[Webkit-unassigned] [Bug 103592] New: [BlackBerry] DRT - crashed on WebCore::SearchFieldCancelButtonElement

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 28 20:19:43 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=103592

           Summary: [BlackBerry] DRT - crashed on
                    WebCore::SearchFieldCancelButtonElement
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Other
        OS/Version: Other
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Event Handling
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: xiaobo.wang at torchmobile.com.cn
                CC: rwlbuis at gmail.com


Got a crash when running DRT test fast/forms/search-delete-while-cancel-button-clicked.html on BlackBerry platform. It doesn't reproduce 100%, but it did happen from time to time.

Back Trace
==========
#0  WebCore::SearchFieldCancelButtonElement::defaultEventHandler
(this=0x4fca4d0, event=0x4eba738)
    at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/html/shadow/TextControlInnerElements.cpp:206
#1  0x7a4f304e in dispatchEventPostProcess (preDispatchEventHandlerResult=0x0,
event=..., this=0xdfee38)
    at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/dom/EventDispatcher.cpp:340
#2  WebCore::EventDispatcher::dispatchEvent (this=0xdfee38, prpEvent=...)
    at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/dom/EventDispatcher.cpp:255
#3  0x7a4f9596 in dispatchEvent (dispatcher=0xdfee38, this=0x4e66e00) at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/dom/MouseEvent.cpp:215
#4  WebCore::MouseEventDispatchMediator::dispatchEvent (this=0x4e66e00,
dispatcher=0xdfee38)
    at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/dom/MouseEvent.cpp:204
#5  0x7a4f2770 in WebCore::EventDispatcher::dispatchEvent (node=<optimized
out>, mediator=...)
    at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/dom/EventDispatcher.cpp:128
#6  0x79daab66 in WebCore::Node::dispatchMouseEvent (this=0x4fca4d0, event=...,
eventType=..., detail=<optimized out>, relatedTarget=0x3a06618)
    at /home/yanbin/workspace/playbook/webkit/Source/WebCore/dom/Node.cpp:2664
#7  0x79f6d504 in WebCore::EventHandler::updateMouseEventTargetNode
(this=0x1cddd8, targetNode=<optimized out>, mouseEvent=..., 
    fireMouseOverOut=<optimized out>) at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/page/EventHandler.cpp:2235
#8  0x79f6d6ae in WebCore::EventHandler::dispatchMouseEvent (this=0x1cddd8,
eventType=..., targetNode=0x3a06618, clickCount=0, mouseEvent=..., 
    setUnder=true) at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/page/EventHandler.cpp:2252
#9  0x79f6e312 in WebCore::EventHandler::handleMouseMoveEvent (this=<optimized
out>, mouseEvent=..., hoveredNode=<optimized out>, 
    onlyUpdateScrollbars=<optimized out>) at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/page/EventHandler.cpp:1827
#10 0x79f6f7f0 in WebCore::EventHandler::mouseMoved (this=0x1cddd8, event=...)
    at
/home/yanbin/workspace/playbook/webkit/Source/WebCore/page/EventHandler.cpp:1699
#11 0x79c909c6 in BlackBerry::WebKit::WebPagePrivate::handleMouseEvent
(this=0x1446d8, mouseEvent=...)
    at
/home/yanbin/workspace/playbook/webkit/Source/WebKit/blackberry/Api/WebPage.cpp:4021
#12 0x79c90bae in BlackBerry::WebKit::WebPage::mouseEvent (this=0x18a938,
mouseEvent=..., wheelDeltaAccepted=0x0)
    at
/home/yanbin/workspace/playbook/webkit/Source/WebKit/blackberry/Api/WebPage.cpp:3965
#13 0x79ce098c in mouseMoveToCallback (context=0x8e6090, function=<optimized
out>, thisObject=<optimized out>, argumentCount=<optimized out>, 
    arguments=0xdff49c, exception=0xdff510) at
/home/yanbin/workspace/playbook/webkit/Tools/DumpRenderTree/blackberry/EventSender.cpp:99
#14 0x7a8fe7b6 in JSC::JSCallbackFunction::call (exec=0x8e6090)
    at
/home/yanbin/workspace/playbook/webkit/Source/JavaScriptCore/API/JSCallbackFunction.cpp:73
#15 0x7a877f22 in JSC::JITStubThunked_op_call_NotJSFunction (args=0xdff578)
    at
/home/yanbin/workspace/playbook/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:2275
#16 0x7a874b64 in cti_op_call_NotJSFunction () from libwebkit.so.0
#17 0x0011519a in ?? ()
#18 0x0011519a in ?? ()

The issue is when we handle the mouseout event in the search field cancel button, the input element has already been removed. See code below.

void SearchFieldCancelButtonElement::defaultEventHandler(Event* event)
{
    // If the element is visible, on mouseup, clear the value, and set selection
    RefPtr<HTMLInputElement> input(static_cast<HTMLInputElement*>(shadowHost()));
    /**********BUG: input is null if the input element has been removed.*****/
    if (input->disabled() || input->readOnly()) {
        if (!event->defaultHandled())
            HTMLDivElement::defaultEventHandler(event);
        return;
    }
    ...
}

Further investigation shows we're trying to send a mouseout event to the old node AFTER it has
been detached; see the log below. Note that the log below is from a DRT run with NO crash.

Output of instrumented code
============================
Debug - EventHandler::handleMouseMoveEvent()
Debug - newSubframe = 0
Debug - EventHandler::updateMouseEventTargetNode(): m_nodeUnderMouse is 0
Debug - EventHandler::handleMouseMoveEvent()
Debug - newSubframe = 0
Debug - EventHandler::updateMouseEventTargetNode(): m_nodeUnderMouse=5db2d8 (DIV, , 1)
Debug - SearchFieldCancelButtonElement::defaultEventHandler: input is 4e0300
Debug - SearchFieldCancelButtonElement::defaultEventHandler: input is 4e0300
Debug - EventHandler::updateMouseEventTargetNode(): m_nodeUnderMouse=5db2d8 (DIV, , 1)
Debug - SearchFieldCancelButtonElement::defaultEventHandler: input is 4e0300
Debug - EventHandler::setCapturingMouseEventsNode: 0x5db2d8
Debug - SearchFieldCancelButtonElement::detach(): m_capturing=1  <====== Cancel button detached.
Debug - EventHandler::setCapturingMouseEventsNode: 0x0
Debug - frame->eventHandler()->setCapturingMouseEventsNode(0)
Debug - EventHandler::handleMouseMoveEvent()
Debug - newSubframe = 0
Debug - EventHandler::updateMouseEventTargetNode(): m_nodeUnderMouse=1dd840 (INPUT, , 1)
Debug - SearchFieldCancelButtonElement::defaultEventHandler: input is 4e0300 <====== Called after detached, because it is the m_lastNodeUnderMouse.
Debug - EventHandler::updateMouseEventTargetNode(): m_lastNodeUnderMouse=5db2d8 (DIV, , 1)
Debug - EventHandler::updateMouseEventTargetNode(): m_nodeUnderMouse=1dd840 (INPUT, , 1)
Debug - EventHandler::updateMouseEventTargetNode(): m_nodeUnderMouse=1dd840 (INPUT, , 1)
Debug - EventHandler::updateMouseEventTargetNode(): m_nodeUnderMouse=1dd840 (INPUT, , 1)

This tests that events don't continue to target a search cancel button if it is
deleted while mouse is down.

clicking in cancel

deleting search input

clicking button
button click!
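The detach-then-mouseout sequence from the log above, modelled as an added example (not WebKit code; the types, the `replay` driver and the `nodeWillBeDetached` hook are stand-ins): the handler checks `shadowHost()` for null before dereferencing it, and the dispatcher forgets a detached `m_lastNodeUnderMouse`, so a stale target is never handed a mouseout.

```cpp
#include <string>
#include <vector>

// Minimal stand-ins for the WebCore types in the report (hypothetical, not WebKit's own).
struct HTMLInputElement { bool disabled = false; bool readOnly = false; };
struct Event { std::string type; };

struct SearchFieldCancelButtonElement {
    HTMLInputElement* host;                       // the <input> this button lives under
    HTMLInputElement* shadowHost() const { return host; }
    void detach() { host = nullptr; }             // removing the <input> leaves no host

    // Hardened handler: the original dereferenced `input` unconditionally (the crash in
    // the backtrace); here the handler bails out before touching it when there is no host.
    std::string defaultEventHandler(const Event& event) {
        HTMLInputElement* input = shadowHost();
        if (!input)
            return "ignored: detached";
        if (input->disabled || input->readOnly)
            return "ignored: disabled/readonly";
        return "handled: " + event.type;
    }
};

// Models the part of EventHandler that keeps the previous target: when the node under the
// mouse changes, the old node is sent mouseout even if it was detached in the meantime.
struct MouseEventDispatcher {
    SearchFieldCancelButtonElement* lastNodeUnderMouse = nullptr;
    std::vector<std::string> log;

    void mouseMoveTo(SearchFieldCancelButtonElement* node) {
        if (lastNodeUnderMouse && lastNodeUnderMouse != node)
            log.push_back(lastNodeUnderMouse->defaultEventHandler(Event{"mouseout"}));
        lastNodeUnderMouse = node;
    }
    // Second line of defence: drop the node when it goes away so no stale target is used.
    void nodeWillBeDetached(SearchFieldCancelButtonElement* node) {
        if (lastNodeUnderMouse == node)
            lastNodeUnderMouse = nullptr;
    }
};

// Replays the log: hover the cancel button, detach it, move the mouse away. Returns what the
// detached button's handler did, or "no event" if the dispatcher had already forgotten it.
std::string replay(bool dispatcherForgetsDetachedNode) {
    HTMLInputElement input;
    SearchFieldCancelButtonElement button{&input};
    MouseEventDispatcher eh;
    eh.mouseMoveTo(&button);                      // button becomes lastNodeUnderMouse
    if (dispatcherForgetsDetachedNode)
        eh.nodeWillBeDetached(&button);
    button.detach();
    eh.mouseMoveTo(nullptr);                      // mouseout to the old node, if still tracked
    return eh.log.empty() ? "no event" : eh.log.back();
}
```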
