[Webkit-unassigned] [Bug 279834] New: REGRESSION(282648 at main): RELEASE_ASSERT fires when inserting an element with dir=auto into the shadowRoot of a detached element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 17 11:28:21 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=279834

            Bug ID: 279834
           Summary: REGRESSION(282648 at main): RELEASE_ASSERT fires when
                    inserting an element with dir=auto into the
                    shadowRoot of a detached element
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com

Open the attached test case

Result: WebKit crashes because the following RELEASE_ASSERT fires:

ASSERTION FAILED: slot
/Volumes/Data/WebKit/OpenSource/Source/WebCore/dom/SlotAssignment.cpp(358) : virtual const Vector<WeakPtr<Node, WeakPtrImplWithEventTargetData>> *WebCore::NamedSlotAssignment::assignedNodesForSlot(const HTMLSlotElement &, ShadowRoot &)
1   0x304c17550 WebCore::NamedSlotAssignment::assignedNodesForSlot(WebCore::HTMLSlotElement const&, WebCore::ShadowRoot&)
2   0x304bff0c4 WebCore::ShadowRoot::assignedNodesForSlot(WebCore::HTMLSlotElement const&)
3   0x30505a814 WebCore::HTMLSlotElement::assignedNodes() const
4   0x304a8f520 WebCore::computeTextDirectionOfSlotElement(WebCore::HTMLSlotElement const&)
5   0x304a8f004 WebCore::computeAutoDirectionality(WebCore::Element const&)
6   0x304a8f77c WebCore::computeTextDirection(WebCore::Element const&, WebCore::TextDirectionState)
7   0x304a8f938 WebCore::updateEffectiveTextDirectionState(WebCore::Element&, WebCore::TextDirectionState, WebCore::Element*)
8   0x304a26d6c WebCore::Element::updateEffectiveTextDirection()
9   0x304a27ee4 WebCore::Element::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&)
10  0x304f3da80 WebCore::HTMLElement::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&)
11  0x30505a444 WebCore::HTMLSlotElement::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&)
12  0x30489adfc WebCore::notifyNodeInsertedIntoTree(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange)
13  0x30489a8fc WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node>>, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
14  0x3048809ec void WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_0>(WebCore::ContainerNode&, WebCore::Node&, WebCore::Node*, WebCore::ContainerNode::ChildChange::Source, WebCore::ReplacedAllChildren, WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_0)
15  0x30487dac0 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)
16  0x3048808c4 WebCore::ContainerNode::appendChild(WebCore::Node&)
17  0x304e25824 WebCore::replaceChildrenWithFragment(WebCore::ContainerNode&, WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment>, WTF::DefaultRefDerefTraits<WebCore::DocumentFragment>>&&)
18  0x304bfe014 WebCore::ShadowRoot::replaceChildrenWithMarkup(WTF::String const&, WTF::OptionSet<WebCore::ParserContentPolicy>)
19  0x304bfe410 WebCore::ShadowRoot::setInnerHTML(std::__1::variant<WTF::RefPtr<WebCore::TrustedHTML, WTF::RawPtrTraits<WebCore::TrustedHTML>, WTF::DefaultRefDerefTraits<WebCore::TrustedHTML>>, WTF::String>&&)
20  0x3022d8650 WebCore::setJSShadowRoot_innerHTMLSetter(JSC::JSGlobalObject&, WebCore::JSShadowRoot&, JSC::JSValue)::'lambda'()::operator()() const
21  0x3022d85a8 void WebCore::invokeFunctorPropagatingExceptionIfNecessary<WebCore::setJSShadowRoot_innerHTMLSetter(JSC::JSGlobalObject&, WebCore::JSShadowRoot&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSShadowRoot_innerHTMLSetter(JSC::JSGlobalObject&, WebCore::JSShadowRoot&, JSC::JSValue)::'lambda'()&&)
22  0x3022d8508 WebCore::setJSShadowRoot_innerHTMLSetter(JSC::JSGlobalObject&, WebCore::JSShadowRoot&, JSC::JSValue)
23  0x30222112c bool WebCore::IDLAttribute<WebCore::JSShadowRoot>::set<&WebCore::setJSShadowRoot_innerHTMLSetter(JSC::JSGlobalObject&, WebCore::JSShadowRoot&, JSC::JSValue), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, JSC::PropertyName)
24  0x302220ff8 WebCore::setJSShadowRoot_innerHTML(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName)
25  0x12e0060f4 WTF::FunctionPtr<(WTF::PtrTag)28258, bool (JSC::JSGlobalObject*, long long, long long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName) const
26  0x12e109918 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
27  0x12d670840 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
28  0x12d6704e8 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
29  0x12d673400 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
30  0x12dce215c llint_slow_path_put_by_id
31  0x12ebd7c28 jsc_llint_llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__opPutByIdSlow
com.apple.WebKit.WebContent.Development terminated (pid 35834) for reason: crash
