ed0, res=0xa7c1c0, user_data=user_data at entry=0x85d170) at ginputstream.c:523
#40 0x00007fffeb8920d5 in g_task_return_now (task=0xa7c1c0) at gtask.c:1077
#41 0x00007fffeb8920f9 in complete_in_idle_cb (task=0xa7c1c0) at gtask.c:1086
#42 0x00007fffeaad1a2d in g_main_dispatch (context=0x6777f0) at gmain.c:3064
#43 g_main_context_dispatch (context=context at entry=0x6777f0) at gmain.c:3663
#44 0x00007fffeaad1d98 in g_main_context_iterate (context=0x6777f0, block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>) at gmain.c:3734
#45 0x00007fffeaad205a in g_main_loop_run (loop=0xb00db0) at gmain.c:3928
#46 0x00007ffff457c386 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#47 0x00007ffff2ad6a46 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd8b8) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#48 0x00007ffff2ad68ab in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd8b8) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#49 0x0000000000400871 in main (argc=2, argv=0x7fffffffd8b8) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44
