Bug 12942

Summary: ASSERTION FAILURE: qantas.com.au changing selected item in <select> via JS
Product: WebKit Reporter: Mark Rowe (bdash) <mrowe>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: ap
Priority: P1 Keywords: HasReduction
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
URL: http://www.qantas.com.au/regions/dyn/home/qualifier-region-au
Attachments:
Description Flags
Crash log
none
Reduction
none
Patch sam: review+

Mark Rowe (bdash)
Reported 2007-03-01 22:30:23 PST
Steps to reproduce: 1. Load <http://www.qantas.com.au/regions/dyn/home/qualifier-region-au>. 2. Select 'April 2007' from the "Depart" dropdown. 3. From the "Return" day dropdown select "Tuesday 10". Expected results: Page updates to match new selection. Actual results: Beachball, then crash. 0 com.apple.WebCore 0x010aa4d4 WebCore::HTMLSelectElement::setSelectedIndex(int, bool, bool) + 326 (HTMLSelectElement.cpp:188) 1 com.apple.WebCore 0x013c278d WebCore::JSHTMLSelectElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) + 153 (JSHTMLSelectElement.cpp:224) 2 com.apple.WebCore 0x015bf15a bool KJS::lookupPut<WebCore::JSHTMLSelectElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, WebCore::JSHTMLSelectElement*) + 162 (lookup.h:254) Will attach the full backtrace.
Attachments
Crash log (10.16 KB, text/plain)
2007-03-01 22:31 PST, Mark Rowe (bdash) 		no flags
Details
Reduction (732 bytes, text/html)
2007-03-04 23:12 PST, Mark Rowe (bdash) 		no flags
Details
Patch (3.77 KB, patch)
2007-03-05 19:49 PST, Mark Rowe (bdash) 		sam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1 2007-03-01 22:31:33 PST
Created attachment 13448 [details] Crash log
Alexey Proskuryakov
Comment 2 2007-03-02 11:22:20 PST
I cannot reproduce this with r19943 on a PowerPC Mac.
Jeff McGlynn
Comment 3 2007-03-02 20:49:12 PST
I cannot reproduce this in r19940, r18726, r17722, r16233, or Safari 2.0.4 (419.3). I'm using a 10.4.8 on a PPC architecture.
Mark Rowe (bdash)
Comment 4 2007-03-02 21:41:20 PST
I cannot reproduce this either. This may be because the select lists have changed contents due to dates, or it may have been timing related. I was seeing this initially with r19940 and retesting there doesn't reproduce the problem. I'll leave this open and retest this in a few days to see if i can find other conditions to trigger this.
Mark Rowe (bdash)
Comment 5 2007-03-04 18:05:14 PST
As the crash log notes this is an assertion failure rather than a crash, so there is no way this will be triggered in a nightly build. I can reproduce this easily again today while I was unable during the weekend. Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef 0x010aa2c4 in WebCore::HTMLSelectElement::setSelectedIndex (this=0x1b957c60, optionIndex=0, deselect=true, fireOnChange=false) at /Users/mrowe/Documents/Work/Apple/OpenSource/WebCore/html/HTMLSelectElement.cpp:188 188 ASSERT(m_lastOnChangeIndex == -1 || m_lastOnChangeIndex == optionIndex); (gdb) print m_lastOnChangeIndex $1 = 2 (gdb) print optionIndex $2 = 0
Mark Rowe (bdash)
Comment 6 2007-03-04 22:51:38 PST
Further investigation shows that this is happening when the selectedIndex on the <select> element is set inside an onchange event handler of the element.
Mark Rowe (bdash)
Comment 7 2007-03-04 23:12:11 PST
Created attachment 13475 [details] Reduction Truncating the select element's options and changing selectedIndex from within the onchange event handler will trigger the assertion failure.
Mark Rowe (bdash)
Comment 8 2007-03-05 19:49:44 PST
Created attachment 13485 [details] Patch
Mark Rowe (bdash)
Comment 9 2007-03-06 20:21:07 PST
Landed in r20001.
Note You need to log in before you can comment on or make changes to this bug.