This was verified using Chromium. Steps to reproduce: 1. Have two autofill profiles, one with a name only. 2. Go to https://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo (this registration form works for reproducing it). 3. Autofill by clicking on the first-name field and selecting the name-only profile. 4. Click on the field again to re-select a profile; the list of profiles should appear. Instead, the tab (renderer process) crashes. Call stack: chrome.dll!WebKit::WebPopupMenuImpl::client() Line 80 + 0x11 bytes C++ chrome.dll!WebKit::WebViewImpl::refreshSuggestionsPopup() Line 2105 + 0x14 bytes C++ chrome.dll!WebKit::WebViewImpl::applyAutoFillSuggestions(const WebKit::WebNode & node={...}, const WebKit::WebVector<WebKit::WebString> & names={...}, const WebKit::WebVector<WebKit::WebString> & labels={...}, int defaultSuggestionIndex=-1) Line 1836 C++ chrome.dll!RenderView::OnAutoFillSuggestionsReturned(int query_id=1, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > & values=[1]("a56757576576"), const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > & labels=[1]("#2"), int default_suggestion_index=-1) Line 1486 + 0x4b bytes C++ chrome.dll!DispatchToMethod<RenderView,void (__thiscall RenderView::*)(int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,int),int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > 
>,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int>(RenderView * obj=0x05550400, void (int, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, int)* method=0x5a1f6600, const Tuple4<int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int> & arg={...}) Line 441 + 0x36 bytes C++ chrome.dll!IPC::MessageWithTuple<Tuple4<int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int> >::Dispatch<RenderView,void (__thiscall RenderView::*)(int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,int)>(const IPC::Message * 
msg=0x064ce5a8, RenderView * obj=0x05550400, void (int, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, int)* func=0x5a1f6600) Line 1020 + 0x23 bytes C++ chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...}) Line 653 + 0x4a bytes C++ chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...}) Line 40 + 0x13 bytes C++ chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...}) Line 31 + 0x13 bytes C++ Cause: in WebViewImpl::refreshSuggestionsPopup(), the line `WebPopupMenuImpl* popupMenu = static_cast<WebPopupMenuImpl*>(m_suggestionsPopup->client());` yields NULL (the static_cast performs no null check), and the next line, `popupMenu->client()->setWindowRect(newBounds);`, dereferences that null pointer and crashes the renderer.
I took a look at this, George, and the solution proposed offline is actually not correct. The root cause is that AutoFillPopupMenuClient is not notifying the WebView when the popup hides, so the WebView is left holding a suggestions popup that is no longer live; that is why its client() comes back NULL.
So this bug should probably be closed in favor of https://bugs.webkit.org/show_bug.cgi?id=40459
*** This bug has been marked as a duplicate of bug 40459 ***