WebKit Bugzilla
Bug 218965 (NEW): ASSERT setting value to renderer-less <input type=search incremental>
https://bugs.webkit.org/show_bug.cgi?id=218965

Sam Weinig, Reported 2020-11-15 15:33:03 PST
Created attachment 414182 [details]: Test Case (asserts in debug builds)

I noticed this assertion getting hit though not sure what page I was on. Made a reduction from first principles:

```
ASSERTION FAILED: element()->renderer()
./html/SearchInputType.cpp(167) : void WebCore::SearchInputType::startSearchEventTimer()
1 0x1956becc9 WTFCrash
2 0x1767985db WTFCrashWithInfo(int, char const*, char const*, int)
3 0x179b2ee1e WebCore::SearchInputType::startSearchEventTimer()
4 0x179b2f100 WebCore::SearchInputType::didSetValueByUserEdit()
5 0x179b394f3 WebCore::TextFieldInputType::setValue(WTF::String const&, bool, WebCore::TextFieldEventBehavior)
6 0x1799ee0c8 WebCore::HTMLInputElement::setValue(WTF::String const&, WebCore::TextFieldEventBehavior)
7 0x1774fc757 WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)::'lambda'()::operator()() const
8 0x1774fc691 std::__1::enable_if<!(std::is_same<void, decltype(fp1())>::value), void>::type WebCore::AttributeSetter::call<WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)::'lambda'()&&)
9 0x1774fc628 WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)
10 0x17740e43e bool WebCore::IDLAttribute<WebCore::JSHTMLInputElement>::set<&(WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*)
11 0x17740e2dc WebCore::setJSHTMLInputElement_value(JSC::JSGlobalObject*, long long, long long)
12 0x196e9109d JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue)
13 0x19704761f JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
14 0x19675c451 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
15 0x19675bf18 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
16 0x19675cf83 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
17 0x196bf85cb llint_slow_path_put_by_id
18 0x195c83c30 llint_entry
19 0x195c78180 vmEntryToJavaScript
20 0x196ac907b JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
21 0x196ac9837 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
22 0x196e1717d JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
23 0x196edf97a JSC::callSetter(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue, JSC::JSValue, JSC::ECMAMode)
24 0x197047496 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
25 0x19675c451 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
26 0x19675bf18 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
27 0x19675cf83 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
```

Test Case:

```html
<input type="search" incremental style="display: none" id="test">
Hit any key to assert in a debug build.
<script>
window.addEventListener("keydown", event => {
    const inputElement = document.getElementById("test");
    inputElement.value = "hello";
});
</script>
```
Attachments

Test Case (asserts in debug builds) (271 bytes, text/html), 2020-11-15 15:33 PST, Sam Weinig, no flags
Sam Weinig, Comment 1, 2020-11-15 15:44:12 PST
From a cursory look, it seems like the assert is just wrong and unnecessary. It doesn't appear that anything depends on element()->renderer() being valid here (unless calling element()->innerTextValue() somehow requires that, but there are other callers who access element()->innerTextValue() without checking for a renderer).
Radar WebKit Bug Importer, Comment 2, 2020-11-22 15:34:15 PST

<rdar://problem/71669747>