Issue 806185


Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocking:
issue 805326




HTMLFormElement.idl should have the HTMLConstructor extended attribute

Project Member Reported by yosin@chromium.org, Jan 26 2018

Issue description

When adding [HTMLConstructor] to HTMLFormElement.idl, we get the following crash
with LayoutTests/external/wpt/custom-elements/builtin-coverage.html


listed_element is nullptr.

void HTMLFormControlsCollection::UpdateIdNameCache() const {
  if (HasValidIdNameCache())
    return;

  NamedItemCache* cache = NamedItemCache::Create();
  HashSet<StringImpl*> found_input_elements;

  for (const auto& listed_element : ListedElements()) {
    // Crash site: listed_element is nullptr when this is dereferenced.
    if (listed_element->IsEnumeratable()) {
      HTMLElement* element = ToHTMLElement(listed_element);

HTMLFormControlsCollection::UpdateIdNameCache() Line 141
HTMLCollection::NamedItems(const WTF::AtomicString & name, blink::HeapVector<blink::Member<blink::Element>,0> & result) Line 528
HTMLFormElement::GetNamedElements(const WTF::AtomicString & name, blink::HeapVector<blink::Member<blink::Element>,0> & named_items) Line 769
HTMLFormElement::AnonymousNamedGetter(const WTF::AtomicString & name, blink::RadioNodeListOrElement & return_value) Line 806
HTMLFormElementV8Internal::namedPropertyGetter(const WTF::AtomicString & name, const v8::PropertyCallbackInfo<v8::Value> & info) Line 379
V8HTMLFormElement::namedPropertyGetterCallback(v8::Local<v8::Name> name, const v8::PropertyCallbackInfo<v8::Value> & info) Line 611
v8.dll!v8::internal::PropertyCallbackArguments::BasicCallNamedGetterCallback(void(*)(v8::Local<v8::Name>, const v8::PropertyCallbackInfo<v8::Value> &) f, v8::internal::Handle<v8::internal::Name> name) Line 108
v8.dll!v8::internal::PropertyCallbackArguments::CallNamedGetter(v8::internal::Handle<v8::internal::InterceptorInfo> interceptor, v8::internal::Handle<v8::internal::Name> name) Line 85
v8.dll!v8::internal::`anonymous namespace'::GetPropertyWithInterceptorInternal(v8::internal::LookupIterator * it, v8::internal::Handle<v8::internal::InterceptorInfo> interceptor, bool * done) Line 1858
v8.dll!v8::internal::JSObject::GetPropertyWithInterceptor(v8::internal::LookupIterator * it, bool * done) Line 15753
v8.dll!v8::internal::Object::GetProperty(v8::internal::LookupIterator * it) Line 1124
v8.dll!v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object> object, v8::internal::Handle<v8::internal::Name> name) Line 461
v8.dll!v8::internal::__RT_impl_Runtime_LoadIC_Miss(v8::internal::Arguments args, v8::internal::Isolate * isolate) Line 2083
v8.dll!v8::internal::Runtime_LoadIC_Miss(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 2066
 

Comment 1 by yosin@chromium.org, Jan 26 2018

Blocking: 805326

Comment 2 by tkent@chromium.org, Jan 31 2018

Cc: yoichio@chromium.org yosin@chromium.org
It seems this is due to a bad cast.

If we add [HTMLConstructor] to HTMLFormElement.idl and add SECURITY_DCHECK(q_name != formTag) to HTMLElement::Create(), we see:

[69749:775:0131/152321.396061:FATAL:HTMLElement.cpp(142)] Security DCHECK failed: q_name != formTag. 
  ...
4   libbase.dylib                       0x0000000104f844e5 logging::LogMessage::~LogMessage() + 21
5   libblink_core.dylib                 0x000000012148ca5e blink::HTMLElement::Create(blink::QualifiedName const&, blink::Document&) + 222
6   libblink_core.dylib                 0x000000012155542b blink::CustomElementDefinition::CreateElementForConstructor(blink::Document&) + 107
7   libblink_core.dylib                 0x00000001204a70d2 blink::V8HTMLConstructor::HtmlConstructor(v8::FunctionCallbackInfo<v8::Value> const&, blink::WrapperTypeInfo const&, blink::HTMLElementType) + 3154
8   libblink_core.dylib                 0x00000001229ca088 blink::V8HTMLFormElement::constructorCallback(v8::FunctionCallbackInfo<v8::Value> const&) + 408
9   libv8.dylib                         0x000000011edc2a43 v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) + 451
  ...

Maybe this also affects Issue 805281.
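A constructed C++ model of the bad cast described in this comment, added here as an illustration and not Blink code: the class and function names are hypothetical stand-ins for Blink's, the factory's `reject_form` flag plays the role of the SECURITY_DCHECK(q_name != formTag), and the checked downcast shows how an object created through the generic path is caught instead of being used as an HTMLFormElement.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>
// Constructed model of the bug (not Blink code): a generic element factory that,
// when reached with the "form" tag, produces a plain HTMLElement where callers
// later expect an HTMLFormElement. All names are hypothetical stand-ins.
struct HTMLElement {
  explicit HTMLElement(std::string tag) : tag_name(std::move(tag)) {}
  virtual ~HTMLElement() = default;
  virtual bool IsFormElement() const { return false; }
  std::string tag_name;
};

struct HTMLFormElement : HTMLElement {
  HTMLFormElement() : HTMLElement("form") {}
  bool IsFormElement() const override { return true; }
  std::vector<HTMLElement*> listed_elements;  // what the form's named getter walks
};

// Unchecked downcast: the "bad cast" from comment 2. Applied to a plain
// HTMLElement created for "form" this is type confusion; any access to
// listed_elements through the result would be undefined behaviour.
HTMLFormElement* ToHTMLFormElementUnchecked(HTMLElement* e) {
  return static_cast<HTMLFormElement*>(e);
}

// Checked downcast: refuses objects whose dynamic type is not HTMLFormElement.
HTMLFormElement* ToHTMLFormElementChecked(HTMLElement* e) {
  return (e && e->IsFormElement()) ? static_cast<HTMLFormElement*>(e) : nullptr;
}

// Generic factory modelling HTMLElement::Create(). With reject_form set it
// mirrors the SECURITY_DCHECK from the comment: it refuses to build a plain
// HTMLElement for a tag that has its own subclass, so the caller must fix its path.
std::unique_ptr<HTMLElement> CreateGenericElement(const std::string& tag, bool reject_form) {
  if (reject_form && tag == "form") return nullptr;  // would have been the DCHECK
  return std::make_unique<HTMLElement>(tag);
}

// Returns true when the checked cast catches the mismatch the unchecked one misses.
bool CheckedCastCatchesConfusion() {
  auto bogus = CreateGenericElement("form", /*reject_form=*/false);  // the buggy path
  bool unchecked_accepts = ToHTMLFormElementUnchecked(bogus.get()) != nullptr;
  bool checked_rejects = ToHTMLFormElementChecked(bogus.get()) == nullptr;
  HTMLFormElement real;
  bool checked_accepts_real = ToHTMLFormElementChecked(&real) == &real;
  return unchecked_accepts && checked_rejects && checked_accepts_real;
}
```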

Comment 3 by tkent@chromium.org, Jan 31 2018

Owner: tkent@chromium.org
Status: Started (was: Available)

Comment 5 by tkent@chromium.org, Jan 31 2018

Status: Fixed (was: Started)
