[Webkit-unassigned] [Bug 196895] New: ASSERT fires when removing disallowed clones from the shadow tree without resetting its corresponding element

bugzilla-daemon at webkit.org
Sat Apr 13 02:42:26 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=196895

            Bug ID: 196895
           Summary: ASSERT fires when removing disallowed clones from the
                    shadow tree without resetting its corresponding element
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: zimmermann at kde.org

Created attachment 367382

  --> https://bugs.webkit.org/attachment.cgi?id=367382&action=review

test case (will assert in debug)

Open the attached file. The following assertion will fire:

ASSERTION FAILED: listener.wasCreatedFromMarkup()
svg/SVGElement.cpp(434) : virtual bool WebCore::SVGElement::removeEventListener(const WTF::AtomicString &, WebCore::EventListener &, const WebCore::EventTarget::ListenerOptions &)
1   0x129513c29 WTFCrash
2   0x1140327eb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x117e697cc WebCore::SVGElement::removeEventListener(WTF::AtomicString const&, WebCore::EventListener&, WebCore::EventTarget::ListenerOptions const&)
4   0x1180c75ad WebCore::SVGTRefTargetEventListener::detach()
5   0x1180c89ae WebCore::SVGTRefElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&)
6   0x116640bd7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
7   0x116640ca7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
8   0x116640ca7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
9   0x116640a6f WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&)
10  0x11663cead WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource)
11  0x11663c6f0 WebCore::ContainerNode::removeChild(WebCore::Node&)
12  0x11663adca WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul>&)
13  0x11663a63a WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*)
14  0x1167fbdc9 WebCore::Node::after(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>&&)
15  0x114a76198 WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)
16  0x114a52c40 long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*)
17  0x114a5292c WebCore::jsElementPrototypeFunctionAfter(JSC::ExecState*)
18  0x64000c21016b
19  0x129a2e64c llint_entry
20  0x129a2e4d3 llint_entry
21  0x129a1b122 vmEntryToJavaScript
22  0x12a6a5277 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
23  0x12a6a58ad JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
24  0x12a97be9c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
25  0x12a97bf8a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
26  0x12a97c27e JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
27  0x11611ea58 WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
28  0x11616929c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)
29  0x1167a3a5a WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase)
30  0x1167a3502 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)
31  0x117178d0e WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)
