155699 – ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary in WebCore::HTMLFieldSetElement::removeInvalidDescendant

Bug 155699 - ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary in WebCore::HTMLFieldSetElement::removeInvalidDescendant

Summary: ASSERTION FAILED: Updating the fieldset on validity change is not an efficien...

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Forms (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:	116980
	Show dependency tree / graph

Reported:	2016-03-20 10:26 PDT by Renata Hodovan
Modified:	2016-08-05 09:45 PDT (History)
CC List:	6 users (show)

See Also:

Attachments
Test case for Mac (142 bytes, text/html) 2016-03-20 10:26 PDT, Renata Hodovan	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Renata Hodovan 2016-03-20 10:26:36 PDT

Created attachment 274542 [details]
Test case for Mac

Load the attached test with minibrowser:

<!DOCTYPE html>
<fieldset>
    <datalist>
        <select>
            <select>
                <select required></select>
            </select>
        </select>
    </datalist>
</fieldset>


OS: Mac OS X 10.11.1 (x86_64), x86_64
Checked build: ASAN debug
Checked version: d52551a


Backtrace:

ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary.
m_invalidDescendants.contains(&formControlElement)
/Users/reni/work/WebKit/Source/WebCore/html/HTMLFieldSetElement.cpp(222) : void WebCore::HTMLFieldSetElement::removeInvalidDescendant(const WebCore::HTMLFormControlElement &)
1   0x10a037ed4 WTFCrash
2   0x10fd35bc4 WebCore::HTMLFieldSetElement::removeInvalidDescendant(WebCore::HTMLFormControlElement const&)
3   0x10fd4d9cc WebCore::removeInvalidElementToAncestorFromInsertionPoint(WebCore::HTMLFormControlElement const&, WebCore::ContainerNode*)
4   0x10fd4bf1f WebCore::HTMLFormControlElement::setNeedsWillValidateCheck()
5   0x10fd4cca1 WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&)
6   0x10fd61526 WebCore::HTMLFormControlElementWithState::insertedInto(WebCore::ContainerNode&)
7   0x10fefe2f4 WebCore::HTMLSelectElement::insertedInto(WebCore::ContainerNode&)
8   0x10e64e704 WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&)
9   0x10e64efbf WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&)
10  0x10e62faf5 WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource)
11  0x10e62dd59 WebCore::ContainerNode::parserAppendChild(WTF::Ref<WebCore::Node>&&)
12  0x10fc64b2f WebCore::insert(WebCore::HTMLConstructionSiteTask&)
13  0x10fc64346 WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&)
14  0x10fc5cc76 WebCore::executeTask(WebCore::HTMLConstructionSiteTask&)
15  0x10fc5cb44 WebCore::HTMLConstructionSite::executeQueuedTasks()
16  0x10ff7bc2e WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&)
17  0x10fcd20b1 WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&)
18  0x10fcd1e06 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)
19  0x10fccfb51 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
20  0x10fccf533 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
21  0x10fcd32b7 WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&)
22  0x10ed26f02 WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&)
23  0x10f05efdd WebCore::DocumentWriter::end()
24  0x10efb16dd WebCore::DocumentLoader::finishedLoading(double)
25  0x10efb11eb WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*)
26  0x10e388c77 WebCore::CachedResource::checkNotify()
27  0x10e388e64 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*)
28  0x10e37f1dd WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*)
29  0x113a46101 WebCore::SubresourceLoader::didFinishLoading(double)
30  0x102a4c94d WebKit::WebResourceLoader::didFinishResourceLoad(double)
31  0x102a60ce3 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>)
ASAN:SIGSEGV
=================================================================
==81499==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010a037f0c bp 0x7fff5ecdb910 sp 0x7fff5ecdb900 T0)
    #0 0x10a037f0b in WTFCrash (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2b5df0b)
    #1 0x10fd35bc3 in WebCore::HTMLFieldSetElement::removeInvalidDescendant(WebCore::HTMLFormControlElement const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fc5bc3)
    #2 0x10fd4d9cb in WebCore::removeInvalidElementToAncestorFromInsertionPoint(WebCore::HTMLFormControlElement const&, WebCore::ContainerNode*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdd9cb)
    #3 0x10fd4bf1e in WebCore::HTMLFormControlElement::setNeedsWillValidateCheck() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdbf1e)
    #4 0x10fd4cca0 in WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdcca0)
    #5 0x10fd61525 in WebCore::HTMLFormControlElementWithState::insertedInto(WebCore::ContainerNode&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ff1525)
    #6 0x10fefe2f3 in WebCore::HTMLSelectElement::insertedInto(WebCore::ContainerNode&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x218e2f3)
    #7 0x10e64e703 in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8de703)
    #8 0x10e64efbe in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8defbe)
    #9 0x10e62faf4 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8bfaf4)
    #10 0x10e62dd58 in WebCore::ContainerNode::parserAppendChild(WTF::Ref<WebCore::Node>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8bdd58)
    #11 0x10fc64b2e in WebCore::insert(WebCore::HTMLConstructionSiteTask&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef4b2e)
    #12 0x10fc64345 in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef4345)
    #13 0x10fc5cc75 in WebCore::executeTask(WebCore::HTMLConstructionSiteTask&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eecc75)
    #14 0x10fc5cb43 in WebCore::HTMLConstructionSite::executeQueuedTasks() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eecb43)
    #15 0x10ff7bc2d in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x220bc2d)
    #16 0x10fcd20b0 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f620b0)
    #17 0x10fcd1e05 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f61e05)
    #18 0x10fccfb50 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5fb50)
    #19 0x10fccf532 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5f532)
    #20 0x10fcd32b6 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f632b6)
    #21 0x10ed26f01 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb6f01)
    #22 0x10f05efdc in WebCore::DocumentWriter::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12eefdc)
    #23 0x10efb16dc in WebCore::DocumentLoader::finishedLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12416dc)
    #24 0x10efb11ea in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12411ea)
    #25 0x10e388c76 in WebCore::CachedResource::checkNotify() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x618c76)
    #26 0x10e388e63 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x618e63)
    #27 0x10e37f1dc in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60f1dc)
    #28 0x113a46100 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cd6100)
    #29 0x102a4c94c in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1894c)
    #30 0x102a60ce2 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2cce2)
    #31 0x102a60961 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2c961)
    #32 0x102a5cd1e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b28d1e)
    #33 0x102a59d9d in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b25d9d)
    #34 0x1017d02e2 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x89c2e2)
    #35 0x1011081e0 in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d41e0)
    #36 0x1010ef741 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1bb741)
    #37 0x101108fd0 in IPC::Connection::dispatchOneMessage() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d4fd0)
    #38 0x10113871c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20471c)
    #39 0x1011386ec in void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2046ec)
    #40 0x10113850b in std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20450b)
    #41 0x108e6e53a in std::__1::function<void ()>::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x199453a)
    #42 0x10a1144dd in WTF::RunLoop::performWork() (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3a4dd)
    #43 0x10a115449 in WTF::RunLoop::performWork(void*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3b449)
    #44 0x7fff888498b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
    #45 0x7fff888290ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
    #46 0x7fff888285ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
    #47 0x7fff88827fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
    #48 0x7fff86540d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54)
    #49 0x7fff86540b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e)
    #50 0x7fff865409ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce)
    #51 0x7fff97bc6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95)
    #52 0x7fff97bc61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4)
    #53 0x7fff97bbad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27)
    #54 0x7fff97b83fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd)
    #55 0x7fff9408b4f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1)
    #56 0x7fff94089f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d)
    #57 0x100f201cb in main (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000021cb)
    #58 0x7fff908b05ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #59 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash
==81499==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 81499)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy

Comment 1 Brent Fulgham 2016-08-05 09:45:25 PDT

This reproduces in r204037.

Comment 2 Radar WebKit Bug Importer 2016-08-05 09:45:39 PDT

<rdar://problem/27720683>