Bug 12942 - ASSERTION FAILURE: qantas.com.au changing selected item in <select> via JS
Summary: ASSERTION FAILURE: qantas.com.au changing selected item in <select> via JS
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
: P1 Major
Assignee: Nobody
URL: http://www.qantas.com.au/regions/dyn/...
Keywords: HasReduction
Depends on:
Blocks:
 
Reported: 2007-03-01 22:30 PST by Mark Rowe (bdash)
Modified: 2007-03-06 20:21 PST (History)
1 user (show)

See Also:

Attachments
Crash log (10.16 KB, text/plain)
2007-03-01 22:31 PST, Mark Rowe (bdash) 		no flags Details
Reduction (732 bytes, text/html)
2007-03-04 23:12 PST, Mark Rowe (bdash) 		no flags Details
Patch (3.77 KB, patch)
2007-03-05 19:49 PST, Mark Rowe (bdash) 		sam: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Rowe (bdash) 2007-03-01 22:30:23 PST 
Steps to reproduce:
1. Load <http://www.qantas.com.au/regions/dyn/home/qualifier-region-au>.
2. Select 'April 2007' from the "Depart" dropdown.
3. From the "Return" day dropdown select "Tuesday 10".

Expected results:
Page updates to match new selection.

Actual results:
Beachball, then crash.

0   com.apple.WebCore              	0x010aa4d4 WebCore::HTMLSelectElement::setSelectedIndex(int, bool, bool) + 326 (HTMLSelectElement.cpp:188)
1   com.apple.WebCore              	0x013c278d WebCore::JSHTMLSelectElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) + 153 (JSHTMLSelectElement.cpp:224)
2   com.apple.WebCore              	0x015bf15a bool KJS::lookupPut<WebCore::JSHTMLSelectElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, WebCore::JSHTMLSelectElement*) + 162 (lookup.h:254)

Will attach the full backtrace.
Comment 1 Mark Rowe (bdash) 2007-03-01 22:31:33 PST 
Created attachment 13448 [details]
Crash log
Comment 2 Alexey Proskuryakov 2007-03-02 11:22:20 PST 
I cannot reproduce this with r19943 on a PowerPC Mac.
Comment 3 Jeff McGlynn 2007-03-02 20:49:12 PST 
I cannot reproduce this in r19940, r18726, r17722, r16233, or Safari 2.0.4 (419.3).  I'm using a 10.4.8 on a PPC architecture.
Comment 4 Mark Rowe (bdash) 2007-03-02 21:41:20 PST 
I cannot reproduce this either.  This may be because the select lists have changed contents due to dates, or it may have been timing related.  I was seeing this initially with r19940 and retesting there doesn't reproduce the problem.  I'll leave this open and retest this in a few days to see if i can find other conditions to trigger this.
Comment 5 Mark Rowe (bdash) 2007-03-04 18:05:14 PST 
As the crash log notes this is an assertion failure rather than a crash, so there is no way this will be triggered in a nightly build.  I can reproduce this easily again today while I was unable during the weekend.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x010aa2c4 in WebCore::HTMLSelectElement::setSelectedIndex (this=0x1b957c60, optionIndex=0, deselect=true, fireOnChange=false) at /Users/mrowe/Documents/Work/Apple/OpenSource/WebCore/html/HTMLSelectElement.cpp:188
188         ASSERT(m_lastOnChangeIndex == -1 || m_lastOnChangeIndex == optionIndex);
(gdb) print m_lastOnChangeIndex
$1 = 2
(gdb) print optionIndex
$2 = 0
Comment 6 Mark Rowe (bdash) 2007-03-04 22:51:38 PST 
Further investigation shows that this is happening when the selectedIndex on the <select> element is set inside an onchange event handler of the element.
Comment 7 Mark Rowe (bdash) 2007-03-04 23:12:11 PST 
Created attachment 13475 [details]
Reduction

Truncating the select element's options and changing selectedIndex from within the onchange event handler will trigger the assertion failure.
Comment 8 Mark Rowe (bdash) 2007-03-05 19:49:44 PST 
Created attachment 13485 [details]
Patch
Comment 9 Mark Rowe (bdash) 2007-03-06 20:21:07 PST 
Landed in r20001.