Bug 99967 - Possible assertion hit in WebCore::HTMLSelectElement::updateListBoxSelection()
Summary: Possible assertion hit in WebCore::HTMLSelectElement::updateListBoxSelection()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-22 01:44 PDT by Chris Dumez
Modified: 2012-10-23 11:22 PDT
CC List: 7 users

Attachments
Patch (4.50 KB, patch)
2012-10-22 03:54 PDT, Chris Dumez
no flags
Patch (4.43 KB, patch)
2012-10-22 22:49 PDT, Chris Dumez
tony: review+
tony: commit-queue-
Patch for landing (4.47 KB, patch)
2012-10-23 10:42 PDT, Chris Dumez
no flags

Description Chris Dumez 2012-10-22 01:44:07 PDT
We get the following assertion hit in WebCore::HTMLSelectElement::updateListBoxSelection():

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff470b550 in WebCore::HTMLSelectElement::updateListBoxSelection (this=0x4db070, deselectOtherOptions=false) at /home/chris/Devel/WebKit/Source/WebCore/html/HTMLSelectElement.cpp:614
warning: Source file is more recent than executable.
614	    ASSERT(!listItems().size() || m_activeSelectionAnchorIndex >= 0);
(gdb) bt 25
#0  0x00007ffff470b550 in WebCore::HTMLSelectElement::updateListBoxSelection (this=0x4db070, deselectOtherOptions=false) at /home/chris/Devel/WebKit/Source/WebCore/html/HTMLSelectElement.cpp:614
#1  0x00007ffff470dd7a in WebCore::HTMLSelectElement::listBoxDefaultEventHandler (this=0x4db070, event=0x65c750) at /home/chris/Devel/WebKit/Source/WebCore/html/HTMLSelectElement.cpp:1318
#2  0x00007ffff470e6a7 in WebCore::HTMLSelectElement::defaultEventHandler (this=0x4db070, event=0x65c750) at /home/chris/Devel/WebKit/Source/WebCore/html/HTMLSelectElement.cpp:1442
#3  0x00007ffff451b8e9 in WebCore::EventDispatcher::dispatchEventPostProcess (this=0x7fffffffcc30, event=..., preDispatchEventHandlerResult=0x0)
    at /home/chris/Devel/WebKit/Source/WebCore/dom/EventDispatcher.cpp:353
#4  0x00007ffff451a986 in WebCore::EventDispatcher::dispatchEvent (this=0x7fffffffcc30, prpEvent=...) at /home/chris/Devel/WebKit/Source/WebCore/dom/EventDispatcher.cpp:259
#5  0x00007ffff4533c96 in WebCore::MouseEventDispatchMediator::dispatchEvent (this=0x41cbc0, dispatcher=0x7fffffffcc30) at /home/chris/Devel/WebKit/Source/WebCore/dom/MouseEvent.cpp:238
#6  0x00007ffff4519a1c in WebCore::EventDispatcher::dispatchEvent (node=0x5ebbf0, mediator=...) at /home/chris/Devel/WebKit/Source/WebCore/dom/EventDispatcher.cpp:127
#7  0x00007ffff4550bc0 in WebCore::Node::dispatchMouseEvent (this=0x5ebbf0, event=..., eventType=..., detail=0, relatedTarget=0x0) at /home/chris/Devel/WebKit/Source/WebCore/dom/Node.cpp:2631
#8  0x00007ffff49c6d29 in WebCore::EventHandler::dispatchMouseEvent (this=0x4a33e0, eventType=..., targetNode=0x5ebbf0, clickCount=0, mouseEvent=..., setUnder=true)
    at /home/chris/Devel/WebKit/Source/WebCore/page/EventHandler.cpp:2289
#9  0x00007ffff49c4d08 in WebCore::EventHandler::handleMouseMoveEvent (this=0x4a33e0, mouseEvent=..., hoveredNode=0x7fffffffcf80, onlyUpdateScrollbars=false)
    at /home/chris/Devel/WebKit/Source/WebCore/page/EventHandler.cpp:1835
#10 0x00007ffff49c443b in WebCore::EventHandler::mouseMoved (this=0x4a33e0, event=...) at /home/chris/Devel/WebKit/Source/WebCore/page/EventHandler.cpp:1707
#11 0x00007ffff7f51b4b in ewk_frame_feed_mouse_move (ewkFrame=0x48d2a0, moveEvent=0x7fffffffd2e0) at /home/chris/Devel/WebKit/Source/WebKit/efl/ewk/ewk_frame.cpp:979
#12 0x00007ffff7f72c8d in _ewk_view_smart_mouse_move (smartData=0x4912f0, moveEvent=0x7fffffffd2e0) at /home/chris/Devel/WebKit/Source/WebKit/efl/ewk/ewk_view.cpp:600
#13 0x00007ffff7f7360b in _ewk_view_on_mouse_move (data=0x4912f0, eventInfo=0x7fffffffd2e0) at /home/chris/Devel/WebKit/Source/WebKit/efl/ewk/ewk_view.cpp:710
#14 0x00007ffff7bb8142 in evas_object_event_callback_call (obj=0x48cb20, type=EVAS_CALLBACK_MOUSE_MOVE, event_info=0x7fffffffd2e0, event_id=1237) at evas_callbacks.c:232
#15 0x00007ffff7bb827a in evas_object_event_callback_call (obj=0x48d0c0, type=EVAS_CALLBACK_MOUSE_MOVE, event_info=0x7fffffffd2e0, event_id=1237) at evas_callbacks.c:261
#16 0x00007ffff7bbcbda in evas_event_feed_mouse_move (e=0x480f10, x=308, y=80, timestamp=6908314, data=0x0) at evas_events.c:699
#17 0x00007ffff05d5ed6 in ecore_event_evas_mouse_move (data=<optimized out>, type=<optimized out>, event=0x572a20) at ecore_input_evas.c:238
#18 0x00007ffff7e29100 in _ecore_call_handler_cb (event=<optimized out>, type=<optimized out>, data=<optimized out>, func=<optimized out>) at ecore_private.h:319
#19 _ecore_event_call () at ecore_events.c:559
#20 0x00007ffff7e2d8cc in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:1900
#21 0x00007ffff7e2dd97 in ecore_main_loop_begin () at ecore_main.c:934
#22 0x0000000000406ba3 in main (argc=2, argv=0x7fffffffe608) at /home/chris/Devel/WebKit/Tools/EWebLauncher/main.c:1017

This happens when pressing the left mouse button outside a multiselect and then moving the mouse over the multiselect (while keeping the mouse button pressed).
Comment 1 Chris Dumez 2012-10-22 03:54:15 PDT
Created attachment 169872 [details]
Patch
Comment 2 yosin 2012-10-22 18:28:41 PDT
Comment on attachment 169872 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=169872&action=review

> Source/WebCore/html/HTMLSelectElement.cpp:1313
> +        if (m_activeSelectionAnchorIndex < 0)
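Review bot: the new check at line 1313 needs a comment stating when the anchor can still be negative at this point: per the report, a drag that begins with a mousedown outside the select delivers mousemove events to listBoxDefaultEventHandler() without any mousedown on the select having set m_activeSelectionAnchorIndex, and updateListBoxSelection() then trips ASSERT(!listItems().size() || m_activeSelectionAnchorIndex >= 0) at line 614. Because that ASSERT compiles out in release builds, the hunk should also make clear that the guard returns before updateListBoxSelection() is reached rather than continuing with a negative anchor.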

Should we check m_activeSelectionAnchorIndex only for m_multiple case?
Or put this check before L1317 to minimize effect of this change.

1316 if (m_multiple) {
1317     setActiveSelectionEndIndex(listIndex);
1318     updateListBoxSelection(false);
Comment 3 Chris Dumez 2012-10-22 22:47:19 PDT
Comment on attachment 169872 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=169872&action=review

>> Source/WebCore/html/HTMLSelectElement.cpp:1313
>> +        if (m_activeSelectionAnchorIndex < 0)
> 
> Should we check m_activeSelectionAnchorIndex only for m_multiple case?
> Or put this check before L1317 to minimize effect of this change.
> 
> 1316 if (m_multiple) {
> 1317     setActiveSelectionEndIndex(listIndex);
> 1318     updateListBoxSelection(false);

Yes, I'll move it inside the if (m_multiple) case. Thanks.
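The scenario and the agreed placement of the guard, as an added example that is not WebKit's code: a small stand-in for HTMLSelectElement's listbox selection state (SelectModel, MouseEvent and the hit-tested listIndex are hypothetical names) that replays the report's event sequence with and without the check inside the m_multiple branch.

```cpp
// Added example (not WebKit's code): a minimal model of HTMLSelectElement's
// listbox selection state, replaying the report's event sequence and the
// guard the patch adds inside the m_multiple branch.
#include <algorithm>
#include <vector>

struct MouseEvent {
    enum Type { MouseDown, MouseMove };
    Type type;
    bool leftButtonDown; // primary button held while the event is delivered
    int listIndex;       // option under the pointer, -1 if none (hypothetical hit test)
};

class SelectModel {
public:
    SelectModel(unsigned itemCount, bool multiple, bool guarded)
        : m_multiple(multiple), m_guarded(guarded), m_selected(itemCount, false) {}

    // Modelled on listBoxDefaultEventHandler(): the anchor starts at -1 and is
    // only set by a mousedown on one of this select's options.
    void handleEvent(const MouseEvent& e) {
        if (e.listIndex < 0)
            return;
        if (e.type == MouseEvent::MouseDown) {
            m_anchor = m_end = e.listIndex;
            updateListBoxSelection();
        } else if (e.leftButtonDown && m_multiple) {
            // The fix: a drag that began outside the select has no anchor,
            // so there is no range to extend.
            if (m_guarded && m_anchor < 0)
                return;
            m_end = e.listIndex;
            updateListBoxSelection();
        }
    }
    int assertionFailures() const { return m_assertionFailures; }
    bool isSelected(unsigned i) const { return m_selected[i]; }

private:
    // Modelled on updateListBoxSelection(); the ASSERT at HTMLSelectElement.cpp:614
    // is counted rather than aborting so the scenario can be checked.
    void updateListBoxSelection() {
        if (!m_selected.empty() && m_anchor < 0) {
            ++m_assertionFailures; // ASSERT(!listItems().size() || m_activeSelectionAnchorIndex >= 0)
            return;
        }
        int lo = std::min(m_anchor, m_end), hi = std::max(m_anchor, m_end);
        for (int i = lo; i <= hi; ++i)
            m_selected[i] = true;
    }
    bool m_multiple, m_guarded;
    std::vector<bool> m_selected;
    int m_anchor = -1, m_end = -1, m_assertionFailures = 0;
};
```

Without the guard, a single mousemove with the button held over an untouched multiselect hits the assertion; with it, the move is ignored until a mousedown on the select has set the anchor.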
Comment 4 Chris Dumez 2012-10-22 22:49:42 PDT
Created attachment 170066 [details]
Patch

Take Yosin's feedback into consideration.
Comment 5 yosin 2012-10-23 00:14:22 PDT
LGTM. Please wait for reviewer's approval.
Thanks for fixing the nasty bug and for the quick response!
Comment 6 Tony Chang 2012-10-23 10:35:25 PDT
Comment on attachment 170066 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=170066&action=review

> LayoutTests/ChangeLog:10
> +        WebCore::HTMLSelectElement::updateListBoxSelection() when doing a pressing
> +        left button outside a multiselect and then moving the mouse over the

"when doing a pressing" is awkward English. I would probably say:
"when pressing the left button outside a ..."
Comment 7 Chris Dumez 2012-10-23 10:42:22 PDT
Created attachment 170189 [details]
Patch for landing

Take Tony's feedback into consideration.

Could someone please cq+ ?
Comment 8 WebKit Review Bot 2012-10-23 11:22:29 PDT
Comment on attachment 170189 [details]
Patch for landing

Clearing flags on attachment: 170189

Committed r132246: <http://trac.webkit.org/changeset/132246>
Comment 9 WebKit Review Bot 2012-10-23 11:22:33 PDT
All reviewed patches have been landed.  Closing bug.