RESOLVED DUPLICATE of bug 40459 40390
Destroyed popup menu gets called during AutoFill thus crashing the tab. 
https://bugs.webkit.org/show_bug.cgi?id=40390
Summary Destroyed popup menu gets called during AutoFill thus crashing the tab.
George Yakovlev
Reported 2010-06-09 14:39:35 PDT
This verified using chromium. 1. Have two autofill profiles, one with name only. 2. Go to https://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo works. 3. Autofill by clicking on first name and selecting name-only profile. 4. Click on the field again to re-select profiles list of profiles should appear. Instead tab crashes. Call stack: chrome.dll!WebKit::WebPopupMenuImpl::client() Line 80 + 0x11 bytes C++ chrome.dll!WebKit::WebViewImpl::refreshSuggestionsPopup() Line 2105 + 0x14 bytes C++ chrome.dll!WebKit::WebViewImpl::applyAutoFillSuggestions(const WebKit::WebNode & node={...}, const WebKit::WebVector<WebKit::WebString> & names={...}, const WebKit::WebVector<WebKit::WebString> & labels={...}, int defaultSuggestionIndex=-1) Line 1836 C++ chrome.dll!RenderView::OnAutoFillSuggestionsReturned(int query_id=1, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > & values=[1]("a56757576576"), const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > & labels=[1]("#2"), int default_suggestion_index=-1) Line 1486 + 0x4b bytes C++ chrome.dll!DispatchToMethod<RenderView,void (__thiscall RenderView::*)(int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,int),int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int>(RenderView * obj=0x05550400, void (int, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, int)* method=0x5a1f6600, const Tuple4<int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int> & arg={...}) Line 441 + 0x36 bytes C++ chrome.dll!IPC::MessageWithTuple<Tuple4<int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int> >::Dispatch<RenderView,void (__thiscall RenderView::*)(int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,int)>(const IPC::Message * msg=0x064ce5a8, RenderView * obj=0x05550400, void (int, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, int)* func=0x5a1f6600) Line 1020 + 0x23 bytes C++ chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...}) Line 653 + 0x4a bytes C++ chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...}) Line 40 + 0x13 bytes C++ chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...}) Line 31 + 0x13 bytes C++ cause: in WebViewImpl::refreshSuggestionsPopup() WebPopupMenuImpl* popupMenu = static_cast<WebPopupMenuImpl*>(m_suggestionsPopup->client()); returns NULL, and crashes next line. popupMenu->client()->setWindowRect(newBounds);
Attachments
Add attachment proposed patch, testcase, etc.
James Hawkins
Comment 1 2010-06-11 10:45:01 PDT
I took a look at this George, and the proposed solution (offline) is actually not correct. The problem is that the AutoFillPopupMenuClient is not notifying the WebView when the popup hides.
James Hawkins
Comment 2 2010-06-11 10:45:44 PDT
So this bug should probably be closed in favor of https://bugs.webkit.org/show_bug.cgi?id=40459
George Yakovlev
Comment 3 2010-06-11 10:58:35 PDT
*** This bug has been marked as a duplicate of bug 40459 ***
Note You need to log in before you can comment on or make changes to this bug.