[Webkit-unassigned] [Bug 225684] New: REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 11 19:25:38 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=225684

            Bug ID: 225684
           Summary: REGRESSION: Release assert in
                    SlotAssignment::assignedNodesForSlot via
                    ComposedTreeIterator::traverseNextInShadowTree in
                    Element::insertedIntoAncestor
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rniwa at webkit.org

e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x00000001090fcdf3 WTFCrashWithInfo(int, char const*, char const*, int) + 19
1   com.apple.WebCore                   0x000000010a3df43a WebCore::SlotAssignment::assignedNodesForSlot(WebCore::HTMLSlotElement const&, WebCore::ShadowRoot&) + 426
2   com.apple.WebCore                   0x000000010a5e96d0 WebCore::HTMLSlotElement::assignedNodes() const + 64
3   com.apple.WebCore                   0x000000010a301f1e WebCore::ComposedTreeIterator::traverseNextInShadowTree() + 222
4   com.apple.WebCore                   0x000000010aeb019c WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) + 316
5   com.apple.WebCore                   0x000000010a3e3031 WebCore::SlotAssignment::didChangeSlot(WTF::AtomString const&, WebCore::ShadowRoot&) + 257
6   com.apple.WebCore                   0x000000010a36f4be WebCore::Element::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) + 270
7   com.apple.WebCore                   0x000000010a3124fa WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 58
8   com.apple.WebCore                   0x000000010a312382 WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&) + 130
9   com.apple.WebCore                   0x000000010a306016 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 998
10  com.apple.WebCore                   0x000000010a3a812d WebCore::Node::appendChild(WebCore::Node&) + 93
11  com.apple.WebCore                   0x0000000109744a0f WebCore::jsNodePrototypeFunction_appendChild(JSC::JSGlobalObject*, JSC::CallFrame*) + 223

<rdar://77799319>

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210512/72997fb8/attachment-0001.htm>

More information about the webkit-unassigned mailing list