[Webkit-unassigned] [Bug 155699] New: ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary in WebCore::HTMLFieldSetElement::removeInvalidDescendant
bugzilla-daemon at webkit.org
Sun Mar 20 10:26:36 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=155699
Bug ID: 155699
Summary: ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary in WebCore::HTMLFieldSetElement::removeInvalidDescendant
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Forms
Assignee: webkit-unassigned at lists.webkit.org
Reporter: rhodovan.u-szeged at partner.samsung.com
CC: benjamin at webkit.org, darin at apple.com
Blocks: 116980
Created attachment 274542
--> https://bugs.webkit.org/attachment.cgi?id=274542&action=review
Test case for Mac
Load the attached test with minibrowser:
<!DOCTYPE html>
<fieldset>
<datalist>
<select>
<select>
<select required></select>
</select>
</select>
</datalist>
</fieldset>
OS: Mac OS X 10.11.1 (x86_64), x86_64
Checked build: ASAN debug
Checked version: d52551a
Backtrace:
ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary.
m_invalidDescendants.contains(&formControlElement)
/Users/reni/work/WebKit/Source/WebCore/html/HTMLFieldSetElement.cpp(222) : void WebCore::HTMLFieldSetElement::removeInvalidDescendant(const WebCore::HTMLFormControlElement &)
1 0x10a037ed4 WTFCrash
2 0x10fd35bc4 WebCore::HTMLFieldSetElement::removeInvalidDescendant(WebCore::HTMLFormControlElement const&)
3 0x10fd4d9cc WebCore::removeInvalidElementToAncestorFromInsertionPoint(WebCore::HTMLFormControlElement const&, WebCore::ContainerNode*)
4 0x10fd4bf1f WebCore::HTMLFormControlElement::setNeedsWillValidateCheck()
5 0x10fd4cca1 WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&)
6 0x10fd61526 WebCore::HTMLFormControlElementWithState::insertedInto(WebCore::ContainerNode&)
7 0x10fefe2f4 WebCore::HTMLSelectElement::insertedInto(WebCore::ContainerNode&)
8 0x10e64e704 WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&)
9 0x10e64efbf WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&)
10 0x10e62faf5 WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource)
11 0x10e62dd59 WebCore::ContainerNode::parserAppendChild(WTF::Ref<WebCore::Node>&&)
12 0x10fc64b2f WebCore::insert(WebCore::HTMLConstructionSiteTask&)
13 0x10fc64346 WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&)
14 0x10fc5cc76 WebCore::executeTask(WebCore::HTMLConstructionSiteTask&)
15 0x10fc5cb44 WebCore::HTMLConstructionSite::executeQueuedTasks()
16 0x10ff7bc2e WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&)
17 0x10fcd20b1 WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&)
18 0x10fcd1e06 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)
19 0x10fccfb51 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
20 0x10fccf533 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
21 0x10fcd32b7 WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&)
22 0x10ed26f02 WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&)
23 0x10f05efdd WebCore::DocumentWriter::end()
24 0x10efb16dd WebCore::DocumentLoader::finishedLoading(double)
25 0x10efb11eb WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*)
26 0x10e388c77 WebCore::CachedResource::checkNotify()
27 0x10e388e64 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*)
28 0x10e37f1dd WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*)
29 0x113a46101 WebCore::SubresourceLoader::didFinishLoading(double)
30 0x102a4c94d WebKit::WebResourceLoader::didFinishResourceLoad(double)
31 0x102a60ce3 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>)
ASAN:SIGSEGV
=================================================================
==81499==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010a037f0c bp 0x7fff5ecdb910 sp 0x7fff5ecdb900 T0)
#0 0x10a037f0b in WTFCrash (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2b5df0b)
#1 0x10fd35bc3 in WebCore::HTMLFieldSetElement::removeInvalidDescendant(WebCore::HTMLFormControlElement const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fc5bc3)
#2 0x10fd4d9cb in WebCore::removeInvalidElementToAncestorFromInsertionPoint(WebCore::HTMLFormControlElement const&, WebCore::ContainerNode*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdd9cb)
#3 0x10fd4bf1e in WebCore::HTMLFormControlElement::setNeedsWillValidateCheck() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdbf1e)
#4 0x10fd4cca0 in WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdcca0)
#5 0x10fd61525 in WebCore::HTMLFormControlElementWithState::insertedInto(WebCore::ContainerNode&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ff1525)
#6 0x10fefe2f3 in WebCore::HTMLSelectElement::insertedInto(WebCore::ContainerNode&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x218e2f3)
#7 0x10e64e703 in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8de703)
#8 0x10e64efbe in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8defbe)
#9 0x10e62faf4 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8bfaf4)
#10 0x10e62dd58 in WebCore::ContainerNode::parserAppendChild(WTF::Ref<WebCore::Node>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8bdd58)
#11 0x10fc64b2e in WebCore::insert(WebCore::HTMLConstructionSiteTask&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef4b2e)
#12 0x10fc64345 in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef4345)
#13 0x10fc5cc75 in WebCore::executeTask(WebCore::HTMLConstructionSiteTask&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eecc75)
#14 0x10fc5cb43 in WebCore::HTMLConstructionSite::executeQueuedTasks() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eecb43)
#15 0x10ff7bc2d in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x220bc2d)
#16 0x10fcd20b0 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f620b0)
#17 0x10fcd1e05 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f61e05)
#18 0x10fccfb50 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5fb50)
#19 0x10fccf532 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5f532)
#20 0x10fcd32b6 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f632b6)
#21 0x10ed26f01 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb6f01)
#22 0x10f05efdc in WebCore::DocumentWriter::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12eefdc)
#23 0x10efb16dc in WebCore::DocumentLoader::finishedLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12416dc)
#24 0x10efb11ea in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12411ea)
#25 0x10e388c76 in WebCore::CachedResource::checkNotify() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x618c76)
#26 0x10e388e63 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x618e63)
#27 0x10e37f1dc in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60f1dc)
#28 0x113a46100 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cd6100)
#29 0x102a4c94c in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1894c)
#30 0x102a60ce2 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2cce2)
#31 0x102a60961 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2c961)
#32 0x102a5cd1e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b28d1e)
#33 0x102a59d9d in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b25d9d)
#34 0x1017d02e2 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x89c2e2)
#35 0x1011081e0 in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d41e0)
#36 0x1010ef741 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1bb741)
#37 0x101108fd0 in IPC::Connection::dispatchOneMessage() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d4fd0)
#38 0x10113871c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20471c)
#39 0x1011386ec in void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2046ec)
#40 0x10113850b in std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20450b)
#41 0x108e6e53a in std::__1::function<void ()>::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x199453a)
#42 0x10a1144dd in WTF::RunLoop::performWork() (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3a4dd)
#43 0x10a115449 in WTF::RunLoop::performWork(void*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2c3b449)
#44 0x7fff888498b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0)
#45 0x7fff888290ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab)
#46 0x7fff888285ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce)
#47 0x7fff88827fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7)
#48 0x7fff86540d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54)
#49 0x7fff86540b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e)
#50 0x7fff865409ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce)
#51 0x7fff97bc6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95)
#52 0x7fff97bc61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4)
#53 0x7fff97bbad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27)
#54 0x7fff97b83fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd)
#55 0x7fff9408b4f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1)
#56 0x7fff94089f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d)
#57 0x100f201cb in main (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000021cb)
#58 0x7fff908b05ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
#59 0x0 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash
==81499==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 81499)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy