LibWeb: Crash loading youtube.com in document.importNode

[ADKaster]

Full backtrace https://gist.github.com/ADKaster/28ac590d1e2833a17254e84f51c4fd1b

Truncated backtrace:

VERIFICATION FAILED: !_temporary_result.is_error() at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Node.cpp:829
/home/andrew/serenity/Build/lagom/lib/liblagom-ak.so.0(ak_verification_failed+0xef) [0x74a686d7f27f]
/home/andrew/serenity/Build/lagom/lib/liblagom-web.so.0(+0x902bf9) [0x74a687702bf9]
/home/andrew/serenity/Build/lagom/lib/liblagom-web.so.0(+0x8d3e5e) [0x74a6876d3e5e]
/home/andrew/serenity/Build/lagom/lib/liblagom-web.so.0 Web::DOM::Element::for_each_attribute(AK::Function<void (Web::DOM::Attr const&)>) const 0x97) [0x74a6876d2b77]
/home/andrew/serenity/Build/lagom/lib/liblagom-web.so.0 Web::DOM::Element::for_each_attribute(AK::Function<void (AK::FlyString const&, AK::String const&)>) const 0x57) [0x74a6876d2c27]
/home/andrew/serenity/Build/lagom/lib/liblagom-web.so.0 Web::DOM::Node::clone_node(Web::DOM::Document*, bool) 0x1df) [0x74a6876fdedf]
/home/andrew/serenity/Build/lagom/lib/liblagom-web.so.0 Web::DOM::Node::clone_node(Web::DOM::Document*, bool) 0x670) [0x74a6876fe370]
/home/andrew/serenity/Build/lagom/lib/liblagom-web.so.0 Web::DOM::Document::import_node(JS::NonnullGCPtr<Web::DOM::Node>, bool) 0xd1) [0x74a6876a8061]
/home/andrew/serenity/Build/lagom/lib/liblagom-web.so.0 Web::Bindings::DocumentPrototype::import_node(JS::VM&) 0x497) [0x74a687c1d907]

Truncated backtrace, now with symbols! (from gdb)

Program received signal SIGILL, Illegal instruction.
ak_verification_failed (message=0x74a6872f3d7b "!_temporary_result.is_error() at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Node.cpp:829") at /home/andrew/serenity/AK/Assertions.cpp:108
108	    __builtin_trap();
(gdb) bt
#0  ak_verification_failed (message=0x74a6872f3d7b "!_temporary_result.is_error() at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Node.cpp:829")
    at /home/andrew/serenity/AK/Assertions.cpp:108
#1  0x000074a687702bf9 in Web::DOM::Node::clone_node(Web::DOM::Document*, bool)::$_0::operator()<AK::FlyString const, AK::String const>(AK::FlyString const&, AK::String const&) const (this=<optimized out>, name=..., value=...) at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Node.cpp:829
#2  AK::Function<void (AK::FlyString const&, AK::String const&)>::CallableWrapper<Web::DOM::Node::clone_node(Web::DOM::Document*, bool)::$_0>::call(AK::FlyString const&, AK::String const&) (this=<optimized out>, in=..., in=...) at /home/andrew/serenity/Meta/Lagom/../../AK/Function.h:192
#3  0x000074a6876d3e5e in AK::Function<void (AK::FlyString const&, AK::String const&)>::operator()(AK::FlyString const&, AK::String const&) const (
    this=0x7ffda1e11de0, in=..., in=...) at /home/andrew/serenity/Meta/Lagom/../../AK/Function.h:125
#4  Web::DOM::Element::for_each_attribute(AK::Function<void (AK::FlyString const&, AK::String const&)>) const::$_0::operator()(Web::DOM::Attr const&) const (
    this=<optimized out>, attr=...) at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Element.cpp:2063
#5  AK::Function<void (Web::DOM::Attr const&)>::CallableWrapper<Web::DOM::Element::for_each_attribute(AK::Function<void (AK::FlyString const&, AK::String const&)>) const::$_0>::call(Web::DOM::Attr const&) (this=<optimized out>, in=...) at /home/andrew/serenity/Meta/Lagom/../../AK/Function.h:192
#6  0x000074a6876d2b77 in AK::Function<void (Web::DOM::Attr const&)>::operator()(Web::DOM::Attr const&) const (this=0x7ffda1e11d30, in=...)
    at /home/andrew/serenity/Meta/Lagom/../../AK/Function.h:125
#7  Web::DOM::Element::for_each_attribute(AK::Function<void (Web::DOM::Attr const&)>) const (this=0x74a678cad5b0, callback=...)
    at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Element.cpp:2057
#8  0x000074a6876d2c27 in Web::DOM::Element::for_each_attribute(AK::Function<void (AK::FlyString const&, AK::String const&)>) const (this=0x5806d9a12480, 
    callback=...) at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Element.cpp:2062
#9  0x000074a6876fdedf in Web::DOM::Node::clone_node (this=this@entry=0x74a678cad5b0, document=<optimized out>, document@entry=0x74a67b81f720, 
    clone_children=true) at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Node.cpp:826
#10 0x000074a6876fe370 in Web::DOM::Node::clone_node(Web::DOM::Document*, bool)::$_1::operator()<Web::DOM::Node>(Web::DOM::Node&) const (child=..., 
    this=<optimized out>) at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Node.cpp:898
#11 Web::DOM::Node::for_each_child<Web::DOM::Node::clone_node(Web::DOM::Document*, bool)::$_1>(Web::DOM::Node::clone_node(Web::DOM::Document*, bool)::$_1) (
    this=<optimized out>, callback=...) at /home/andrew/serenity/Meta/Lagom/../../Userland/Libraries/LibWeb/DOM/Node.h:562
#12 Web::DOM::Node::clone_node (this=<optimized out>, document=<optimized out>, clone_children=<optimized out>)
    at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Node.cpp:897
#13 0x000074a6876a8061 in Web::DOM::Document::import_node (this=0x74a67b81f720, node=..., deep=true)
    at /home/andrew/serenity/Userland/Libraries/LibWeb/DOM/Document.cpp:1736
#14 0x000074a687c1d907 in Web::Bindings::DocumentPrototype::import_node(JS::VM&)::$_0::operator()() const (this=<optimized out>)
    at Userland/Libraries/LibWeb/Bindings/DocumentPrototype.cpp:4895
#15 Web::Bindings::throw_dom_exception_if_needed<Web::Bindings::DocumentPrototype::import_node(JS::VM&)::$_0, Web::WebIDL::ExceptionOr<JS::NonnullGCPtr<Web::DOM::Node> >, JS::NonnullGCPtr<Web::DOM::Node> >(JS::VM&, Web::Bindings::DocumentPrototype::import_node(JS::VM&)::$_0&&) (vm=..., fn=...)
    at /home/andrew/serenity/Meta/Lagom/../../Userland/Libraries/LibWeb/Bindings/ExceptionOrUtils.h:97
#16 Web::Bindings::DocumentPrototype::import_node (vm=...) at Userland/Libraries/LibWeb/Bindings/DocumentPrototype.cpp:4895

[shannonbooth]

Confirmed that this was fixed by #24060 (doesn't crash now, crashes when reverting that change)