New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 632515 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Email to this user bounced
Closed: Aug 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug



Sign in to add a comment

Crash when appending V1 Custom Element to a non-main document

Project Member Reported by kschaaf@chromium.org, Jul 28 2016

Issue description

Version: 54.0.2810.2 canary (64-bit)
OS: OSX 10.11.5 (15F34)

What steps will reproduce the problem?

Run following snippit in browser:

customElements.define('x-foo', class extends HTMLElement {
  constructor() {
    super();
    console.log('created', this.localName);
  }
  connectedCallback() {
    console.log('connected', this.localName);
    this.attachShadow({mode:'open'}).
      appendChild(document.createElement('div'));
    this.shadowRoot.firstChild.innerHTML = 'Hi in shadow';
  }
});
var foo = document.createElement('x-foo');
var doc = document.implementation.createHTMLDocument();
doc.body.appendChild(foo); // << Crashes
console.assert(Boolean(doc.body.firstChild.shadowRoot));


What is the expected output?

No crash, assert passes

What do you see instead?

Tab crashes
 
Cc: davaajav@google.com
Owner: davaajav@google.com
Status: Started (was: Untriaged)
Thanks for filing this.

Crash ID from chrome://crashes , if you have it, would be useful.

I guess this is because CustomElement::definitionForElement does element->(new) document->window (null, oops) when we move the element to the new document.

Davaa is working on fixing this for the adopted callback right now.
Crash ID d389ef11-e8d5-47f7-98c1-9535c71ce858 (Server ID: 8f7420be00000000
Yep, this is dereferencing a null CustomElementDefinition. Thanks for filing this.
Issue 632571 has been merged into this issue.
Labels: -Pri-3 Pri-1
Status: Fixed (was: Started)
This should be fixed by davaajav in r409759.

Sign in to add a comment