WebKit Bugzilla
RESOLVED FIXED
300682
Crash in WebCore::addInvalidElementToAncestorFromInsertionPoint
https://bugs.webkit.org/show_bug.cgi?id=300682
Ryosuke Niwa
Reported
2025-10-14 01:09:00 PDT
e.g.
0 WebCore 0x1a8faf194 WTF::RawPtrTraits<WTF::StringImpl>::unwrap(WTF::StringImpl* const&) + 0 [inlined]
1 WebCore 0x1a8faf194 WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>>::get() const + 0 [inlined]
2 WebCore 0x1a8faf194 WTF::String::impl() const + 0 [inlined]
3 WebCore 0x1a8faf194 WTF::AtomString::impl() const + 0 [inlined]
4 WebCore 0x1a8faf194 WTF::operator==(WTF::AtomString const&, WTF::AtomString const&) + 0 [inlined]
5 WebCore 0x1a8faf194 WebCore::Element::hasLocalName(WTF::AtomString const&) const + 4 [inlined]
6 WebCore 0x1a8faf194 WebCore::HTMLElement::hasTagName(WebCore::HTMLQualifiedName const&) const + 4 [inlined]
7 WebCore 0x1a8faf194 WebCore::Node::hasTagName(WebCore::HTMLQualifiedName const&) const + 8 [inlined]
8 WebCore 0x1a8faf194 WTF::TypeCastTraits<WebCore::HTMLFieldSetElement const, WebCore::Element const, false>::checkTagName(WebCore::Node const&) + 8 [inlined]
9 WebCore 0x1a8faf194 WTF::TypeCastTraits<WebCore::HTMLFieldSetElement const, WebCore::Element const, false>::isOfType(WebCore::Element const&) + 8 [inlined]
10 WebCore 0x1a8faf194 bool WTF::is<WebCore::HTMLFieldSetElement, WebCore::Element>(WebCore::Element const&) + 8 [inlined]
11 WebCore 0x1a8faf194 std::__1::conditional<std::is_const_v<WebCore::Element>, std::__1::add_const<WebCore::HTMLFieldSetElement>::type, __remove_const(WebCore::HTMLFieldSetElement)>::type* WTF::dynamicDowncast<WebCore::HTMLFieldSetElement, WebCore::Element>(WebCore::Element&) + 8 [inlined]
12 WebCore 0x1a8faf194 WebCore::HTMLFieldSetElement* WebCore::findElementAncestorOfType<WebCore::HTMLFieldSetElement>(WebCore::Node const&) + 28 [inlined]
13 WebCore 0x1a8faf194 WebCore::ElementAncestorRange<WebCore::HTMLFieldSetElement> WebCore::ancestorsOfType<WebCore::HTMLFieldSetElement>(WebCore::Node&) + 28 [inlined]
14 WebCore 0x1a8faf194 WebCore::ElementAncestorRange<WebCore::HTMLFieldSetElement> WebCore::lineageOfType<WebCore::HTMLFieldSetElement>(WebCore::Element&) + 56 [inlined]
15 WebCore 0x1a8faf194 WebCore::addInvalidElementToAncestorFromInsertionPoint(WebCore::HTMLElement const&, WebCore::ContainerNode*) + 96
16 WebCore 0x1a8faefb0 WebCore::ValidatedFormListedElement::updateValidity() + 616
17 WebCore 0x1a8c57eb4 WebCore::RadioButtonGroup::updateValidityForAllButtons() + 244
18 WebCore 0x1a8c582a0 WebCore::RadioButtonGroup::remove(WebCore::HTMLInputElement&) + 852
19 WebCore 0x1a8c58e60 WebCore::RadioButtonGroups::removeButton(WebCore::HTMLInputElement&) + 128
20 WebCore 0x1a8e8f880 WebCore::HTMLInputElement::removeFromRadioButtonGroup() + 4 [inlined]
21 WebCore 0x1a8e8f880 WebCore::HTMLInputElement::willChangeForm() + 4 [inlined]
22 WebCore 0x1a8e8f880 non-virtual thunk to WebCore::HTMLInputElement::willChangeForm() + 264
23 WebCore 0x1a8e2f3e0 WebCore::FormListedElement::formWillBeDestroyed() + 92
24 WebCore 0x1a8fb0d64 WebCore::ValidatedFormListedElement::formWillBeDestroyed() + 36
25 WebCore 0x1a8e6f454 WebCore::HTMLFormElement::~HTMLFormElement() + 264
26 WebCore 0x1a8e6fae4 WebCore::HTMLFormElement::~HTMLFormElement() + 4 [inlined]

<rdar://51548228>
Ryosuke Niwa
Comment 1
2025-10-14 01:22:42 PDT
Pull request: https://github.com/WebKit/WebKit/pull/52285
EWS
Comment 2
2025-10-14 05:13:06 PDT
Committed 301470@main (985b9fb1a2eb): <https://commits.webkit.org/301470@main>

Reviewed commits have been landed. Closing PR #52285 and removing active labels.