Bug 12942 - ASSERTION FAILURE: qantas.com.au changing selected item in <select> via JS
: ASSERTION FAILURE: qantas.com.au changing selected item in <select> via JS
Status: RESOLVED FIXED
: WebKit
HTML DOM
: 523.x (Safari 3)
: Macintosh Mac OS X 10.4
: P1 Major
Assigned To:
: http://www.qantas.com.au/regions/dyn/...
: HasReduction, NeedsRadar
:
:
  Show dependency treegraph
 
Reported: 2007-03-01 22:30 PST by
Modified: 2007-03-06 20:21 PST (History)


Attachments
Crash log (10.16 KB, text/plain)
2007-03-01 22:31 PST, Mark Rowe (bdash)
no flags Details
Reduction (732 bytes, text/html)
2007-03-04 23:12 PST, Mark Rowe (bdash)
no flags Details
Patch (3.77 KB, patch)
2007-03-05 19:49 PST, Mark Rowe (bdash)
sam: review+
Review Patch | Details | Formatted Diff | Diff


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2007-03-01 22:30:23 PST
Steps to reproduce:
1. Load <http://www.qantas.com.au/regions/dyn/home/qualifier-region-au>.
2. Select 'April 2007' from the "Depart" dropdown.
3. From the "Return" day dropdown select "Tuesday 10".

Expected results:
Page updates to match new selection.

Actual results:
Beachball, then crash.

0   com.apple.WebCore                  0x010aa4d4 WebCore::HTMLSelectElement::setSelectedIndex(int, bool, bool) + 326 (HTMLSelectElement.cpp:188)
1   com.apple.WebCore                  0x013c278d WebCore::JSHTMLSelectElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) + 153 (JSHTMLSelectElement.cpp:224)
2   com.apple.WebCore                  0x015bf15a bool KJS::lookupPut<WebCore::JSHTMLSelectElement>(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int, KJS::HashTable const*, WebCore::JSHTMLSelectElement*) + 162 (lookup.h:254)

Will attach the full backtrace.
------- Comment #1 From 2007-03-01 22:31:33 PST -------
Created an attachment (id=13448) [details]
Crash log
------- Comment #2 From 2007-03-02 11:22:20 PST -------
I cannot reproduce this with r19943 on a PowerPC Mac.
------- Comment #3 From 2007-03-02 20:49:12 PST -------
I cannot reproduce this in r19940, r18726, r17722, r16233, or Safari 2.0.4 (419.3).  I'm using a 10.4.8 on a PPC architecture.
------- Comment #4 From 2007-03-02 21:41:20 PST -------
I cannot reproduce this either.  This may be because the select lists have changed contents due to dates, or it may have been timing related.  I was seeing this initially with r19940 and retesting there doesn't reproduce the problem.  I'll leave this open and retest this in a few days to see if i can find other conditions to trigger this.
------- Comment #5 From 2007-03-04 18:05:14 PST -------
As the crash log notes this is an assertion failure rather than a crash, so there is no way this will be triggered in a nightly build.  I can reproduce this easily again today while I was unable during the weekend.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x010aa2c4 in WebCore::HTMLSelectElement::setSelectedIndex (this=0x1b957c60, optionIndex=0, deselect=true, fireOnChange=false) at /Users/mrowe/Documents/Work/Apple/OpenSource/WebCore/html/HTMLSelectElement.cpp:188
188         ASSERT(m_lastOnChangeIndex == -1 || m_lastOnChangeIndex == optionIndex);
(gdb) print m_lastOnChangeIndex
$1 = 2
(gdb) print optionIndex
$2 = 0
------- Comment #6 From 2007-03-04 22:51:38 PST -------
Further investigation shows that this is happening when the selectedIndex on the <select> element is set inside an onchange event handler of the element.
------- Comment #7 From 2007-03-04 23:12:11 PST -------
Created an attachment (id=13475) [details]
Reduction

Truncating the select element's options and changing selectedIndex from within the onchange event handler will trigger the assertion failure.
------- Comment #8 From 2007-03-05 19:49:44 PST -------
Created an attachment (id=13485) [details]
Patch
------- Comment #9 From 2007-03-06 20:21:07 PST -------
Landed in r20001.