WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
Bug 190252
Regression(
r236779
): Crash when changing the input element type from inside an 'input' event listener
https://bugs.webkit.org/show_bug.cgi?id=190252
Summary
Regression(r236779): Crash when changing the input element type from inside a...
Chris Dumez
Reported
2018-10-03 09:54:30 PDT
Crash when changing the input element type from inside an 'input' event listener: Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [7691] VM Regions Near 0: --> __TEXT 000000010eb67000-000000010eb69000 [ 8K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000006ca50e32e WebCore::HTMLTextFormControlElement::dispatchFormControlChangeEvent() + 30 (HTMLTextFormControlElement.cpp:211) 1 com.apple.WebCore 0x00000006ca35c518 WebCore::BaseCheckableInputType::fireInputAndChangeEvents() + 200 (BaseCheckableInputType.cpp:133) 2 com.apple.WebCore 0x00000006ca361bcc WebCore::CheckboxInputType::didDispatchClick(WebCore::Event&, WebCore::InputElementClickState const&) + 252 (CheckboxInputType.cpp:92) 3 com.apple.WebCore 0x00000006ca4281a1 WebCore::HTMLInputElement::didDispatchClickEvent(WebCore::Event&, WebCore::InputElementClickState const&) + 81 (HTMLInputElement.cpp:1128) 4 com.apple.WebCore 0x00000006ca0f2a06 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 614 (EventDispatcher.cpp:165) 5 com.apple.WebCore 0x00000006ca15d2dd WebCore::Node::dispatchEvent(WebCore::Event&) + 29 (Node.cpp:2383) 6 com.apple.WebCore 0x00000006ca1dbfa5 WebCore::simulateMouseEvent(WTF::AtomicString const&, WebCore::Element&, WebCore::Event*, WebCore::SimulatedClickSource) + 149 (SimulatedClick.cpp:79) 7 com.apple.WebCore 0x00000006ca1dbe94 WebCore::simulateClick(WebCore::Element&, WebCore::Event*, WebCore::SimulatedClickMouseEventOptions, WebCore::SimulatedClickVisualOptions, WebCore::SimulatedClickSource) + 436 (SimulatedClick.cpp:101) 8 com.apple.WebCore 0x00000006ca3d8112 WebCore::HTMLElement::click() + 34 (HTMLElement.cpp:695) 9 com.apple.WebCore 0x00000006c8ab80ea WebCore::jsHTMLElementPrototypeFunctionClickBody(JSC::ExecState*, WebCore::JSHTMLElement*, JSC::ThrowScope&) + 42 (JSHTMLElement.cpp:3118) 10 com.apple.WebCore 0x00000006c8a7c906 long long WebCore::IDLOperation<WebCore::JSHTMLElement>::call<&(WebCore::jsHTMLElementPrototypeFunctionClickBody(JSC::ExecState*, WebCore::JSHTMLElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 742 (JSDOMOperation.h:53)
Attachments
Patch
(6.10 KB, patch)
2018-10-03 10:00 PDT
,
Chris Dumez
no flags
Details
Formatted Diff
Diff
Patch
(6.19 KB, patch)
2018-10-04 10:54 PDT
,
Chris Dumez
no flags
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Chris Dumez
Comment 1
2018-10-03 10:00:06 PDT
Created
attachment 351529
[details]
Patch
WebKit Commit Bot
Comment 2
2018-10-03 11:26:39 PDT
Comment on
attachment 351529
[details]
Patch Clearing flags on attachment: 351529 Committed
r236803
: <
https://trac.webkit.org/changeset/236803
>
WebKit Commit Bot
Comment 3
2018-10-03 11:26:41 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 4
2018-10-03 11:27:45 PDT
<
rdar://problem/44980354
>
Chris Dumez
Comment 5
2018-10-04 10:52:48 PDT
Reverted
r236803
for reason: Caused crashes on some bots Committed
r236837
: <
https://trac.webkit.org/changeset/236837
>
Chris Dumez
Comment 6
2018-10-04 10:54:07 PDT
Created
attachment 351602
[details]
Patch
Chris Dumez
Comment 7
2018-10-04 10:54:28 PDT
Comment on
attachment 351602
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=351602&action=review
> Source/WebCore/html/BaseCheckableInputType.cpp:130 > + auto protectedThis = makeRef(*this);
Previous iteration was missing this protectedThis.
Alex Christensen
Comment 8
2018-10-04 12:19:37 PDT
Comment on
attachment 351602
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=351602&action=review
> Source/WebCore/html/BaseCheckableInputType.cpp:134 > + if (auto* element = this->element()) > + element->dispatchFormControlChangeEvent();
It seems like this is a general JavaScript re-entry problem. Maybe this should be done on the next runloop iteration?
Chris Dumez
Comment 9
2018-10-04 12:29:59 PDT
(In reply to Alex Christensen from
comment #8
)
> Comment on
attachment 351602
[details]
> Patch > > View in context: >
https://bugs.webkit.org/attachment.cgi?id=351602&action=review
> > > Source/WebCore/html/BaseCheckableInputType.cpp:134 > > + if (auto* element = this->element()) > > + element->dispatchFormControlChangeEvent(); > > It seems like this is a general JavaScript re-entry problem. Maybe this > should be done on the next runloop iteration?
I do not think this would be Web-compliant as it would be observable. Note that protecting |this| and null-checking element() is how the InputType code is currently dealing with this so my patch is consistent with existing code.
Chris Dumez
Comment 10
2018-10-04 12:31:21 PDT
Comment on
attachment 351602
[details]
Patch Clearing flags on attachment: 351602 Committed
r236841
: <
https://trac.webkit.org/changeset/236841
>
Chris Dumez
Comment 11
2018-10-04 12:31:24 PDT
All reviewed patches have been landed. Closing bug.
Geoffrey Garen
Comment 12
2018-10-04 12:40:53 PDT
Comment on
attachment 351602
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=351602&action=review
>>> Source/WebCore/html/BaseCheckableInputType.cpp:134 >>> + element->dispatchFormControlChangeEvent(); >> >> It seems like this is a general JavaScript re-entry problem. Maybe this should be done on the next runloop iteration? > > I do not think this would be Web-compliant as it would be observable. > > Note that protecting |this| and null-checking element() is how the InputType code is currently dealing with this so my patch is consistent with existing code.
Though some parts of WebCore -- like layout -- forbid JavaScript execution, the default condition in WebCore is that it is generally possible, acceptable, and required to allow JavaScript execution.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug