[Webkit-unassigned] [Bug 40390] New: Destroyed popup menu gets called during AutoFill thus crashing the tab.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 9 14:39:36 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=40390

           Summary: Destroyed popup menu gets called during AutoFill thus
                    crashing the tab.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P1
         Component: WebKit API
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: georgey at chromium.org


This verified using chromium.

1. Have two autofill profiles, one with name only. 
2. Go to https://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo works.
3. Autofill by clicking on first name and selecting name-only profile.
4. Click on the field again to re-select profiles

list of profiles should appear. Instead tab crashes.

Call stack:
     chrome.dll!WebKit::WebPopupMenuImpl::client()  Line 80 + 0x11 bytes    C++
    chrome.dll!WebKit::WebViewImpl::refreshSuggestionsPopup()  Line 2105 + 0x14 bytes    C++
     chrome.dll!WebKit::WebViewImpl::applyAutoFillSuggestions(const WebKit::WebNode & node={...}, const WebKit::WebVector<WebKit::WebString> & names={...}, const WebKit::WebVector<WebKit::WebString> & labels={...}, int defaultSuggestionIndex=-1)  Line 1836    C++
     chrome.dll!RenderView::OnAutoFillSuggestionsReturned(int query_id=1, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > & values=[1]("a56757576576"), const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > & labels=[1]("#2"), int default_suggestion_index=-1)  Line 1486 + 0x4b bytes    C++
     chrome.dll!DispatchToMethod<RenderView,void (__thiscall RenderView::*)(int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,int),int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int>(RenderView * obj=0x05550400, void (int, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t
 > >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, int)* method=0x5a1f6600, const Tuple4<int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int> & arg={...})  Line 441 + 0x36 bytes    C++
     chrome.dll!IPC::MessageWithTuple<Tuple4<int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > >,int> >::Dispatch<RenderView,void (__thiscall RenderView::*)(int,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > const &,int)>(const IPC::Message * msg=0x064ce5a8, RenderView * obj=0x05550400, void (int, const std::vector<std::basic_s
 tring<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, const std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > &, int)* func=0x5a1f6600)  Line 1020 + 0x23 bytes    C++
     chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...})  Line 653 + 0x4a bytes    C++
     chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...})  Line 40 + 0x13 bytes    C++
     chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...})  Line 31 + 0x13 bytes    C++

cause:
in WebViewImpl::refreshSuggestionsPopup()
        WebPopupMenuImpl* popupMenu =
            static_cast<WebPopupMenuImpl*>(m_suggestionsPopup->client());
returns NULL, and crashes next line.
        popupMenu->client()->setWindowRect(newBounds);

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list