Bug 21385

Summary: [GTK] crash after selecting a file on an <input type=file>
Product: WebKit
Reporter: Cedric Vivier <cedricv>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Critical
CC: cedricv
Priority: P2
Keywords: Gtk, HasReduction, Regression
Version: 528+ (Nightly build)
Hardware: PC
OS: Linux
Attachments:
  check if painting is enabled before painting the icon (flags: alp: review+)

Description Cedric Vivier 2008-10-05 09:28:17 PDT
Steps to reproduce the problem:

1. Save the simple testcase below to a file:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<title>file input crasher</title>
</head>
<body>
<input type="file" />
</body>
</html>

2. Open that file with webkit/gtk

3. Click on the "Choose file" button, select any file and press OK (*).

4. WebKit/GTK crashes with the following stacktrace:

#4  <signal handler called>
#5  0xb6c18938 in cairo_save () from /usr/lib/libcairo.so.2
#6  0xb4cb2e64 in ?? ()
#7  0xb646e8aa in WebCore::RenderFileUploadControl::paintObject () from ./libwebkit-1.0.so
#8  0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so
#9  0xb6441b0f in WebCore::InlineBox::paint () from ./libwebkit-1.0.so
#10 0xb64432da in WebCore::InlineFlowBox::paint () from ./libwebkit-1.0.so
#11 0xb64c5dc3 in WebCore::RootInlineBox::paint () from ./libwebkit-1.0.so
#12 0xb647759c in WebCore::RenderFlow::paintLines () from ./libwebkit-1.0.so
#13 0xb644ebd3 in WebCore::RenderBlock::paintContents () from ./libwebkit-1.0.so
#14 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so
#15 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so
#16 0xb644eb40 in WebCore::RenderBlock::paintChildren () from ./libwebkit-1.0.so
#17 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so
#18 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so
#19 0xb644eb40 in WebCore::RenderBlock::paintChildren () from ./libwebkit-1.0.so
#20 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so
#21 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so
#22 0xb644eb40 in WebCore::RenderBlock::paintChildren () from ./libwebkit-1.0.so
#23 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so
#24 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so
#25 0xb644eb40 in WebCore::RenderBlock::paintChildren () from ./libwebkit-1.0.so
#26 0xb6458bbf in WebCore::RenderBlock::paintObject () from ./libwebkit-1.0.so
#27 0xb644f452 in WebCore::RenderBlock::paint () from ./libwebkit-1.0.so
#28 0xb6485d8d in WebCore::RenderLayer::paintLayer () from ./libwebkit-1.0.so
#29 0xb64859ed in WebCore::RenderLayer::paintLayer () from ./libwebkit-1.0.so
#30 0xb64860c1 in WebCore::RenderLayer::paint () from ./libwebkit-1.0.so
#31 0xb63ccc08 in WebCore::FrameView::paintContents () from ./libwebkit-1.0.so
#32 0xb63f8e61 in WebCore::ScrollView::paint () from ./libwebkit-1.0.so
#33 0xb63ce82e in WebCore::FrameView::updateControlTints () from ./libwebkit-1.0.so
#34 0xb63c001b in WebCore::FocusController::setActive () from ./libwebkit-1.0.so
#35 0xb61488a2 in webkit_web_view_focus_in_event () from ./libwebkit-1.0.so


This is happening as of rev. 37315; I've bisected the bug to have been introduced after rev. 37103 ...
Possibly as soon as rev. 37104, since it happens to be related to some painting code, but I couldn't test further as this revision and the following ones are not building successfully.

*: interestingly, it does not crash if one clicks on Cancel instead, so I guess it crashes when it paints the filename of the selected file.
Comment 1 Cedric Vivier 2008-10-05 18:38:32 PDT
After some more research, I've found out it crashes at line 205 of WebCore/rendering/RenderFileUploadControl.cpp when (trying to) paint the selected file icon:

m_fileChooser->icon()->paint(paintInfo.context, IntRect(iconX, iconY, iconWidth, iconHeight));

(and thus within IconGtk::paint() afterward)
Comment 2 Jan Alonzo 2008-10-18 02:20:12 PDT
Created attachment 24488
check if painting is enabled before painting the icon

This follows Mac and Win's behavior for Icon::paint
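The trace shows the crash under FrameView::updateControlTints(), a paint pass that runs without a real drawing target. The following is an added, simplified model of that situation and of the shape of the guard described in this attachment; it is not WebKit's own code, and GraphicsContext, CairoContext, PaintResult and the pass helpers are stand-ins constructed for the example.

```cpp
// Stand-in for cairo_t; a real one would be created from a GdkWindow.
struct CairoContext { int saveDepth = 0; };

// Simplified model of WebCore::GraphicsContext (hypothetical, not WebKit's).
// In this model a context built for the tint-update pass has painting
// disabled and no platform (cairo) context behind it.
struct GraphicsContext {
    CairoContext* platform = nullptr;
    bool disabled = false;
    bool paintingDisabled() const { return disabled; }
    CairoContext* platformContext() const { return platform; }
};

enum class PaintResult { Painted, Skipped, WouldCrash };

// Mirrors the unguarded icon paint: goes straight to cairo. Using a null
// cairo context is the cairo_save() crash in the trace; here it is reported
// as WouldCrash instead of segfaulting so the behaviour can be asserted.
PaintResult paintIconUnguarded(GraphicsContext* ctx) {
    CairoContext* cr = ctx->platformContext();
    if (!cr)
        return PaintResult::WouldCrash;
    ++cr->saveDepth;    // cairo_save()
    --cr->saveDepth;    // ... draw the icon ..., cairo_restore()
    return PaintResult::Painted;
}

// Guarded version, the shape of the fix: bail out before touching any
// platform resource when the context has painting disabled.
PaintResult paintIconGuarded(GraphicsContext* ctx) {
    if (ctx->paintingDisabled())
        return PaintResult::Skipped;
    return paintIconUnguarded(ctx);
}

// The tint update from the trace: paint pass with painting disabled.
PaintResult runTintUpdatePass(PaintResult (*paint)(GraphicsContext*)) {
    GraphicsContext tintCtx;   // no platform context
    tintCtx.disabled = true;
    return paint(&tintCtx);
}

// A normal expose: paint pass backed by a real cairo context.
PaintResult runExposePass(PaintResult (*paint)(GraphicsContext*)) {
    CairoContext cr;
    GraphicsContext ctx;
    ctx.platform = &cr;
    return paint(&ctx);
}
```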
Comment 3 Alp Toker 2008-10-18 04:34:42 PDT
Comment on attachment 24488
check if painting is enabled before painting the icon

r=me

Might be better to have the TODO comment after the paintingDisabled() check though.

Nice catch!
Comment 4 Jan Alonzo 2008-10-18 14:24:48 PDT
Thanks Alp. Landed in r37679