Bug 125761

Summary: page crashes WebKit: ARGUMENT BAD in AccessibilityMenuListPopup::didUpdateActiveOption
Product: WebKit Reporter: Adam Dingle <adam>
Component: WebCore JavaScriptAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: deepak.deepakmittal
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   

Description Adam Dingle 2013-12-15 18:34:39 PST 
I'm running WebKit 2.3.2 in Epiphany built from git master on Ubuntu 14.04.

Every time I visit this page, WebKitWebProcess crashes:

http://www.gaisma.com/en/location/somerville-massachusetts.html

The top of the stack trace looks like this:

#0  0x00007f6875e56c5c in WTFCrash () at ../Source/WTF/wtf/Assertions.cpp:341
#1  0x00007f6876d30c89 in overflowed () at ../Source/WTF/wtf/CheckedArithmetic.h:80
#2  at (i=11, this=0x7f67f3f37c90) at ../Source/WTF/wtf/Vector.h:584
#3  operator[] (i=11, this=0x7f67f3f37c90) at ../Source/WTF/wtf/Vector.h:604
#4  WebCore::AccessibilityMenuListPopup::didUpdateActiveOption (this=0x7f67f3f37c80, 
    optionIndex=optionIndex@entry=11) at ../Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp:138
#5  0x00007f6876d304cf in WebCore::AccessibilityMenuList::didUpdateActiveOption (this=0x7f67f3b846e0, 
    optionIndex=11) at ../Source/WebCore/accessibility/AccessibilityMenuList.cpp:118
#6  0x00007f6877423ae0 in WebCore::RenderMenuList::setTextFromOption (this=0x7f680439c6c0, optionIndex=11)
    at ../Source/WebCore/rendering/RenderMenuList.cpp:232
#7  0x00007f68770b8623 in WebCore::HTMLSelectElement::selectOption (this=0x2f1e180, 
    optionIndex=<optimized out>, flags=1) at ../Source/WebCore/html/HTMLSelectElement.cpp:862
#8  0x00007f68770b879a in WebCore::HTMLSelectElement::setSelectedIndex (this=<optimized out>, 
    index=<optimized out>) at ../Source/WebCore/html/HTMLSelectElement.cpp:824
#9  0x00007f68776fd874 in WebCore::setJSHTMLSelectElementSelectedIndex (exec=0x7f6805ffbea8, 
    thisObject=<optimized out>, value=...) at DerivedSources/WebCore/JSHTMLSelectElement.cpp:475
#10 0x00007f68776ff35c in putEntry<WebCore::JSHTMLSelectElement> (shouldThrow=false, thisObj=0x7f681c01f7d0, 
    value=..., propertyName=..., entry=<optimized out>, exec=0x7f6805ffbea8)
    at ../Source/JavaScriptCore/runtime/Lookup.h:301
#11 lookupPut<WebCore::JSHTMLSelectElement> (shouldThrow=false, thisObj=0x7f681c01f7d0, table=..., value=..., 
    propertyName=..., exec=0x7f6805ffbea8) at ../Source/JavaScriptCore/runtime/Lookup.h:319
#12 lookupPut<WebCore::JSHTMLSelectElement, WebCore::JSHTMLElement> (slot=..., thisObj=0x7f681c01f7d0, 
    table=..., value=..., propertyName=..., exec=0x7f6805ffbea8)
    at ../Source/JavaScriptCore/runtime/Lookup.h:332
#13 WebCore::JSHTMLSelectElement::put (cell=0x7f681c01f7d0, exec=0x7f6805ffbea8, propertyName=..., value=..., 
    slot=...) at DerivedSources/WebCore/JSHTMLSelectElement.cpp:366
#14 0x00007f6875c62d85 in put (slot=..., value=..., propertyName=..., exec=0x7f6805ffbea8, this=0x7fff75349850)
    at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:703
#15 JSC::LLInt::llint_slow_path_put_by_id (exec=0x7f6805ffbea8, pc=0x7f67f3b988d0)
    at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:584
#16 0x00007f6875c6cc3c in llint_op_put_by_id () from /usr/lib/libjavascriptcoregtk-3.0.so.0
Comment 1 Adam Dingle 2013-12-15 18:36:49 PST 
(WebKitGTK 2.3.2, that is.)
Comment 2 Adam Dingle 2013-12-16 09:38:34 PST 
I tried visiting this page with WebKitGTK built from svn trunk with debugging enabled.  WebKit failed with this stack trace:

ARGUMENT BAD: optionIndex, optionIndex < static_cast<int>(m_children.size())
Source/WebCore/accessibility/AccessibilityMenuListPopup.cpp(135) : void WebCore::AccessibilityMenuListPopup::didUpdateActiveOption(int)
1   0x7f35f25ff00c /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(WTFCrash+0x1e) [0x7f35f25ff00c]
2   0x7f35f518e926 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore26AccessibilityMenuListPopup21didUpdateActiveOptionEi+0x86) [0x7f35f518e926]
3   0x7f35f518db86 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore21AccessibilityMenuList21didUpdateActiveOptionEi+0x168) [0x7f35f518db86]
4   0x7f35f5bc4ac3 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore14RenderMenuList21didUpdateActiveOptionEi+0x171) [0x7f35f5bc4ac3]
5   0x7f35f5bc3c71 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore14RenderMenuList17setTextFromOptionEi+0x14d) [0x7f35f5bc3c71]
6   0x7f35f5bc3b22 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore14RenderMenuList17updateFromElementEv+0x88) [0x7f35f5bc3b22]
7   0x7f35f56e627b /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore17HTMLSelectElement12selectOptionEij+0x14b) [0x7f35f56e627b]
8   0x7f35f56e6065 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore17HTMLSelectElement16setSelectedIndexEi+0x25) [0x7f35f56e6065]
9   0x7f35f5f18805 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore35setJSHTMLSelectElementSelectedIndexEPN3JSC9ExecStateEPNS0_8JSObjectENS0_7JSValueE+0x72) [0x7f35f5f18805]
10  0x7f35f5f1a232 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(+0x2a66232) [0x7f35f5f1a232]
11  0x7f35f5f1a18b /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(+0x2a6618b) [0x7f35f5f1a18b]
12  0x7f35f5f19d0e /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(+0x2a65d0e) [0x7f35f5f19d0e]
13  0x7f35f5f182b7 /home/adam/src/WebKit/.libs/libwebkit2gtk-3.0.so.25(_ZN7WebCore19JSHTMLSelectElement3putEPN3JSC6JSCellEPNS1_9ExecStateENS1_12PropertyNameENS1_7JSValueERNS1_15PutPropertySlotE+0x14d) [0x7f35f5f182b7]
14  0x7f35f22a1244 /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC7JSValue3putEPNS_9ExecStateENS_12PropertyNameES0_RNS_15PutPropertySlotE+0x96) [0x7f35f22a1244]
15  0x7f35f23efe0b /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(+0xa9fe0b) [0x7f35f23efe0b]
16  0x7f35f23f937a /home/adam/src/WebKit/.libs/libjavascriptcoregtk-3.0.so.0(+0xaa937a) [0x7f35f23f937a]
Comment 3 Deepak Mittal 2014-02-01 05:00:22 PST 
I am not getting this crash while checking on the latest webkit..
The link http://www.gaisma.com/en/location/somerville-massachusetts.html is getting loaded and working well.

Can you please reverify this ..
Thanks
Comment 4 Adam Dingle 2014-02-01 19:04:06 PST 
I can no longer reproduce this either - marking as fixed.  Thanks!