[Webkit-unassigned] [Bug 191532] New: ASSERTION FAILED: !m_embeddedObjectsToUpdate->contains(nullptr) in WebCore::FrameView::updateEmbeddedObjects

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Nov 11 18:28:01 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=191532

            Bug ID: 191532
           Summary: ASSERTION FAILED:
                    !m_embeddedObjectsToUpdate->contains(nullptr) in
                    WebCore::FrameView::updateEmbeddedObjects
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Macintosh
                OS: macOS 10.14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: hodovan at inf.u-szeged.hu

Created attachment 354522

  --> https://bugs.webkit.org/attachment.cgi?id=354522&action=review

Test

Load the attached test with debug WebKitTestRunner / MiniBrowser:

<object>
    <object>
        <object>a</object>
    </object>
<object onbeforeload="event.target.parentNode.removeChild(event.target)"></object>


Checked revision: 2698c9fc7de
The issue can be reproduced both on Mac and GTK.

Backtrace:

ASSERTION FAILED: !m_embeddedObjectsToUpdate->contains(nullptr)
./page/FrameView.cpp(3198) : bool WebCore::FrameView::updateEmbeddedObjects()
1   0x58800fd39 WTFCrash
2   0x562b210b0 WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::Vector()
3   0x569bfa4f7 WebCore::FrameView::updateEmbeddedObjects()
4   0x569bc2858 WebCore::FrameView::updateEmbeddedObjectsTimerFired()
5   0x569bfac19 WebCore::FrameView::flushAnyPendingPostLayoutTasks()
6   0x5681c8008 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
7   0x568da092c WebCore::HTMLObjectElement::renderWidgetLoadingPlugin() const
8   0x568de198f WebCore::HTMLPlugInElement::pluginWidget(WebCore::HTMLPlugInElement::PluginLoadingPolicy) const
9   0x56763ba00 WebCore::pluginScriptObjectFromPluginViewBase(WebCore::HTMLPlugInElement&, JSC::JSGlobalObject*)
10  0x56763b93b WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*)
11  0x56763be94 WebCore::pluginElementCustomGetOwnPropertySlot(WebCore::JSHTMLElement*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
12  0x564a80e26 WebCore::JSHTMLObjectElement::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
13  0x58902ce3c JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
14  0x58902a93f bool JSC::JSObject::getPropertySlot<false>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
15  0x58a94b205 JSC::JSValue::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
16  0x58a9002ec JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
17  0x58b5df82f llint_slow_path_get_by_id
18  0x588f99af2 llint_entry
19  0x588f92662 vmEntryToJavaScript
20  0x58b26a4d9 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
21  0x58b26b620 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
22  0x58ba764c7 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
23  0x58ba76a3d JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
24  0x58ba777d3 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
25  0x5675435c6 WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
26  0x5675fb435 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)
27  0x568416ffa WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase)
28  0x56840c64c WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)
29  0x568505c73 WebCore::Node::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)
30  0x5683cbebe WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const
31  0x568404fb3 WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)
