Bug 155748

Summary: ASSERTION FAILED: m_isValid == valid() in WebCore::HTMLFormControlElement::isValidFormControlElement
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: Forms    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal CC: annulen, darin, dbates, mmaxfield, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments:
Description Flags
Test case none

Description Renata Hodovan 2016-03-22 07:05:34 PDT
Created attachment 274649 [details]
Test case

Load the attached test with MiniBrowser:

<script>
// Reproducer: a required <input> that already holds a value is cloned,
// and the clone's validity is queried.
var o = document.createElement("input");
o.required = true;
o.value = "hi";
var s = o.cloneNode().checkValidity();
</script>


OS: Mac OS X 10.11.1 (x86_64), x86_64
Checked build: ASAN debug
Checked version: 71f2ef4


Backtrace:

ASSERTION FAILED: m_isValid == valid()
/Users/reni/work/WebKit/Source/WebCore/html/HTMLFormControlElement.cpp(495) : bool WebCore::HTMLFormControlElement::isValidFormControlElement() const
1   0x10b0965f4 WTFCrash
2   0x110dbb83a WebCore::HTMLFormControlElement::isValidFormControlElement() const
3   0x110dacc41 WebCore::HTMLFormControlElement::checkValidity(WTF::Vector<WTF::RefPtr<WebCore::FormAssociatedElement>, 0ul, WTF::CrashOnOverflow, 16ul>*)
4   0x111fcd19f WebCore::jsHTMLInputElementPrototypeFunctionCheckValidity(JSC::ExecState*)
5   0x203d3d201028
6   0x10a78e29b llint_entry
7   0x10a7878de vmEntryToJavaScript
8   0x10a1ec1d0 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
9   0x10a0f66bf JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
10  0x108dee577 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
11  0x108deea27 JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
12  0x1141b20b1 WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
13  0x1141abd58 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*)
14  0x1141ac0bc WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*)
15  0x1141d4f33 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&)
16  0x1141d1e48 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)
17  0x110f497fe WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&)
18  0x110f4925f WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&)
19  0x110d2ec47 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()
20  0x110d2f090 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)
21  0x110d2d3d1 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
22  0x110d2cdb3 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
23  0x110d30b37 WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&)
24  0x10fd835d2 WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&)
25  0x1100bb46d WebCore::DocumentWriter::end()
26  0x11000daad WebCore::DocumentLoader::finishedLoading(double)
27  0x11000d5bb WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*)
28  0x10f3e5227 WebCore::CachedResource::checkNotify()
29  0x10f3e5414 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*)
30  0x10f3db78d WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*)
31  0x1149b4871 WebCore::SubresourceLoader::didFinishLoading(double)
ASAN:SIGSEGV
=================================================================
==23463==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010b09662c bp 0x7fff5dc7a910 sp 0x7fff5dc7a900 T0)
    #0 0x10b09662b in WTFCrash (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2b5f62b)
    #1 0x110dbb839 in WebCore::HTMLFormControlElement::isValidFormControlElement() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fef839)
    #2 0x110dacc40 in WebCore::HTMLFormControlElement::checkValidity(WTF::Vector<WTF::RefPtr<WebCore::FormAssociatedElement>, 0ul, WTF::CrashOnOverflow, 16ul>*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fe0c40)
    #3 0x111fcd19e in WebCore::jsHTMLInputElementPrototypeFunctionCheckValidity(JSC::ExecState*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x320119e)
    #4 0x203d3d201027  (<unknown module>)
    #5 0x10a78e29a in llint_entry (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x225729a)
    #6 0x10a7878dd in vmEntryToJavaScript (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x22508dd)
    #7 0x10a1ec1cf in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1cb51cf)
    #8 0x10a0f66be in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1bbf6be)
    #9 0x108dee576 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x8b7576)
    #10 0x108deea26 in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x8b7a26)
    #11 0x1141b20b0 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53e60b0)
    #12 0x1141abd57 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53dfd57)
    #13 0x1141ac0bb in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53e00bb)
    #14 0x1141d4f32 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5408f32)
    #15 0x1141d1e47 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5405e47)
    #16 0x110f497fd in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x217d7fd)
    #17 0x110f4925e in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x217d25e)
    #18 0x110d2ec46 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f62c46)
    #19 0x110d2f08f in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6308f)
    #20 0x110d2d3d0 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f613d0)
    #21 0x110d2cdb2 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f60db2)
    #22 0x110d30b36 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f64b36)
    #23 0x10fd835d1 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb75d1)
    #24 0x1100bb46c in WebCore::DocumentWriter::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12ef46c)
    #25 0x11000daac in WebCore::DocumentLoader::finishedLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1241aac)
    #26 0x11000d5ba in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12415ba)
    #27 0x10f3e5226 in WebCore::CachedResource::checkNotify() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x619226)
    #28 0x10f3e5413 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x619413)
    #29 0x10f3db78c in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60f78c)
    #30 0x1149b4870 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5be8870)
    #31 0x103aad89c in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1b89c)
    #32 0x103ac1c32 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2fc32)
    #33 0x103ac18b1 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2f8b1)
    #34 0x103abdc6e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2bc6e)
    #35 0x103abaced in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b28ced)
    #36 0x10282e782 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x89c782)
    #37 0x102166450 in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d4450)
    #38 0x10214d9b1 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1bb9b1)
    #39 0x102167240 in IPC::Connection::dispatchOneMessage() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d5240)
    #40 0x10219698c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20498c)
    #41 0x10219695c in void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20495c)
    #42 0x10219677b in std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20477b)
    #43 0x109ecc95a in std::__1::function<void ()>::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x199595a)
    #44 0x10b172bfd in WTF::RunLoop::performWork() (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3bbfd)
    #45 0x10b173b69 in WTF::RunLoop::performWork(void*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3cb69)
    #46 0x7fff8b2ff8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
    #47 0x7fff8b2df0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
    #48 0x7fff8b2de5ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
    #49 0x7fff8b2ddfc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
    #50 0x7fff88ff6d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54)
    #51 0x7fff88ff6b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e)
    #52 0x7fff88ff69ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce)
    #53 0x7fff9a67cd95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95)
    #54 0x7fff9a67c1c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4)
    #55 0x7fff9a670d27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27)
    #56 0x7fff9a639fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd)
    #57 0x7fff96b414f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1)
    #58 0x7fff96b3ff1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d)
    #59 0x101f7e1cb in main (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000021cb)
    #60 0x7fff933665ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #61 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash
==23463==ABORTING
Comment 1 Daniel Bates 2016-04-14 14:55:51 PDT
<rdar://problem/19890634>
Comment 2 Myles C. Maxfield 2016-04-14 16:13:36 PDT
This is fixed in https://bugs.webkit.org/show_bug.cgi?id=156604

*** This bug has been marked as a duplicate of bug 156604 ***