Bug 12942

Summary: ASSERTION FAILURE: qantas.com.au changing selected item in <select> via JS
Product: WebKit Reporter: Mark Rowe (bdash) <mrowe>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: ap
Priority: P1 Keywords: HasReduction
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
URL: http://www.qantas.com.au/regions/dyn/home/qualifier-region-au
Attachments:
Description Flags
Crash log
none
Reduction
none
Patch sam: review+

Description Mark Rowe (bdash) 2007-03-01 22:30:23 PST 
Steps to reproduce:
1. Load <http://www.qantas.com.au/regions/dyn/home/qualifier-region-au>.
2. Select 'April 2007' from the "Depart" dropdown.
3. From the "Return" day dropdown select "Tuesday 10".

Expected results:
Page updates to match new selection.

Actual results:
Beachball, then crash.

0   com.apple.WebCore              	0x010aa4d4 WebCore::HTMLSelectElement::setSelectedIndex(int, bool, bool) + 326 (HTMLSelectElement.cpp:188)
1   com.apple.WebCore              	0x013c278d WebCore::JSHTMLSelectElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) + 153 (JSHTMLSelectElement.cpp:224)
2   com.apple.WebCore              	0x015bf15a bool KJS::lookupPut<WebCore::JSHTMLSelectElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, WebCore::JSHTMLSelectElement*) + 162 (lookup.h:254)

Will attach the full backtrace.
Comment 1 Mark Rowe (bdash) 2007-03-01 22:31:33 PST 
Created attachment 13448 [details]
Crash log
Comment 2 Alexey Proskuryakov 2007-03-02 11:22:20 PST 
I cannot reproduce this with r19943 on a PowerPC Mac.
Comment 3 Jeff McGlynn 2007-03-02 20:49:12 PST 
I cannot reproduce this in r19940, r18726, r17722, r16233, or Safari 2.0.4 (419.3).  I'm using a 10.4.8 on a PPC architecture.
Comment 4 Mark Rowe (bdash) 2007-03-02 21:41:20 PST 
I cannot reproduce this either.  This may be because the select lists have changed contents due to dates, or it may have been timing related.  I was seeing this initially with r19940 and retesting there doesn't reproduce the problem.  I'll leave this open and retest this in a few days to see if i can find other conditions to trigger this.
Comment 5 Mark Rowe (bdash) 2007-03-04 18:05:14 PST 
As the crash log notes this is an assertion failure rather than a crash, so there is no way this will be triggered in a nightly build.  I can reproduce this easily again today while I was unable during the weekend.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x010aa2c4 in WebCore::HTMLSelectElement::setSelectedIndex (this=0x1b957c60, optionIndex=0, deselect=true, fireOnChange=false) at /Users/mrowe/Documents/Work/Apple/OpenSource/WebCore/html/HTMLSelectElement.cpp:188
188         ASSERT(m_lastOnChangeIndex == -1 || m_lastOnChangeIndex == optionIndex);
(gdb) print m_lastOnChangeIndex
$1 = 2
(gdb) print optionIndex
$2 = 0
Comment 6 Mark Rowe (bdash) 2007-03-04 22:51:38 PST 
Further investigation shows that this is happening when the selectedIndex on the <select> element is set inside an onchange event handler of the element.
Comment 7 Mark Rowe (bdash) 2007-03-04 23:12:11 PST 
Created attachment 13475 [details]
Reduction

Truncating the select element's options and changing selectedIndex from within the onchange event handler will trigger the assertion failure.
Comment 8 Mark Rowe (bdash) 2007-03-05 19:49:44 PST 
Created attachment 13485 [details]
Patch
Comment 9 Mark Rowe (bdash) 2007-03-06 20:21:07 PST 
Landed in r20001.