Bug 155720 - validity assertion fails after removing a child of an <optgroup> element
Summary: validity assertion fails after removing a child of an <optgroup> element
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Darin Adler
URL:
Keywords: InRadar
Depends on:
Blocks: 116980
Reported: 2016-03-21 08:51 PDT by Renata Hodovan
Modified: 2016-08-05 12:39 PDT
CC List: 6 users


Attachments
Test case (368 bytes, text/html)
2016-03-21 08:51 PDT, Renata Hodovan
no flags
Patch (5.58 KB, patch)
2016-08-05 11:00 PDT, Brent Fulgham
no flags
Patch for landing (5.83 KB, patch)
2016-08-05 11:30 PDT, Brent Fulgham
bfulgham: review+

Description Renata Hodovan 2016-03-21 08:51:16 PDT
Created attachment 274598 [details]
Test case

Load the attached test with minibrowser:

<script>
window.onload = function() {
    // id_1 is the <optgroup>. Its first child is the whitespace text node
    // before <option>, so the second removeChild() removes the <option>
    // itself and leaves the required <select> with no options at all.
    var parent = document.getElementById('id_1');
    parent.removeChild(parent.childNodes[0]);
    parent.removeChild(parent.childNodes[0]);
    // Nothing is focused, so document.activeElement is <body>. Because the
    // file starts with <script>, the parser places the <template> in <head>
    // while the <select> ends up in <body>; moving <body> into the <template>
    // detaches the <select> from the document, which runs its removedFrom()
    // path and the m_isValid == valid() assertion in it.
    document.getElementById('id_0').appendChild(document.activeElement);
}
</script>
<template id="id_0"></template>
<select required>
    <optgroup id="id_1">
        <option></option>
    </optgroup>
</select>



OS: Mac OS X 10.11.1 (x86_64), x86_64
Checked build: ASAN debug
Checked version: d52551a


Backtrace:

ASSERTION FAILED: m_isValid == valid()
/Users/reni/work/WebKit/Source/WebCore/html/HTMLFormControlElement.cpp(495) : bool WebCore::HTMLFormControlElement::isValidFormControlElement() const
1   0x10cb7bed4 WTFCrash
2   0x11289cfca WebCore::HTMLFormControlElement::isValidFormControlElement() const
3   0x11288c4e9 WebCore::HTMLFormControlElement::removedFrom(WebCore::ContainerNode&)
4   0x1128a05be WebCore::HTMLFormControlElementWithState::removedFrom(WebCore::ContainerNode&)
5   0x11118e28a WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::Node&)
6   0x11118e339 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::Node&)
7   0x11118e8d9 WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&)
8   0x11116f06e WebCore::ContainerNode::notifyChildRemoved(WebCore::Node&, WebCore::Node*, WebCore::Node*, WebCore::ContainerNode::ChildChangeSource)
9   0x11117070b WebCore::ContainerNode::removeChild(WebCore::Node&, int&)
10  0x11116e01e WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&, int&)
11  0x11116dcd3 WebCore::ContainerNode::appendChild(WTF::Ref<WebCore::Node>&&, int&)
12  0x114dc1353 WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>, int&)
13  0x113dd3679 WebCore::JSNode::appendChild(JSC::ExecState&)
14  0x113dcaf2e WebCore::jsNodePrototypeFunctionAppendChild(JSC::ExecState*)
15  0x2b4fd4a01028
16  0x10c273d7b llint_entry
17  0x10c26d3be vmEntryToJavaScript
18  0x10bcd1db0 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
19  0x10bbdd29d JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
20  0x10a6dc215 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
21  0x10a6dc68a JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
22  0x10a6dd0e8 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
23  0x11332f956 WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
24  0x113887f84 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
25  0x111f84051 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&)
26  0x111f83148 WebCore::EventTarget::fireEventListeners(WebCore::Event&)
27  0x111d6c56f WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)
28  0x111d82cae WebCore::DOMWindow::dispatchLoadEvent()
29  0x1119c8452 WebCore::Document::dispatchWindowLoadEvent()
30  0x1119bef16 WebCore::Document::implicitClose()
31  0x1123ddf99 WebCore::FrameLoader::checkCallImplicitClose()
ASAN:SIGSEGV
=================================================================
==44859==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010cb7bf0c bp 0x7fff5c1a3a30 sp 0x7fff5c1a3a20 T0)
    #0 0x10cb7bf0b in WTFCrash (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2b5df0b)
    #1 0x11289cfc9 in WebCore::HTMLFormControlElement::isValidFormControlElement() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fedfc9)
    #2 0x11288c4e8 in WebCore::HTMLFormControlElement::removedFrom(WebCore::ContainerNode&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdd4e8)
    #3 0x1128a05bd in WebCore::HTMLFormControlElementWithState::removedFrom(WebCore::ContainerNode&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ff15bd)
    #4 0x11118e289 in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::Node&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8df289)
    #5 0x11118e338 in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::Node&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8df338)
    #6 0x11118e8d8 in WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8df8d8)
    #7 0x11116f06d in WebCore::ContainerNode::notifyChildRemoved(WebCore::Node&, WebCore::Node*, WebCore::Node*, WebCore::ContainerNode::ChildChangeSource) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8c006d)
    #8 0x11117070a in WebCore::ContainerNode::removeChild(WebCore::Node&, int&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8c170a)
    #9 0x11116e01d in WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&, int&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8bf01d)
    #10 0x11116dcd2 in WebCore::ContainerNode::appendChild(WTF::Ref<WebCore::Node>&&, int&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8becd2)
    #11 0x114dc1352 in WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>, int&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4512352)
    #12 0x113dd3678 in WebCore::JSNode::appendChild(JSC::ExecState&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x3524678)
    #13 0x113dcaf2d in WebCore::jsNodePrototypeFunctionAppendChild(JSC::ExecState*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x351bf2d)
    #14 0x2b4fd4a01027  (<unknown module>)
    #15 0x10c273d7a in llint_entry (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2255d7a)
    #16 0x10c26d3bd in vmEntryToJavaScript (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x224f3bd)
    #17 0x10bcd1daf in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1cb3daf)
    #18 0x10bbdd29c in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1bbf29c)
    #19 0x10a6dc214 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6be214)
    #20 0x10a6dc689 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6be689)
    #21 0x10a6dd0e7 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6bf0e7)
    #22 0x11332f955 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2a80955)
    #23 0x113887f83 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2fd8f83)
    #24 0x111f84050 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x16d5050)
    #25 0x111f83147 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x16d4147)
    #26 0x111d6c56e in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x14bd56e)
    #27 0x111d82cad in WebCore::DOMWindow::dispatchLoadEvent() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x14d3cad)
    #28 0x1119c8451 in WebCore::Document::dispatchWindowLoadEvent() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1119451)
    #29 0x1119bef15 in WebCore::Document::implicitClose() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x110ff15)
    #30 0x1123ddf98 in WebCore::FrameLoader::checkCallImplicitClose() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b2ef98)
    #31 0x1123dda7b in WebCore::FrameLoader::checkCompleted() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b2ea7b)
    #32 0x1123da047 in WebCore::FrameLoader::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b2b047)
    #33 0x1119e2679 in WebCore::Document::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1133679)
    #34 0x11279d7a5 in WebCore::HTMLConstructionSite::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eee7a5)
    #35 0x112acdd1b in WebCore::HTMLTreeBuilder::finished() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x221ed1b)
    #36 0x11281249b in WebCore::HTMLDocumentParser::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6349b)
    #37 0x11280e6a9 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5f6a9)
    #38 0x11280e318 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5f318)
    #39 0x11281253d in WebCore::HTMLDocumentParser::attemptToEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6353d)
    #40 0x112812597 in WebCore::HTMLDocumentParser::finish() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f63597)
    #41 0x111b9e08f in WebCore::DocumentWriter::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12ef08f)
    #42 0x111af06dc in WebCore::DocumentLoader::finishedLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12416dc)
    #43 0x111af01ea in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12411ea)
    #44 0x110ec7c76 in WebCore::CachedResource::checkNotify() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x618c76)
    #45 0x110ec7e63 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x618e63)
    #46 0x110ebe1dc in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60f1dc)
    #47 0x116585100 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cd6100)
    #48 0x10558994c in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1894c)
    #49 0x10559dce2 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2cce2)
    #50 0x10559d961 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2c961)
    #51 0x105599d1e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b28d1e)
    #52 0x105596d9d in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b25d9d)
    #53 0x10430d2e2 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x89c2e2)
    #54 0x103c451e0 in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d41e0)
    #55 0x103c2c741 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1bb741)
    #56 0x103c45fd0 in IPC::Connection::dispatchOneMessage() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d4fd0)
    #57 0x103c7571c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20471c)
    #58 0x103c756ec in void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2046ec)
    #59 0x103c7550b in std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20450b)
    #60 0x10b9b253a in std::__1::function<void ()>::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x199453a)
    #61 0x10cc584dd in WTF::RunLoop::performWork() (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3a4dd)
    #62 0x10cc59449 in WTF::RunLoop::performWork(void*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3b449)
    #63 0x7fff888498b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
    #64 0x7fff888290ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
    #65 0x7fff888285ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
    #66 0x7fff88827fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
    #67 0x7fff86540d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54)
    #68 0x7fff86540b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e)
    #69 0x7fff865409ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce)
    #70 0x7fff97bc6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95)
    #71 0x7fff97bc61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4)
    #72 0x7fff97bbad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27)
    #73 0x7fff97b83fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd)
    #74 0x7fff9408b4f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1)
    #75 0x7fff94089f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d)
    #76 0x103a561cb in main (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000021cb)
    #77 0x7fff908b05ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #78 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash
==44859==ABORTING
Comment 1 Darin Adler 2016-03-22 21:58:14 PDT
The bug here is that all calls to setRecalcListItems also need to call updateValidity and the one in HTMLOptGroupElement::recalcSelectOptions does not. Easy to fix.
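As an added example (not the reporter's test case and not the WebKit patch), the invariant Darin describes above, m_isValid == valid(), modelled in plain JavaScript together with the HTML rule that makes the attached test flip from valid to invalid. A <select required> whose only <option> sits inside an <optgroup> is valid, because the placeholder-label-option rule applies only to an empty-valued first option that is a direct child of the select; removing that option leaves nothing selected, so the select is then suffering from being missing. The names SelectModel, valueMissing, optgroupChildRemoved, reproduce and checkLiveSelect are this example's own, the model's setRecalcListItems/updateValidity pair stands in for the WebCore methods of the same names, and the input is constructed to mirror the attached markup. checkLiveSelect is meant to be run in a browser against a real element; everything else runs in Node.

```javascript
// Added example, not code from the bug report or the WebKit patch.

// HTML spec rule for a required <select>: it is "suffering from being missing"
// when no option is selected, or when the only selected option is the
// placeholder label option (the first option, with an empty value, that is a
// direct child of the select, not of an <optgroup>). Only single-select
// menus with display size 1 have a placeholder label option.
// `options` is the flattened option list in tree order; each entry is
// { value, selected, inOptgroup, disabled }.
function valueMissing(options, { required = true, multiple = false, size = 1 } = {}) {
  if (!required) return false;
  const selected = options.filter(o => o.selected);
  if (selected.length === 0) return true;
  if (multiple || size !== 1 || selected.length !== 1) return false;
  const first = options[0];
  const firstIsPlaceholder = first.value === '' && !first.inOptgroup;
  return selected[0] === first && firstIsPlaceholder;
}

// Default selectedness of a single-select, size-1 menu: if no option is
// selected, the first non-disabled option in tree order becomes selected.
function applyDefaultSelection(options) {
  if (!options.some(o => o.selected)) {
    const first = options.find(o => !o.disabled);
    if (first) first.selected = true;
  }
  return options;
}

// Toy stand-in for HTMLSelectElement's state. cachedIsValid plays the role of
// m_isValid: it is only recomputed by updateValidity(), and the assertion in
// the bug is exactly invariantHolds().
class SelectModel {
  constructor(options, attrs = {}) {
    this.attrs = attrs;
    this.options = applyDefaultSelection(options);
    this.listItemsDirty = false;
    this.cachedIsValid = this.computeValid();
  }
  computeValid() { return !valueMissing(this.options, this.attrs); }
  setRecalcListItems() { this.listItemsDirty = true; }   // marks the option list stale
  updateValidity() { this.cachedIsValid = this.computeValid(); }
  invariantHolds() { return this.cachedIsValid === this.computeValid(); }
}

// What the <optgroup> child-change path does in the two states of the code:
// before the fix it only marked the list items stale; the fix also calls
// updateValidity(). Returns whether the cached validity is still truthful.
function optgroupChildRemoved(select, optionIndex, { fixed }) {
  select.options.splice(optionIndex, 1);
  applyDefaultSelection(select.options);
  select.setRecalcListItems();
  if (fixed) select.updateValidity();
  return select.invariantHolds();
}

// Constructed input mirroring the attached test case:
//   <select required><optgroup><option></option></optgroup></select>
function reproduce({ fixed }) {
  const select = new SelectModel(
    [{ value: '', selected: false, inOptgroup: true, disabled: false }],
    { required: true });
  const validBefore = select.cachedIsValid;        // true: not a placeholder option
  const invariantAfter = optgroupChildRemoved(select, 0, { fixed });
  return {
    validBefore,
    validNow: select.computeValid(),               // false: nothing left to select
    cachedNow: select.cachedIsValid,               // stale (true) unless fixed
    invariantAfter,
  };
}

// Browser-only: compare a live <select> element's validity with the rule above.
function checkLiveSelect(select) {
  const options = Array.from(select.options, o => ({
    value: o.value,
    selected: o.selected,
    inOptgroup: o.parentNode instanceof HTMLOptGroupElement,
    disabled: o.disabled,
  }));
  const expected = valueMissing(options,
    { required: select.required, multiple: select.multiple, size: select.size || 1 });
  return select.validity.valueMissing === expected;
}

console.log('unfixed:', reproduce({ fixed: false }));
console.log('fixed:  ', reproduce({ fixed: true }));
```

The unfixed run shows the shape of the bug in release builds, where the ASSERT is compiled out: the element reports itself valid from the stale cache while a fresh computation says it is missing a value. The fixed run recomputes on the same path and the two agree.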
Comment 2 Brent Fulgham 2016-08-05 09:48:28 PDT
This reproduces in r204037.
Comment 3 Radar WebKit Bug Importer 2016-08-05 09:48:52 PDT
<rdar://problem/27720746>
Comment 4 Brent Fulgham 2016-08-05 11:00:00 PDT
Created attachment 285435 [details]
Patch
Comment 5 Brent Fulgham 2016-08-05 11:01:53 PDT
I'm a little unhappy with the test case, because I cannot get it to cleanly dump as pure text output. This is because the assertion only fires when an HTML snippet is used, not if I structure it as a proper HTML document where 'dumpAsText' is able to see the simple text message.

The assertion seems to only fire when the file is treated as though it's entirely in the <head> element.
Comment 6 Darin Adler 2016-08-05 11:12:34 PDT
Comment on attachment 285435 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=285435&action=review

Three fixes, but only one test case. Seems like we need more test cases to cover all the things fixed here.

> Source/WebCore/html/HTMLOptGroupElement.cpp:91
>      ContainerNode* select = parentNode();
>      while (select && !is<HTMLSelectElement>(*select))
>          select = select->parentNode();
> -    if (select)
> -        downcast<HTMLSelectElement>(*select).setRecalcListItems();
> +    if (select) {
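Review bot: the hand-rolled parent walk in `ContainerNode* select = parentNode(); while (select && !is<HTMLSelectElement>(*select))` duplicates the owner lookup that HTMLOptionElement already has as ownerSelectElement, so the option and optgroup paths each decide on their own which <select> owns them; factor that into one shared helper (or use the `ancestorsOfType<HTMLSelectElement>(*this).first()` form suggested in this review) so a later change to the lookup is made in a single place. The new `+    if (select) {` also opens a block whose body is outside this quote, so whether setRecalcListItems() is paired with updateValidity() inside it cannot be confirmed from this hunk alone.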

I think there’s a new better way to write this:

    if (auto* selectElement = ancestorsOfType<HTMLSelectElement>(*this).first())

Maybe not for this patch. Also maybe a helper function here like the ownerSelectElement function in HTMLOptionElement?

> Source/WebCore/html/HTMLOptGroupElement.cpp:94
> +        selectElement.setRecalcListItems();
> +        selectElement.updateValidity();
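Review bot: the pair `selectElement.setRecalcListItems();` / `selectElement.updateValidity();` is the actual fix, but per Comment 1 the invariant is that every caller of setRecalcListItems() must also call updateValidity(), and this hunk only covers the HTMLOptGroupElement path; the other call sites this patch touches (the review counts three fixes) should each get a layout test that inserts or removes an <option> through that path, since the attached test only exercises removal of an <optgroup> child. A one-line comment here saying why the two calls must stay together would also stop a later cleanup from dropping one of them.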

Annoying that these are two different functions rather than having one to call that does both. Annoying that the names are so different when both have the same semantic (mark something invalid to be recomputed later). Something to come back to and improve later.
Comment 7 Brent Fulgham 2016-08-05 11:29:12 PDT
Comment on attachment 285435 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=285435&action=review

>> Source/WebCore/html/HTMLOptGroupElement.cpp:91
>> +    if (select) {
> 
> I think there’s a new better way to write this:
> 
>     if (auto* selectElement = ancestorsOfType<HTMLSelectElement>(*this).first())
> 
> Maybe not for this patch. Also maybe a helper function here like the ownerSelectElement function in HTMLOptionElement?

Oh! That's much cleaner. I'll switch to that.

>> Source/WebCore/html/HTMLOptGroupElement.cpp:94
>> +        selectElement.updateValidity();
> 
> Annoying that these are two different functions rather than having one to call that does both. Annoying that the names are so different when both have the same semantic (mark something invalid to be recomputed later). Something to come back to and improve later.

Agreed!
Comment 8 Brent Fulgham 2016-08-05 11:30:03 PDT
Created attachment 285437 [details]
Patch for landing
Comment 9 Brent Fulgham 2016-08-05 11:30:38 PDT
Comment on attachment 285437 [details]
Patch for landing

Marking r+ based on Darin's review.
Comment 10 Brent Fulgham 2016-08-05 12:39:40 PDT
Committed r204186: <http://trac.webkit.org/changeset/204186>