RESOLVED FIXED Bug 121148
[Qt] SHOULD NEVER BE REACHED is touched WebCore::InputType::createStepRange
https://bugs.webkit.org/show_bug.cgi?id=121148
Summary [Qt] SHOULD NEVER BE REACHED is touched WebCore::InputType::createStepRange
Renata Hodovan
Reported 2013-09-11 01:50:55 PDT
The test causes the crash: <input style="-webkit-appearance:slider-vertical;">

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff56dafad in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1 0x00007ffff43d0183 in WebCore::InputType::createStepRange (this=0x8c1eb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/InputType.cpp:1015
#2 0x00007ffff43ce73a in WebCore::InputType::maximum (this=0x8c1eb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/InputType.cpp:307
#3 0x00007ffff4393d7a in WebCore::HTMLInputElement::maximum (this=0x7998c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLInputElement.cpp:333
#4 0x00007ffff4a9e95b in WebCore::RenderThemeQStyle::paintSliderTrack (this=0x7dee70, o=0x8e3bc8, pi=..., r=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/qt/RenderThemeQStyle.cpp:440
#5 0x00007ffff49bef14 in WebCore::RenderTheme::paint (this=0x7dee70, o=0x8e3bc8, paintInfo=..., r=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderTheme.cpp:322
#6 0x00007ffff4870a62 in WebCore::RenderBox::paintBoxDecorations (this=0x8e3bc8, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBox.cpp:1184
#7 0x00007ffff481489e in WebCore::RenderBlock::paintObject (this=0x8e3bc8, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3299
#8 0x00007ffff48126cf in WebCore::RenderBlock::paint (this=0x8e3bc8, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3019
#9 0x00007ffff49bb168 in WebCore::RenderTextControlSingleLine::paint (this=0x8e3bc8, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderTextControlSingleLine.cpp:80
#10 0x00007ffff47e3630 in WebCore::InlineBox::paint (this=0x8ecb88, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/InlineBox.cpp:230
#11 0x00007ffff47ebce3 in WebCore::InlineFlowBox::paint (this=0x8ecbe8, paintInfo=..., paintOffset=..., lineTop=..., lineBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/InlineFlowBox.cpp:1170
#12 0x00007ffff49d9938 in WebCore::RootInlineBox::paint (this=0x8ecbe8, paintInfo=..., paintOffset=..., lineTop=..., lineBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RootInlineBox.cpp:212
#13 0x00007ffff49437dd in WebCore::RenderLineBoxList::paint (this=0x7de9e0, renderer=0x7de948, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLineBoxList.cpp:262
#14 0x00007ffff4813eff in WebCore::RenderBlock::paintContents (this=0x7de948, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3206
#15 0x00007ffff4814a48 in WebCore::RenderBlock::paintObject (this=0x7de948, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3323
#16 0x00007ffff48126cf in WebCore::RenderBlock::paint (this=0x7de948, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3019
#17 0x00007ffff4814407 in WebCore::RenderBlock::paintChild (this=0x782548, child=0x7de948, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3256
#18 0x00007ffff481403d in WebCore::RenderBlock::paintChildren (this=0x782548, paintInfo=..., paintOffset=..., paintInfoForChild=..., usePrintRect=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3226
#19 0x00007ffff4813fe1 in WebCore::RenderBlock::paintContents (this=0x782548, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3219
#20 0x00007ffff4814a48 in WebCore::RenderBlock::paintObject (this=0x782548, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3323
#21 0x00007ffff48126cf in WebCore::RenderBlock::paint (this=0x782548, paintInfo=..., paintOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:3019
#22 0x00007ffff4911185 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase (this=0x7dd2f8, phase=WebCore::PaintPhaseForeground, layerFragments=..., context=0x7fffffffb930, localPaintingInfo=..., paintBehavior=0, subtreePaintRootForRenderer=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:4175
#23 0x00007ffff4910e8a in WebCore::RenderLayer::paintForegroundForFragments (this=0x7dd2f8, layerFragments=..., context=0x7fffffffb930, transparencyLayerContext=0x7fffffffb930, transparencyPaintDirtyRect=..., haveTransparency=false, localPaintingInfo=..., paintBehavior=0, subtreePaintRootForRenderer=0x0, selectionOnly=false, forceBlackText=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:4151
#24 0x00007ffff490f7b4 in WebCore::RenderLayer::paintLayerContents (this=0x7dd2f8, context=0x7fffffffb930, paintingInfo=..., paintFlags=224) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:3882
#25 0x00007ffff490e694 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=0x7dd2f8, context=0x7fffffffb930, paintingInfo=..., paintFlags=224) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:3646
#26 0x00007ffff490e589 in WebCore::RenderLayer::paintLayer (this=0x7dd2f8, context=0x7fffffffb930, paintingInfo=..., paintFlags=224) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:3628
#27 0x00007ffff490fe45 in WebCore::RenderLayer::paintList (this=0x7a79b8, list=0x8ec700, context=0x7fffffffb930, paintingInfo=..., paintFlags=224) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:3968
#28 0x00007ffff490f873 in WebCore::RenderLayer::paintLayerContents (this=0x7a79b8, context=0x7fffffffb930, paintingInfo=..., paintFlags=224) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:3893
#29 0x00007ffff490e694 in WebCore::RenderLayer::paintLayerContentsAndReflection (this=0x7a79b8, context=0x7fffffffb930, paintingInfo=..., paintFlags=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:3646
#30 0x00007ffff490e589 in WebCore::RenderLayer::paintLayer (this=0x7a79b8, context=0x7fffffffb930, paintingInfo=..., paintFlags=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:3628
#31 0x00007ffff490d84c in WebCore::RenderLayer::paint (this=0x7a79b8, context=0x7fffffffb930, damageRect=..., paintBehavior=0, subtreePaintRoot=0x0, region= 0x0, paintFlags=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:3438
#32 0x00007ffff4671fba in WebCore::FrameView::paintContents (this=0x7e1ff0, p=0x7fffffffb930, rect=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:3564
#33 0x00007ffff3b97e0a in QWebFrameAdapter::renderRelativeCoords (this=0x7a38f0, painter=0x7fffffffba90, layers=255, clip=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WebCoreSupport/QWebFrameAdapter.cpp:541
#34 0x00007ffff7baa7a0 in QWebFrame::render (this=0x7e18c0, painter=0x7fffffffba90, layer=..., clip=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WidgetApi/qwebframe.cpp:644
#35 0x00007ffff7baa870 in QWebFrame::render (this=0x7e18c0, painter=0x7fffffffba90, clip=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WidgetApi/qwebframe.cpp:654
#36 0x00007ffff7bb9492 in QWebView::paintEvent (this=0x7ac910, ev=0x7fffffffc270) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WidgetApi/qwebview.cpp:829
#37 0x00007ffff3064848 in QWidget::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#38 0x00007ffff7bb923b in QWebView::event (this=0x7ac910, e=0x7fffffffc270) at /home/reni/Data/REPOS/webkit_sec/Source/WebKit/qt/WidgetApi/qwebview.cpp:733
#39 0x00007ffff302ddbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#40 0x00007ffff3031075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#41 0x00007ffff21c1dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#42 0x00007ffff3061705 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#43 0x00007ffff306217b in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#44 0x00007ffff3061256 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#45 0x00007ffff306217b in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#46 0x00007ffff3061fd1 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#47 0x00007ffff3061fd1 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#48 0x00007ffff3061256 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#49 0x00007ffff303709f in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#50 0x00007ffff3037839 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#51 0x00007ffff3082bc3 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#52 0x00007ffff302ddbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#53 0x00007ffff3031075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#54 0x00007ffff21c1dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#55 0x00007ffff26983a7 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#56 0x00007ffff269f53d in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#57 0x00007ffff268ea68 in QWindowSystemInterface::sendWindowSystemEventsImplementation(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#58 0x00007fffe80776b0 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/plugins/platforms/libxcb.so
#59 0x00007fffee34a2d6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3065
#60 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3641
#61 0x00007fffee34a628 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3712
#62 0x00007fffee34a6cc in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3773
#63 0x00007ffff22094bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#64 0x00007ffff21c0d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#65 0x00007ffff21c4120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#66 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#67 0x0000000000423680 in main (argc=2, argv=0x7fffffffdb08) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Attachments
Proposed patch according to yosins comment (4.08 KB, patch)
2013-09-12 05:11 PDT, Renata Hodovan
no flags
yosin
Comment 1 2013-09-11 21:09:00 PDT
RenderThemeQStyle::paintSliderTrack() should check HTMLInputElement::isSteppable() rather than whether the HTMLInputElement is rendered as a slider.

bool RenderThemeQStyle::paintSliderTrack(...)
{
    ...
    HTMLInputElement* slider = o->node()->toInputElement();
    if (slider && slider->isSteppable()) {
        ...
        p.styleOption.slider.maximum = slider->maximum() * width;
        ...
    }
    ...
}

Note: Blink doesn't assert for data:text/html,<input style="-webkit-appearance:slider-vertical;">
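An added illustration of the guard proposed above, not WebKit's code: a toy InputType/HTMLInputElement model (all class and function names here are stand-ins) in which the pre-fix painter decides by how the element is rendered and so reaches the createStepRange() assert for a text input styled as a slider, while the fixed painter checks isSteppable() first.

```cpp
#include <memory>
#include <stdexcept>

struct StepRange { double minimum, maximum; };

// Stand-in for WebCore::InputType. Text-like types have no step range, so the
// base createStepRange() models the SHOULD_NEVER_BE_REACHED assert as a throw.
class InputType {
public:
    virtual ~InputType() = default;
    virtual bool isSteppable() const { return false; }
    virtual StepRange createStepRange() const {
        throw std::logic_error("SHOULD_NEVER_BE_REACHED in createStepRange");
    }
    double maximum() const { return createStepRange().maximum; }
};
class TextInputType : public InputType {};
class RangeInputType : public InputType {
public:
    bool isSteppable() const override { return true; }
    StepRange createStepRange() const override { return {0.0, 100.0}; }
};

// Stand-in for HTMLInputElement; renderedAsSlider models the effect of
// -webkit-appearance:slider-vertical, which CSS can set on any input type.
struct HTMLInputElement {
    std::unique_ptr<InputType> type;
    bool renderedAsSlider;
    bool isSteppable() const { return type->isSteppable(); }
    double maximum() const { return type->maximum(); }
};

// Before the fix: guarded by rendering, so a styled text input reaches the assert.
double sliderMaximumUnguarded(const HTMLInputElement& e, int width) {
    return e.renderedAsSlider ? e.maximum() * width : 0.0;
}
// After the fix (yosin's suggestion): guard on isSteppable() instead.
double sliderMaximumGuarded(const HTMLInputElement& e, int width) {
    return e.isSteppable() ? e.maximum() * width : 0.0;
}
HTMLInputElement makeInput(bool steppable, bool renderedAsSlider) {
    HTMLInputElement e{nullptr, renderedAsSlider};
    if (steppable) e.type = std::make_unique<RangeInputType>();
    else e.type = std::make_unique<TextInputType>();
    return e;
}
// True when the pre-fix painter path reaches the modelled assert.
bool unguardedReachesAssert(bool steppable, bool renderedAsSlider) {
    try { sliderMaximumUnguarded(makeInput(steppable, renderedAsSlider), 1); }
    catch (const std::logic_error&) { return true; }
    return false;
}
```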
Renata Hodovan
Comment 2 2013-09-12 05:11:19 PDT
Created attachment 211422 [details] Proposed patch according to yosins comment
Kent Tamura
Comment 3 2013-09-12 14:45:42 PDT
Comment on attachment 211422 [details] Proposed patch according to yosins comment ok
WebKit Commit Bot
Comment 4 2013-09-12 15:08:28 PDT
Comment on attachment 211422 [details] Proposed patch according to yosins comment
Clearing flags on attachment: 211422
Committed r155651: <http://trac.webkit.org/changeset/155651>
WebKit Commit Bot
Comment 5 2013-09-12 15:08:31 PDT
All reviewed patches have been landed. Closing bug.