RESOLVED INVALID62190
Web Inspector: inspector crash on attempt to add x-webkit-speech attribute to <input> 
https://bugs.webkit.org/show_bug.cgi?id=62190
Summary Web Inspector: inspector crash on attempt to add x-webkit-speech attribute to...
Yury Semikhatsky
Reported 2011-06-06 23:27:52 PDT
What steps will reproduce the problem? 1. Build chrome locally with ToT or download the latest dev channel build with "--single-process" command line flag. 2. Run chrome and enter "data:text/html,<input>" in the omnibox to see a page with just an input box. 3. Right click on the input box and select "Inspect element" to open inspector 4. Double-click the <input> element in inspector and add a new attribute "x-webkit-speech". i.e. double-click the <input> element in inspector and in the text box which appears append "x-webkit-speech" (with no value set) and click outside. 5. The first time you add this attribute, nothing happens. The text box goes empty again. This in itself is an error, I'm not sure what is going on here. 6. Type in "x-webkit-speech" again in that empty text box and click outside. On Chromium I see the crash on step 4.
Attachments
patch (9.38 KB, patch)
2011-06-07 11:55 PDT, Andrey Kosyakov 		pfeldman: review-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yury Semikhatsky
Comment 1 2011-06-06 23:29:34 PDT
Chromium stack trace: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffe4b4f700 (LWP 14712)] 0x0000000002457c49 in WebCore::InspectorObject::writeJSON (this=0x7fffe54e5380, output=0x7fffe4b4cdb0) at third_party/WebKit/Source/WebCore/inspector/InspectorValues.cpp:716 716 it->second->writeJSON(output); (gdb) bt #0 0x0000000002457c49 in WebCore::InspectorObject::writeJSON (this=0x7fffe54e5380, output=0x7fffe4b4cdb0) at third_party/WebKit/Source/WebCore/inspector/InspectorValues.cpp:716 #1 0x0000000002457c62 in WebCore::InspectorObject::writeJSON (this=0x7fffe566cc80, output=0x7fffe4b4cdb0) at third_party/WebKit/Source/WebCore/inspector/InspectorValues.cpp:716 #2 0x0000000002457129 in WebCore::InspectorValue::toJSONString (this=0x7fffe566cc80) at third_party/WebKit/Source/WebCore/inspector/InspectorValues.cpp:555 #3 0x000000000358f85e in WebCore::InspectorFrontend::DOM::shadowRootUpdated (this=0x7fffb8029040, hostId=5, shadowRoot=...) at out/Debug/obj/gen/webcore/InspectorFrontend.cpp:556 #4 0x00000000027b1f84 in WebCore::InspectorDOMAgent::didRemoveDOMNode (this=0x7fffe53e1780, node=0x7fffe54c0700) at third_party/WebKit/Source/WebCore/inspector/InspectorDOMAgent.cpp:1304 #5 0x0000000002438494 in WebCore::InspectorInstrumentation::didRemoveDOMNodeImpl (instrumentingAgents=0x7fffe53f0280, node=0x7fffe54c0700) at third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.cpp:144 #6 0x000000000234fb4d in WebCore::InspectorInstrumentation::willRemoveDOMNode (document=0x7fffe562d800, node=0x7fffe54c0700) at third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:361 #7 0x000000000234ad7f in WebCore::Element::removeShadowRoot (this=0x7fffe54be2d0) at third_party/WebKit/Source/WebCore/dom/Element.cpp:1222 #8 0x00000000029055ba in WebCore::InputType::destroyShadowSubtree (this=0x7fffdddd19c0) at third_party/WebKit/Source/WebCore/html/InputType.cpp:364 #9 0x00000000028d6276 in WebCore::HTMLInputElement::parseMappedAttribute (this=0x7fffe54be2d0, attr=0x7fffe199bec0) at third_party/WebKit/Source/WebCore/html/HTMLInputElement.cpp:745 #10 0x000000000273133a in WebCore::StyledElement::attributeChanged (this=0x7fffe54be2d0, attr=0x7fffe199bec0, preserveDecls=false) at third_party/WebKit/Source/WebCore/dom/StyledElement.cpp:188 #11 0x00000000028c3315 in WebCore::HTMLFormControlElement::attributeChanged (this=0x7fffe54be2d0, attr=0x7fffe199bec0, preserveDecls=false) at third_party/WebKit/Source/WebCore/html/HTMLFormControlElement.cpp:464 #12 0x000000000236c1ad in WebCore::NamedNodeMap::addAttribute (this=0x7fffb816d280, prpAttribute=...) at third_party/WebKit/Source/WebCore/dom/NamedNodeMap.cpp:255 #13 0x0000000002348896 in WebCore::Element::setAttribute (this=0x7fffe54be2d0, name=..., value=...) at third_party/WebKit/Source/WebCore/dom/Element.cpp:720 #14 0x00000000027add25 in WebCore::InspectorDOMAgent::setAttribute (this=0x7fffe53e1780, errorString=0x7fffe4b4d410, elementId=5, name=..., value=...) at third_party/WebKit/Source/WebCore/inspector/InspectorDOMAgent.cpp:607 #15 0x000000000359b34a in WebCore::InspectorBackendDispatcher::DOM_setAttribute (this=0x7fffb817d680, callId=36, requestMessageObject=0x7fffe19ad100) at out/Debug/obj/gen/webcore/InspectorBackendDispatcher.cpp:1173 #16 0x00000000035a9154 in WebCore::InspectorBackendDispatcher::dispatch (this=0x7fffb817d680, message=...) at out/Debug/obj/gen/webcore/InspectorBackendDispatcher.cpp:2869 #17 0x00000000027a7378 in WebCore::InspectorController::dispatchMessageFromFrontend (this=0x7fffe54ab180, message=...) at third_party/WebKit/Source/WebCore/inspector/InspectorController.cpp:399 #18 0x0000000002ec5508 in WebKit::WebDevToolsAgentImpl::dispatchOnInspectorBackend (this=0x7fffe53ed0c0, message=...) at third_party/WebKit/Source/WebKit/chromium/src/WebDevToolsAgentImpl.cpp:235 #19 0x00000000009afcc9 in DevToolsAgent::OnDispatchOnInspectorBackend (this=0x7fffe54e6270, message= "{\"method\":\"DOM.setAttribute\",\"params\":{\"nodeId\":5,\"name\":\" \",\"value\":\"x-webkit-speech\"},\"id\":36}") at chrome/renderer/devtools_agent.cc:175 #20 0x00000000009b0870 in DispatchToMethod<DevToolsAgent, void (DevToolsAgent::*)(std::string const&), std::basic_string<char, std::char_traits<char>, std::allocator<char> > > (obj=0x7fffe54e6270, method= (void (DevToolsAgent::*)(DevToolsAgent *, const std::string &)) 0x9afc70 <DevToolsAgent::OnDispatchOnInspectorBackend(std::string const&)>, arg=...) at ./base/tuple.h:551 #21 0x00000000009b04cb in IPC::MessageWithTuple<Tuple1<std::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::Dispatch<DevToolsAgent, DevToolsAgent, void (DevToolsAgent::*)(std::string const&)> (msg=0x7fffb80b1548, obj=0x7fffe54e6270, sender=0x7fffe54e6270, func= (void (DevToolsAgent::*)(DevToolsAgent *, const std::string &)) 0x9afc70 <DevToolsAgent::OnDispatchOnInspectorBackend(std::string const&)>) at ./ipc/ipc_message_utils.h:963 #22 0x00000000009af545 in DevToolsAgent::OnMessageReceived (this=0x7fffe54e6270, message=...) at chrome/renderer/devtools_agent.cc:78 #23 0x000000000064f3b4 in RenderView::OnMessageReceived (this=0x7fffd8fb3400, message=...) at content/renderer/render_view.cc:591 #24 0x000000000061e5d4 in MessageRouter::RouteMessage (this=0x7fffe5fc4030, msg=...) at content/common/message_router.cc:46 #25 0x000000000061e576 in MessageRouter::OnMessageReceived (this=0x7fffe5fc4030, msg=...) at content/common/message_router.cc:38 #26 0x00000000005483d1 in ChildThread::OnMessageReceived (this=0x7fffe5fc4008, msg=...) at content/common/child_thread.cc:175 #27 0x0000000001bf343e in IPC::ChannelProxy::Context::OnDispatchMessage (this=0x7fffe5fcb180, message=...) at ipc/ipc_channel_proxy.cc:256 #28 0x0000000001bf658f in DispatchToMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(IPC::Message const&), IPC::Message> ( obj=0x7fffe5fcb180, method= (void (IPC::ChannelProxy::Context::*)(IPC::ChannelProxy::Context *, const IPC::Message &)) 0x1bf3394 <IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)>, arg=...) at ./base/tuple.h:551 #29 0x0000000001bf62b6 in RunnableMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(IPC::Message const&), Tuple1<IPC::Message> >::Run (this=0x7fffb80b1510) at ./base/task.h:338 #30 0x00000000004651fd in (anonymous namespace)::TaskClosureAdapter::Run (this=0x7fffb817bd80) at base/message_loop.cc:102 #31 0x0000000000468dc2 in base::internal::Invoker1<false, base::internal::InvokerStorage1<void (<unnamed>::TaskClosureAdapter::*)(), <unnamed>::TaskClosureAdapter*>, void (<unnamed>::TaskClosureAdapter::*)()>::DoInvoke(base::internal::InvokerStorageBase *) (base=0x7fffdde05900) at ./base/bind_internal.h:547 #32 0x000000000046a0cf in base::Callback<void()>::Run(void) const (this=0x7fffe4b4e630) at ./base/callback.h:261 #33 0x0000000000467b93 in MessageLoop::RunTask (this=0x7fffe4b4ec60, pending_task=...) at base/message_loop.cc:482 #34 0x0000000000467cc9 in MessageLoop::DeferOrRunPendingTask (this=0x7fffe4b4ec60, pending_task=...) at base/message_loop.cc:500 #35 0x00000000004684df in MessageLoop::DoWork (this=0x7fffe4b4ec60) at base/message_loop.cc:691 #36 0x000000000046fa10 in base::MessagePumpDefault::Run (this=0x7fffe5fbb400, delegate=0x7fffe4b4ec60) at base/message_pump_default.cc:23 #37 0x0000000000467987 in MessageLoop::RunInternal (this=0x7fffe4b4ec60) at base/message_loop.cc:449 #38 0x000000000046783a in MessageLoop::RunHandler (this=0x7fffe4b4ec60) at base/message_loop.cc:422 #39 0x0000000000467255 in MessageLoop::Run (this=0x7fffe4b4ec60) at base/message_loop.cc:346 #40 0x00000000018f5f4a in base::Thread::Run (this=0x7fffe5fa8e60, message_loop=0x7fffe4b4ec60) at base/threading/thread.cc:128 #41 0x00000000018f6105 in base::Thread::ThreadMain (this=0x7fffe5fa8e60) at base/threading/thread.cc:164 #42 0x00000000004ab927 in base::(anonymous namespace)::ThreadFunc (params=0x7fffe5f9f5d0) at base/threading/platform_thread_posix.cc:51 #43 0x00007ffff3e6d9ca in start_thread (arg=<value optimized out>) at pthread_create.c:300 #44 0x00007ffff187770d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 warning: (Internal error: pc 0x0 in read in psymtab, but not in symtab.) #45 0x0000000000000000 in ?? () (gdb) quit
Andrey Kosyakov
Comment 2 2011-06-07 11:55:14 PDT
Created attachment 96273 [details] patch
Andrey Kosyakov
Comment 3 2011-06-07 11:56:17 PDT
Note this also makes shadow DOM exposure conditional on Preferences.exposeShadowDOM (off by default).
Pavel Feldman
Comment 4 2011-06-07 11:57:34 PDT
Comment on attachment 96273 [details] patch As we agreed, lets revert the original shadow dom change. One more scenario to consider: - expand input element - doubleclick on div under shadow dom, rename it to span. crash.
Pavel Feldman
Comment 5 2011-08-08 22:27:42 PDT
The cause was rolled out.
Note You need to log in before you can comment on or make changes to this bug.