servo / servo

Servo, the embeddable, independent, memory-safe, modular, parallel web rendering engine
https://servo.org
Mozilla Public License 2.0

Panic in html/webappapis/dynamic-markup-insertion/opening-the-input-stream/quirks.window.js ("HierarchyRequest") #32975

Open jdm opened 3 months ago

jdm commented 3 months ago

To reproduce: `./mach test-wpt tests/wpt/tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/quirks.window.js`

Backtrace:

0:02.63 pid:14276 called `Result::unwrap()` on an `Err` value: HierarchyRequest (thread Script(1,1), at components/script/dom/servoparser/mod.rs:1039)
 0:04.46 pid:14276   12: core::result::unwrap_failed
 0:04.46 pid:14276              at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/result.rs:1654:5
 0:04.48 pid:14276   13: core::result::Result<T,E>::unwrap
 0:04.48 pid:14276              at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/result.rs:1077:23
 0:04.48 pid:14276       script::dom::servoparser::insert
 0:04.48 pid:14276              at /Users/jdm/src/servo/components/script/dom/servoparser/mod.rs:1039:13
 0:04.48 pid:14276   14: <script::dom::servoparser::Sink as markup5ever::interface::tree_builder::TreeSink>::append
 0:04.48 pid:14276              at /Users/jdm/src/servo/components/script/dom/servoparser/mod.rs:1206:9
 0:04.52 pid:14276   15: html5ever::tree_builder::TreeBuilder<Handle,Sink>::create_root
 0:04.52 pid:14276              at /Users/jdm/.cargo/registry/src/index.crates.io-6f17d22bba15001f/html5ever-0.27.0/src/tree_builder/mod.rs:1270:9
 0:04.52 pid:14276   16: html5ever::tree_builder::TreeBuilder<Handle,Sink>::step
 0:04.52 pid:14276              at /Users/jdm/src/servo/target/debug/build/html5ever-f04c04a792ea7401/out/rules.rs:44:1
 0:04.52 pid:14276   17: html5ever::tree_builder::TreeBuilder<Handle,Sink>::process_to_completion
 0:04.52 pid:14276              at /Users/jdm/.cargo/registry/src/index.crates.io-6f17d22bba15001f/html5ever-0.27.0/src/tree_builder/mod.rs:335:17
 0:04.52 pid:14276   18: <html5ever::tree_builder::TreeBuilder<Handle,Sink> as html5ever::tokenizer::interface::TokenSink>::process_token
 0:04.52 pid:14276              at /Users/jdm/.cargo/registry/src/index.crates.io-6f17d22bba15001f/html5ever-0.27.0/src/tree_builder/mod.rs:522:9
 0:04.54 pid:14276   19: html5ever::tokenizer::Tokenizer<Sink>::process_token
 0:04.54 pid:14276              at /Users/jdm/.cargo/registry/src/index.crates.io-6f17d22bba15001f/html5ever-0.27.0/src/tokenizer/mod.rs:237:13
 0:04.54 pid:14276   20: html5ever::tokenizer::Tokenizer<Sink>::process_token_and_continue
 0:04.54 pid:14276              at /Users/jdm/.cargo/registry/src/index.crates.io-6f17d22bba15001f/html5ever-0.27.0/src/tokenizer/mod.rs:243:13
 0:04.54 pid:14276   21: html5ever::tokenizer::Tokenizer<Sink>::emit_eof
 0:04.54 pid:14276              at /Users/jdm/.cargo/registry/src/index.crates.io-6f17d22bba15001f/html5ever-0.27.0/src/tokenizer/mod.rs:559:9
 0:04.54 pid:14276   22: html5ever::tokenizer::Tokenizer<Sink>::eof_step
 0:04.54 pid:14276              at /Users/jdm/.cargo/registry/src/index.crates.io-6f17d22bba15001f/html5ever-0.27.0/src/tokenizer/mod.rs:1491:36
 0:04.54 pid:14276   23: html5ever::tokenizer::Tokenizer<Sink>::end
 0:04.54 pid:14276              at /Users/jdm/.cargo/registry/src/index.crates.io-6f17d22bba15001f/html5ever-0.27.0/src/tokenizer/mod.rs:1451:19
 0:04.57 pid:14276   24: script::dom::servoparser::html::Tokenizer::end
 0:04.57 pid:14276              at /Users/jdm/src/servo/components/script/dom/servoparser/html.rs:91:9
 0:04.57 pid:14276   25: script::dom::servoparser::Tokenizer::end
 0:04.57 pid:14276              at /Users/jdm/src/servo/components/script/dom/servoparser/mod.rs:711:51
 0:04.57 pid:14276   26: script::dom::servoparser::ServoParser::finish
 0:04.57 pid:14276              at /Users/jdm/src/servo/components/script/dom/servoparser/mod.rs:653:9
 0:04.57 pid:14276   27: script::dom::servoparser::ServoParser::do_parse_sync
 0:04.57 pid:14276              at /Users/jdm/src/servo/components/script/dom/servoparser/mod.rs:577:13
 0:04.60 pid:14276   28: script::dom::servoparser::ServoParser::parse_sync::{{closure}}
 0:04.60 pid:14276              at /Users/jdm/src/servo/components/script/dom/servoparser/mod.rs:550:16
 0:04.63 pid:14276   29: profile_traits::time::profile
 0:04.63 pid:14276              at /Users/jdm/src/servo/components/shared/profile/time.rs:147:15
 0:04.63 pid:14276   30: script::dom::servoparser::ServoParser::parse_sync
 0:04.63 pid:14276              at /Users/jdm/src/servo/components/script/dom/servoparser/mod.rs:542:9
 0:04.63 pid:14276   31: script::dom::servoparser::ServoParser::close
 0:04.63 pid:14276              at /Users/jdm/src/servo/components/script/dom/servoparser/mod.rs:393:9
 0:04.66 pid:14276   32: <script::dom::document::Document as script::dom::bindings::codegen::Bindings::DocumentBinding::Document_Binding::DocumentMethods>::Close
 0:04.66 pid:14276              at /Users/jdm/src/servo/components/script/dom/document.rs:5362:9
 0:04.69 pid:14276   33: script::dom::bindings::codegen::Bindings::DocumentBinding::Document_Binding::close::{{closure}}::{{closure}}
 0:04.69 pid:14276              at /Users/jdm/src/servo/target/debug/build/script-84e8aed3a23eae36/out/Bindings/DocumentBinding.rs:3052:41
 0:04.69 pid:14276   34: script::dom::bindings::codegen::Bindings::DocumentBinding::Document_Binding::close::{{closure}}
 0:04.69 pid:14276              at /Users/jdm/src/servo/target/debug/build/script-84e8aed3a23eae36/out/Bindings/DocumentBinding.rs:3045:33
 0:04.69 pid:14276   35: core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &mut F>::call_once
 0:04.69 pid:14276              at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/ops/function.rs:305:13
 0:04.70 pid:14276   36: <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
 0:04.70 pid:14276              at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/panic/unwind_safe.rs:272:9
 0:04.70 pid:14276   37: std::panicking::try::do_call
 0:04.70 pid:14276              at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/std/src/panicking.rs:552:40
 0:04.70 pid:14276   38: ___rust_try
 0:04.70 pid:14276   39: std::panicking::try
 0:04.70 pid:14276              at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/std/src/panicking.rs:516:19
 0:04.70 pid:14276   40: std::panic::catch_unwind
 0:04.71 pid:14276              at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/std/src/panic.rs:146:14
 0:04.71 pid:14276   41: mozjs::panic::wrap_panic
 0:04.71 pid:14276              at /Users/jdm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/fb8225e/mozjs/src/panic.rs:22:11
 0:04.73 pid:14276   42: script::dom::bindings::codegen::Bindings::DocumentBinding::Document_Binding::close
 0:04.73 pid:14276              at /Users/jdm/src/servo/target/debug/build/script-84e8aed3a23eae36/out/Bindings/DocumentBinding.rs:3045:5
 0:04.75 pid:14276   43: CallJitMethodOp
 0:04.75 pid:14276              at /Users/runner/work/mozjs/mozjs/mozjs-sys/src/jsglue.cpp:616:10
 0:04.78 pid:14276   44: script::dom::bindings::utils::generic_call
 0:04.78 pid:14276              at /Users/jdm/src/servo/components/script/dom/bindings/utils.rs:520:5
 0:04.78 pid:14276   45: script::dom::bindings::utils::generic_method
 0:04.78 pid:14276              at /Users/jdm/src/servo/components/script/dom/bindings/utils.rs:536:5
 0:04.78 pid:14276   46: __ZN2js23InternalCallOrConstructEP9JSContextRKN2JS8CallArgsENS_14MaybeConstructENS_10CallReasonE
 0:04.78 pid:14276   47: __ZN2js9InterpretEP9JSContextRNS_8RunStateE
 0:04.78 pid:14276   48: __ZN2js9RunScriptEP9JSContextRNS_8RunStateE
 0:04.78 pid:14276   49: __ZN2js23InternalCallOrConstructEP9JSContextRKN2JS8CallArgsENS_14MaybeConstructENS_10CallReasonE
 0:04.78 pid:14276   50: __ZN2js4CallEP9JSContextN2JS6HandleINS2_5ValueEEES5_RKNS_13AnyInvokeArgsENS2_13MutableHandleIS4_EENS_10CallReasonE
 0:04.78 pid:14276   51: __ZN2js3jit14InvokeFunctionEP9JSContextN2JS6HandleIP8JSObjectEEbbjPNS3_5ValueENS3_13MutableHandleIS8_EE
 0:04.78 pid:14276   52: __ZN2js3jit25InvokeFromInterpreterStubEP9JSContextPNS0_30InterpreterStubExitFrameLayoutE

jdm commented 3 months ago

This specifically comes from:

```html
<iframe></iframe>
<script>
let i = document.querySelector('iframe');
i.contentDocument.open();
i.contentDocument.appendChild(i.contentDocument.createElement("html"));
i.contentDocument.close();
</script>
```

jdm commented 3 months ago

The same panic occurs in css/css-transitions/dynamic-root-element.html.

Taym95 commented 2 months ago

It looks like this is caused by: https://github.com/servo/servo/blob/d44c0f7e5dd9952506dfc491975cc84d7dac111a/components/script/dom/servoparser/mod.rs#L1015

but only when you try to appendChild an html element:

```js
// quirks.window.js
const html = frame.contentDocument.appendChild(frame.contentDocument.createElement("html"));

// dynamic-root-element.html.
let root = doc.createElement("html");
doc.appendChild(root);
```

jdm commented 2 months ago

I don't know if the kind of element matters, but appending to the document root when there's already a root element is the trigger.
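
The trigger described in this thread, as an added example that is not part of the issue or Servo's code: a simplified model of a document that rejects a second element child, with a parser insert that unwraps the result next to a hypothetical one that handles it. `Document`, `insert_unwrap`, `insert_checked` and `replay` are illustrative names, and dropping the rejected node is an assumption, not the project's fix.

```rust
#[derive(Debug, PartialEq)]
enum DomError { HierarchyRequest }

#[derive(Debug, PartialEq)]
enum Node { Element(&'static str), Comment(&'static str) }

#[derive(Debug, Default)]
struct Document { children: Vec<Node> }

impl Document {
    // DOM pre-insertion validity, reduced to one rule: at most one element child.
    fn append_child(&mut self, node: Node) -> Result<(), DomError> {
        let has_root = self.children.iter().any(|c| matches!(c, Node::Element(_)));
        if has_root && matches!(node, Node::Element(_)) {
            return Err(DomError::HierarchyRequest);
        }
        self.children.push(node);
        Ok(())
    }
}

// Parser insert that assumes only the parser ever mutates the tree.
fn insert_unwrap(doc: &mut Document, node: Node) {
    doc.append_child(node).unwrap();
}

// Hypothetical alternative: a rejected insertion is dropped, not fatal.
fn insert_checked(doc: &mut Document, node: Node) {
    if let Err(e) = doc.append_child(node) {
        eprintln!("parser insertion rejected: {e:?}");
    }
}

// Constructed replay of the issue's sequence: open(), script appendChild(<html>),
// then close(), at which point the parser creates its own root element.
fn replay(insert: fn(&mut Document, Node)) -> Document {
    let mut doc = Document::default();
    doc.append_child(Node::Element("html")).unwrap(); // script-side appendChild
    insert(&mut doc, Node::Comment("parser output")); // non-element child is accepted
    insert(&mut doc, Node::Element("html")); // parser root: second element child
    doc
}

fn main() {
    let panicked = std::panic::catch_unwind(|| replay(insert_unwrap)).is_err();
    println!("unwrap variant panicked: {panicked}");
    println!("checked variant tree: {:?}", replay(insert_checked).children);
}
```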