Bug 40232 - postMessage(window) throws "Type error" with input elements other than text fields
Status: RESOLVED DUPLICATE of bug 40329
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: PC All
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 39757
Reported: 2010-06-07 06:10 PDT by Kim Grönholm
Modified: 2010-06-08 13:35 PDT

Attachments
Backtrace of postMessage(window) throwing a type error (1.63 KB, text/plain)
2010-06-07 06:10 PDT, Kim Grönholm
LayoutTests/fast/dom/Window/window-postmessage-clone with additional input element (5.48 KB, text/html)
2010-06-07 06:17 PDT, Kim Grönholm

Description Kim Grönholm 2010-06-07 06:10:22 PDT
Created attachment 58021
Backtrace of postMessage(window) throwing a type error

postMessage(window) should throw TypeError: "Cannot post cyclic structures."
like it (normally) does in LayoutTests/fast/dom/Window/window-postmessage-clone.html.
However, in case the TreeWalker traverses through an input element other than
a text field before it notices the cyclic structure, it throws TypeError:
"Type error".

This issue was revealed when adding a new attribute to Element.idl which
caused the hash lookup to traverse through the objects/properties in different
order in LayoutTests/fast/dom/Window/window-postmessage-clone.html. The issue can
also be seen by slightly modifying the test page by e.g. adding a dummy input
element on top of the test page with type "button" or "file" (I'll attach a
test case for this).

The reason why this happens is that when the TreeWalkers in WebCore/bindings/
js/SerializedScriptValue.cpp walk through the objects and their properties,
the getProperty function ends up querying the JSHTMLInputElement::selectionStart
or JSHTMLInputElement::selectionEnd properties whose getters throw the type
error in case the input element is not of type "TextField" (!input->canHaveSelection()).

See the example backtrace for further clarification.
Comment 1 Kim Grönholm 2010-06-07 06:17:11 PDT
Created attachment 58022
LayoutTests/fast/dom/Window/window-postmessage-clone with additional input element

Added a test case that is otherwise identical to
LayoutTests/fast/dom/Window/window-postmessage-clone.html except for one
dummy input (type="button") element that is added on top of the page.

This dummy input element makes the postMessage(window) test fail
prompting:
PASS: 'postMessage(window)' threw TypeError: Type error

when the expected output would be:
PASS: 'postMessage(window)' threw TypeError: Cannot post cyclic structures.

Removing the dummy button results in the expected output.
Comment 2 Kim Grönholm 2010-06-08 13:35:32 PDT
The actual issue is that postMessage should serialise DOM objects to null by default and it is being tracked in https://bugs.webkit.org/show_bug.cgi?id=40329

*** This bug has been marked as a duplicate of bug 40329 ***
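
The order dependence described in the report, and the behaviour Comment 2 refers to, as an added Node.js model (not WebKit code and not part of the original bug). `ModelInput`, `makeWindow`, `serialize`, `errorFor` and the `domToNull` option are hypothetical names; the walker is a simplified stand-in for the TreeWalker in SerializedScriptValue.cpp, and only the input is treated as a DOM object here.

```javascript
// Constructed model: which TypeError surfaces depends on property visit order.
class ModelInput {
  constructor(type) {
    this.type = type;
    // Own enumerable accessor, so the walker triggers it like getProperty would.
    Object.defineProperty(this, "selectionStart", {
      enumerable: true,
      get() {
        // Stand-in for the !input->canHaveSelection() branch in the report.
        if (type !== "text") throw new TypeError("Type error");
        return 0;
      },
    });
  }
}

// Builds a window-like object; `order` fixes the property enumeration order.
function makeWindow(order) {
  const win = {};
  const members = { self: win, button: new ModelInput("button") };
  for (const name of order) win[name] = members[name];
  return win;
}

// Depth-first walk with cycle detection on the current ancestor chain.
function serialize(value, options = {}, ancestors = new Set()) {
  if (value === null || typeof value !== "object") return value;
  // Assumption: models "serialise DOM objects to null by default" (Comment 2).
  if (options.domToNull && value instanceof ModelInput) return null;
  if (ancestors.has(value)) throw new TypeError("Cannot post cyclic structures.");
  ancestors.add(value);
  const out = {};
  for (const key of Object.keys(value)) {
    out[key] = serialize(value[key], options, ancestors); // getter runs here
  }
  ancestors.delete(value);
  return out;
}

// Returns the error text a caller of postMessage(window) would observe.
function errorFor(order, options) {
  try { serialize(makeWindow(order), options); return "no error"; }
  catch (e) { return `${e.name}: ${e.message}`; }
}

console.log(errorFor(["self", "button"]));                      // cycle seen first
console.log(errorFor(["button", "self"]));                      // getter throws first
console.log(errorFor(["button", "self"], { domToNull: true })); // input never walked
```

With the input visited first, the getter's generic error hides the cyclic-structure error; once the input is replaced by null without being walked, the result no longer depends on enumeration order.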