[Webkit-unassigned] [Bug 196895] New: ASSERT fires when removing disallowed clones from the shadow tree without reseting its corresponding element
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Apr 13 02:42:26 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=196895
Bug ID: 196895
Summary: ASSERT fires when removing disallowed clones from the
shadow tree without reseting its corresponding element
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: SVG
Assignee: webkit-unassigned at lists.webkit.org
Reporter: sabouhallawa at apple.com
CC: zimmermann at kde.org
Created attachment 367382
--> https://bugs.webkit.org/attachment.cgi?id=367382&action=review
test case (will assert in debug)
Open the attached file. The following assertion will fire:
ASSERTION FAILED: listener.wasCreatedFromMarkup()
svg/SVGElement.cpp(434) : virtual bool WebCore::SVGElement::removeEventListener(const WTF::AtomicString &, WebCore::EventListener &, const WebCore::EventTarget::ListenerOptions &)
1 0x129513c29 WTFCrash
2 0x1140327eb WTFCrashWithInfo(int, char const*, char const*, int)
3 0x117e697cc WebCore::SVGElement::removeEventListener(WTF::AtomicString const&, WebCore::EventListener&, WebCore::EventTarget::ListenerOptions const&)
4 0x1180c75ad WebCore::SVGTRefTargetEventListener::detach()
5 0x1180c89ae WebCore::SVGTRefElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&)
6 0x116640bd7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
7 0x116640ca7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
8 0x116640ca7 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&)
9 0x116640a6f WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&)
10 0x11663cead WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource)
11 0x11663c6f0 WebCore::ContainerNode::removeChild(WebCore::Node&)
12 0x11663adca WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul>&)
13 0x11663a63a WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*)
14 0x1167fbdc9 WebCore::Node::after(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>&&)
15 0x114a76198 WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)
16 0x114a52c40 long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*)
17 0x114a5292c WebCore::jsElementPrototypeFunctionAfter(JSC::ExecState*)
18 0x64000c21016b
19 0x129a2e64c llint_entry
20 0x129a2e4d3 llint_entry
21 0x129a1b122 vmEntryToJavaScript
22 0x12a6a5277 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
23 0x12a6a58ad JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
24 0x12a97be9c JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
25 0x12a97bf8a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
26 0x12a97c27e JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
27 0x11611ea58 WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
28 0x11616929c WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)
29 0x1167a3a5a WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase)
30 0x1167a3502 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)
31 0x117178d0e WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190413/2d4eb4d7/attachment.html>
More information about the webkit-unassigned
mailing list