RESOLVED FIXED 101133
Crash when replacing parts of text inputs with content: url(...) 
https://bugs.webkit.org/show_bug.cgi?id=101133
Summary Crash when replacing parts of text inputs with content: url(...)
Elliott Sprehn
Reported 2012-11-02 17:17:07 PDT
When you replace a part of a text input with an image using content: url(...) we crash in WebCore::RenderTextControlSingleLine::layout() #0 0x7f3d63b22655 in WebCore::RenderTextControlSingleLine::layout() third_party/WebKit/Source/WebCore/rendering/RenderTextControlSingleLine.cpp:111 #1 0x7f3d62f51f30 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:662 #2 0x7f3d630979d3 in WebCore::RenderBlock::layoutPositionedObjects(bool) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2682 #3 0x7f3d6308bc34 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1588 #4 0x7f3d63086cdd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383 #5 0x7f3d62f51f30 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:662 #6 0x7f3d630979d3 in WebCore::RenderBlock::layoutPositionedObjects(bool) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2682 #7 0x7f3d6308bc34 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1588 #8 0x7f3d63086cdd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383 This is enough to cause it: <style> input::-webkit-textfield-decoration-container { content: url(""); } </style> <input type=number> This is because of the hack in RenderObject::createObject where we swap out the correct renderer for an element with a RenderImage if content is specified and only has a url(...). http://code.google.com/searchframe#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp&exact_package=chromium&q=RenderObject.cpp&type=cs&l=144
Attachments
Reduction (instant crash!) (126 bytes, text/html)
2012-11-02 17:18 PDT, Elliott Sprehn 		no flags
Details
Patch (3.41 KB, patch)
2012-11-07 03:20 PST, Takashi Sakamoto 		no flags
DetailsFormatted DiffDiff
Patch (4.31 KB, patch)
2012-11-12 19:50 PST, Takashi Sakamoto 		no flags
DetailsFormatted DiffDiff
Patch (5.56 KB, patch)
2012-11-12 23:40 PST, Takashi Sakamoto 		no flags
DetailsFormatted DiffDiff
Patch for landing (5.54 KB, patch)
2012-11-13 18:11 PST, Takashi Sakamoto 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Elliott Sprehn
Comment 1 2012-11-02 17:18:26 PDT
Created attachment 172181 [details] Reduction (instant crash!)
Elliott Sprehn
Comment 2 2012-11-02 17:49:10 PDT
I think the trivial fix for this is to override the content property in these cases: http://code.google.com/searchframe#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/html/TextFieldInputType.cpp&exact_package=chromium&q=textfield-decoration-container&type=cs&l=248 we should do m_container->setInlineStyleProperty(CSSPropertyContent, "none", false); as I can't fathom why you'd ever actually intend to swap out the entire inside of a text input with a content image.
Takashi Sakamoto
Comment 3 2012-11-07 03:20:58 PST
Created attachment 172749 [details] Patch
Elliott Sprehn
Comment 4 2012-11-09 10:16:51 PST
Comment on attachment 172749 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=172749&action=review > Source/WebCore/css/html.css:439 > + content: none !important; Do !important rules in author style sheets not override ones in the UA sheet? > LayoutTests/fast/dom/HTMLInputElement/input-set-content-url-crash.html:5 > + content: url(""); What happens if you put an !important here?
Eric Seidel (no email)
Comment 5 2012-11-09 12:57:41 PST
Comment on attachment 172749 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=172749&action=review I think we need some sort of ASSERT or other guard in the C++ code to make sure we don't ever hit this again. Right now if we removed that line we would start having this crash again. I suspect that's true of many lines in our UA file, but it still seems worthy of a C++ ASSERT to validate our understanding of the code's limitations. >> Source/WebCore/css/html.css:439 >> + content: none !important; > > Do !important rules in author style sheets not override ones in the UA sheet? UA sheets win: http://www.w3.org/TR/CSS2/cascade.html#cascading-order
Takashi Sakamoto
Comment 6 2012-11-12 19:50:37 PST
Created attachment 173798 [details] Patch
Takashi Sakamoto
Comment 7 2012-11-12 19:59:26 PST
Comment on attachment 172749 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=172749&action=review Thank you for reviewing. I added ASSERT to TextFieldInputType::attach() to confirm that container has no content data. Best regards, Takashi Sakamoto >> LayoutTests/fast/dom/HTMLInputElement/input-set-content-url-crash.html:5 >> + content: url(""); > > What happens if you put an !important here? I agree that I should add !important here. Done.
Kent Tamura
Comment 8 2012-11-12 22:49:08 PST
Comment on attachment 173798 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review > Source/WebCore/ChangeLog:11 > + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html Would you put the test as fast/forms/number/number-content-url-crash.html please? Also, this bug should happen with <input type=search>. We had better have the same test for type=search.
Takashi Sakamoto
Comment 9 2012-11-12 23:25:40 PST
Comment on attachment 173798 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review >> Source/WebCore/ChangeLog:11 >> + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html > > Would you put the test as fast/forms/number/number-content-url-crash.html please? > Also, this bug should happen with <input type=search>. We had better have the same test for type=search. So... I know the following input types inherit from class TextFieldInputType: - TextInputType - URLInputType - EmailInputType - SearchInputType - PasswordInputType - TelephoneInputType - NumberInputType - BaseDateAndTimeInputType We have to add the same test for above all types?
Kent Tamura
Comment 10 2012-11-12 23:30:55 PST
Comment on attachment 173798 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review >>> Source/WebCore/ChangeLog:11 >>> + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html >> >> Would you put the test as fast/forms/number/number-content-url-crash.html please? >> Also, this bug should happen with <input type=search>. We had better have the same test for type=search. > > So... I know the following input types inherit from class TextFieldInputType: > - TextInputType > - URLInputType > - EmailInputType > - SearchInputType > - PasswordInputType > - TelephoneInputType > - NumberInputType > - BaseDateAndTimeInputType > > We have to add the same test for above all types? No. -webkit-textfield-decoration-container is used only in type=number and type=search.
Takashi Sakamoto
Comment 11 2012-11-12 23:39:49 PST
(In reply to comment #10) > (From update of attachment 173798 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review > > >>> Source/WebCore/ChangeLog:11 > >>> + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html > >> > >> Would you put the test as fast/forms/number/number-content-url-crash.html please? > >> Also, this bug should happen with <input type=search>. We had better have the same test for type=search. > > > > So... I know the following input types inherit from class TextFieldInputType: > > - TextInputType > > - URLInputType > > - EmailInputType > > - SearchInputType > > - PasswordInputType > > - TelephoneInputType > > - NumberInputType > > - BaseDateAndTimeInputType > > > > We have to add the same test for above all types? > > No. -webkit-textfield-decoration-container is used only in type=number and type=search. I see.
Takashi Sakamoto
Comment 12 2012-11-12 23:40:37 PST
Created attachment 173834 [details] Patch
Takashi Sakamoto
Comment 13 2012-11-12 23:42:03 PST
(In reply to comment #11) > (In reply to comment #10) > > (From update of attachment 173798 [details] [details]) > > View in context: https://bugs.webkit.org/attachment.cgi?id=173798&action=review > > > > >>> Source/WebCore/ChangeLog:11 > > >>> + Test: fast/dom/HTMLInputElement/input-set-content-url-crash.html > > >> > > >> Would you put the test as fast/forms/number/number-content-url-crash.html please? > > >> Also, this bug should happen with <input type=search>. We had better have the same test for type=search. > > > > > > So... I know the following input types inherit from class TextFieldInputType: > > > - TextInputType > > > - URLInputType > > > - EmailInputType > > > - SearchInputType > > > - PasswordInputType > > > - TelephoneInputType > > > - NumberInputType > > > - BaseDateAndTimeInputType > > > > > > We have to add the same test for above all types? > > > > No. -webkit-textfield-decoration-container is used only in type=number and type=search. Thanks. > I see. I added number-content-url-crash.html and search-content-url-crash.html instead of input-set-content-url-crash.html. Best regards, Takashi Sakamoto
Kent Tamura
Comment 14 2012-11-12 23:52:33 PST
Comment on attachment 173834 [details] Patch ok
WebKit Review Bot
Comment 15 2012-11-13 00:24:22 PST
Comment on attachment 173834 [details] Patch Clearing flags on attachment: 173834 Committed r134377: <http://trac.webkit.org/changeset/134377>
WebKit Review Bot
Comment 16 2012-11-13 00:24:26 PST
All reviewed patches have been landed. Closing bug.
Dimitri Glazkov (Google)
Comment 17 2012-11-13 16:34:11 PST
Reverted r134377 for reason: Caused a mysterious Android Clang build failure, needs investigation before landing again. Committed r134506: <http://trac.webkit.org/changeset/134506>
Dimitri Glazkov (Google)
Comment 18 2012-11-13 16:36:18 PST
This caused a weird breakage upstream: http://build.chromium.org/p/chromium.linux/builders/Android%20Clang%20Builder%20%28dbg%29/builds/1281/steps/compile/logs/stdio
Kent Tamura
Comment 19 2012-11-13 16:40:18 PST
Was it fixed by https://bugs.webkit.org/show_bug.cgi?id=102108 ?
Dimitri Glazkov (Google)
Comment 20 2012-11-13 17:15:49 PST
Doh! Can you guys re-land the patch?
Eric Seidel (no email)
Comment 21 2012-11-13 17:34:08 PST
There is no real need for these two tests to be separate. :) But that also shouldn't stand in the way of this patch (re-)landing.
Takashi Sakamoto
Comment 22 2012-11-13 18:10:50 PST
Sorry, Dimitri. Thank you, Kent-san. I will re-land the patch. Best regards, Takashi Sakamoto
Takashi Sakamoto
Comment 23 2012-11-13 18:11:40 PST
Created attachment 174046 [details] Patch for landing
WebKit Review Bot
Comment 24 2012-11-14 02:47:47 PST
Comment on attachment 174046 [details] Patch for landing Clearing flags on attachment: 174046 Committed r134584: <http://trac.webkit.org/changeset/134584>
WebKit Review Bot
Comment 25 2012-11-14 02:47:52 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.