Bug 101133

Summary:

Crash when replacing parts of text inputs with content: url(...)

Product:

WebKit

Reporter:

Elliott Sprehn <esprehn>

Component:

Layout and Rendering

Assignee:

Takashi Sakamoto <tasak>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cmarcelo, dglazkov, eric, inferno, jchaffraix, macpherson, menard, mifenton, mitz, tasak, tkent, webkit.review.bot

Priority:

Keywords:

HasReduction

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Reduction (instant crash!)	none
Patch	none
Patch	none
Patch	none
Patch for landing	none

Elliott Sprehn

Reported 2012-11-02 17:17:07 PDT

When you replace a part of a text input with an image using content: url(...) we crash in WebCore::RenderTextControlSingleLine::layout() #0 0x7f3d63b22655 in WebCore::RenderTextControlSingleLine::layout() third_party/WebKit/Source/WebCore/rendering/RenderTextControlSingleLine.cpp:111 #1 0x7f3d62f51f30 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:662 #2 0x7f3d630979d3 in WebCore::RenderBlock::layoutPositionedObjects(bool) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2682 #3 0x7f3d6308bc34 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1588 #4 0x7f3d63086cdd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383 #5 0x7f3d62f51f30 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:662 #6 0x7f3d630979d3 in WebCore::RenderBlock::layoutPositionedObjects(bool) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2682 #7 0x7f3d6308bc34 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1588 #8 0x7f3d63086cdd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383 This is enough to cause it: <style> input::-webkit-textfield-decoration-container { content: url(""); } </style> <input type=number> This is because of the hack in RenderObject::createObject where we swap out the correct renderer for an element with a RenderImage if content is specified and only has a url(...). http://code.google.com/searchframe#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp&exact_package=chromium&q=RenderObject.cpp&type=cs&l=144

Attachments
Reduction (instant crash!) (126 bytes, text/html) 2012-11-02 17:18 PDT, Elliott Sprehn	no flags	Details
Patch (3.41 KB, patch) 2012-11-07 03:20 PST, Takashi Sakamoto	no flags	Details Formatted Diff Diff
Patch (4.31 KB, patch) 2012-11-12 19:50 PST, Takashi Sakamoto	no flags	Details Formatted Diff Diff
Patch (5.56 KB, patch) 2012-11-12 23:40 PST, Takashi Sakamoto	no flags	Details Formatted Diff Diff
Patch for landing (5.54 KB, patch) 2012-11-13 18:11 PST, Takashi Sakamoto	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Elliott Sprehn

Comment 1 2012-11-02 17:18:26 PDT

Created attachment 172181 [details] Reduction (instant crash!)

Elliott Sprehn

Comment 2 2012-11-02 17:49:10 PDT

I think the trivial fix for this is to override the content property in these cases: http://code.google.com/searchframe#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/html/TextFieldInputType.cpp&exact_package=chromium&q=textfield-decoration-container&type=cs&l=248 we should do m_container->setInlineStyleProperty(CSSPropertyContent, "none", false); as I can't fathom why you'd ever actually intend to swap out the entire inside of a text input with a content image.

Takashi Sakamoto

Comment 3 2012-11-07 03:20:58 PST

Created attachment 172749 [details] Patch

Elliott Sprehn

Comment 4 2012-11-09 10:16:51 PST

Comment on attachment 172749 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=172749&action=review > Source/WebCore/css/html.css:439 > + content: none !important; Do !important rules in author style sheets not override ones in the UA sheet? > LayoutTests/fast/dom/HTMLInputElement/input-set-content-url-crash.html:5 > + content: url(""); What happens if you put an !important here?

Eric Seidel (no email)

Comment 5 2012-11-09 12:57:41 PST

Comment on attachment 172749 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=172749&action=review I think we need some sort of ASSERT or other guard in the C++ code to make sure we don't ever hit this again. Right now if we removed that line we would start having this crash again. I suspect that's true of many lines in our UA file, but it still seems worthy of a C++ ASSERT to validate our understanding of the code's limitations. >> Source/WebCore/css/html.css:439 >> + content: none !important; > > Do !important rules in author style sheets not override ones in the UA sheet? UA sheets win: http://www.w3.org/TR/CSS2/cascade.html#cascading-order

Takashi Sakamoto

Comment 6 2012-11-12 19:50:37 PST

Created attachment 173798 [details] Patch

Takashi Sakamoto

Comment 7 2012-11-12 19:59:26 PST

Comment on attachment 172749 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=172749&action=review Thank you for reviewing. I added ASSERT to TextFieldInputType::attach() to confirm that container has no content data. Best regards, Takashi Sakamoto >> LayoutTests/fast/dom/HTMLInputElement/input-set-content-url-crash.html:5 >> + content: url(""); > > What happens if you put an !important here? I agree that I should add !important here. Done.

Kent Tamura

Comment 8 2012-11-12 22:49:08 PST

Comment on attachment 173798 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review > Source/WebCore/ChangeLog:11 > + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html Would you put the test as fast/forms/number/number-content-url-crash.html please? Also, this bug should happen with <input type=search>. We had better have the same test for type=search.

Takashi Sakamoto

Comment 9 2012-11-12 23:25:40 PST

Comment on attachment 173798 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review >> Source/WebCore/ChangeLog:11 >> + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html > > Would you put the test as fast/forms/number/number-content-url-crash.html please? > Also, this bug should happen with <input type=search>. We had better have the same test for type=search. So... I know the following input types inherit from class TextFieldInputType: - TextInputType - URLInputType - EmailInputType - SearchInputType - PasswordInputType - TelephoneInputType - NumberInputType - BaseDateAndTimeInputType We have to add the same test for above all types?

Kent Tamura

Comment 10 2012-11-12 23:30:55 PST

Comment on attachment 173798 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review >>> Source/WebCore/ChangeLog:11 >>> + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html >> >> Would you put the test as fast/forms/number/number-content-url-crash.html please? >> Also, this bug should happen with <input type=search>. We had better have the same test for type=search. > > So... I know the following input types inherit from class TextFieldInputType: > - TextInputType > - URLInputType > - EmailInputType > - SearchInputType > - PasswordInputType > - TelephoneInputType > - NumberInputType > - BaseDateAndTimeInputType > > We have to add the same test for above all types? No. -webkit-textfield-decoration-container is used only in type=number and type=search.

Takashi Sakamoto

Comment 11 2012-11-12 23:39:49 PST

(In reply to comment #10) > (From update of attachment 173798 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review > > >>> Source/WebCore/ChangeLog:11 > >>> + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html > >> > >> Would you put the test as fast/forms/number/number-content-url-crash.html please? > >> Also, this bug should happen with <input type=search>. We had better have the same test for type=search. > > > > So... I know the following input types inherit from class TextFieldInputType: > > - TextInputType > > - URLInputType > > - EmailInputType > > - SearchInputType > > - PasswordInputType > > - TelephoneInputType > > - NumberInputType > > - BaseDateAndTimeInputType > > > > We have to add the same test for above all types? > > No. -webkit-textfield-decoration-container is used only in type=number and type=search. I see.

Takashi Sakamoto

Comment 12 2012-11-12 23:40:37 PST

Created attachment 173834 [details] Patch

Takashi Sakamoto

Comment 13 2012-11-12 23:42:03 PST

(In reply to comment #11) > (In reply to comment #10) > > (From update of attachment 173798 [details] [details]) > > View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review > > > > >>> Source/WebCore/ChangeLog:11 > > >>> + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html > > >> > > >> Would you put the test as fast/forms/number/number-content-url-crash.html please? > > >> Also, this bug should happen with <input type=search>. We had better have the same test for type=search. > > > > > > So... I know the following input types inherit from class TextFieldInputType: > > > - TextInputType > > > - URLInputType > > > - EmailInputType > > > - SearchInputType > > > - PasswordInputType > > > - TelephoneInputType > > > - NumberInputType > > > - BaseDateAndTimeInputType > > > > > > We have to add the same test for above all types? > > > > No. -webkit-textfield-decoration-container is used only in type=number and type=search. Thanks. > I see. I added number-content-url-crash.html and search-content-url-crash.html instead of input-set-content-url-crash.html. Best regards, Takashi Sakamoto

Kent Tamura

Comment 14 2012-11-12 23:52:33 PST

Comment on attachment 173834 [details] Patch ok

WebKit Review Bot

Comment 15 2012-11-13 00:24:22 PST

Comment on attachment 173834 [details] Patch Clearing flags on attachment: 173834 Committed r134377: <http://trac.webkit.org/changeset/134377>

WebKit Review Bot

Comment 16 2012-11-13 00:24:26 PST

All reviewed patches have been landed. Closing bug.

Dimitri Glazkov (Google)

Comment 17 2012-11-13 16:34:11 PST

Reverted r134377 for reason: Caused a mysterious Android Clang build failure, needs investigation before landing again. Committed r134506: <http://trac.webkit.org/changeset/134506>

Dimitri Glazkov (Google)

Comment 18 2012-11-13 16:36:18 PST

This caused a weird breakage upstream: http://build.chromium.org/p/chromium.linux/builders/Android%20Clang%20Builder%20%28dbg%29/builds/1281/steps/compile/logs/stdio

Kent Tamura

Comment 19 2012-11-13 16:40:18 PST

Was it fixed by https://bugs.webkit.org/show_bug.cgi?id=102108 ?

Dimitri Glazkov (Google)

Comment 20 2012-11-13 17:15:49 PST

Doh! Can you guys re-land the patch?

Eric Seidel (no email)

Comment 21 2012-11-13 17:34:08 PST

There is no real need for these two tests to be separate. :) But that also shouldn't stand in the way of this patch (re-)landing.

Takashi Sakamoto

Comment 22 2012-11-13 18:10:50 PST

Sorry, Dimitri. Thank you, Kent-san. I will re-land the patch. Best regards, Takashi Sakamoto

Takashi Sakamoto

Comment 23 2012-11-13 18:11:40 PST

Created attachment 174046 [details] Patch for landing

WebKit Review Bot

Comment 24 2012-11-14 02:47:47 PST

Comment on attachment 174046 [details] Patch for landing Clearing flags on attachment: 174046 Committed r134584: <http://trac.webkit.org/changeset/134584>

WebKit Review Bot

Comment 25 2012-11-14 02:47:52 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.