Bug 57343

Summary: REGRESSION (r74895): Crash if input.type = 'file' twice
Product: WebKit
Reporter: Kent Tamura <tkent>
Component: Forms
Assignee: Kent Tamura <tkent>
Status: RESOLVED FIXED
Severity: Major
CC: abarth, darin, eric, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Description    Flags
Patch          none
Patch 2        none

Description Kent Tamura 2011-03-29 08:04:31 PDT
See HTMLInputElement::updateType().
If both the current type and the new type return false for canChangeFromAnotherType(), an infinite recursion occurs.
  updateType() -> setAttribute(typeAttr, current-type) -> parseMappedAttribute() -> updateType() -> setAttribute(typeAttr, current-type) -> ...

http://code.google.com/p/chromium/issues/detail?id=77751
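
The re-entrant call chain from the description, as a simplified C++ model added here (not WebKit source and not the committed patch). The class `ModelInput`, the order of checks in `updateType()`, the depth limit standing in for stack exhaustion, and the same-type-first check used as the hardened variant are all assumptions.

```cpp
#include <stdexcept>
#include <string>

// Simplified model, not WebKit source. The ordering of checks in updateType()
// is an assumption chosen to reproduce the call chain in the description.
struct ModelInput {
    explicit ModelInput(bool checkSameTypeFirst) : sameTypeFirst(checkSameTypeFirst) {}

    bool sameTypeFirst;               // hardened ordering when true
    bool hasType = false;             // an explicit type was applied before
    std::string attr;                 // value of the "type" attribute
    std::string current = "text";     // type the element currently implements
    int depth = 0, maxDepth = 0;
    static constexpr int kLimit = 64; // stand-in for stack exhaustion

    static bool canChangeFromAnotherType(const std::string& t) { return t != "file"; }

    // Writing the attribute always notifies the element, which re-runs updateType().
    void setAttribute(const std::string& v) { attr = v; parseMappedAttribute(); }
    void parseMappedAttribute() { updateType(); }

    void updateType() {
        if (++depth > kLimit) throw std::runtime_error("unbounded re-entry");
        if (depth > maxDepth) maxDepth = depth;
        bool hadType = hasType;
        hasType = true;
        if (sameTypeFirst && attr == current) { --depth; return; } // nothing to change
        if (hadType && !canChangeFromAnotherType(attr)) {
            setAttribute(current);    // revert the attribute; re-enters updateType()
            --depth;
            return;
        }
        current = attr;
        --depth;
    }
};

// Assigns the type attribute twice. Returns the deepest updateType() nesting
// reached, or -1 if the revert path kept re-entering until the limit.
int assignTwice(bool checkSameTypeFirst, const std::string& first, const std::string& second) {
    ModelInput input(checkSameTypeFirst);
    try {
        input.setAttribute(first);
        input.setAttribute(second);
    } catch (const std::runtime_error&) {
        return -1;
    }
    return input.maxDepth;
}
```

In this model the revert only runs away when the value written back is itself a type that refuses the change ("file" then "file"); "text" then "file" terminates after one nested call under either ordering.
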
Comment 1 Darin Adler 2011-03-29 09:29:06 PDT
Should be extremely easy to fix.
Comment 2 Darin Adler 2011-03-29 09:30:08 PDT
Kent, would you be willing to make a test case and make a patch with the failing test (and expected results from a success)? I could then focus on the fix.
Comment 3 Kent Tamura 2011-03-29 21:44:38 PDT
(In reply to comment #2)
> Kent, would you be willing to make a test case and make a patch with the failing test (and expected results from a success)? I could then focus on the fix.

It's easy to fix it.  So I'll post a patch :-)
Comment 4 Kent Tamura 2011-03-29 21:48:05 PDT
Created attachment 87464
Patch
Comment 5 Kent Tamura 2011-03-30 06:08:48 PDT
Created attachment 87517
Patch 2

Simplify the code
Comment 6 Kent Tamura 2011-03-30 19:21:44 PDT
Comment on attachment 87517
Patch 2

Clearing flags on attachment: 87517

Committed r82534: <http://trac.webkit.org/changeset/82534>
Comment 7 Kent Tamura 2011-03-30 19:21:50 PDT
All reviewed patches have been landed.  Closing bug.
Comment 8 WebKit Review Bot 2011-03-30 20:35:46 PDT
http://trac.webkit.org/changeset/82534 might have broken GTK Linux 32-bit Debug