Bug 40232

Summary: postMessage(window) throws "Type error" with input elements other than text fields
Product: WebKit Reporter: Kim Grönholm <kim.1.gronholm>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: hausmann, oliver
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: All   
Bug Depends on:    
Bug Blocks: 39757    
Attachments:
Description Flags
Backtrace of postMessage(window) throwing a type error
none
LayoutTests/fast/dom/Window/window-postmessage-clone with additional input element none

Kim Grönholm
Reported 2010-06-07 06:10:22 PDT
Created attachment 58021 [details] Backtrace of postMessage(window) throwing a type error postMessage(window) should throw TypeError: "Cannot post cyclic structures." like it (normally) does in LayoutTests/fast/dom/Window/window-postmessage-clone.html. However, in case the TreeWalker traverses through an input element other than text field before it notices the cyclic structure, it throws TypeError: "Type error". This issue was revealed when adding a new attribute to Element.idl which caused the hash lookup to traverse through the objects/properties in different order in LayoutTests/fast/dom/Window/window-postmessage-clone.html. The issue can also be seen by slightly modifying the test page by e.g. adding a dummy input element on top of the test page with type "button" or "file" (I'll attach a test case for this) The reason why this happens is that when the TreeWalkers in WebCore/bindings/ js/SerializedScriptValue.cpp walk through the objects and their properties, the getProperty function ends up querying the JSHTMLInputElement::selectionStart or JSHTMLInputElement::selectionEnd properties whose getters throw the type error in case the input element is not of type "TextField" (!input->canHaveSelection()) See the example backtrace for further clarification.
Attachments
Backtrace of postMessage(window) throwing a type error (1.63 KB, text/plain)
2010-06-07 06:10 PDT, Kim Grönholm 		no flags
Details
LayoutTests/fast/dom/Window/window-postmessage-clone with additional input element (5.48 KB, text/html)
2010-06-07 06:17 PDT, Kim Grönholm 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Kim Grönholm
Comment 1 2010-06-07 06:17:11 PDT
Created attachment 58022 [details] LayoutTests/fast/dom/Window/window-postmessage-clone with additional input element Added a test case that is otherwise identical to LayoutTests/fast/dom/Window/window-postmessage-clone.html except one dummy input (type="button") element that is added on top of the page. This dummy input element makes the postMessage(window) test fail prompting: PASS: 'postMessage(window)' threw TypeError: Type error when the expected output would be: PASS: 'postMessage(window)' threw TypeError: Cannot post cyclic structures. Removing the dummy button results in the expected output.
Kim Grönholm
Comment 2 2010-06-08 13:35:32 PDT
The actual issue is that postMessage should serialise dom objects to null by default and it is being tracked in https://bugs.webkit.org/show_bug.cgi?id=40329 *** This bug has been marked as a duplicate of bug 40329 ***
Note You need to log in before you can comment on or make changes to this bug.