Bug 213611

Summary: ASSERTION FAILED: (it != m_map.end()) in TreeScopeOrderedMap::remove
Product: WebKit Reporter: Jack <shihchieh_lee>
Component: ImagesAssignee: Jack <shihchieh_lee>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, changseok, esprehn+autocc, ews-watchlist, ggaren, gyuyoung.kim, mjs, rwlbuis
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch none

Description Jack 2020-06-25 11:23:47 PDT 
0   com.apple.JavaScriptCore      	0x0000000115e611be WTFCrash + 14 (Assertions.cpp:293)
1   com.apple.JavaScriptCore      	0x0000000115e611ce WTFCrashWithSecurityImplication + 14
2   com.apple.WebCore             	0x000000013cb07316 WebCore::TreeScopeOrderedMap::remove(WTF::AtomStringImpl const&, WebCore::Element&) + 694 (TreeScopeOrderedMap.cpp:81)
3   com.apple.WebCore             	0x000000013d06ff1e WebCore::HTMLDocument::removeDocumentNamedItem(WTF::AtomStringImpl const&, WebCore::Element&) + 46 (HTMLDocument.cpp:171)
4   com.apple.WebCore             	0x000000013c77fe2f WebCore::Element::updateIdForDocument(WebCore::HTMLDocument&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::HTMLDocumentNamedItemMapsUpdatingCondition) + 687 (Element.cpp:4079)
5   com.apple.WebCore             	0x000000013c780946 WebCore::Element::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) + 1430 (Element.cpp:2208)
6   com.apple.WebCore             	0x000000013d1050e8 WebCore::HTMLImageElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) + 1160 (HTMLImageElement.cpp:463)
7   com.apple.WebCore             	0x000000013c4e97f4 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) + 1076 (ContainerNodeAlgorithms.cpp:116)
8   com.apple.WebCore             	0x000000013c4e92ed WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&) + 445 (ContainerNodeAlgorithms.cpp:161)
9   com.apple.WebCore             	0x000000013c4def8d WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) + 1533 (ContainerNode.cpp:169)
10  com.apple.WebCore             	0x000000013c4ddd89 WebCore::ContainerNode::removeChild(WebCore::Node&) + 681 (ContainerNode.cpp:577)
11  com.apple.WebCore             	0x000000013c950873 WebCore::Node::remove() + 115 (Node.cpp:629)
12  com.apple.WebCore             	0x0000000137478fd0 WebCore::jsElementPrototypeFunctionRemoveBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*, JSC::ThrowScope&) + 448 (JSElement.cpp:4742)
Comment 1 Jack 2020-06-25 11:25:33 PDT 
<rdar::/64493506>
Comment 2 Jack 2020-06-25 11:25:48 PDT 
<rdar://64493506>
Comment 3 Jack 2020-06-25 12:40:37 PDT 
Test case:
<body><image id=img name=""></image>
<script>
    img.name = "new name";
    img.remove();
</script>

Cause of the crash:
1. Initially image element has an empty name so image's ID is not added to document's named item hash map. This is a behavior change after https://bugs.webkit.org/show_bug.cgi?id=212473.
2. Next we change image's name attribute in the script and add image's name to document's named item hash map. However, image's ID is still not added[1].
3. When we remove the image element, we try to remove image's ID from named item hash map because its name attribute is not empty. Since the ID was never added, it triggers the assertion in TreeScopeOrderedMap::remove().

Note:
[1] The reason we do not add image's ID in step #2:
Function HTMLImageElement::parseAttribute() is called multiple times in the test to check for valid name attribute and to add image's ID to document's named item. Once a valid name attribute is found, the function does not attempt to add ID anymore.

However, this part of code was not changed in bug 212473. We still consider empty name a valid attribute. Therefore, the first time HTMLImageElement::parseAttribute() is called when image has an empty name attribute, the function set a flag that denotes a valid name is found, and therefore ignore subsequent name changes.

Although the empty name is considered valid, image's ID was still not added to named item the first time, since another condition was not matched -- the node was not inserted when parseAttribute() is called at the first time.
Comment 4 Jack 2020-06-25 13:06:05 PDT 
Created attachment 402798 [details]
Patch
Comment 5 Geoffrey Garen 2020-06-25 13:21:11 PDT 
Comment on attachment 402798 [details]
Patch

r=me
Comment 6 EWS 2020-06-26 09:44:36 PDT 
Committed r263564: <https://trac.webkit.org/changeset/263564>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 402798 [details].