39891 2010-05-28 11:37:15 -0700 HTML5ScriptRunner can re-enter from event dispatch 2010-06-22 01:45:29 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 39259 1 eric webkit-unassigned abarth tonyg oldest_to_newest 231827 0 eric 2010-05-28 11:37:15 -0700 HTML5ScriptRunner can re-enter from event dispatch HTML5ScriptRunner tries to only enter scripting when calling "executeScript" on the HTML5SriptRunnerHost, but I realize after writing it that it will also re-enter from events which will cause us to hit m_scriptNestingLevel ASSERTs and do the wrong thing. :) I tried to write a test for this, but it doesn't quite work yet, and I have more important bugs to fix in the code before I get back to this one so recording it for posterity: 1 <script> function doubleWrite(number) { document.write("<script>document.write(" + number ")</scr" + "ipt><script>document.write(" + (number+1) ")</scr" + "ipt>") } </script> 2 <script onbeforeload="doubleWrite(3)" onload="doubleWrite(5)" src="data:text/plain,doubleWrite(7)" ></script> 9 240032 1 59134 eric 2010-06-18 10:53:39 -0700 Created attachment 59134 Cleaned up test case which reveals at least one ASSERT in ToT The fix for the first assert: ASSERTION FAILED: !haveParsingBlockingScript() (/Projects/WebKit/WebCore/html/HTML5ScriptRunner.cpp:262 void WebCore::HTML5ScriptRunner::runScript(WebCore::Element*, int)) is to just re-order the setting of m_parsingBlockingScript until after the beforeLoad check, since the before load might cancel the script anyway! The next assertions you hit, of close m_source, relate to the insertion point never getting set for some of these calls. Those need a bit more thought. 240886 2 eric 2010-06-21 14:17:50 -0700 http://code.google.com/p/chromium/issues/detail?id=47080 is probably caused by this issue. 241188 3 eric 2010-06-22 01:44:49 -0700 As of http://trac.webkit.org/changeset/61610 we believe this issue to be completely resolved. Adam is also mailing the W3c about Minefield's behavior discrepancy. 241189 4 eric 2010-06-22 01:45:29 -0700 http://trac.webkit.org/changeset/61606 http://trac.webkit.org/changeset/61607 http://trac.webkit.org/changeset/61608 were all related to this fix, btw. 59134 2010-06-18 10:53:39 -0700 2010-06-18 10:53:39 -0700 Cleaned up test case which reveals at least one ASSERT in ToT docwrite.html text/html 300 eric MQo8c2NyaXB0PgpmdW5jdGlvbiBkb3VibGVXcml0ZShudW1iZXIpCnsKICAgIGRvY3VtZW50Lndy aXRlKCI8c2NyaXB0PmRvY3VtZW50LndyaXRlKCIgKyBudW1iZXIgKyAiKTwvc2NyIiArICJpcHQ+ PHNjcmlwdD5kb2N1bWVudC53cml0ZSgiICsgKG51bWJlcisxKSArICIpPC9zY3IiICsgImlwdD4i KTsKfQo8L3NjcmlwdD4KMgo8c2NyaXB0Cm9uYmVmb3JlbG9hZD0iZG91YmxlV3JpdGUoMykiCm9u bG9hZD0iZG91YmxlV3JpdGUoNSkiCnNyYz0iZGF0YTp0ZXh0L3BsYWluLGRvdWJsZVdyaXRlKDcp Igo+PC9zY3JpcHQ+CjkK