Bug 57343

Summary: REGRESSION (r74895): Crash if input.type = 'file' twice
Product: WebKit Reporter: Kent Tamura <tkent>
Component: FormsAssignee: Kent Tamura <tkent>
Status: RESOLVED FIXED    
Severity: Major CC: abarth, darin, eric, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch
none
Patch 2 none

Kent Tamura
Reported 2011-03-29 08:04:31 PDT
See HTMLInputElement::updateType(). If both of the current type and the new type return false for canChangeFromAnotherType(), an infinite recursion occurs. updateType() -> setAttribute(typeAttr, current-type) -> parseMappedAttribute() -> updateType() -> setAttribute(typeAttr, current-type) -> ... http://code.google.com/p/chromium/issues/detail?id=77751
Attachments
Patch (3.71 KB, patch)
2011-03-29 21:48 PDT, Kent Tamura 		no flags
DetailsFormatted DiffDiff
Patch 2 (4.03 KB, patch)
2011-03-30 06:08 PDT, Kent Tamura 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Darin Adler
Comment 1 2011-03-29 09:29:06 PDT
Should be extremely easy to fix.
Darin Adler
Comment 2 2011-03-29 09:30:08 PDT
Kent, would you be willing to make a test case and make a patch with the failing test (and expected results from a success)? I could then focus on the fix.
Kent Tamura
Comment 3 2011-03-29 21:44:38 PDT
(In reply to comment #2) > Kent, would you be willing to make a test case and make a patch with the failing test (and expected results from a success)? I could then focus on the fix. It's easy to fix it. So I'll post a patch :-)
Kent Tamura
Comment 4 2011-03-29 21:48:05 PDT
Created attachment 87464 [details] Patch
Kent Tamura
Comment 5 2011-03-30 06:08:48 PDT
Created attachment 87517 [details] Patch 2 Simplify the code
Kent Tamura
Comment 6 2011-03-30 19:21:44 PDT
Comment on attachment 87517 [details] Patch 2 Clearing flags on attachment: 87517 Committed r82534: <http://trac.webkit.org/changeset/82534>
Kent Tamura
Comment 7 2011-03-30 19:21:50 PDT
All reviewed patches have been landed. Closing bug.
WebKit Review Bot
Comment 8 2011-03-30 20:35:46 PDT
http://trac.webkit.org/changeset/82534 might have broken GTK Linux 32-bit Debug
Note You need to log in before you can comment on or make changes to this bug.