<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary. m_invalidDescendants.contains(&amp;formControlElement) in WebCore::HTMLFieldSetElement::removeInvalidDescendant"
   href="https://bugs.webkit.org/show_bug.cgi?id=166818">166818</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary. m_invalidDescendants.contains(&amp;formControlElement) in WebCore::HTMLFieldSetElement::removeInvalidDescendant
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Local Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Forms
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>hodovan&#64;inf.u-szeged.hu
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Load the attached test (its contents are shown below) with a debug build of WebKitTestRunner:

Checked version: 217d599
OS: Darwin-15.6.0-x86_64-i386-64bit

&lt;datalist&gt;&lt;fieldset&gt;&lt;textarea required&gt;

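Backtrace (the debug assertion output, followed by the AddressSanitizer report; the SEGV at 0xbbadbeef is the deliberate crash raised by WTFCrash after the assertion fails, not a separate invalid memory access):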

ASSERTION FAILED: Updating the fieldset on validity change is not an efficient operation, it should only be done when necessary.
m_invalidDescendants.contains(&amp;formControlElement)
WebKit/Source/WebCore/html/HTMLFieldSetElement.cpp(223) : void WebCore::HTMLFieldSetElement::removeInvalidDescendant(const WebCore::HTMLFormControlElement &amp;)
1   0x11471cc71 WTFCrash
2   0x11acbe259 WebCore::HTMLFieldSetElement::removeInvalidDescendant(WebCore::HTMLFormControlElement const&amp;)
3   0x11acd5b7f WebCore::removeInvalidElementToAncestorFromInsertionPoint(WebCore::HTMLFormControlElement const&amp;, WebCore::ContainerNode*)
4   0x11acd40ab WebCore::HTMLFormControlElement::setNeedsWillValidateCheck()
5   0x11acd4e71 WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&amp;)
6   0x11acdf194 WebCore::HTMLFormControlElementWithState::insertedInto(WebCore::ContainerNode&amp;)
7   0x11aebf087 WebCore::HTMLTextFormControlElement::insertedInto(WebCore::ContainerNode&amp;)
8   0x1195ace94 WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&amp;, WebCore::Node&amp;, WTF::Vector&lt;WTF::Ref&lt;WebCore::Node&gt;, 11ul, WTF::CrashOnOverflow, 16ul&gt;&amp;)
9   0x1195ad754 WebCore::notifyChildNodeInserted(WebCore::ContainerNode&amp;, WebCore::Node&amp;, WTF::Vector&lt;WTF::Ref&lt;WebCore::Node&gt;, 11ul, WTF::CrashOnOverflow, 16ul&gt;&amp;)
10  0x11958734a WebCore::ContainerNode::notifyChildInserted(WebCore::Node&amp;, WebCore::ContainerNode::ChildChangeSource)
11  0x1195851dc WebCore::ContainerNode::parserAppendChild(WebCore::Node&amp;)
12  0x11abef5d3 WebCore::insert(WebCore::HTMLConstructionSiteTask&amp;)
13  0x11abef07f WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&amp;)
14  0x11abe7802 WebCore::executeTask(WebCore::HTMLConstructionSiteTask&amp;)
15  0x11abe76d9 WebCore::HTMLConstructionSite::executeQueuedTasks()
16  0x11aef2253 WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&amp;&amp;)
17  0x11ac61cb8 WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&amp;)
18  0x11ac61a03 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&amp;)
19  0x11ac5f5e3 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
20  0x11ac5efa0 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
21  0x11ac631dc WebCore::HTMLDocumentParser::append(WTF::RefPtr&lt;WTF::StringImpl&gt;&amp;&amp;)
22  0x119db674c WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&amp;, char const*, unsigned long)
23  0x11a0e0ab2 WebCore::DocumentWriter::addData(char const*, unsigned long)
24  0x11a027ff6 WebCore::DocumentLoader::commitData(char const*, unsigned long)
25  0x10bad9e9e WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int)
26  0x11a02d187 WebCore::DocumentLoader::commitLoad(char const*, int)
27  0x11a02cecb WebCore::DocumentLoader::dataReceived(char const*, int)
28  0x11a02d569 WebCore::DocumentLoader::dataReceived(WebCore::CachedResource&amp;, char const*, int)
29  0x1192dcf72 WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int)
30  0x1192dcc21 WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&amp;)
31  0x11f3e914b WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr&lt;WebCore::SharedBuffer&gt;&amp;&amp;, long long, WebCore::DataPayloadType)
ASAN:DEADLYSIGNAL
=================================================================
==40990==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00011471cca9 bp 0x7fff55264610 sp 0x7fff55264600 T0)
    #0 0x11471cca8 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2f81ca8)
    #1 0x11acbe258 in WebCore::HTMLFieldSetElement::removeInvalidDescendant(WebCore::HTMLFormControlElement const&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fc9258)
    #2 0x11acd5b7e in WebCore::removeInvalidElementToAncestorFromInsertionPoint(WebCore::HTMLFormControlElement const&amp;, WebCore::ContainerNode*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fe0b7e)
    #3 0x11acd40aa in WebCore::HTMLFormControlElement::setNeedsWillValidateCheck() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdf0aa)
    #4 0x11acd4e70 in WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fdfe70)
    #5 0x11acdf193 in WebCore::HTMLFormControlElementWithState::insertedInto(WebCore::ContainerNode&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fea193)
    #6 0x11aebf086 in WebCore::HTMLTextFormControlElement::insertedInto(WebCore::ContainerNode&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x21ca086)
    #7 0x1195ace93 in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&amp;, WebCore::Node&amp;, WTF::Vector&lt;WTF::Ref&lt;WebCore::Node&gt;, 11ul, WTF::CrashOnOverflow, 16ul&gt;&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8b7e93)
    #8 0x1195ad753 in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&amp;, WebCore::Node&amp;, WTF::Vector&lt;WTF::Ref&lt;WebCore::Node&gt;, 11ul, WTF::CrashOnOverflow, 16ul&gt;&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8b8753)
    #9 0x119587349 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&amp;, WebCore::ContainerNode::ChildChangeSource) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x892349)
    #10 0x1195851db in WebCore::ContainerNode::parserAppendChild(WebCore::Node&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8901db)
    #11 0x11abef5d2 in WebCore::insert(WebCore::HTMLConstructionSiteTask&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1efa5d2)
    #12 0x11abef07e in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1efa07e)
    #13 0x11abe7801 in WebCore::executeTask(WebCore::HTMLConstructionSiteTask&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef2801)
    #14 0x11abe76d8 in WebCore::HTMLConstructionSite::executeQueuedTasks() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef26d8)
    #15 0x11aef2252 in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&amp;&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x21fd252)
    #16 0x11ac61cb7 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6ccb7)
    #17 0x11ac61a02 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6ca02)
    #18 0x11ac5f5e2 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6a5e2)
    #19 0x11ac5ef9f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f69f9f)
    #20 0x11ac631db in WebCore::HTMLDocumentParser::append(WTF::RefPtr&lt;WTF::StringImpl&gt;&amp;&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6e1db)
    #21 0x119db674b in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&amp;, char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x10c174b)
    #22 0x11a0e0ab1 in WebCore::DocumentWriter::addData(char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x13ebab1)
    #23 0x11a027ff5 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1332ff5)
    #24 0x10bad9e9d in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x112be9d)
    #25 0x11a02d186 in WebCore::DocumentLoader::commitLoad(char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1338186)
    #26 0x11a02ceca in WebCore::DocumentLoader::dataReceived(char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1337eca)
    #27 0x11a02d568 in WebCore::DocumentLoader::dataReceived(WebCore::CachedResource&amp;, char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1338568)
    #28 0x1192dcf71 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e7f71)
    #29 0x1192dcc20 in WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&amp;) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e7c20)
    #30 0x11f3e914a in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr&lt;WebCore::SharedBuffer&gt;&amp;&amp;, long long, WebCore::DataPayloadType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x66f414a)
    #31 0x11f3e8a80 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x66f3a80)
    #32 0x10c4c9b3a in WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&amp;, long long) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1bb3a)
    #33 0x10c4d7ae3 in void IPC::callMemberFunctionImpl&lt;WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&amp;, long long), std::__1::tuple&lt;IPC::DataReference, long long&gt;, 0ul, 1ul&gt;(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&amp;, long long), std::__1::tuple&lt;IPC::DataReference, long long&gt;&amp;&amp;, std::__1::integer_sequence&lt;unsigned long, 0ul, 1ul&gt;) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b29ae3)
    #34 0x10c4d75e4 in void IPC::callMemberFunction&lt;WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&amp;, long long), std::__1::tuple&lt;IPC::DataReference, long long&gt;, std::__1::integer_sequence&lt;unsigned long, 0ul, 1ul&gt; &gt;(std::__1::tuple&lt;IPC::DataReference, long long&gt;&amp;&amp;, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&amp;, long long)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b295e4)
    #35 0x10c4d4cf1 in void IPC::handleMessage&lt;Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&amp;, long long)&gt;(IPC::Decoder&amp;, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&amp;, long long)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b26cf1)
    #36 0x10c4d3280 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&amp;, IPC::Decoder&amp;) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b25280)
    #37 0x10b173629 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&amp;, IPC::Decoder&amp;) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c5629)
    #38 0x10ab8730a in IPC::Connection::dispatchMessage(IPC::Decoder&amp;) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d930a)
    #39 0x10ab71184 in IPC::Connection::dispatchMessage(std::__1::unique_ptr&lt;IPC::Decoder, std::__1::default_delete&lt;IPC::Decoder&gt; &gt;) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c3184)
    #40 0x10ab87ff5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d9ff5)
    #41 0x10ab985ac in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr&lt;IPC::Decoder, std::__1::default_delete&lt;IPC::Decoder&gt; &gt;)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1ea5ac)
    #42 0x10ab984d8 in WTF::Function&lt;void ()&gt;::CallableWrapper&lt;IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr&lt;IPC::Decoder, std::__1::default_delete&lt;IPC::Decoder&gt; &gt;)::$_14&gt;::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1ea4d8)
    #43 0x1147a2b60 in WTF::Function&lt;void ()&gt;::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3007b60)
    #44 0x1147e55b6 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x304a5b6)
    #45 0x1147e6781 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x304b781)
    #46 0x7fff94efd7e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa7e0)
    #47 0x7fff94edcf1b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89f1b)
    #48 0x7fff94edc43e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8943e)
    #49 0x7fff94edbe37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
    #50 0x7fff93297934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #51 0x7fff9329776e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #52 0x7fff932975ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #53 0x7fff98137df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #54 0x7fff98137225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #55 0x7fff9812bd7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #56 0x7fff980f5367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #57 0x7fff8beec193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #58 0x7fff8beeabbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #59 0x10a996f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
    #60 0x7fff9ecd85ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #61 0x0  (&lt;unknown module&gt;)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2f81ca8) in WTFCrash
==40990==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 40990)</pre>
        </div>
      </p>
    </body>
</html>