Bug 122702

I can reproduce this with the GTK port using WebKit2. I believe the problem appears in this piece of code from the layout test (in particular the 'Z' option): debug('Insert/remove options:'); el = makeInvalid(); o1 = appendOption('', el); o2 = appendOption('X', el); o1.selected = true; shouldBe(elBackground, 'invalidColor'); o3 = insertOptionBefore('Y', el, el.firstChild); shouldBe(elBackground, 'validColor'); removeOption(o3, el); shouldBe(elBackground, 'invalidColor'); o3 = appendOption('Z', el); o3.selected = true; shouldBe(elBackground, 'validColor'); el.length = 2; shouldBe(elBackground, 'invalidColor'); WebKit asserts in AccessibilityMenuListPopup::didUpdateActiveOption(int optionIndex) ARGUMENT BAD: optionIndex, optionIndex < static_cast<int>(m_children.size()) optionIndex is 2 and m_children has 2 elements. In the previous call to AccessibilityMenuListPopup::addChildren(), the third option is not added to m_children because it has not been attached yet. Here's the full backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007fb242cb118f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342 342 *(int *)(uintptr_t)0xbbadbeef = 0; #0 0x00007fb242cb118f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342 #1 0x00007fb23db53020 in WebCore::AccessibilityMenuListPopup::didUpdateActiveOption (this=0xe7e990, optionIndex=2) at ../../Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp:135 #2 0x00007fb23db52340 in WebCore::AccessibilityMenuList::didUpdateActiveOption (this=0xe7d800, optionIndex=2) at ../../Source/WebCore/accessibility/AccessibilityMenuList.cpp:118 #3 0x00007fb23e5d18e9 in WebCore::RenderMenuList::didUpdateActiveOption (this=0xe7ea78, optionIndex=2) at ../../Source/WebCore/rendering/RenderMenuList.cpp:379 #4 0x00007fb23e5d09c5 in WebCore::RenderMenuList::setTextFromOption (this=0xe7ea78, optionIndex=2) at ../../Source/WebCore/rendering/RenderMenuList.cpp:234 #5 0x00007fb23e5d0876 in WebCore::RenderMenuList::updateFromElement (this=0xe7ea78) at ../../Source/WebCore/rendering/RenderMenuList.cpp:215 #6 0x00007fb23e0bd17d in WebCore::HTMLSelectElement::selectOption (this=0xe7bad0, optionIndex=2, flags=0) at ../../Source/WebCore/html/HTMLSelectElement.cpp:863 #7 0x00007fb23e0bcfdc in WebCore::HTMLSelectElement::optionSelectionStateChanged (this=0xe7bad0, option=0xe80ea0, optionIsSelected=true) at ../../Source/WebCore/html/HTMLSelectElement.cpp:832 #8 0x00007fb23e0b11aa in WebCore::HTMLOptionElement::setSelected (this=0xe80ea0, selected=true) at ../../Source/WebCore/html/HTMLOptionElement.cpp:242 #9 0x00007fb23e90f0f5 in WebCore::setJSHTMLOptionElementSelected (exec=0x7fb1ec72ffa0, thisObject=0x7fb1ec16f250, value=...) at DerivedSources/WebCore/JSHTMLOptionElement.cpp:306 #10 0x00007fb23e910146 in JSC::putEntry<WebCore::JSHTMLOptionElement> (exec=0x7fb1ec72ffa0, entry=0x10f1768, propertyName=..., value=..., thisObj=0x7fb1ec16f250, shouldThrow=false) at ../../Source/JavaScriptCore/runtime/Lookup.h:301 #11 0x00007fb23e91009f in JSC::lookupPut<WebCore::JSHTMLOptionElement> (exec=0x7fb1ec72ffa0, propertyName=..., value=..., table=..., thisObj=0x7fb1ec16f250, shouldThrow=false) at ../../Source/JavaScriptCore/runtime/Lookup.h:319 #12 0x00007fb23e90fa8e in JSC::lookupPut<WebCore::JSHTMLOptionElement, WebCore::JSHTMLElement> (exec=0x7fb1ec72ffa0, propertyName=..., value=..., table=..., thisObj=0x7fb1ec16f250, slot=...) at ../../Source/JavaScriptCore/runtime/Lookup.h:332 #13 0x00007fb23e90eebb in WebCore::JSHTMLOptionElement::put (cell=0x7fb1ec16f250, exec=0x7fb1ec72ffa0, propertyName=..., value=..., slot=...) at DerivedSources/WebCore/JSHTMLOptionElement.cpp:259 #14 0x00007fb24299ebd6 in JSC::JSValue::put (this=0x7fff913691b0, exec=0x7fb1ec72ffa0, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703 #15 0x00007fb242ae1ddb in JSC::LLInt::llint_slow_path_put_by_id (exec=0x7fb1ec72ffa0, pc=0xf53360) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:584 #16 0x00007fb242aead94 in llint_op_put_by_id () from /usr/local/devel/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0 #17 0x00007fb1ec72ffa0 in ?? () #18 0x00007fb1ec16f3f0 in ?? () #19 0x0000000000f88e60 in ?? () #20 0x00007fb1ec2ef758 in ?? () #21 0x00007fb1ec72ffa0 in ?? () #22 0x00000000010acd40 in ?? () #23 0x00007fff913692a0 in ?? () #24 0x00007fb242aa000e in JSC::MacroAssemblerCodeRef::operator! (this= 0x7fb23dbc8b14 <WebCore::JSDOMWindowBase::supportsRichSourceInfo(JSC::JSGlobalObject const*)>) at ../../Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h:409 #25 0x00007fb242a9f8d0 in JSC::JITCode::execute (this=0x10acd30, stack=0xf9db08, callFrame=0x7fb1ec72ffa0, vm=0x10fb4f0) at ../../Source/JavaScriptCore/jit/JITCode.cpp:46 #26 0x00007fb242a87e92 in JSC::Interpreter::execute (this=0xf9daf0, program=0x7fb1ec1afe70, callFrame=0x7fb1ec26f9b0, thisObj=0x7fb1ec2affd8) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:882 #27 0x00007fb242b8b7ed in JSC::evaluate (exec=0x7fb1ec26f9b0, source=..., thisValue=..., returnedException=0x7fff91369fc0) at ../../Source/JavaScriptCore/runtime/Completion.cpp:83 #28 0x00007fb23dbf40d3 in WebCore::JSMainThreadExecState::evaluate (exec=0x7fb1ec26f9b0, source=..., thisValue=..., exception=0x7fff91369fc0) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:62 #29 0x00007fb23dc21981 in WebCore::ScriptController::evaluateInWorld (this=0xf234f0, sourceCode=..., world=...) at ../../Source/WebCore/bindings/js/ScriptController.cpp:146 #30 0x00007fb23dc21a90 in WebCore::ScriptController::evaluate (this=0xf234f0, sourceCode=...) at ../../Source/WebCore/bindings/js/ScriptController.cpp:162 #31 0x00007fb23deedb33 in WebCore::ScriptElement::executeScript (this=0x1090958, sourceCode=...) at ../../Source/WebCore/dom/ScriptElement.cpp:315 #32 0x00007fb23e103c54 in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent (this=0xec5070, pendingScript=...) at ../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:149 #33 0x00007fb23e103aa2 in WebCore::HTMLScriptRunner::executeParsingBlockingScript (this=0xec5070) at ../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:121 #34 0x00007fb23e103f80 in WebCore::HTMLScriptRunner::executeParsingBlockingScripts (this=0xec5070) at ../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:200 #35 0x00007fb23e103f3f in WebCore::HTMLScriptRunner::execute (this=0xec5070, scriptElement=..., scriptStartPosition=...) at ../../Source/WebCore/html/parser/HTMLScriptRunner.cpp:188 #36 0x00007fb23e0ee883 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder (this=0xec53b0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:272 #37 0x00007fb23e0ee96e in WebCore::HTMLDocumentParser::canTakeNextToken (this=0xec53b0, mode=WebCore::HTMLDocumentParser::AllowYield, session=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:291 #38 0x00007fb23e0eef70 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0xec53b0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:536 #39 0x00007fb23e0ee6f7 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0xec53b0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:236 #40 0x00007fb23e0efd13 in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution (this=0xec53b0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:898 #41 0x00007fb23e0eff9d in WebCore::HTMLDocumentParser::notifyFinished (this=0xec53b0, cachedResource=0x10e1050) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:938 #42 0x00007fb23e2b450a in WebCore::CachedResource::checkNotify (this=0x10e1050) at ../../Source/WebCore/loader/cache/CachedResource.cpp:369 #43 0x00007fb23e2b45e0 in WebCore::CachedResource::finishLoading (this=0x10e1050) at ../../Source/WebCore/loader/cache/CachedResource.cpp:385 #44 0x00007fb23e2c8b9a in WebCore::CachedScript::finishLoading (this=0x10e1050, data=0x10cfc20) at ../../Source/WebCore/loader/cache/CachedScript.cpp:89 #45 0x00007fb23e335e19 in WebCore::SubresourceLoader::didFinishLoading (this=0x10e1670, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:283 #46 0x00007fb23e32c64f in WebCore::ResourceLoader::didFinishLoading (this=0x10e1670, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:487 #47 0x00007fb23eb2e0c4 in WebCore::readCallback (asyncResult=0xec49d0, data=0xeb81f0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1329 #48 0x00007fb23b0cc869 in async_ready_callback_wrapper (source_object=0x10621e0, res=0xec49d0, user_data=0xeb81f0) at ginputstream.c:530 #49 0x00007fb23b0ee76b in g_task_return_now (task=0xec49d0) at gtask.c:1105 #50 0x00007fb23b0ee789 in complete_in_idle_cb (task=0xec49d0) at gtask.c:1114 #51 0x00007fb23af46215 in g_main_dispatch (context=0xd10c10) at gmain.c:3054 #52 g_main_context_dispatch (context=context@entry=0xd10c10) at gmain.c:3630 #53 0x00007fb23af46558 in g_main_context_iterate (context=0xd10c10, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3701 #54 0x00007fb23af469ca in g_main_loop_run (loop=0xda2580) at gmain.c:3895 #55 0x00007fb23f0bf5d6 in WebCore::RunLoop::run () at ../../Source/WebCore/platform/gtk/RunLoopGtk.cpp:61 #56 0x00007fb23d9f1dff in WebKit::WebProcessMainGtk (argc=2, argv=0x7fff9136aa08) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:78 #57 0x000000000040099d in main (argc=2, argv=0x7fff9136aa08) at ../../Source/WebKit2/gtk/MainGtk.cpp:31