WebKit Bugzilla
RESOLVED FIXED
118591
ASSERTION FAILED: !listItems().size() || m_activeSelectionAnchorIndex >= 0 in WebCore::HTMLSelectElement::updateListBoxSelection
https://bugs.webkit.org/show_bug.cgi?id=118591
Renata Hodovan
Reported
2013-07-12 03:02:12 PDT
The test caused the assertion problem:

<html>
<svg onload="document.execCommand('SelectAll')"></svg>
<select multiple="1" autofocus="autofocus">
<option disabled="DISABLED"></option>
</select>
</html>

And the backtrace...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff577f390 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff577f390 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1 0x00007ffff44a6433 in WebCore::HTMLSelectElement::updateListBoxSelection (this=0x8abc60, deselectOtherOptions=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLSelectElement.cpp:614
#2 0x00007ffff44a6166 in WebCore::HTMLSelectElement::selectAll (this=0x8abc60) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLSelectElement.cpp:571
#3 0x00007ffff43d4301 in WebCore::FrameSelection::selectAll (this=0x74c470) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/FrameSelection.cpp:1638
#4 0x00007ffff43c809c in WebCore::executeSelectAll (frame=0x7ad090) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1008
#5 0x00007ffff43c9a94 in WebCore::Editor::Command::execute (this=0x7fffffffbe80, parameter=..., triggeringEvent=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1706
#6 0x00007ffff429b272 in WebCore::Document::execCommand (this=0x871bd0, commandName=..., userInterface=false, value=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4159
#7 0x00007ffff4f772a8 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffe41a70a8) at generated/JSDocument.cpp:2751
#8 0x00007fff9ffff0e5 in ?? ()
#9 0x00007fffffffc010 in ?? ()
#10 0x00007ffff56305e2 in llint_op_call () from /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/lib/libQt5WebKit.so.5
#11 0x00007fffe41a7060 in ?? ()
#12 0x00000000007b3850 in ?? ()
#13 0x00007fffffffbfd0 in ?? ()
#14 0x00007ffff55dbf31 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#15 0x00007ffff55daea8 in JSC::JITCode::execute (this=0x7fff863cfe90, stack=0x7b3850, callFrame=0x7fffe41a7060, vm=0x7f2e30) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITCode.h:135
#16 0x00007ffff55d8c53 in JSC::Interpreter::executeCall (this=0x7b3840, callFrame=0x7fffe402f8d8, function=0x7fff9c05f2b0, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:1023
#17 0x00007ffff56b0289 in JSC::call (exec=0x7fffe402f8d8, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CallData.cpp:40
#18 0x00007ffff402140d in WebCore::JSMainThreadExecState::call (exec=0x7fffe402f8d8, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSMainThreadExecState.h:56
#19 0x00007ffff404fde8 in WebCore::JSEventListener::handleEvent (this=0x88b290, scriptExecutionContext=0x871c80, event=0x8ba320) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/js/JSEventListener.cpp:130
#20 0x00007ffff4306e04 in WebCore::EventTarget::fireEventListeners (this=0x888650, event=0x8ba320, d=0x88b110, entry=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:248
#21 0x00007ffff4306a6f in WebCore::EventTarget::fireEventListeners (this=0x888650, event=0x8ba320) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventTarget.cpp:190
#22 0x00007ffff4331bdb in WebCore::Node::handleLocalEvents (this=0x888650, event=0x8ba320) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2216
#23 0x00007ffff42f977c in WebCore::EventContext::handleLocalEvents (this=0x8b9f90, event=0x8ba320) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventContext.cpp:58
#24 0x00007ffff42fb52b in WebCore::EventDispatcher::dispatchEventAtTarget (this=0x7fffffffc670) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:162
#25 0x00007ffff42fb1ec in WebCore::EventDispatcher::dispatch (this=0x7fffffffc670) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:119
#26 0x00007ffff42fa0f1 in WebCore::EventDispatchMediator::dispatchEvent (this=0x8ba380, dispatcher=0x7fffffffc670) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatchMediator.cpp:54
#27 0x00007ffff42fa79d in WebCore::EventDispatcher::dispatchEvent (node=0x888650, mediator=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/EventDispatcher.cpp:53
#28 0x00007ffff4331dea in WebCore::Node::dispatchEvent (this=0x888650, event=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:2237
#29 0x00007ffff4d1f0c4 in WebCore::SVGElement::sendSVGLoadEventIfPossible (this=0x888650, sendParentLoadEvents=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGElement.cpp:476
#30 0x00007ffff4cd7c47 in WebCore::SVGDocumentExtensions::dispatchSVGLoadEventToOutermostSVGElements (this=0x88c080) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/svg/SVGDocumentExtensions.cpp:129
#31 0x00007ffff4294f50 in WebCore::Document::implicitClose (this=0x871bd0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2411
---Type <return> to continue, or q <return> to quit---
#32 0x00007ffff4689ec3 in WebCore::FrameLoader::checkCallImplicitClose (this=0x7ad118) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:843
#33 0x00007ffff4689c2e in WebCore::FrameLoader::checkCompleted (this=0x7ad118) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:786
#34 0x00007ffff468996c in WebCore::FrameLoader::finishedParsing (this=0x7ad118) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:719
#35 0x00007ffff429c03b in WebCore::Document::finishedParsing (this=0x871bd0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4417
#36 0x00007ffff44e8dd3 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7ef898) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:348
#37 0x00007ffff451a4bf in WebCore::HTMLTreeBuilder::finished (this=0x7ef880) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2926
#38 0x00007ffff44f0386 in WebCore::HTMLDocumentParser::end (this=0x7675a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:756
#39 0x00007ffff44f0473 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7675a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:767
#40 0x00007ffff44ef0a6 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7675a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:211
#41 0x00007ffff44f04b6 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7675a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:779
#42 0x00007ffff44f056d in WebCore::HTMLDocumentParser::finish (this=0x7675a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:828
#43 0x00007ffff46819b5 in WebCore::DocumentWriter::end (this=0x6942f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:248
#44 0x00007ffff467459e in WebCore::DocumentLoader::finishedLoading (this=0x694250, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:402
#45 0x00007ffff467430c in WebCore::DocumentLoader::notifyFinished (this=0x694250, resource=0x75d930) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344
#46 0x00007ffff465b9d8 in WebCore::CachedResource::checkNotify (this=0x75d930) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#47 0x00007ffff465baae in WebCore::CachedResource::finishLoading (this=0x75d930) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#48 0x00007ffff46581be in WebCore::CachedRawResource::finishLoading (this=0x75d930, data=0x796ed0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#49 0x00007ffff46bda4a in WebCore::SubresourceLoader::didFinishLoading (this=0x754950, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282
#50 0x00007ffff46b43d7 in WebCore::ResourceLoader::didFinishLoading (this=0x754950, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488
#51 0x00007ffff4b4179c in WebCore::QNetworkReplyHandler::finish (this=0x74f730) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#52 0x00007ffff4b40462 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x74f768) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#53 0x00007ffff4b4018a in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x74f768, method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4b415de <WebCore::QNetworkReplyHandler::finish()>) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#54 0x00007ffff4b410e8 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x74f7a0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#55 0x00007ffff4b43aaa in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x74f7a0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffcf80) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176
#56 0x00007ffff231e5cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#57 0x00007ffff231f84e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#58 0x00007ffff3165dbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#59 0x00007ffff3169075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#60 0x00007ffff22f9dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#61 0x00007ffff22fba76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#62 0x00007ffff2341333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
---Type <return> to continue, or q <return> to quit---
#63 0x00007fffee4840a6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3058
#64 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3634
#65 0x00007fffee4843f8 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3705
#66 0x00007fffee48449c in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3766
#67 0x00007ffff23414bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#68 0x00007ffff22f8d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#69 0x00007ffff22fc120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#70 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#71 0x0000000000423680 in main (argc=2, argv=0x7fffffffdc58) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Attachments
Test case (177 bytes, text/html), 2013-07-12 03:02 PDT, Renata Hodovan, no flags
Patch (3.52 KB, patch), 2013-07-13 11:31 PDT, Santosh Mahto, no flags
patch for Landing (3.52 KB, patch), 2013-07-18 00:22 PDT, Santosh Mahto, no flags
Renata Hodovan
Comment 1
2013-07-12 03:02:51 PDT
Created attachment 206518: Test case
Santosh Mahto
Comment 2
2013-07-13 11:31:06 PDT
Created attachment 206617: Patch
Santosh Mahto
Comment 3
2013-07-13 11:43:35 PDT
The crash is happening because we are trying to call updateListBoxSelection even if the selection indexes are not valid, i.e. -1. It's because the select element contains the disabled option element, so the m_activeSelectionActiveIndex will be -1 when we call updateListBoxSelection.
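The condition described in Comment 3, as an added example that is not part of this bug thread or of WebKit's source: a simplified C++ model in which selectAll() returns early when no option is selectable, so the invariant from the bug title is never checked with an anchor of -1. SelectModel, Option and the helper names are assumptions made for illustration, and the early return is one way to guard the call, not necessarily the landed patch.

```cpp
#include <cassert>
#include <vector>

// Simplified model of a multi-select list box; added example, not WebKit source.
struct Option { bool disabled; bool selected; };
class SelectModel {
public:
    explicit SelectModel(const std::vector<Option>& items) : m_items(items) {}
    // Returns false when no option is selectable, so updateListBoxSelection()
    // is never entered with an anchor index of -1.
    bool selectAll() {
        m_anchor = nextSelectable(-1);
        m_end = previousSelectable(static_cast<int>(m_items.size()));
        if (m_anchor < 0 || m_end < 0)
            return false;  // empty list, or every option is disabled
        updateListBoxSelection();
        return true;
    }
    int anchor() const { return m_anchor; }
    int selectedCount() const {
        int n = 0;
        for (const Option& o : m_items) n += o.selected ? 1 : 0;
        return n;
    }
private:
    int nextSelectable(int from) const {
        for (int i = from + 1; i < static_cast<int>(m_items.size()); ++i)
            if (!m_items[i].disabled) return i;
        return -1;
    }
    int previousSelectable(int from) const {
        for (int i = from - 1; i >= 0; --i)
            if (!m_items[i].disabled) return i;
        return -1;
    }
    void updateListBoxSelection() {
        // The invariant from the bug title, restated for this model.
        assert(m_items.empty() || m_anchor >= 0);
        for (int i = m_anchor; i <= m_end; ++i)
            if (!m_items[i].disabled) m_items[i].selected = true;
    }
    std::vector<Option> m_items;
    int m_anchor = -1, m_end = -1;
};
int main() {
    // Constructed input: the test case's single disabled <option>.
    SelectModel onlyDisabled(std::vector<Option>{Option{true, false}});
    return onlyDisabled.selectAll() ? 1 : 0;  // 0: the guard returned early
}
```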
Ryosuke Niwa
Comment 4
2013-07-14 23:07:37 PDT
Comment on attachment 206617: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=206617&action=review
> LayoutTests/fast/forms/select/selectall-command-crash.html:1 > +<html>
Missing DOCTYPE.
Ryosuke Niwa
Comment 5
2013-07-14 23:09:14 PDT
Comment on attachment 206617: Patch
Wait, I’m not so sure anymore.
Kent Tamura
Comment 6
2013-07-15 18:44:41 PDT
Comment on attachment 206617: Patch
Looks ok.
Santosh Mahto
Comment 7
2013-07-18 00:22:29 PDT
Created attachment 206958: patch for Landing
WebKit Commit Bot
Comment 8
2013-07-18 01:03:14 PDT
Comment on attachment 206958: patch for Landing
Clearing flags on attachment: 206958
Committed r152836: <http://trac.webkit.org/changeset/152836>
WebKit Commit Bot
Comment 9
2013-07-18 01:03:16 PDT
All reviewed patches have been landed. Closing bug.