[Webkit-unassigned] [Bug 218965] New: ASSERT setting value to renderer-less <input type=search incremental>

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Nov 15 15:33:03 PST 2020 

https://bugs.webkit.org/show_bug.cgi?id=218965

            Bug ID: 218965
           Summary: ASSERT setting value to renderer-less <input
                    type=search incremental>
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Forms
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sam at webkit.org
                CC: cdumez at apple.com, wenson_hsieh at apple.com

Created attachment 414182

  --> https://bugs.webkit.org/attachment.cgi?id=414182&action=review

Test Case (asserts in debug builds)

I noticed this assertion getting hit though not sure what page I was on. Made a reduction from first principles:

ASSERTION FAILED: element()->renderer()
./html/SearchInputType.cpp(167) : void WebCore::SearchInputType::startSearchEventTimer()
1   0x1956becc9 WTFCrash
2   0x1767985db WTFCrashWithInfo(int, char const*, char const*, int)
3   0x179b2ee1e WebCore::SearchInputType::startSearchEventTimer()
4   0x179b2f100 WebCore::SearchInputType::didSetValueByUserEdit()
5   0x179b394f3 WebCore::TextFieldInputType::setValue(WTF::String const&, bool, WebCore::TextFieldEventBehavior)
6   0x1799ee0c8 WebCore::HTMLInputElement::setValue(WTF::String const&, WebCore::TextFieldEventBehavior)
7   0x1774fc757 WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)::'lambda'()::operator()() const
8   0x1774fc691 std::__1::enable_if<!(std::is_same<void, decltype(fp1())>::value), void>::type WebCore::AttributeSetter::call<WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)::'lambda'()&&)
9   0x1774fc628 WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)
10  0x17740e43e bool WebCore::IDLAttribute<WebCore::JSHTMLInputElement>::set<&(WebCore::setJSHTMLInputElement_valueSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*)
11  0x17740e2dc WebCore::setJSHTMLInputElement_value(JSC::JSGlobalObject*, long long, long long)
12  0x196e9109d JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue)
13  0x19704761f JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
14  0x19675c451 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
15  0x19675bf18 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
16  0x19675cf83 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
17  0x196bf85cb llint_slow_path_put_by_id
18  0x195c83c30 llint_entry
19  0x195c78180 vmEntryToJavaScript
20  0x196ac907b JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
21  0x196ac9837 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
22  0x196e1717d JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
23  0x196edf97a JSC::callSetter(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue, JSC::JSValue, JSC::ECMAMode)
24  0x197047496 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
25  0x19675c451 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
26  0x19675bf18 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
27  0x19675cf83 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)


```Test Case

<input type="search" incremental style="display: none" id="test">
Hit any key to assert in a debug build.
<script>
  window.addEventListener("keydown", event => {
    const inputElement = document.getElementById("test");
    inputElement.value = "hello";
  });
</script>

```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20201115/e212ab0f/attachment.htm>

More information about the webkit-unassigned mailing list