Bug 218965 - ASSERT setting value to renderer-less <input type=search incremental>
Summary: ASSERT setting value to renderer-less <input type=search incremental>
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-11-15 15:33 PST by Sam Weinig
Modified: 2020-11-22 15:34 PST (History)

See Also:


Attachments
Test Case (asserts in debug builds) (271 bytes, text/html)
2020-11-15 15:33 PST, Sam Weinig
no flags

Description Sam Weinig 2020-11-15 15:33:03 PST
Created attachment 414182
Test Case (asserts in debug builds)

I noticed this assertion getting hit, though I'm not sure what page I was on. Made a reduction from first principles:

ASSERTION FAILED: element()->renderer()
./html/SearchInputType.cpp(167) : void WebCore::SearchInputType::startSearchEventTimer()
1   0x1956becc9 WTFCrash
2   0x1767985db WTFCrashWithInfo(int, char const*, char const*, int)
3   0x179b2ee1e WebCore::SearchInputType::startSearchEventTimer()
4   0x179b2f100 WebCore::SearchInputType::didSetValueByUserEdit()
5   0x179b394f3 WebCore::TextFieldInputType::setValue(WTF::String const&, bool, WebCore::TextFieldEventBehavior)
6   0x1799ee0c8 WebCore::HTMLInputElement::setValue(WTF::String const&, WebCore::TextFieldEventBehavior)
7   0x1774fc757 WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)::'lambda'()::operator()() const
8   0x1774fc691 std::__1::enable_if<!(std::is_same<void, decltype(fp1())>::value), void>::type WebCore::AttributeSetter::call<WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)::'lambda'()&&)
9   0x1774fc628 WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)
10  0x17740e43e bool WebCore::IDLAttribute<WebCore::JSHTMLInputElement>::set<&(WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*)
11  0x17740e2dc WebCore::setJSHTMLInputElement_value(JSC::JSGlobalObject*, long long, long long)
12  0x196e9109d JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue)
13  0x19704761f JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
14  0x19675c451 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
15  0x19675bf18 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
16  0x19675cf83 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
17  0x196bf85cb llint_slow_path_put_by_id
18  0x195c83c30 llint_entry
19  0x195c78180 vmEntryToJavaScript
20  0x196ac907b JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
21  0x196ac9837 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
22  0x196e1717d JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
23  0x196edf97a JSC::callSetter(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue, JSC::JSValue, JSC::ECMAMode)
24  0x197047496 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
25  0x19675c451 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
26  0x19675bf18 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
27  0x19675cf83 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)


Test Case

```html
<!-- Test Case (attachment 414182): asserts in a debug build -->
<!-- display:none leaves the <input> without a renderer -->
<input type="search" incremental style="display: none" id="test">
Hit any key to assert in a debug build.
<script>
  window.addEventListener("keydown", event => {
    const inputElement = document.getElementById("test");
    // Setting .value from script reaches SearchInputType::startSearchEventTimer(),
    // which asserts element()->renderer() (see the stack trace above).
    inputElement.value = "hello";
  });
</script>
```
Comment 1 Sam Weinig 2020-11-15 15:44:12 PST
From a cursory look, it seems like the assert is just wrong and unnecessary. It doesn't appear that anything depends on element()->renderer() being valid here (unless calling element()->innerTextValue() somehow requires that, but there are other callers who access element()->innerTextValue() without checking for a renderer).
Comment 2 Radar WebKit Bug Importer 2020-11-22 15:34:15 PST
<rdar://problem/71669747>