40390 2010-06-09 14:39:35 -0700 Destroyed popup menu gets called during AutoFill thus crashing the tab. 2010-06-11 10:58:35 -0700 1 1 1 Unclassified WebKit WebKit API 528+ (Nightly build) PC Windows Vista RESOLVED DUPLICATE 40459 P1 Normal --- 0 georgey webkit-unassigned jhawkins oldest_to_newest 236016 0 georgey 2010-06-09 14:39:35 -0700 This verified using chromium. 1. Have two autofill profiles, one with name only. 2. Go to https://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo works. 3. Autofill by clicking on first name and selecting name-only profile. 4. Click on the field again to re-select profiles list of profiles should appear. Instead tab crashes. Call stack: chrome.dll!WebKit::WebPopupMenuImpl::client() Line 80 + 0x11 bytes C++ chrome.dll!WebKit::WebViewImpl::refreshSuggestionsPopup() Line 2105 + 0x14 bytes C++ chrome.dll!WebKit::WebViewImpl::applyAutoFillSuggestions(const WebKit::WebNode & node={...}, const WebKit::WebVector<WebKit::WebString> & names={...}, const WebKit::WebVector<WebKit::WebString> & labels={...}, int defaultSuggestionIndex=-1) Line 1836 C++ chrome.dll!RenderView::OnAutoFillSuggestionsReturned(int query_id=1, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > & values=[1]("a56757576576"), const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > & labels=[1]("#2"), int default_suggestion_index=-1) Line 1486 + 0x4b bytes C++ chrome.dll!DispatchToMethod<RenderView,void (__thiscall RenderView::*)(int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,int),int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int>(RenderView * obj=0x05550400, void (int, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, int)* method=0x5a1f6600, const Tuple4<int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int> & arg={...}) Line 441 + 0x36 bytes C++ chrome.dll!IPC::MessageWithTuple<Tuple4<int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int> >::Dispatch<RenderView,void (__thiscall RenderView::*)(int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,int)>(const IPC::Message * msg=0x064ce5a8, RenderView * obj=0x05550400, void (int, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, int)* func=0x5a1f6600) Line 1020 + 0x23 bytes C++ chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...}) Line 653 + 0x4a bytes C++ chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...}) Line 40 + 0x13 bytes C++ chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...}) Line 31 + 0x13 bytes C++ cause: in WebViewImpl::refreshSuggestionsPopup() WebPopupMenuImpl* popupMenu = static_cast<WebPopupMenuImpl*>(m_suggestionsPopup->client()); returns NULL, and crashes next line. popupMenu->client()->setWindowRect(newBounds); 236900 1 jhawkins 2010-06-11 10:45:01 -0700 I took a look at this George, and the proposed solution (offline) is actually not correct. The problem is that the AutoFillPopupMenuClient is not notifying the WebView when the popup hides. 236901 2 jhawkins 2010-06-11 10:45:44 -0700 So this bug should probably be closed in favor of https://bugs.webkit.org/show_bug.cgi?id=40459 236909 3 georgey 2010-06-11 10:58:35 -0700 *** This bug has been marked as a duplicate of bug 40459 ***