Bug 155748

Summary: ASSERTION FAILED: m_isValid == valid() in WebCore::HTMLFormControlElement::isValidFormControlElement
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: FormsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: annulen, darin, dbates, mmaxfield, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test case none

Renata Hodovan
Reported 2016-03-22 07:05:34 PDT
Created attachment 274649 [details] Test case Load the attached test with minibrowser: <script> o = document.createElement("input"), o.required = !0, o.value = "hi", s = o.cloneNode().checkValidity() </script> OS: Mac OS X 10.11.1 (x86_64), x86_64 Checked build: ASAN debug Checked version: 71f2ef4 Backtrace: ASSERTION FAILED: m_isValid == valid() /Users/reni/work/WebKit/Source/WebCore/html/HTMLFormControlElement.cpp(495) : bool WebCore::HTMLFormControlElement::isValidFormControlElement() const 1 0x10b0965f4 WTFCrash 2 0x110dbb83a WebCore::HTMLFormControlElement::isValidFormControlElement() const 3 0x110dacc41 WebCore::HTMLFormControlElement::checkValidity(WTF::Vector<WTF::RefPtr<WebCore::FormAssociatedElement>, 0ul, WTF::CrashOnOverflow, 16ul>*) 4 0x111fcd19f WebCore::jsHTMLInputElementPrototypeFunctionCheckValidity(JSC::ExecState*) 5 0x203d3d201028 6 0x10a78e29b llint_entry 7 0x10a7878de vmEntryToJavaScript 8 0x10a1ec1d0 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 9 0x10a0f66bf JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) 10 0x108dee577 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 11 0x108deea27 JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 12 0x1141b20b1 WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 13 0x1141abd58 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) 14 0x1141ac0bc WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) 15 0x1141d4f33 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) 16 0x1141d1e48 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) 17 0x110f497fe WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) 18 0x110f4925f WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) 19 0x110d2ec47 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() 20 0x110d2f090 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) 21 0x110d2d3d1 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 22 0x110d2cdb3 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) 23 0x110d30b37 WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) 24 0x10fd835d2 WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) 25 0x1100bb46d WebCore::DocumentWriter::end() 26 0x11000daad WebCore::DocumentLoader::finishedLoading(double) 27 0x11000d5bb WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) 28 0x10f3e5227 WebCore::CachedResource::checkNotify() 29 0x10f3e5414 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) 30 0x10f3db78d WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) 31 0x1149b4871 WebCore::SubresourceLoader::didFinishLoading(double) ASAN:SIGSEGV ================================================================= ==23463==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010b09662c bp 0x7fff5dc7a910 sp 0x7fff5dc7a900 T0) #0 0x10b09662b in WTFCrash (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2b5f62b) #1 0x110dbb839 in WebCore::HTMLFormControlElement::isValidFormControlElement() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fef839) #2 0x110dacc40 in WebCore::HTMLFormControlElement::checkValidity(WTF::Vector<WTF::RefPtr<WebCore::FormAssociatedElement>, 0ul, WTF::CrashOnOverflow, 16ul>*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fe0c40) #3 0x111fcd19e in WebCore::jsHTMLInputElementPrototypeFunctionCheckValidity(JSC::ExecState*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x320119e) #4 0x203d3d201027 (<unknown module>) #5 0x10a78e29a in llint_entry (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x225729a) #6 0x10a7878dd in vmEntryToJavaScript (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x22508dd) #7 0x10a1ec1cf in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1cb51cf) #8 0x10a0f66be in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1bbf6be) #9 0x108dee576 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x8b7576) #10 0x108deea26 in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x8b7a26) #11 0x1141b20b0 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53e60b0) #12 0x1141abd57 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53dfd57) #13 0x1141ac0bb in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53e00bb) #14 0x1141d4f32 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5408f32) #15 0x1141d1e47 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5405e47) #16 0x110f497fd in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x217d7fd) #17 0x110f4925e in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x217d25e) #18 0x110d2ec46 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f62c46) #19 0x110d2f08f in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6308f) #20 0x110d2d3d0 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f613d0) #21 0x110d2cdb2 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f60db2) #22 0x110d30b36 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f64b36) #23 0x10fd835d1 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb75d1) #24 0x1100bb46c in WebCore::DocumentWriter::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12ef46c) #25 0x11000daac in WebCore::DocumentLoader::finishedLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1241aac) #26 0x11000d5ba in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12415ba) #27 0x10f3e5226 in WebCore::CachedResource::checkNotify() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x619226) #28 0x10f3e5413 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x619413) #29 0x10f3db78c in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60f78c) #30 0x1149b4870 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5be8870) #31 0x103aad89c in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1b89c) #32 0x103ac1c32 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2fc32) #33 0x103ac18b1 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2f8b1) #34 0x103abdc6e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2bc6e) #35 0x103abaced in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b28ced) #36 0x10282e782 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x89c782) #37 0x102166450 in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d4450) #38 0x10214d9b1 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1bb9b1) #39 0x102167240 in IPC::Connection::dispatchOneMessage() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d5240) #40 0x10219698c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20498c) #41 0x10219695c in void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20495c) #42 0x10219677b in std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20477b) #43 0x109ecc95a in std::__1::function<void ()>::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x199595a) #44 0x10b172bfd in WTF::RunLoop::performWork() (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3bbfd) #45 0x10b173b69 in WTF::RunLoop::performWork(void*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3cb69) #46 0x7fff8b2ff8b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0) #47 0x7fff8b2df0ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab) #48 0x7fff8b2de5ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce) #49 0x7fff8b2ddfc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7) #50 0x7fff88ff6d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54) #51 0x7fff88ff6b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e) #52 0x7fff88ff69ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce) #53 0x7fff9a67cd95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95) #54 0x7fff9a67c1c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4) #55 0x7fff9a670d27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27) #56 0x7fff9a639fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd) #57 0x7fff96b414f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1) #58 0x7fff96b3ff1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d) #59 0x101f7e1cb in main (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000021cb) #60 0x7fff933665ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #61 0x0 (<unknown module>) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash ==23463==ABORTING
Attachments
Test case (138 bytes, text/html)
2016-03-22 07:05 PDT, Renata Hodovan 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 1 2016-04-14 14:55:51 PDT
<rdar://problem/19890634>
Myles C. Maxfield
Comment 2 2016-04-14 16:13:36 PDT
This is fixed in https://bugs.webkit.org/show_bug.cgi?id=156604 *** This bug has been marked as a duplicate of bug 156604 ***
Note You need to log in before you can comment on or make changes to this bug.