125761 2013-12-15 18:34:39 -0800 page crashes WebKit: ARGUMENT BAD in AccessibilityMenuListPopup::didUpdateActiveOption 2014-02-01 19:04:06 -0800 1 1 1 Unclassified WebKit WebCore JavaScript 528+ (Nightly build) PC Linux RESOLVED FIXED P2 Normal --- 1 adam webkit-unassigned deepak.deepakmittal oldest_to_newest 959964 0 adam 2013-12-15 18:34:39 -0800 I'm running WebKit 2.3.2 in Epiphany built from git master on Ubuntu 14.04. Every time I visit this page, WebKitWebProcess crashes: http://www.gaisma.com/en/location/somerville-massachusetts.html The top of the stack trace looks like this: #0 0x00007f6875e56c5c in WTFCrash () at ../Source/WTF/wtf/Assertions.cpp:341 #1 0x00007f6876d30c89 in overflowed () at ../Source/WTF/wtf/CheckedArithmetic.h:80 #2 at (i=11, this=0x7f67f3f37c90) at ../Source/WTF/wtf/Vector.h:584 #3 operator[] (i=11, this=0x7f67f3f37c90) at ../Source/WTF/wtf/Vector.h:604 #4 WebCore::AccessibilityMenuListPopup::didUpdateActiveOption (this=0x7f67f3f37c80, optionIndex=optionIndex@entry=11) at ../Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp:138 #5 0x00007f6876d304cf in WebCore::AccessibilityMenuList::didUpdateActiveOption (this=0x7f67f3b846e0, optionIndex=11) at ../Source/WebCore/accessibility/AccessibilityMenuList.cpp:118 #6 0x00007f6877423ae0 in WebCore::RenderMenuList::setTextFromOption (this=0x7f680439c6c0, optionIndex=11) at ../Source/WebCore/rendering/RenderMenuList.cpp:232 #7 0x00007f68770b8623 in WebCore::HTMLSelectElement::selectOption (this=0x2f1e180, optionIndex=<optimized out>, flags=1) at ../Source/WebCore/html/HTMLSelectElement.cpp:862 #8 0x00007f68770b879a in WebCore::HTMLSelectElement::setSelectedIndex (this=<optimized out>, index=<optimized out>) at ../Source/WebCore/html/HTMLSelectElement.cpp:824 #9 0x00007f68776fd874 in WebCore::setJSHTMLSelectElementSelectedIndex (exec=0x7f6805ffbea8, thisObject=<optimized out>, value=...) at DerivedSources/WebCore/JSHTMLSelectElement.cpp:475 #10 0x00007f68776ff35c in putEntry<WebCore::JSHTMLSelectElement> (shouldThrow=false, thisObj=0x7f681c01f7d0, value=..., propertyName=..., entry=<optimized out>, exec=0x7f6805ffbea8) at ../Source/JavaScriptCore/runtime/Lookup.h:301 #11 lookupPut<WebCore::JSHTMLSelectElement> (shouldThrow=false, thisObj=0x7f681c01f7d0, table=..., value=..., propertyName=..., exec=0x7f6805ffbea8) at ../Source/JavaScriptCore/runtime/Lookup.h:319 #12 lookupPut<WebCore::JSHTMLSelectElement, WebCore::JSHTMLElement> (slot=..., thisObj=0x7f681c01f7d0, table=..., value=..., propertyName=..., exec=0x7f6805ffbea8) at ../Source/JavaScriptCore/runtime/Lookup.h:332 #13 WebCore::JSHTMLSelectElement::put (cell=0x7f681c01f7d0, exec=0x7f6805ffbea8, propertyName=..., value=..., slot=...) at DerivedSources/WebCore/JSHTMLSelectElement.cpp:366 #14 0x00007f6875c62d85 in put (slot=..., value=..., propertyName=..., exec=0x7f6805ffbea8, this=0x7fff75349850) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703 #15 JSC::LLInt::llint_slow_path_put_by_id (exec=0x7f6805ffbea8, pc=0x7f67f3b988d0) at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:584 #16 0x00007f6875c6cc3c in llint_op_put_by_id () from /usr/lib/libjavascriptcoregtk-3.0.so.0 959965 1 adam 2013-12-15 18:36:49 -0800 (WebKitGTK 2.3.2, that is.) 960088 2 adam 2013-12-16 09:38:34 -0800 I tried visiting this page with WebKitGTK built from svn trunk with debugging enabled. WebKit failed with this stack trace: ARGUMENT BAD: optionIndex, optionIndex < static_cast<int>(m_children.size()) Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp(135) : void WebCore::AccessibilityMenuListPopup::didUpdateActiveOption(int) 1 0x7f35f25ff00c /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(WTFCrash+0x1e) [0x7f35f25ff00c] 2 0x7f35f518e926 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore26AccessibilityMenuListPopup21didUpdateActiveOptionEi+0x86) [0x7f35f518e926] 3 0x7f35f518db86 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore21AccessibilityMenuList21didUpdateActiveOptionEi+0x168) [0x7f35f518db86] 4 0x7f35f5bc4ac3 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore14RenderMenuList21didUpdateActiveOptionEi+0x171) [0x7f35f5bc4ac3] 5 0x7f35f5bc3c71 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore14RenderMenuList17setTextFromOptionEi+0x14d) [0x7f35f5bc3c71] 6 0x7f35f5bc3b22 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore14RenderMenuList17updateFromElementEv+0x88) [0x7f35f5bc3b22] 7 0x7f35f56e627b /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore17HTMLSelectElement12selectOptionEij+0x14b) [0x7f35f56e627b] 8 0x7f35f56e6065 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore17HTMLSelectElement16setSelectedIndexEi+0x25) [0x7f35f56e6065] 9 0x7f35f5f18805 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore35setJSHTMLSelectElementSelectedIndexEPN3JSC9ExecStateEPNS0_8JSObjectENS0_7JSValueE+0x72) [0x7f35f5f18805] 10 0x7f35f5f1a232 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(+0x2a66232) [0x7f35f5f1a232] 11 0x7f35f5f1a18b /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(+0x2a6618b) [0x7f35f5f1a18b] 12 0x7f35f5f19d0e /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(+0x2a65d0e) [0x7f35f5f19d0e] 13 0x7f35f5f182b7 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore19JSHTMLSelectElement3putEPN3JSC6JSCellEPNS1_9ExecStateENS1_12PropertyNameENS1_7JSValueERNS1_15PutPropertySlotE+0x14d) [0x7f35f5f182b7] 14 0x7f35f22a1244 /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC7JSValue3putEPNS_9ExecStateENS_12PropertyNameES0_RNS_15PutPropertySlotE+0x96) [0x7f35f22a1244] 15 0x7f35f23efe0b /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(+0xa9fe0b) [0x7f35f23efe0b] 16 0x7f35f23f937a /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(+0xaa937a) [0x7f35f23f937a] 974610 3 deepak.deepakmittal 2014-02-01 05:00:22 -0800 I am not getting this crash while checking on the latest webkit.. The link http://www.gaisma.com/en/location/somerville-massachusetts.html is getting loaded and working well. Can you please reverify this .. Thanks 974683 4 adam 2014-02-01 19:04:06 -0800 I can no longer reproduce this either - marking as fixed. Thanks!