[Webkit-unassigned] [Bug 224408] New: Crash in WebCore::SlotAssignment::assignedNodesForSlot loading https://redhat.com

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Apr 10 17:17:07 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=224408

            Bug ID: 224408
           Summary: Crash in WebCore::SlotAssignment::assignedNodesForSlot
                    loading https://redhat.com
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org

Created attachment 425692

  --> https://bugs.webkit.org/attachment.cgi?id=425692&action=review

bt full

WebKitGTK 2.32.0 is unable to load redhat.com, which somehow I didn't notice until now. I will attach a full backtrace, but looks like something bad happening in shadow DOM code:

#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fa1b8da7855 in __GI_abort () at abort.c:79
#2  0x00007fa1ba9711bf in CRASH_WITH_INFO(...) ()
    at DerivedSources/ForwardingHeaders/wtf/Assertions.h:713
#3  WebCore::SlotAssignment::assignedNodesForSlot(WebCore::HTMLSlotElement const&, WebCore::ShadowRoot&) (this=0x7f87ceef4360, slotElement=..., shadowRoot=...)
    at ../Source/WebCore/dom/SlotAssignment.cpp:319
#4  0x00007fa1ba971318 in WebCore::ShadowRoot::assignedNodesForSlot(WebCore::HTMLSlotElement const&) (this=this at entry=0x7fa13031ec68, slot=...)
    at ../Source/WebCore/dom/ShadowRoot.cpp:260
#5  0x00007fa1bab469ca in WebCore::HTMLSlotElement::assignedNodes() const
    (this=0x7fa0ec7645a0) at ../Source/WebCore/html/HTMLSlotElement.cpp:104
#6  0x00007fa1ba8836e5 in WebCore::ComposedTreeIterator::traverseNextInShadowTree() (this=0x7fff3e601020) at ../Source/WebCore/dom/ComposedTreeIterator.cpp:164
#7  0x00007fa1bb3cc578 in WebCore::ComposedTreeIterator::traverseNext()
    (this=this at entry=0x7fff3e601020)
    at ../Source/WebCore/dom/ComposedTreeIterator.h:101
#8  0x00007fa1bb3c6473 in WebCore::ComposedTreeIterator::operator++()
    (this=0x7fff3e601020) at ../Source/WebCore/dom/ComposedTreeIterator.h:49
#9  WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)
    (root=..., teardownType=<optimized out>, builder=...)
    at ../Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:601
#10 0x00007fa1bb3c661e in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) (root=...)
    at ../Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:533
#11 0x00007fa1ba8f31fe in WebCore::ShadowRoot::hostChildElementDidChange(WebCore::Element const&)
    (childElement=..., this=0x7fa13031ee38) at ../Source/WebCore/dom/SlotAssignment.h:137
#12 WebCore::Element::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&)
    (this=0x7fa0ec774930, insertionType=..., parentOfInsertedTree=...) at ../Source/WebCore/dom/Element.cpp:2166
#13 0x00007fa1ba88f0cb in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange, WTF::OptionSet<WebCore::Node::AncestorState>, WebCore::NodeVector&)
    (parentOfInsertedTree=..., node=..., treeScopeChange=WebCore::TreeScopeChange::Changed, ancestorStates=..., postInsertionNotificationTargets=...) at ../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:48
#14 0x00007fa1ba88fa85 in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&)
    (parentOfInsertedTree=..., node=...) at ../Source/WebCore/dom/Node.h:914
#15 0x00007fa1ba87e1a8 in WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::<lambda()> >
    (doNodeInsertion=..., replacedAllChildren=WebCore::ReplacedAllChildren::No, source=WebCore::ContainerNode::ChildChange::Source::API, child=..., containerNode=...) at ../Source/WebCore/dom/Document.h:885
#16 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)
    (this=this at entry=0x7fa0ec7742a0, newChild=...) at ../Source/WebCore/dom/ContainerNode.cpp:764
#17 0x00007fa1ba87e81e in WebCore::ContainerNode::appendChild(WebCore::Node&) (this=0x7fa0ec7742a0, newChild=...)
    at ../Source/WebCore/dom/ContainerNode.cpp:730
#18 0x00007fa1ba933925 in WebCore::Node::appendChild(WebCore::Node&) (this=this at entry=0x7fa0ec7742a0, newChild=...)
    at ../Source/WebCore/dom/Node.cpp:511
#19 0x00007fa1b9fe20e8 in WebCore::jsNodePrototypeFunction_appendChildBody
    (castedThis=<optimized out>, callFrame=<optimized out>, lexicalGlobalObject=0x7fa130491068)
    at DerivedSources/WebCore/JSNode.cpp:873
#20 WebCore::IDLOperation<WebCore::JSNode>::call<WebCore::jsNodePrototypeFunction_appendChildBody>
    (operationName=0x7fa1bb9a6b9c "appendChild", callFrame=..., lexicalGlobalObject=...)
    at ../Source/WebCore/bindings/js/JSDOMOperation.h:53
#21 WebCore::jsNodePrototypeFunction_appendChild(JSC::JSGlobalObject*, JSC::CallFrame*)
    (lexicalGlobalObject=0x7fa130491068, callFrame=<optimized out>) at DerivedSources/WebCore/JSNode.cpp:879
#22 0x00007fa163fff1d8 in  ()
#23 0x00007fff3e603a90 in  ()
#24 0x00007fa1b750dae7 in llint_op_call ()
    at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1093
#25 0x0000000000000000 in  ()

Good news: it's 100% reproducible. Sadly the most useful variables seem to be optimized out. I can try doing a debug build if desired.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210411/5ff06a73/attachment-0001.htm>

More information about the webkit-unassigned mailing list