Bug 13243

Summary:

REGRESSION (r20506): Repro crash/assert when using scroll wheel on a list box taller than its contents

Product:

WebKit

Reporter:

mitz

Component:

Forms

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Critical

Keywords:

InRadar, Regression

Priority:

Version:

523.x (Safari 3)

Hardware:

Mac

OS:

OS X 10.4

URL:

data:text/html,<select multiple><option>Scrollwheel here</option></select>

Attachments:

Description	Flags
Patch	darin: review+

Description mitz 2007-03-31 06:10:46 PDT

Open the URL, position the mouse inside the list box and use the scroll wheel to scroll up or down. Crashes r20610. In a debug build you get:

ASSERTION FAILED: i < size()
(JavaScriptCore.framework/PrivateHeaders/Vector.h:406 const T& WTF::Vector<T, inlineCapacity>::at(size_t) const [with T = WebCore::HTMLElement*, long unsigned int inlineCapacity = 0ul])


Thread 0 Crashed:
0   com.apple.WebCore              	0x0165f2b8 WTF::Vector<WebCore::HTMLElement*, (unsigned long)0>::at(unsigned long) const + 120 (Vector.h:406)
1   com.apple.WebCore              	0x0165f320 WTF::Vector<WebCore::HTMLElement*, (unsigned long)0>::operator[](int) const + 44 (Vector.h:415)
2   com.apple.WebCore              	0x0144b4f8 WebCore::RenderListBox::paintItemBackground(WebCore::RenderObject::PaintInfo&, int, int, int) + 96 (RenderListBox.cpp:351)
3   com.apple.WebCore              	0x0144ce20 WebCore::RenderListBox::paintObject(WebCore::RenderObject::PaintInfo&, int, int) + 300 (RenderListBox.cpp:268)
4   com.apple.WebCore              	0x01181bc4 WebCore::RenderBlock::paint(WebCore::RenderObject::PaintInfo&, int, int) + 672 (RenderBlock.cpp:1326)
[...]

Comment 1 mitz 2007-03-31 07:02:36 PDT

Created attachment 13909 [details]
Patch

Comment 2 Darin Adler 2007-03-31 17:33:56 PDT

Comment on attachment 13909 [details]
Patch

r=me

Comment 3 Mark Rowe (bdash) 2007-03-31 22:13:03 PDT

<rdar://problem/5103226>

Comment 4 Mark Rowe (bdash) 2007-03-31 22:24:04 PDT

Landed in r20645.