Bug 166818 - ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary. m_invalidDescendants.contains(&formControlElement) in WebCore::HTMLFieldSetElement::removeInvalidDescendant
Summary: ASSERTION FAILED: Updating the fieldset on validity change is not an efficien...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
  Show dependency treegraph
 
Reported: 2017-01-08 10:43 PST by Renata Hodovan
Modified: 2017-01-09 13:58 PST (History)
2 users (show)

See Also:

Attachments
Test (39 bytes, application/octet-stream)
2017-01-08 10:43 PST, Renata Hodovan 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Renata Hodovan 2017-01-08 10:43:51 PST 
Load the attached test with debug WebKitTestRunner:

Checked version: 217d599
OS: Darwin-15.6.0-x86_64-i386-64bit

<datalist><fieldset><textarea required>

Backtrace:

ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary.
m_invalidDescendants.contains(&formControlElement)
WebKit/Source/WebCore/html/HTMLFieldSetElement.cpp(223) : void WebCore::HTMLFieldSetElement::removeInvalidDescendant(const WebCore::HTMLFormControlElement &)
1   0x11471cc71 WTFCrash
2   0x11acbe259 WebCore::HTMLFieldSetElement::removeInvalidDescendant(WebCore::HTMLFormControlElement const&)
3   0x11acd5b7f WebCore::removeInvalidElementToAncestorFromInsertionPoint(WebCore::HTMLFormControlElement const&, WebCore::ContainerNode*)
4   0x11acd40ab WebCore::HTMLFormControlElement::setNeedsWillValidateCheck()
5   0x11acd4e71 WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&)
6   0x11acdf194 WebCore::HTMLFormControlElementWithState::insertedInto(WebCore::ContainerNode&)
7   0x11aebf087 WebCore::HTMLTextFormControlElement::insertedInto(WebCore::ContainerNode&)
8   0x1195ace94 WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&)
9   0x1195ad754 WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&)
10  0x11958734a WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource)
11  0x1195851dc WebCore::ContainerNode::parserAppendChild(WebCore::Node&)
12  0x11abef5d3 WebCore::insert(WebCore::HTMLConstructionSiteTask&)
13  0x11abef07f WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&)
14  0x11abe7802 WebCore::executeTask(WebCore::HTMLConstructionSiteTask&)
15  0x11abe76d9 WebCore::HTMLConstructionSite::executeQueuedTasks()
16  0x11aef2253 WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&)
17  0x11ac61cb8 WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&)
18  0x11ac61a03 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)
19  0x11ac5f5e3 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
20  0x11ac5efa0 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
21  0x11ac631dc WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&)
22  0x119db674c WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long)
23  0x11a0e0ab2 WebCore::DocumentWriter::addData(char const*, unsigned long)
24  0x11a027ff6 WebCore::DocumentLoader::commitData(char const*, unsigned long)
25  0x10bad9e9e WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int)
26  0x11a02d187 WebCore::DocumentLoader::commitLoad(char const*, int)
27  0x11a02cecb WebCore::DocumentLoader::dataReceived(char const*, int)
28  0x11a02d569 WebCore::DocumentLoader::dataReceived(WebCore::CachedResource&, char const*, int)
29  0x1192dcf72 WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int)
30  0x1192dcc21 WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&)
31  0x11f3e914b WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer>&&, long long, WebCore::DataPayloadType)
ASAN:DEADLYSIGNAL
=================================================================
==40990==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00011471cca9 bp 0x7fff55264610 sp 0x7fff55264600 T0)
    #0 0x11471cca8 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2f81ca8)
    #1 0x11acbe258 in WebCore::HTMLFieldSetElement::removeInvalidDescendant(WebCore::HTMLFormControlElement const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fc9258)
    #2 0x11acd5b7e in WebCore::removeInvalidElementToAncestorFromInsertionPoint(WebCore::HTMLFormControlElement const&, WebCore::ContainerNode*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fe0b7e)
    #3 0x11acd40aa in WebCore::HTMLFormControlElement::setNeedsWillValidateCheck() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdf0aa)
    #4 0x11acd4e70 in WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdfe70)
    #5 0x11acdf193 in WebCore::HTMLFormControlElementWithState::insertedInto(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fea193)
    #6 0x11aebf086 in WebCore::HTMLTextFormControlElement::insertedInto(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x21ca086)
    #7 0x1195ace93 in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8b7e93)
    #8 0x1195ad753 in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8b8753)
    #9 0x119587349 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x892349)
    #10 0x1195851db in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8901db)
    #11 0x11abef5d2 in WebCore::insert(WebCore::HTMLConstructionSiteTask&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1efa5d2)
    #12 0x11abef07e in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1efa07e)
    #13 0x11abe7801 in WebCore::executeTask(WebCore::HTMLConstructionSiteTask&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef2801)
    #14 0x11abe76d8 in WebCore::HTMLConstructionSite::executeQueuedTasks() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef26d8)
    #15 0x11aef2252 in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x21fd252)
    #16 0x11ac61cb7 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6ccb7)
    #17 0x11ac61a02 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6ca02)
    #18 0x11ac5f5e2 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6a5e2)
    #19 0x11ac5ef9f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f69f9f)
    #20 0x11ac631db in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6e1db)
    #21 0x119db674b in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x10c174b)
    #22 0x11a0e0ab1 in WebCore::DocumentWriter::addData(char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x13ebab1)
    #23 0x11a027ff5 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1332ff5)
    #24 0x10bad9e9d in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x112be9d)
    #25 0x11a02d186 in WebCore::DocumentLoader::commitLoad(char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1338186)
    #26 0x11a02ceca in WebCore::DocumentLoader::dataReceived(char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1337eca)
    #27 0x11a02d568 in WebCore::DocumentLoader::dataReceived(WebCore::CachedResource&, char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1338568)
    #28 0x1192dcf71 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e7f71)
    #29 0x1192dcc20 in WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e7c20)
    #30 0x11f3e914a in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer>&&, long long, WebCore::DataPayloadType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x66f414a)
    #31 0x11f3e8a80 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x66f3a80)
    #32 0x10c4c9b3a in WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1bb3a)
    #33 0x10c4d7ae3 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b29ae3)
    #34 0x10c4d75e4 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<IPC::DataReference, long long>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b295e4)
    #35 0x10c4d4cf1 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b26cf1)
    #36 0x10c4d3280 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b25280)
    #37 0x10b173629 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c5629)
    #38 0x10ab8730a in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d930a)
    #39 0x10ab71184 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c3184)
    #40 0x10ab87ff5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d9ff5)
    #41 0x10ab985ac in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1ea5ac)
    #42 0x10ab984d8 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1ea4d8)
    #43 0x1147a2b60 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3007b60)
    #44 0x1147e55b6 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x304a5b6)
    #45 0x1147e6781 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x304b781)
    #46 0x7fff94efd7e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
    #47 0x7fff94edcf1b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89f1b)
    #48 0x7fff94edc43e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8943e)
    #49 0x7fff94edbe37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
    #50 0x7fff93297934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #51 0x7fff9329776e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #52 0x7fff932975ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #53 0x7fff98137df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #54 0x7fff98137225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #55 0x7fff9812bd7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #56 0x7fff980f5367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #57 0x7fff8beec193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #58 0x7fff8beeabbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #59 0x10a996f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
    #60 0x7fff9ecd85ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #61 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2f81ca8) in WTFCrash
==40990==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 40990)
Comment 1 Renata Hodovan 2017-01-08 10:43:53 PST 
Created attachment 298308 [details]
Test