Bug 152847 - Absolute positioning -webkit-search-cancel-button crashes Safari
Summary: Absolute positioning -webkit-search-cancel-button crashes Safari
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: Safari 9
Hardware: Mac OS X 10.10
Importance: P2 Normal
Assignee: zalan
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-01-07 12:33 PST by m.renty
Modified: 2016-01-08 22:28 PST (History)
CC List: 8 users

See Also:


Attachments
Patch (17.21 KB, patch)
2016-01-08 20:13 PST, zalan
no flags
Patch (27.66 KB, patch)
2016-01-08 20:54 PST, zalan
no flags

Description m.renty 2016-01-07 12:33:55 PST
When trying to absolutely position the -webkit-search-cancel-button of an input[type=search], Safari quits unexpectedly.
I recreated it in JSBin http://jsbin.com/bimiqipojo, you can trigger it by focussing the input.
Tested this both in OSX 10.10 and 10.11.
Comment 1 zalan 2016-01-07 19:42:44 PST
I can't reproduce it with trunk r194751.
Comment 2 m.renty 2016-01-08 00:18:58 PST
What do you mean with trunk r194751?
I have enclosed a link to JSBin where I recreated the bug; when you focus the input, Safari quits every time.

(In reply to comment #1)
> I can't reproduce it with trunk r194751.
Comment 3 zalan 2016-01-08 13:07:45 PST
(In reply to comment #2)
> What do you mean with trunk r194751?
> I have enclosed a link to JSBin where I recreated the bug, when you focus
> the input Safari quits every time.
> 
> (In reply to comment #1)
> > I can't reproduce it with trunk r194751.

Could you include the version of Safari that you use to reproduce this crash?
(something like Version 9.0.X (XXXXX.X.X))
Comment 4 Simon Fraser (smfr) 2016-01-08 13:18:34 PST
I can reproduce with r194567. Click in the input, then type:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010cb003b7 WebCore::RenderBox::offsetFromContainer(WebCore::RenderElement&, WebCore::LayoutPoint const&, bool*) const + 135
1   com.apple.WebCore             	0x000000010cbeade3 WebCore::RenderThemeMac::convertToPaintingRect(WebCore::RenderObject const&, WebCore::RenderObject const&, WebCore::FloatRect const&, WebCore::IntRect const&) const + 131
2   com.apple.WebCore             	0x000000010cbef558 WebCore::RenderThemeMac::paintSearchFieldCancelButton(WebCore::RenderObject const&, WebCore::PaintInfo const&, WebCore::IntRect const&) + 1096
3   com.apple.WebCore             	0x000000010cbe740c WebCore::RenderTheme::paint(WebCore::RenderBox const&, WebCore::ControlStates&, WebCore::PaintInfo const&, WebCore::LayoutRect const&) + 1516
4   com.apple.WebCore             	0x000000010bed579d WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 541
5   com.apple.WebCore             	0x000000010bed2db5 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 277
6   com.apple.WebCore             	0x000000010bed5126 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 326
7   com.apple.WebCore             	0x000000010cb57871 WebCore::RenderLayer::paintBackgroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 385
8   com.apple.WebCore             	0x000000010cb546ea WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2650
9   com.apple.WebCore             	0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320
10  com.apple.WebCore             	0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320
11  com.apple.WebCore             	0x000000010cb52677 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int) + 263
12  com.apple.WebCore             	0x000000010c43cd12 WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&) + 514
13  com.apple.WebCore             	0x000000010cc58630 WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) + 416
14  com.apple.WebCore             	0x000000010bfa174d WebCore::RenderWidget::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 909
15  com.apple.WebCore             	0x000000010bfa10e3 WebCore::RenderWidget::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 787
16  com.apple.WebCore             	0x000000010cb5abba WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 394
17  com.apple.WebCore             	0x000000010cb57b40 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool) + 496
18  com.apple.WebCore             	0x000000010cb54840 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2992
19  com.apple.WebCore             	0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320
20  com.apple.WebCore             	0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320
21  com.apple.WebCore             	0x000000010cb52677 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int) + 263
22  com.apple.WebCore             	0x000000010c43cd12 WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&) + 514
23  com.apple.WebCore             	0x000000010cc58630 WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) + 416
24  com.apple.WebCore             	0x000000010bfa174d WebCore::RenderWidget::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 909
25  com.apple.WebCore             	0x000000010bfa10e3 WebCore::RenderWidget::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 787
26  com.apple.WebCore             	0x000000010cb5abba WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 394
27  com.apple.WebCore             	0x000000010cb57b40 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool) + 496
28  com.apple.WebCore             	0x000000010cb54840 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2992
29  com.apple.WebCore             	0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320
30  com.apple.WebCore             	0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320
31  com.apple.WebCore             	0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320
32  com.apple.WebCore             	0x000000010cb54988 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 3320
33  com.apple.WebCore             	0x000000010cb65bcc WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, unsigned int, unsigned int) + 524
34  com.apple.WebCore             	0x000000010cb65e70 WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 528
35  com.apple.WebCore             	0x000000010c469977 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 135
36  com.apple.WebCore             	0x000000010caa18c9 WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow, 16ul>&) + 345
37  com.apple.WebCore             	0x000000010ce1e533 WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 163
38  com.apple.WebCore             	0x000000010cec34ac -[WebSimpleLayer drawInContext:] + 172
Comment 5 Radar WebKit Bug Importer 2016-01-08 13:18:45 PST
<rdar://problem/24112087>
Comment 6 m.renty 2016-01-08 13:20:53 PST
It occurs in Safari Version 9.0.2 (10601.3.9) both on OSX 10.10.5 and 10.11.2.
When you focus the input[type=search] everything is fine, but when you type the first character Safari quits.

(In reply to comment #3)
> (In reply to comment #2)
> > What do you mean with trunk r194751?
> > I have enclosed a link to JSBin where I recreated the bug, when you focus
> > the input Safari quits every time.
> > 
> > (In reply to comment #1)
> > > I can't reproduce it with trunk r194751.
> 
> Could you include the version of Safari that you use to reproduce this crash?
> (something like Version 9.0.X (XXXXX.X.X))
Comment 7 zalan 2016-01-08 13:30:35 PST
containingRenderer -> null

ASSERTION FAILED: containingRenderer
RenderThemeMac.mm(685) : WebCore::FloatRect WebCore::RenderThemeMac::convertToPaintingRect(const WebCore::RenderObject &, const WebCore::RenderObject &, const WebCore::FloatRect &, const WebCore::IntRect &) const
1   0x10f02cb80 WTFCrash
2   0x112bad992 WebCore::RenderThemeMac::convertToPaintingRect(WebCore::RenderObject const&, WebCore::RenderObject const&, WebCore::FloatRect const&, WebCore::IntRect const&) const
3   0x112bb6b21 WebCore::RenderThemeMac::paintSearchFieldCancelButton(WebCore::RenderObject const&, WebCore::PaintInfo const&, WebCore::IntRect const&)
4   0x112ba566c WebCore::RenderTheme::paint(WebCore::RenderBox const&, WebCore::ControlStates&, WebCore::PaintInfo const&, WebCore::LayoutRect const&)
5   0x112902d79 WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
6   0x112892dd4 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
7   0x1128920e5 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
8   0x1129eb250 WebCore::RenderLayer::paintBackgroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*)
9   0x1129e75f6 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
10  0x1129e6c5a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
11  0x1129e59d6 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
12  0x1129eb374 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
13  0x1129e7848 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
14  0x1129e6c5a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
15  0x1129e59d6 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
16  0x1129eb374 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
17  0x1129e7848 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
18  0x1129e6c5a WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
19  0x1129e59d6 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
20  0x1129e5321 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int)
21  0x11185b3ce WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&)
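A minimal reproduction page, added here so the crash can be regression-tested without the JSBin link. It is constructed from the description and comments 4 and 6, and is not the reporter's JSBin nor the layout test that landed with r194817. The exact CSS the reporter used is not on this page, so the 2px offsets are assumptions; the script that fills the field is also an assumption, based on comment 6's note that the crash fires on the first typed character rather than on focus, which suggests the cancel button is only painted once the field has a value.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Constructed repro: absolutely positioned ::-webkit-search-cancel-button</title>
<style>
  /* Positioned ancestor so "absolute" on the cancel button resolves
     against the input box (assumed to match the reporter's setup). */
  input[type="search"] {
    position: relative;
    width: 200px;
  }
  /* The trigger reported in this bug: taking the cancel button out of
     the input's normal flow. The offsets are arbitrary (assumption). */
  input[type="search"]::-webkit-search-cancel-button {
    position: absolute;
    right: 2px;
    top: 2px;
  }
</style>
</head>
<body>
<p>Focus the field and type one character. Before r194817 this hit
   RenderThemeMac::convertToPaintingRect with a null containingRenderer
   (assertion in comment 7); after the fix the page must stay alive and
   the cancel button must paint.</p>
<input type="search" id="q" placeholder="type here">
<script>
  // Assumption: giving the field a value from script takes the same
  // paintSearchFieldCancelButton path as typing the first character,
  // so the page can also serve as an automated layout test.
  var q = document.getElementById('q');
  q.focus();
  q.value = 'x';
  // WebKit layout-test harness hook; a no-op in a normal browser.
  if (window.testRunner) {
    testRunner.dumpAsText();
  }
  document.body.appendChild(document.createTextNode('PASS: did not crash'));
</script>
</body>
</html>
```

Open it in a build before and after r194817 (comment 11): the earlier build should crash in the paint path shown in comment 4, the later one should render the field with the button at the absolute offset.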
Comment 8 zalan 2016-01-08 20:13:16 PST
Created attachment 268605 [details]
Patch
Comment 9 zalan 2016-01-08 20:54:17 PST
Created attachment 268610 [details]
Patch
Comment 10 Simon Fraser (smfr) 2016-01-08 21:22:49 PST
Comment on attachment 268610 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=268610&action=review

> Source/WebCore/rendering/RenderThemeMac.mm:679
> +    IntPoint offsetFromInputRenderer = roundedIntPoint(customButtonRenderer.localToContainerPoint(customButtonRenderer.contentBoxRect().location(), &inputRenderer));
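Review bot: roundedIntPoint() rounds the cancel button's offset relative to inputRenderer to whole pixels before that offset is used to build the painting rect, so a sub-pixel contentBoxRect() location (LayoutUnit precision) is lost and the painted button can land up to half a pixel away from its layout position. Passing &inputRenderer as the container is what avoids the null containingRenderer from comment 7, so keep that, but hold the offset in a LayoutPoint (or FloatPoint) and round only once the final rect is assembled.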

Should this be FloatPoint or LayoutPoint?
Comment 11 WebKit Commit Bot 2016-01-08 22:27:59 PST
Comment on attachment 268610 [details]
Patch

Clearing flags on attachment: 268610

Committed r194817: <http://trac.webkit.org/changeset/194817>
Comment 12 WebKit Commit Bot 2016-01-08 22:28:04 PST
All reviewed patches have been landed.  Closing bug.