Bug 21385

Steps to reproduce the problem : 1. Save simple testcase below to a file : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>file input crasher</title> </head> <body> <input type="file" /> </body> </html> 2. Open that file with webkit/gtk 3. Click on the "Choose file" button, select any file and press OK (*). 4. WebKit/GTK crashes with the following stacktrace : #4 <signal handler called> #5 0xb6c18938 in cairo_save () from /usr/lib/libcairo.so.2 #6 0xb4cb2e64 in ?? () #7 0xb646e8aa in WebCore::RenderFileUploadControl::paintObject () from ./libwebkit-1.0.so #8 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so #9 0xb6441b0f in WebCore::InlineBox::paint () from ./libwebkit-1.0.so #10 0xb64432da in WebCore::InlineFlowBox::paint () from ./libwebkit-1.0.so #11 0xb64c5dc3 in WebCore::RootInlineBox::paint () from ./libwebkit-1.0.so #12 0xb647759c in WebCore::RenderFlow::paintLines () from ./libwebkit-1.0.so #13 0xb644ebd3 in WebCore::RenderBlock::paintContents () from ./libwebkit-1.0.so #14 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so #15 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so #16 0xb644eb40 in WebCore::RenderBlock::paintChildren () from ./libwebkit-1.0.so #17 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so #18 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so #19 0xb644eb40 in WebCore::RenderBlock::paintChildren () from ./libwebkit-1.0.so #20 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so #21 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so #22 0xb644eb40 in WebCore::RenderBlock::paintChildren () from ./libwebkit-1.0.so #23 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so #24 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so #25 0xb644eb40 in WebCore::RenderBlock::paintChildren () from ./libwebkit-1.0.so #26 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so #27 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so #28 0xb6485d8d in WebCore::RenderLayer::paintLayer () from ./libwebkit-1.0.so #29 0xb64859ed in WebCore::RenderLayer::paintLayer () from ./libwebkit-1.0.so #30 0xb64860c1 in WebCore::RenderLayer::paint () from ./libwebkit-1.0.so #31 0xb63ccc08 in WebCore::FrameView::paintContents () from ./libwebkit-1.0.so #32 0xb63f8e61 in WebCore::ScrollView::paint () from ./libwebkit-1.0.so #33 0xb63ce82e in WebCore::FrameView::updateControlTints () from ./libwebkit-1.0.so #34 0xb63c001b in WebCore::FocusController::setActive () from ./libwebkit-1.0.so #35 0xb61488a2 in webkit_web_view_focus_in_event () from ./libwebkit-1.0.so This is happening as of rev. 37315, I've bisected the bug to have had been introduced after rev. 37103 ... Possibly as soon as rev. 37104 since it happens to be related to some painting code but I couldn't test further as this revisions and the following are not building successfully. * : interestingly it does not crash if one click on Cancel instead, so I guess it crashes when it paint the filename of the selected file.