RESOLVED FIXED 247412
Assertion failure in TreeScopeOrderedMap::add by TreeScope::addElementByName
https://bugs.webkit.org/show_bug.cgi?id=247412
Summary Assertion failure in TreeScopeOrderedMap::add by TreeScope::addElementByName
Ryosuke Niwa
Reported 2022-11-03 00:00:35 PDT
e.g.
ASSERTION FAILED: !entry.registeredElements.contains(&element)
dom/TreeScopeOrderedMap.cpp(63) : void WebCore::TreeScopeOrderedMap::add(const WTF::AtomStringImpl &, WebCore::Element &, const WebCore::TreeScope &)
1 0x4e264cde9 WTFCrash
2 0x4e264ce09 WTFCrashWithSecurityImplication
3 0x4fbe3aff1 WebCore::TreeScopeOrderedMap::add(WTF::AtomStringImpl const&, WebCore::Element&, WebCore::TreeScope const&)
4 0x4fbe3b4a1 WebCore::TreeScope::addElementByName(WTF::AtomStringImpl const&, WebCore::Element&)
5 0x4fbc9d1ea WebCore::Element::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&)
6 0x4fc090ad4 WebCore::HTMLElement::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&)
7 0x4fbb7eb21 WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
8 0x4fbb7e908 WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)
9 0x4fbb65966 void WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4>(WebCore::ContainerNode&, WebCore::Node&, WebCore::Node*, WebCore::ContainerNode::ChildChange::Source, WebCore::ReplacedAllChildren, WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4)
10 0x4fbb62e88 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)
11 0x4fbb6278a WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*)
12 0x4fbd6e33e WebCore::Node::after(WTF::FixedVector<std::__1::variant<WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >, WTF::String> >&&)
13 0x4f91c507f WebCore::jsElementPrototypeFunction_afterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()::operator()() const
14 0x4f91c4fb1 JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsElementPrototypeFunction_afterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsElementPrototypeFunction_afterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()&&)
15 0x4f91c4f3f WebCore::jsElementPrototypeFunction_afterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)
16 0x4f91c4cfe long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunction_afterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
17 0x4f91b4064 WebCore::jsElementPrototypeFunction_after(JSC::JSGlobalObject*, JSC::CallFrame*)
Attachments
Test (334 bytes, text/html)
2022-11-03 00:03 PDT, Ryosuke Niwa
no flags
Radar WebKit Bug Importer
Comment 1 2022-11-03 00:00:50 PDT
Ryosuke Niwa
Comment 2 2022-11-03 00:01:41 PDT
Ryosuke Niwa
Comment 3 2022-11-03 00:03:44 PDT
Ryosuke Niwa
Comment 4 2022-11-03 00:10:53 PDT
Luckily, there is no security implication here despite the assertion, since CachedHTMLCollection<HTMLCollectionClass, traversalType>::namedItem returns early when the input string is empty.
Ryosuke Niwa
Comment 5 2022-11-03 00:23:31 PDT
EWS
Comment 6 2022-11-03 12:35:24 PDT
Committed 256286@main (6231b9849576): <https://commits.webkit.org/256286@main> Reviewed commits have been landed. Closing PR #6077 and removing active labels.