Bug 11765 - REGRESSION: Clicking on a select with size other than 1 and no children results in a crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 420+
Hardware: Mac OS X 10.4
: P1 Normal
Assignee: Nobody
URL:
Keywords: Regression
Depends on:
Blocks:
 
Reported: 2006-12-05 17:15 PST by Jacob Lukas
Modified: 2006-12-08 15:07 PST

See Also:


Attachments
Reduced test case (650 bytes, application/xhtml+xml)
2006-12-05 17:16 PST, Jacob Lukas
no flags
First attempt (4.02 KB, patch)
2006-12-08 05:17 PST, Rob Buis
adele: review+

Description Jacob Lukas 2006-12-05 17:15:58 PST
Clicking on a select with size other than 1 and no children results in a crash. This is reproducible every time.
Comment 1 Jacob Lukas 2006-12-05 17:16:33 PST
Created attachment 11747
Reduced test case
Comment 2 Matt Lilek 2006-12-05 17:44:34 PST
Confirming - I also get the following assertion failure

ASSERTION FAILED: i < size()
(/Users/matt/Code/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:387 const T& WTF::Vector<T, inlineCapacity>::at(size_t) const [with T = WebCore::HTMLElement*, long unsigned int inlineCapacity = 0ul])
Comment 3 Rob Buis 2006-12-08 05:17:38 PST
Created attachment 11771
First attempt

This patch should fix it. The testcase is a bit tricky but I think it does the job: with ToT it shows the crash, with my patch it will say Passed.
Cheers,

Rob.
Comment 4 Rob Buis 2006-12-08 15:07:42 PST
Landed in r18089.