[Webkit-unassigned] [Bug 187805] New: Crash when throwing exceptions in custom element reactions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 19 09:13:04 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=187805

            Bug ID: 187805
           Summary: Crash when throwing exceptions in custom element
                    reactions
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
               URL: https://html.spec.whatwg.org/multipage/custom-elements
                    .html#cereactions
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fred.wang at free.fr
                CC: cdumez at apple.com, rniwa at webkit.org, rwlbuis at gmail.com
            Blocks: 154907

Crash test: https://w3c-test.org/custom-elements/reactions/with-exceptions.html

#0  0x00007fdcc8648acc in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:267
#1  0x00007fdcd32f104a in JSC::ExceptionScope::assertNoException (this=0x7ffc0c172fa0)
    at DerivedSources/ForwardingHeaders/JavaScriptCore/ExceptionScope.h:46
#2  0x00007fdcc801517d in JSC::Interpreter::executeCall (this=0x7fdcb26ff7a8, callFrame=0x7fdc606ddfa8, 
    function=0x7fdc4566a8b0, callType=<incomplete type>, callData=..., thisValue=..., args=...)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:973
#3  0x00007fdcc824763e in JSC::call (exec=0x7fdc606ddfa8, functionObject=..., callType=<incomplete type>, callData=..., 
    thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:41
#4  0x00007fdcc82476fb in JSC::call (exec=0x7fdc606ddfa8, functionObject=..., callType=<incomplete type>, callData=..., 
    thisValue=..., args=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:48
#5  0x00007fdcd3c737d8 in (anonymous namespace)::JSMainThreadExecState::call (exec=0x7fdc606ddfa8, functionObject=..., 
    callType=<incomplete type>, callData=..., thisValue=..., args=..., returnedException=...)
    at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:54
#6  0x00007fdcd3c6fc67 in (anonymous namespace)::JSCustomElementInterface::invokeCallback((anonymous namespace)::Element &, JSC::JSObject *, const WTF::Function<void(JSC::ExecState*, WebCore::JSDOMGlobalObject*, JSC::MarkedArgumentBuffer&)> &) (
    this=0x7fdc542a1630, element=..., callback=0x7fdc4566a8b0, addArguments=...)
    at ../../Source/WebCore/bindings/js/JSCustomElementInterface.cpp:254
#7  0x00007fdcd3c6fe6e in (anonymous namespace)::JSCustomElementInterface::invokeDisconnectedCallback (this=0x7fdc542a1630, 
    element=...) at ../../Source/WebCore/bindings/js/JSCustomElementInterface.cpp:279
#8  0x00007fdcd3fc79c6 in (anonymous namespace)::CustomElementReactionQueueItem::invoke (this=0x7fdcb2660380, element=..., 
    elementInterface=...) at ../../Source/WebCore/dom/CustomElementReactionQueue.cpp:82
#9  0x00007fdcd3fc3b25 in (anonymous namespace)::CustomElementReactionQueue::invokeAll (this=0x55d0007d83e0, element=...)
    at ../../Source/WebCore/dom/CustomElementReactionQueue.cpp:209
#10 0x00007fdcd3fc7c88 in (anonymous namespace)::CustomElementReactionStack::ElementQueue::invokeAll (this=0x55d000863a40)
    at ../../Source/WebCore/dom/CustomElementReactionQueue.cpp:230
#11 0x00007fdcd3fc3c6c in (anonymous namespace)::CustomElementReactionStack::processQueue (this=0x7ffc0c173500)
    at ../../Source/WebCore/dom/CustomElementReactionQueue.cpp:256
#12 0x00007fdcd2e232f3 in (anonymous namespace)::CustomElementReactionStack::~CustomElementReactionStack (this=0x7ffc0c173500, 
    __in_chrg=<optimized out>) at ../../Source/WebCore/dom/CustomElementReactionQueue.h:74
#13 0x00007fdcd541da20 in (anonymous namespace)::jsCharacterDataPrototypeFunctionBeforeBody (state=0x7ffc0c173600, 
    castedThis=0x7fdc60663c20, throwScope=...) at DerivedSources/WebCore/JSCharacterData.cpp:384
#14 0x00007fdcd5423818 in (anonymous namespace)::IDLOperation<WebCore::JSCharacterData>::call<WebCore::jsCharacterDataPrototypeFunctionBeforeBody> (state=..., operationName=0x7fdcd803d533 "before") at ../../Source/WebCore/bindings/js/JSDOMOperation.h:53
#15 0x00007fdcd541da49 in (anonymous namespace)::jsCharacterDataPrototypeFunctionBefore (state=0x7ffc0c173600)
    at DerivedSources/WebCore/JSCharacterData.cpp:394


Referenced Bugs:

https://bugs.webkit.org/show_bug.cgi?id=154907
[Bug 154907] Implement custom elements API
-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180719/3f6b2a3d/attachment-0001.html>

More information about the webkit-unassigned mailing list