Bug 12942 - ASSERTION FAILURE: qantas.com.au changing selected item in <select> via JS
Summary: ASSERTION FAILURE: qantas.com.au changing selected item in <select> via JS
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
: P1 Major
Assignee: Nobody
URL: http://www.qantas.com.au/regions/dyn/...
Keywords: HasReduction
Depends on:
Reported: 2007-03-01 22:30 PST by Mark Rowe (bdash)
Modified: 2007-03-06 20:21 PST (History)
1 user (show)

See Also:

Crash log (10.16 KB, text/plain)
2007-03-01 22:31 PST, Mark Rowe (bdash)
no flags Details
Reduction (732 bytes, text/html)
2007-03-04 23:12 PST, Mark Rowe (bdash)
no flags Details
Patch (3.77 KB, patch)
2007-03-05 19:49 PST, Mark Rowe (bdash)
sam: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Rowe (bdash) 2007-03-01 22:30:23 PST
Steps to reproduce:
1. Load <http://www.qantas.com.au/regions/dyn/home/qualifier-region-au>.
2. Select 'April 2007' from the "Depart" dropdown.
3. From the "Return" day dropdown select "Tuesday 10".

Expected results:
Page updates to match new selection.

Actual results:
Beachball, then crash.

0   com.apple.WebCore              	0x010aa4d4 WebCore::HTMLSelectElement::setSelectedIndex(int, bool, bool) + 326 (HTMLSelectElement.cpp:188)
1   com.apple.WebCore              	0x013c278d WebCore::JSHTMLSelectElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) + 153 (JSHTMLSelectElement.cpp:224)
2   com.apple.WebCore              	0x015bf15a bool KJS::lookupPut<WebCore::JSHTMLSelectElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, WebCore::JSHTMLSelectElement*) + 162 (lookup.h:254)

Will attach the full backtrace.
Comment 1 Mark Rowe (bdash) 2007-03-01 22:31:33 PST
Created attachment 13448 [details]
Crash log
Comment 2 Alexey Proskuryakov 2007-03-02 11:22:20 PST
I cannot reproduce this with r19943 on a PowerPC Mac.
Comment 3 Jeff McGlynn 2007-03-02 20:49:12 PST
I cannot reproduce this in r19940, r18726, r17722, r16233, or Safari 2.0.4 (419.3).  I'm using a 10.4.8 on a PPC architecture.
Comment 4 Mark Rowe (bdash) 2007-03-02 21:41:20 PST
I cannot reproduce this either.  This may be because the select lists have changed contents due to dates, or it may have been timing related.  I was seeing this initially with r19940 and retesting there doesn't reproduce the problem.  I'll leave this open and retest this in a few days to see if i can find other conditions to trigger this.
Comment 5 Mark Rowe (bdash) 2007-03-04 18:05:14 PST
As the crash log notes this is an assertion failure rather than a crash, so there is no way this will be triggered in a nightly build.  I can reproduce this easily again today while I was unable during the weekend.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x010aa2c4 in WebCore::HTMLSelectElement::setSelectedIndex (this=0x1b957c60, optionIndex=0, deselect=true, fireOnChange=false) at /Users/mrowe/Documents/Work/Apple/OpenSource/WebCore/html/HTMLSelectElement.cpp:188
188         ASSERT(m_lastOnChangeIndex == -1 || m_lastOnChangeIndex == optionIndex);
(gdb) print m_lastOnChangeIndex
$1 = 2
(gdb) print optionIndex
$2 = 0

Comment 6 Mark Rowe (bdash) 2007-03-04 22:51:38 PST
Further investigation shows that this is happening when the selectedIndex on the <select> element is set inside an onchange event handler of the element.
Comment 7 Mark Rowe (bdash) 2007-03-04 23:12:11 PST
Created attachment 13475 [details]

Truncating the select element's options and changing selectedIndex from within the onchange event handler will trigger the assertion failure.
Comment 8 Mark Rowe (bdash) 2007-03-05 19:49:44 PST
Created attachment 13485 [details]
Comment 9 Mark Rowe (bdash) 2007-03-06 20:21:07 PST
Landed in r20001.