Bug 152847

Summary:

Absolute positioning -webkit-search-cancel-button crashes Safari

Product:

WebKit

Reporter:

m.renty

Component:

CSS

Assignee:

alan <zalan>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

commit-queue, dbates, esprehn+autocc, glenn, kondapallykalyan, simon.fraser, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

Safari 9

Hardware:

Mac

OS:

OS X 10.10

Attachments:

Description	Flags
Patch	none
Patch	none

m.renty

Reported 2016-01-07 12:33:55 PST

When trying to absolute position of the -webkit-search-cancel-button of an input[type=search] Safari quits unexpectedly. I recreated it in JSBin http://jsbin.com/bimiqipojo, you can trigger it by focussing the input. Tested this both in OSX 10.10 and 10.11.

Attachments
Patch (17.21 KB, patch) 2016-01-08 20:13 PST, alan	no flags	Details Formatted Diff Diff
Patch (27.66 KB, patch) 2016-01-08 20:54 PST, alan	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

alan

Comment 1 2016-01-07 19:42:44 PST

I can't reproduce it with trunk r194751.

m.renty

Comment 2 2016-01-08 00:18:58 PST

What do you mean with trunk r194751? I have enclosed a link to JSBin where I recreated the bug, when you focus the input Safari quits every time. (In reply to comment #1) > I can't reproduce it with trunk r194751.

alan

Comment 3 2016-01-08 13:07:45 PST

(In reply to comment #2) > What do you mean with trunk r194751? > I have enclosed a link to JSBin where I recreated the bug, when you focus > the input Safari quits every time. > > (In reply to comment #1) > > I can't reproduce it with trunk r194751. Could you include the version of Safari that you use to reproduce this crash? (something like Version 9.0.X (XXXXX.X.X))

Simon Fraser (smfr)

Comment 4 2016-01-08 13:18:34 PST

I can reproduce with r194567. Click in the input, then type: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010cb003b7 WebCore::RenderBox::offsetFromContainer(WebCore::RenderElement&, WebCore::LayoutPoint const&, bool*) const + 135 1 com.apple.WebCore 0x000000010cbeade3 WebCore::RenderThemeMac::convertToPaintingRect(WebCore::RenderObject const&, WebCore::RenderObject const&, WebCore::FloatRect const&, WebCore::IntRect const&) const + 131 2 com.apple.WebCore 0x000000010cbef558 WebCore::RenderThemeMac::paintSearchFieldCancelButton(WebCore::RenderObject const&, WebCore::PaintInfo const&, WebCore::IntRect const&) + 1096 3 com.apple.WebCore 0x000000010cbe740c WebCore::RenderTheme::paint(WebCore::RenderBox const&, WebCore::ControlStates&, WebCore::PaintInfo const&, WebCore::LayoutRect const&) + 1516 4 com.apple.WebCore 0x000000010bed579d WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 541 5 com.apple.WebCore 0x000000010bed2db5 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 277 6 com.apple.WebCore 0x000000010bed5126 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 326 7 com.apple.WebCore 0x000000010cb57871 WebCore::RenderLayer::paintBackgroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 385 8 com.apple.WebCore 0x000000010cb546ea WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2650 9 com.apple.WebCore 0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320 10 com.apple.WebCore 0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320 11 com.apple.WebCore 0x000000010cb52677 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int) + 263 12 com.apple.WebCore 0x000000010c43cd12 WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&) + 514 13 com.apple.WebCore 0x000000010cc58630 WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) + 416 14 com.apple.WebCore 0x000000010bfa174d WebCore::RenderWidget::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 909 15 com.apple.WebCore 0x000000010bfa10e3 WebCore::RenderWidget::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 787 16 com.apple.WebCore 0x000000010cb5abba WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 394 17 com.apple.WebCore 0x000000010cb57b40 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool) + 496 18 com.apple.WebCore 0x000000010cb54840 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2992 19 com.apple.WebCore 0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320 20 com.apple.WebCore 0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320 21 com.apple.WebCore 0x000000010cb52677 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int) + 263 22 com.apple.WebCore 0x000000010c43cd12 WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&) + 514 23 com.apple.WebCore 0x000000010cc58630 WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) + 416 24 com.apple.WebCore 0x000000010bfa174d WebCore::RenderWidget::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 909 25 com.apple.WebCore 0x000000010bfa10e3 WebCore::RenderWidget::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 787 26 com.apple.WebCore 0x000000010cb5abba WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 394 27 com.apple.WebCore 0x000000010cb57b40 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool) + 496 28 com.apple.WebCore 0x000000010cb54840 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2992 29 com.apple.WebCore 0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320 30 com.apple.WebCore 0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320 31 com.apple.WebCore 0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320 32 com.apple.WebCore 0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320 33 com.apple.WebCore 0x000000010cb65bcc WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, unsigned int, unsigned int) + 524 34 com.apple.WebCore 0x000000010cb65e70 WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 528 35 com.apple.WebCore 0x000000010c469977 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 135 36 com.apple.WebCore 0x000000010caa18c9 WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow, 16ul>&) + 345 37 com.apple.WebCore 0x000000010ce1e533 WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 163 38 com.apple.WebCore 0x000000010cec34ac -[WebSimpleLayer drawInContext:] + 172

Radar WebKit Bug Importer

Comment 5 2016-01-08 13:18:45 PST

<rdar://problem/24112087>

m.renty

Comment 6 2016-01-08 13:20:53 PST

It occurs in Safari Version 9.0.2 (10601.3.9) both on OSX 10.10.5 and 10.11.2. When you focus the input[type=search] everything is fine, but when you type the first character Safari quits. (In reply to comment #3) > (In reply to comment #2) > > What do you mean with trunk r194751? > > I have enclosed a link to JSBin where I recreated the bug, when you focus > > the input Safari quits every time. > > > > (In reply to comment #1) > > > I can't reproduce it with trunk r194751. > > Could you include the version of Safari that you use to reproduce this crash? > (something like Version 9.0.X (XXXXX.X.X))

alan

Comment 7 2016-01-08 13:30:35 PST

containingRenderer -> null ASSERTION FAILED: containingRenderer RenderThemeMac.mm(685) : WebCore::FloatRect WebCore::RenderThemeMac::convertToPaintingRect(const WebCore::RenderObject &, const WebCore::RenderObject &, const WebCore::FloatRect &, const WebCore::IntRect &) const 1 0x10f02cb80 WTFCrash 2 0x112bad992 WebCore::RenderThemeMac::convertToPaintingRect(WebCore::RenderObject const&, WebCore::RenderObject const&, WebCore::FloatRect const&, WebCore::IntRect const&) const 3 0x112bb6b21 WebCore::RenderThemeMac::paintSearchFieldCancelButton(WebCore::RenderObject const&, WebCore::PaintInfo const&, WebCore::IntRect const&) 4 0x112ba566c WebCore::RenderTheme::paint(WebCore::RenderBox const&, WebCore::ControlStates&, WebCore::PaintInfo const&, WebCore::LayoutRect const&) 5 0x112902d79 WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) 6 0x112892dd4 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) 7 0x1128920e5 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) 8 0x1129eb250 WebCore::RenderLayer::paintBackgroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) 9 0x1129e75f6 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 10 0x1129e6c5a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 11 0x1129e59d6 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 12 0x1129eb374 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 13 0x1129e7848 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 14 0x1129e6c5a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 15 0x1129e59d6 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 16 0x1129eb374 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 17 0x1129e7848 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 18 0x1129e6c5a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 19 0x1129e59d6 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) 20 0x1129e5321 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int) 21 0x11185b3ce WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&)

alan

Comment 8 2016-01-08 20:13:16 PST

Created attachment 268605 [details] Patch

alan

Comment 9 2016-01-08 20:54:17 PST

Created attachment 268610 [details] Patch

Simon Fraser (smfr)

Comment 10 2016-01-08 21:22:49 PST

Comment on attachment 268610 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=268610&action=review > Source/WebCore/rendering/RenderThemeMac.mm:679 > + IntPoint offsetFromInputRenderer = roundedIntPoint(customButtonRenderer.localToContainerPoint(customButtonRenderer.contentBoxRect().location(), &inputRenderer)); Should this be FloatPoint or LayoutPoint?

WebKit Commit Bot

Comment 11 2016-01-08 22:27:59 PST

Comment on attachment 268610 [details] Patch Clearing flags on attachment: 268610 Committed r194817: <http://trac.webkit.org/changeset/194817>

WebKit Commit Bot

Comment 12 2016-01-08 22:28:04 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.