Bug 34520 - Assertion failure in CheckedRadioButtons::removeButton when using jQuery 1.4.1
Summary: Assertion failure in CheckedRadioButtons::removeButton when using jQuery 1.4.1
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: All
OS: All
Importance: P2 Normal
Assignee: Alexey Proskuryakov
URL: http://meneame.net
Depends on:
Reported: 2010-02-03 04:29 PST by Xan Lopez
Modified: 2010-04-30 09:39 PDT

See Also:

Attachments:
proposed fix (7.08 KB, patch), 2010-02-04 13:41 PST, Alexey Proskuryakov, darin: review+
Simplified Test Case (309 bytes, text/html), 2010-04-20 00:18 PDT, Steven Lai, no flags

Description Xan Lopez 2010-02-03 04:29:30 PST
Happens every time, debug build r54266:

Program received signal SIGSEGV, Segmentation fault.
0x00ebd897 in WebCore::CheckedRadioButtons::removeButton (this=0x8c17efc, element=0x8b4ba10)
    at ../../WebCore/dom/CheckedRadioButtons.cpp:82
82	    ASSERT(inputElement->isChecked());
(gdb) bt
#0  0x00ebd897 in WebCore::CheckedRadioButtons::removeButton (this=0x8c17efc, element=0x8b4ba10)
    at ../../WebCore/dom/CheckedRadioButtons.cpp:82
#1  0x0101babe in WebCore::HTMLInputElement::~HTMLInputElement (this=0x8b4ba10, __in_chrg=<value optimized out>)
    at ../../WebCore/html/HTMLInputElement.cpp:114
#2  0x0101bb67 in WebCore::HTMLInputElement::~HTMLInputElement (this=0x8b4ba10, __in_chrg=<value optimized out>)
    at ../../WebCore/html/HTMLInputElement.cpp:119
#3  0x00ebb843 in WebCore::TreeShared<WebCore::Node>::removedLastRef (this=0x8b4ba14) at ../../WebCore/platform/TreeShared.h:108
#4  0x00d4180c in WebCore::TreeShared<WebCore::Node>::deref (this=0x8b4ba14) at ../../WebCore/platform/TreeShared.h:69
#5  0x00d41850 in WTF::RefPtr<WebCore::Node>::~RefPtr (this=0xb6ab8b6c, __in_chrg=<value optimized out>)
    at ../../JavaScriptCore/wtf/RefPtr.h:53
#6  0x01737ea9 in WebCore::JSNode::~JSNode (this=0xb6ab8b40, __in_chrg=<value optimized out>) at DerivedSources/JSNode.cpp:225
#7  0x00d76177 in WebCore::JSElement::~JSElement (this=0xb6ab8b40, __in_chrg=<value optimized out>) at ./DerivedSources/JSElement.h:33
#8  0x0176072d in WebCore::JSHTMLElement::~JSHTMLElement (this=0xb6ab8b40, __in_chrg=<value optimized out>)
    at DerivedSources/JSHTMLElement.h:31
#9  0x0178d7e1 in WebCore::JSHTMLInputElement::~JSHTMLInputElement (this=0xb6ab8b40, __in_chrg=<value optimized out>)
    at DerivedSources/JSHTMLInputElement.h:30
#10 0x016846b4 in JSC::Heap::sweep (this=0x88f5da0) at ../../JavaScriptCore/runtime/Collector.cpp:1084
#11 0x01684e23 in JSC::Heap::collectAllGarbage (this=0x88f5da0) at ../../JavaScriptCore/runtime/Collector.cpp:1264
#12 0x00d69160 in WebCore::collect () at ../../WebCore/bindings/js/GCController.cpp:46
#13 0x00d69296 in WebCore::GCController::gcTimerFired (this=0x89762f0) at ../../WebCore/bindings/js/GCController.cpp:69
#14 0x00d69470 in WebCore::Timer<WebCore::GCController>::fired (this=0x89762f4) at ../../WebCore/platform/Timer.h:98
#15 0x011a2bc3 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x84096f0) at ../../WebCore/platform/ThreadTimers.cpp:112
#16 0x011a2b0b in WebCore::ThreadTimers::sharedTimerFired () at ../../WebCore/platform/ThreadTimers.cpp:90
#17 0x014eea6d in WebCore::timeout_cb () at ../../WebCore/platform/gtk/SharedTimerGtk.cpp:48
#18 0x026f7681 in g_idle_dispatch (source=<value optimized out>, callback=<value optimized out>, user_data=<value optimized out>)
    at gmain.c:4065
#19 0x026f9645 in g_main_dispatch (context=<value optimized out>) at gmain.c:1960
#20 IA__g_main_context_dispatch (context=<value optimized out>) at gmain.c:2513
#21 0x026fd340 in g_main_context_iterate (context=<value optimized out>, block=<value optimized out>, dispatch=<value optimized out>, 
    self=<value optimized out>) at gmain.c:2591
#22 0x026fd88f in IA__g_main_loop_run (loop=<value optimized out>) at gmain.c:2799
#23 0x044e8332 in IA__gtk_main () at gtkmain.c:1219
#24 0x0806e70e in main (argc=1, argv=0xbfffee74) at ../../src/ephy-main.c:739
Comment 1 Alexey Proskuryakov 2010-02-04 12:31:13 PST
This affects each and every page using jQuery 1.4.1.
Comment 2 Alexey Proskuryakov 2010-02-04 13:41:16 PST
Created attachment 48167 [details]
proposed fix
Comment 3 Alexey Proskuryakov 2010-02-04 14:32:44 PST
Committed revision 54372.
Comment 4 Steven Lai 2010-04-20 00:18:42 PDT
Created attachment 53778 [details]
Simplified Test Case

The test case is a simple page containing a radio box.
The radio box is initially checked, but a call to radioBox.cloneNode() would unintentionally uncheck the radio box.
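A self-contained regression page for the behaviour described in the comment above, written here as an added example and not the attachment from this bug: it clones an initially checked radio button and reports whether the original lost its checked state. The element id `radioBox`, the group name and the PASS/FAIL wording are assumptions of this example.

```html
<!DOCTYPE html>
<html>
<body>
<!-- Added regression check (not this bug's attachment): a checked radio button
     is cloned via cloneNode(); the original must still be checked afterwards. -->
<input type="radio" id="radioBox" name="group" checked>
<pre id="result"></pre>
<script>
function runCheck() {
    var radioBox = document.getElementById('radioBox');
    var checkedBefore = radioBox.checked;       // expected: true (checked in markup)
    var clone = radioBox.cloneNode(false);      // clone is never inserted into the document
    var checkedAfter = radioBox.checked;        // with the bug, this became false
    var lines = [
        'original checked before clone: ' + checkedBefore,
        'original checked after clone:  ' + checkedAfter,
        'clone checked:                 ' + clone.checked,
        (checkedBefore && checkedAfter)
            ? 'PASS: original radio box kept its checked state'
            : 'FAIL: cloneNode() unchecked the original radio box'
    ];
    document.getElementById('result').textContent = lines.join('\n');
    return checkedBefore && checkedAfter;
}
runCheck();
</script>
</body>
</html>
```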
Comment 5 Alexey Proskuryakov 2010-04-30 09:39:23 PDT
This fix was an immediate cause of bug 37900.