RESOLVED FIXED 50095
Assertion failure by resetting <output> twice
https://bugs.webkit.org/show_bug.cgi?id=50095
Summary Assertion failure by resetting <output> twice
Kent Tamura
Reported 2010-11-25 15:51:35 PST
<form action="output.html"> <output value=foo></output> <input type=reset> </form> Load the above HTML on debug build WebKit, and click the reset button twice. ASSERTION FAILED: !m_isSetTextContentInProgress (..../WebKit/WebCore/html/HTMLOutputElement.cpp:125 void WebCore::HTMLOutputElement::setTextContentInternal(const WTF::String&))
Attachments
Patch (4.39 KB, patch)
2010-11-25 18:21 PST, Kenichi Ishibashi
no flags
Patch V1 (5.05 KB, patch)
2010-11-25 19:15 PST, Kenichi Ishibashi
no flags
Patch V2 (7.08 KB, patch)
2010-11-25 20:14 PST, Kenichi Ishibashi
no flags
Kenichi Ishibashi
Comment 1 2010-11-25 18:21:34 PST
Kent Tamura
Comment 2 2010-11-25 18:36:58 PST
Comment on attachment 74898 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=74898&action=review > LayoutTests/fast/forms/script-tests/output-reset-assertion-failed.js:10 > +form.reset(); > + We had better have testPassed('Not crashed'); or something. > WebCore/html/HTMLOutputElement.cpp:91 > + if (m_isSetTextContentInProgress) > + return; Really? Does an HTML page have a change to call reset() before clearing m_isSetTextContentInProgress?
Kenichi Ishibashi
Comment 3 2010-11-25 19:10:17 PST
Comment on attachment 74898 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=74898&action=review Thank you for prompt review. I'll revise the patch soon. >> LayoutTests/fast/forms/script-tests/output-reset-assertion-failed.js:10 >> + > > We had better have > testPassed('Not crashed'); > or something. Done. >> WebCore/html/HTMLOutputElement.cpp:91 >> + return; > > Really? > Does an HTML page have a change to call reset() before clearing m_isSetTextContentInProgress? I completely misunderstood the cause. The cause is there is no chance to clear the flag when the value and the default value are the same. Thank you for letting me aware of that.
Kenichi Ishibashi
Comment 4 2010-11-25 19:15:36 PST
Created attachment 74899 [details] Patch V1
Kent Tamura
Comment 5 2010-11-25 19:20:57 PST
Probably the same reason, <output value=foo></output> var o = document.getElementsByTagName('output')[0] o.value = ""; o.value = ""; causes an assertion failure.
Kent Tamura
Comment 6 2010-11-25 19:24:12 PST
(In reply to comment #5) > Probably the same reason, > > <output value=foo></output> > > var o = document.getElementsByTagName('output')[0] > o.value = ""; > o.value = ""; o.value = ""; o.value = "foo"; also fails.
Kenichi Ishibashi
Comment 7 2010-11-25 20:14:51 PST
Created attachment 74900 [details] Patch V2
Kenichi Ishibashi
Comment 8 2010-11-25 20:16:14 PST
Kent-san, Thanks a lot for another cases. I've revised the patch. (In reply to comment #6) > (In reply to comment #5) > > Probably the same reason, > > > > <output value=foo></output> > > > > var o = document.getElementsByTagName('output')[0] > > o.value = ""; > > o.value = ""; > > o.value = ""; > o.value = "foo"; > > also fails.
Kent Tamura
Comment 9 2010-11-25 20:24:54 PST
Comment on attachment 74900 [details] Patch V2 Looks ok. Thanks.
WebKit Commit Bot
Comment 10 2010-11-25 20:52:40 PST
The commit-queue encountered the following flaky tests while processing attachment 74900 [details]: fast/profiler/throw-exception-from-eval.html Please file bugs against the tests. These tests were authored by kmccullough@apple.com, oliver@apple.com, and timothy@apple.com. The commit-queue is continuing to process your patch.
WebKit Commit Bot
Comment 11 2010-11-25 20:57:48 PST
Comment on attachment 74900 [details] Patch V2 Clearing flags on attachment: 74900 Committed r72750: <http://trac.webkit.org/changeset/72750>
WebKit Commit Bot
Comment 12 2010-11-25 20:57:53 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.