Bug 125761
| Summary: | page crashes WebKit: ARGUMENT BAD in AccessibilityMenuListPopup::didUpdateActiveOption | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Adam Dingle <adam> |
| Component: | WebCore JavaScript | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | CC: | deepak.deepakmittal |
| Severity: | Normal | Priority: | P2 |
| Version: | 528+ (Nightly build) | Hardware: | PC |
| OS: | Linux | | |
Adam Dingle
I'm running WebKit 2.3.2 in Epiphany built from git master on Ubuntu 14.04.
Every time I visit this page, WebKitWebProcess crashes:
http://www.gaisma.com/en/location/somerville-massachusetts.html
The top of the stack trace looks like this:
#0 0x00007f6875e56c5c in WTFCrash () at ../Source/WTF/wtf/Assertions.cpp:341
#1 0x00007f6876d30c89 in overflowed () at ../Source/WTF/wtf/CheckedArithmetic.h:80
#2 at (i=11, this=0x7f67f3f37c90) at ../Source/WTF/wtf/Vector.h:584
#3 operator[] (i=11, this=0x7f67f3f37c90) at ../Source/WTF/wtf/Vector.h:604
#4 WebCore::AccessibilityMenuListPopup::didUpdateActiveOption (this=0x7f67f3f37c80,
optionIndex=optionIndex@entry=11) at ../Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp:138
#5 0x00007f6876d304cf in WebCore::AccessibilityMenuList::didUpdateActiveOption (this=0x7f67f3b846e0,
optionIndex=11) at ../Source/WebCore/accessibility/AccessibilityMenuList.cpp:118
#6 0x00007f6877423ae0 in WebCore::RenderMenuList::setTextFromOption (this=0x7f680439c6c0, optionIndex=11)
at ../Source/WebCore/rendering/RenderMenuList.cpp:232
#7 0x00007f68770b8623 in WebCore::HTMLSelectElement::selectOption (this=0x2f1e180,
optionIndex=<optimized out>, flags=1) at ../Source/WebCore/html/HTMLSelectElement.cpp:862
#8 0x00007f68770b879a in WebCore::HTMLSelectElement::setSelectedIndex (this=<optimized out>,
index=<optimized out>) at ../Source/WebCore/html/HTMLSelectElement.cpp:824
#9 0x00007f68776fd874 in WebCore::setJSHTMLSelectElementSelectedIndex (exec=0x7f6805ffbea8,
thisObject=<optimized out>, value=...) at DerivedSources/WebCore/JSHTMLSelectElement.cpp:475
#10 0x00007f68776ff35c in putEntry<WebCore::JSHTMLSelectElement> (shouldThrow=false, thisObj=0x7f681c01f7d0,
value=..., propertyName=..., entry=<optimized out>, exec=0x7f6805ffbea8)
at ../Source/JavaScriptCore/runtime/Lookup.h:301
#11 lookupPut<WebCore::JSHTMLSelectElement> (shouldThrow=false, thisObj=0x7f681c01f7d0, table=..., value=...,
propertyName=..., exec=0x7f6805ffbea8) at ../Source/JavaScriptCore/runtime/Lookup.h:319
#12 lookupPut<WebCore::JSHTMLSelectElement, WebCore::JSHTMLElement> (slot=..., thisObj=0x7f681c01f7d0,
table=..., value=..., propertyName=..., exec=0x7f6805ffbea8)
at ../Source/JavaScriptCore/runtime/Lookup.h:332
#13 WebCore::JSHTMLSelectElement::put (cell=0x7f681c01f7d0, exec=0x7f6805ffbea8, propertyName=..., value=...,
slot=...) at DerivedSources/WebCore/JSHTMLSelectElement.cpp:366
#14 0x00007f6875c62d85 in put (slot=..., value=..., propertyName=..., exec=0x7f6805ffbea8, this=0x7fff75349850)
at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703
#15 JSC::LLInt::llint_slow_path_put_by_id (exec=0x7f6805ffbea8, pc=0x7f67f3b988d0)
at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:584
#16 0x00007f6875c6cc3c in llint_op_put_by_id () from /usr/lib/libjavascriptcoregtk-3.0.so.0
Adam Dingle
(WebKitGTK 2.3.2, that is.)
Adam Dingle
I tried visiting this page with WebKitGTK built from svn trunk with debugging enabled. WebKit failed with this stack trace:
ARGUMENT BAD: optionIndex, optionIndex < static_cast<int>(m_children.size())
Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp(135) : void WebCore::AccessibilityMenuListPopup::didUpdateActiveOption(int)
1 0x7f35f25ff00c /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(WTFCrash+0x1e) [0x7f35f25ff00c]
2 0x7f35f518e926 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore26AccessibilityMenuListPopup21didUpdateActiveOptionEi+0x86) [0x7f35f518e926]
3 0x7f35f518db86 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore21AccessibilityMenuList21didUpdateActiveOptionEi+0x168) [0x7f35f518db86]
4 0x7f35f5bc4ac3 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore14RenderMenuList21didUpdateActiveOptionEi+0x171) [0x7f35f5bc4ac3]
5 0x7f35f5bc3c71 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore14RenderMenuList17setTextFromOptionEi+0x14d) [0x7f35f5bc3c71]
6 0x7f35f5bc3b22 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore14RenderMenuList17updateFromElementEv+0x88) [0x7f35f5bc3b22]
7 0x7f35f56e627b /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore17HTMLSelectElement12selectOptionEij+0x14b) [0x7f35f56e627b]
8 0x7f35f56e6065 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore17HTMLSelectElement16setSelectedIndexEi+0x25) [0x7f35f56e6065]
9 0x7f35f5f18805 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore35setJSHTMLSelectElementSelectedIndexEPN3JSC9ExecStateEPNS0_8JSObjectENS0_7JSValueE+0x72) [0x7f35f5f18805]
10 0x7f35f5f1a232 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(+0x2a66232) [0x7f35f5f1a232]
11 0x7f35f5f1a18b /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(+0x2a6618b) [0x7f35f5f1a18b]
12 0x7f35f5f19d0e /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(+0x2a65d0e) [0x7f35f5f19d0e]
13 0x7f35f5f182b7 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore19JSHTMLSelectElement3putEPN3JSC6JSCellEPNS1_9ExecStateENS1_12PropertyNameENS1_7JSValueERNS1_15PutPropertySlotE+0x14d) [0x7f35f5f182b7]
14 0x7f35f22a1244 /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC7JSValue3putEPNS_9ExecStateENS_12PropertyNameES0_RNS_15PutPropertySlotE+0x96) [0x7f35f22a1244]
15 0x7f35f23efe0b /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(+0xa9fe0b) [0x7f35f23efe0b]
16 0x7f35f23f937a /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(+0xaa937a) [0x7f35f23f937a]
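The assertion in the comment above spells out the relationship that broke: an option index handed down from the `<select>` (here 11, set from script through `selectedIndex`) is used to index the popup's cached `m_children` vector, and the cache is shorter than that. The model below is an added illustration, not WebKit code; `MenuListPopup`, `refreshChildren`, `UpdateResult` and the constructed option lists are hypothetical. It shows the comparison from the assertion done as an ordinary branch, so that a release build rejects a stale index instead of reaching the vector's own abort path seen in the first trace, and it shows the index succeeding once the cache is rebuilt from the element's current options.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Added model, not WebKit code: names and values here are hypothetical.
// It keeps the one relationship the assertion depends on: a cached child
// list indexed by the option index the <select> hands down.
enum class UpdateResult { Updated, IndexOutOfRange };

struct MenuListPopup {
    std::vector<std::string> children;  // cached, one entry per <option>
    int activeChild = -1;

    // Rebuild the cache from the owning element's current option list.
    void refreshChildren(const std::vector<std::string>& selectOptions) {
        children = selectOptions;
    }

    // The assertion's comparison written as a plain guard. In the report it
    // is a debug-build assertion; in the release build the out-of-range
    // read reached WTF::Vector's own check and the process was torn down.
    UpdateResult didUpdateActiveOption(int optionIndex) {
        if (optionIndex < 0
            || static_cast<std::size_t>(optionIndex) >= children.size())
            return UpdateResult::IndexOutOfRange;
        activeChild = optionIndex;
        return UpdateResult::Updated;
    }
};

// Constructed scenario mirroring the trace: the page script sets
// selectedIndex = 11 on a <select> that currently has 12 options.
std::vector<std::string> constructedSelectOptions() {
    std::vector<std::string> options;
    for (int i = 0; i < 12; ++i)        // indices 0..11
        options.push_back("option " + std::to_string(i));
    return options;
}

// Stale cache: only the first 8 options were cached (constructed value),
// so index 11 is out of range and must be rejected.
UpdateResult updateWithStaleCache(int optionIndex) {
    MenuListPopup popup;
    std::vector<std::string> all = constructedSelectOptions();
    popup.refreshChildren(std::vector<std::string>(all.begin(), all.begin() + 8));
    return popup.didUpdateActiveOption(optionIndex);
}

// Cache rebuilt from the element before the index is used: index 11 is valid.
UpdateResult updateWithFreshCache(int optionIndex) {
    MenuListPopup popup;
    popup.refreshChildren(constructedSelectOptions());
    return popup.didUpdateActiveOption(optionIndex);
}

int main() {
    // Stand-alone run: exit 0 when the stale path is rejected and the
    // refreshed path succeeds.
    bool ok = updateWithStaleCache(11) == UpdateResult::IndexOutOfRange
           && updateWithFreshCache(11) == UpdateResult::Updated;
    return ok ? 0 : 1;
}
```

The guard alone only turns a crash into a silently ignored update; the second path, rebuilding the cache from the element before indexing, is what keeps the accessibility tree and the `<select>` in step.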
Deepak Mittal
I am not getting this crash while checking on the latest WebKit.
The link http://www.gaisma.com/en/location/somerville-massachusetts.html is getting loaded and working well.
Can you please reverify this?
Thanks
Adam Dingle
I can no longer reproduce this either - marking as fixed. Thanks!