[Webkit-unassigned] [Bug 41024] New: Crasher when a select sets an attribute from the onchange handler

Tue Jun 22 16:58:03 PDT 2010

https://bugs.webkit.org/show_bug.cgi?id=41024

           Summary: Crasher when a select sets an attribute from the
                    onchange handler
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jcivelli at chromium.org

Created an attachment (id=59446)
 --> (https://bugs.webkit.org/attachment.cgi?id=59446)
Crasher repro example.

- Open the attached HTML file.
- Select an item

It crashes.

Seen on Chromium and Safari 5.0

Here is the stack on Chromium:
    chrome.dll!WebCore::toRenderMenuList(WebCore::RenderObject * object=0x0b660dcc)  Line 139 + 0x42 bytes    C++
     chrome.dll!WebCore::SelectElement::setSelectedIndex(WebCore::SelectElementData & data={...}, WebCore::Element * element=0x0b66e8c0, int optionIndex=2, bool deselect=true, bool fireOnChangeNow=true, bool userDrivenChange=true)  Line 345 + 0xe bytes    C++
     chrome.dll!WebCore::HTMLSelectElement::setSelectedIndexByUser(int optionIndex=2, bool deselect=true, bool fireOnChangeNow=true)  Line 104 + 0x23 bytes    C++
     chrome.dll!WebCore::RenderMenuList::valueChanged(unsigned int listIndex=2, bool fireOnChange=true)  Line 310 + 0x31 bytes    C++
     chrome.dll!WebCore::PopupListBox::acceptIndex(int index=2)  Line 1007 + 0x21 bytes    C++
     chrome.dll!WebCore::PopupListBox::handleMouseReleaseEvent(const WebCore::PlatformMouseEvent & event={...})  Line 643    C++
     chrome.dll!WebCore::PopupContainer::handleMouseReleaseEvent(const WebCore::PlatformMouseEvent & event={...})  Line 467 + 0x47 bytes    C++
     chrome.dll!WebKit::WebPopupMenuImpl::MouseUp(const WebKit::WebMouseEvent & event={...})  Line 111 + 0x2c bytes    C++

It is asserting in RenderMenuList::toRenderMenuList because the passed object is not a MenuList (it is a RenderListBox).

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.