RESOLVED FIXED 193012
[Datalist] Crash when input with datalist is dynamically added.
https://bugs.webkit.org/show_bug.cgi?id=193012
zalan
Reported 2018-12-22 17:33:46 PST
Attachments
Patch (5.32 KB, patch)
2018-12-22 17:35 PST, zalan
no flags
Patch (7.16 KB, patch)
2018-12-25 09:47 PST, zalan
no flags
Archive of layout-test-results from ews123 for ios-simulator-wk2 (2.50 MB, application/zip)
2018-12-25 14:45 PST, EWS Watchlist
no flags
Patch (7.13 KB, patch)
2019-01-02 11:18 PST, zalan
no flags
Patch (7.11 KB, patch)
2019-01-02 14:39 PST, zalan
no flags
zalan
Comment 1 2018-12-22 17:35:56 PST
zalan
Comment 2 2018-12-22 17:43:10 PST
The m_dataListDropdownIndicator is constructed in TextFieldInputType::createShadowSubtree(). However, when the element is being cloned, createShadowSubtree() returns early because element()->hasAttributeWithoutSynchronization(listAttr) is false (the list attribute is not set yet).

* frame #0: 0x00000004b8aebdb8 WebCore`WebCore::Element::hasAttributeWithoutSynchronization(this=0x00000004e19000f8, name=0x00000004bd6640d0) const at Element.h:747
frame #1: 0x00000004ba8caa18 WebCore`WebCore::TextFieldInputType::needsContainer(this=0x00000004e08adb48) const at TextFieldInputType.cpp:307
frame #2: 0x00000004ba8c6560 WebCore`WebCore::TextFieldInputType::createShadowSubtree(this=0x00000004e08adb48) at TextFieldInputType.cpp:339
frame #3: 0x00000004ba7637f8 WebCore`WebCore::HTMLInputElement::didAddUserAgentShadowRoot(this=0x00000004e19000f8, (null)=0x00000004dd4004b0) at HTMLInputElement.cpp:157
frame #4: 0x00000004ba3bfcc3 WebCore`WebCore::Element::addShadowRoot(this=0x00000004e19000f8, newShadowRoot=0x00007ffee95880f8) at Element.cpp:2061
frame #5: 0x00000004ba3c0536 WebCore`WebCore::Element::ensureUserAgentShadowRoot(this=0x00000004e19000f8) at Element.cpp:2156
frame #6: 0x00000004ba7635d0 WebCore`WebCore::HTMLInputElement::create(tagName=0x00000004e1100150, document=0x00000004d9e02180, form=0x0000000000000000, createdByParser=false) at HTMLInputElement.cpp:143
frame #7: 0x00000004b83f0f88 WebCore`WebCore::inputConstructor(tagName=0x00000004e1100150, document=0x00000004d9e02180, formElement=0x0000000000000000, createdByParser=false) at HTMLElementFactory.cpp:332
frame #8: 0x00000004b83ea80e WebCore`WebCore::HTMLElementFactory::createKnownElement(name=0x00000004e1100150, document=0x00000004d9e02180, formElement=0x0000000000000000, createdByParser=false) at HTMLElementFactory.cpp:763
frame #9: 0x00000004ba2f16f4 WebCore`WebCore::Document::createElement(this=0x00000004d9e02180, name=0x00000004e1100150, createdByParser=false) at Document.cpp:1088
frame #10: 0x00000004ba3b5421 WebCore`WebCore::Element::cloneElementWithoutAttributesAndChildren(this=0x00000004e11000f8, targetDocument=0x00000004d9e02180) at Element.cpp:382
frame #11: 0x00000004ba3b5242 WebCore`WebCore::Element::cloneElementWithoutChildren(this=0x00000004e11000f8, targetDocument=0x00000004d9e02180) at Element.cpp:370
frame #12: 0x00000004ba3b51a7 WebCore`WebCore::Element::cloneNodeInternal(this=0x00000004e11000f8, targetDocument=0x00000004d9e02180, type=SelfWithTemplateContent) at Element.cpp:354
frame #13: 0x00000004ba2a10b9 WebCore`WebCore::ContainerNode::cloneChildNodes(this=0x00000004e0f005b0, clone=0x00000004e0f00618) at ContainerNode.cpp:756
frame #14: 0x00000004ba2a1149 WebCore`WebCore::ContainerNode::cloneChildNodes(this=0x00000004e1700060, clone=0x00000004e0d00160) at ContainerNode.cpp:758
frame #15: 0x00000004ba320168 WebCore`WebCore::DocumentFragment::cloneNodeInternal(this=0x00000004e1700060, targetDocument=0x00000004d9e02180, type=Everything) at DocumentFragment.cpp:79
frame #16: 0x00000004ba2f1fde WebCore`WebCore::Document::importNode(this=0x00000004d9e02180, nodeToImport=0x00000004e1700060, deep=true) at Document.cpp:990
frame #17: 0x00000004b894da94 WebCore`WebCore::jsDocumentPrototypeFunctionImportNodeBody(state=0x00007ffee9588830, castedThis=0x00000004d745c000, throwScope=0x00007ffee95887b0) at JSDocument.cpp:4679
frame #18: 0x00000004b89309e0 WebCore`long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(state=0x00007ffee9588830, operationName="importNode")), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) at JSDOMOperation.h:53
frame #19: 0x00000004b89306cc WebCore`WebCore::jsDocumentPrototypeFunctionImportNode(state=0x00007ffee9588830) at JSDocument.cpp:4684

and we set the list attr later at

* frame #0: 0x00000004ba3c9537 WebCore`WebCore::Element::cloneAttributesFromElement(this=0x00000004e19000f8, other=0x00000004e11000f8) at Element.cpp:3820
frame #1: 0x00000004ba3b53af WebCore`WebCore::Element::cloneDataFromElement(this=0x00000004e19000f8, other=0x00000004e11000f8) at Element.cpp:3863
frame #2: 0x00000004ba3b52dc WebCore`WebCore::Element::cloneElementWithoutChildren(this=0x00000004e11000f8, targetDocument=0x00000004d9e02180) at Element.cpp:376
frame #3: 0x00000004ba3b51a7 WebCore`WebCore::Element::cloneNodeInternal(this=0x00000004e11000f8, targetDocument=0x00000004d9e02180, type=SelfWithTemplateContent) at Element.cpp:354
frame #4: 0x00000004ba2a10b9 WebCore`WebCore::ContainerNode::cloneChildNodes(this=0x00000004e0f005b0, clone=0x00000004e0f00618) at ContainerNode.cpp:756
frame #5: 0x00000004ba2a1149 WebCore`WebCore::ContainerNode::cloneChildNodes(this=0x00000004e1700060, clone=0x00000004e0d00160) at ContainerNode.cpp:758
frame #6: 0x00000004ba320168 WebCore`WebCore::DocumentFragment::cloneNodeInternal(this=0x00000004e1700060, targetDocument=0x00000004d9e02180, type=Everything) at DocumentFragment.cpp:79
frame #7: 0x00000004ba2f1fde WebCore`WebCore::Document::importNode(this=0x00000004d9e02180, nodeToImport=0x00000004e1700060, deep=true) at Document.cpp:990
frame #8: 0x00000004b894da94 WebCore`WebCore::jsDocumentPrototypeFunctionImportNodeBody(state=0x00007ffee9588830, castedThis=0x00000004d745c000, throwScope=0x00007ffee95887b0) at JSDocument.cpp:4679
frame #9: 0x00000004b89309e0 WebCore`long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(state=0x00007ffee9588830, operationName="importNode")), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) at JSDOMOperation.h:53
frame #10: 0x00000004b89306cc WebCore`WebCore::jsDocumentPrototypeFunctionImportNode(state=0x00007ffee9588830) at JSDocument.cpp:4684
frame #11: 0x00004b5beec01177

I am not familiar with the DOM element cloning flow: whether it is expected to not have the attributes set while calling createShadowSubtree(), and the m_dataListDropdownIndicator should be constructed later (as in the patch), or whether the order is simply wrong.
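The ordering problem described in this comment, as an added stand-alone C++ model (this is not WebKit code; TextInput, DropdownIndicator, PaintOutcome and every function below are hypothetical stand-ins for the WebCore flow the two backtraces show). The parser path sets attributes before the user-agent shadow subtree is built, so the indicator exists; the clone path constructs the element (building the subtree while the attribute table is still empty) and only then copies the attributes, so the indicator is never created although the list attribute is now present. The paint path then assumes "has list attribute" implies "indicator exists". The model's Fix::LazyCreate mode shows the two mitigations the thread arrives at: create the indicator when the list attribute arrives, and keep a null check in paint as a backstop.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>

// Hypothetical stand-in for the datalist dropdown indicator node.
struct DropdownIndicator {
    int paintCount = 0;
};

// What a paint of the list button did (stand-in for a void paint that would crash).
enum class PaintOutcome { NothingToPaint, Painted, NullIndicator };

// Hypothetical stand-in for a text-field input element.
class TextInput {
public:
    // None reproduces the ordering bug; LazyCreate applies the hardened flow.
    enum class Fix { None, LazyCreate };

    explicit TextInput(Fix fix) : m_fix(fix) {}

    // Mirrors the createShadowSubtree() early return: the indicator is only
    // built when the element already carries a list attribute.
    void createShadowSubtree() {
        if (!hasAttribute("list") || m_indicator)
            return;
        m_indicator = std::make_unique<DropdownIndicator>();
    }

    void setAttribute(const std::string& name, const std::string& value) {
        m_attributes[name] = value;
        // Hardened flow: the attribute-change hook creates the indicator if the
        // subtree was built before the attribute existed (the clone case).
        if (m_fix == Fix::LazyCreate && name == "list" && !m_indicator)
            m_indicator = std::make_unique<DropdownIndicator>();
    }

    bool hasAttribute(const std::string& name) const { return m_attributes.count(name) != 0; }
    bool hasIndicator() const { return m_indicator != nullptr; }

    // Mirrors Element::cloneElementWithoutChildren(): the clone is constructed
    // (which builds its shadow subtree) BEFORE the attributes are copied over.
    std::unique_ptr<TextInput> cloneNode() const {
        auto clone = std::make_unique<TextInput>(m_fix);
        clone->createShadowSubtree();                // attribute table still empty here
        for (const auto& attr : m_attributes)        // cloneAttributesFromElement()
            clone->setAttribute(attr.first, attr.second);
        return clone;
    }

    // Paint of the list button. Unguarded code would dereference m_indicator
    // as soon as the list attribute is present; the null check is the backstop.
    PaintOutcome paintListButton() {
        if (!hasAttribute("list"))
            return PaintOutcome::NothingToPaint;
        if (!m_indicator)
            return PaintOutcome::NullIndicator;      // crash site in the unguarded code
        m_indicator->paintCount++;
        return PaintOutcome::Painted;
    }

private:
    Fix m_fix;
    std::map<std::string, std::string> m_attributes;
    std::unique_ptr<DropdownIndicator> m_indicator;
};

// Parser path: attributes are present before the UA shadow subtree is built.
// "ice-cream-flavors" is the datalist id used by the layout test in this bug.
std::unique_ptr<TextInput> makeParsedInput(TextInput::Fix fix) {
    auto input = std::make_unique<TextInput>(fix);
    input->setAttribute("list", "ice-cream-flavors");
    input->createShadowSubtree();
    return input;
}

// Clone path: what happens when the clone of a parsed input is painted.
PaintOutcome paintClonedInput(TextInput::Fix fix) {
    auto original = makeParsedInput(fix);
    auto clone = original->cloneNode();
    return clone->paintListButton();
}

int main() {
    auto describe = [](PaintOutcome o) {
        return o == PaintOutcome::Painted ? "painted"
             : o == PaintOutcome::NullIndicator ? "null indicator (would crash)"
             : "nothing to paint";
    };
    std::cout << "parsed input:        " << describe(makeParsedInput(TextInput::Fix::None)->paintListButton()) << "\n";
    std::cout << "clone, original flow: " << describe(paintClonedInput(TextInput::Fix::None)) << "\n";
    std::cout << "clone, lazy create:   " << describe(paintClonedInput(TextInput::Fix::LazyCreate)) << "\n";
    return 0;
}
```

The model keeps the two defences separate on purpose: lazy creation on attribute change fixes the state so the clone behaves like the parsed element, while the null check in paint turns any remaining ordering gap into a skipped button instead of an invalid memory access.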
zalan
Comment 3 2018-12-24 16:07:51 PST
[ 0] 0x000000010bc970d3 WebCore`WebCore::RenderThemeMac::paintListButtonForInput(WebCore::RenderObject const&, WebCore::GraphicsContext&, WebCore::FloatRect const&) [inlined] WebCore::Node::hasRareData() const at Node.h:626
   622 Node(Document&, ConstructionType);
   623
   624 virtual void addSubresourceAttributeURLs(ListHashSet<URL>&) const { }
   625
-> 626 bool hasRareData() const { return getFlag(HasRareDataFlag); }
   627
   628 NodeRareData* rareData() const;
   629 NodeRareData& ensureRareData();
   630 void clearRareData();
[ 0] 0x000000010bc970d3 WebCore`WebCore::RenderThemeMac::paintListButtonForInput(WebCore::RenderObject const&, WebCore::GraphicsContext&, WebCore::FloatRect const&) [inlined] WebCore::Node::renderer() const at Node.h:417
   413 // -----------------------------------------------------------------------------
   414 // Integration with rendering tree
   415
   416 // As renderer() includes a branch you should avoid calling it repeatedly in hot code paths.
-> 417 RenderObject* renderer() const { return hasRareData() ? m_data.m_rareData->renderer() : m_data.m_renderer; };
   418 void setRenderer(RenderObject* renderer)
   419 {
   420 if (hasRareData())
   421 m_data.m_rareData->setRenderer(renderer);
[ 0] 0x000000010bc970d3 WebCore`WebCore::RenderThemeMac::paintListButtonForInput(WebCore::RenderObject const&, WebCore::GraphicsContext&, WebCore::FloatRect const&) [inlined] WebCore::ContainerNode::renderer() const at RenderElement.h:481
   477 }
   478
   479 inline RenderElement* ContainerNode::renderer() const
   480 {
-> 481 return downcast<RenderElement>(Node::renderer());
   482 }
   483
   484 inline int adjustForAbsoluteZoom(int value, const RenderElement& renderer)
   485 {
[ 0] 0x000000010bc970d3 WebCore`WebCore::RenderThemeMac::paintListButtonForInput(WebCore::RenderObject const&, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 419 at RenderThemeMac.mm:1147
[ 1] 0x000000010bc97860 WebCore`WebCore::RenderThemeMac::paintTextField(WebCore::RenderObject const&, WebCore::PaintInfo const&, WebCore::FloatRect const&) + 944 at RenderThemeMac.mm:1210:9
[ 2] 0x000000010cb71927 WebCore`WebCore::RenderTheme::paintBorderOnly(WebCore::RenderBox const&, WebCore::PaintInfo const&, WebCore::LayoutRect const&) + 423 at RenderTheme.cpp:459:16
[ 3] 0x000000010b6d72b5 WebCore`WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1189 at RenderBox.cpp:1307:142
[ 4] 0x000000010b6d460a WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 74 at RenderBlock.cpp:1224:13
[ 5] 0x000000010b6d6993 WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 243 at RenderBlock.cpp:1104:5
[ 6] 0x000000010cacbd83 WebCore`WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 22 at RenderElement.cpp:986:13
[ 6] 0x000000010cacbd6d WebCore`WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 93 at RenderElement.cpp:998
[ 7] 0x000000010ca5eb94 WebCore`WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 116 at InlineElementBox.cpp:81:16
[ 8] 0x000000010b6fa84f WebCore`WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1039 at InlineFlowBox.cpp:1208:23
[ 9] 0x000000010b6fa3d1 WebCore`WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 33 at RootInlineBox.cpp:168:20
[ 10] 0x000000010b6d7ea5 WebCore`WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 901 at RenderLineBoxList.cpp:260:19
[ 11] 0x000000010b6d47f4 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 19 at RenderBlock.cpp:1125:9
[ 11] 0x000000010b6d47e1 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 545 at RenderBlock.cpp:1261
[ 12] 0x000000010b6d6993 WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 243 at RenderBlock.cpp:1104:5
[ 13] 0x000000010ca6ef70 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 640 at RenderBlock.cpp:1181:19
[ 14] 0x000000010b6d51be WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 94 at RenderBlock.cpp:1145:14
[ 15] 0x000000010b6d4817 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 54 at RenderBlock.cpp:1138:9
[ 15] 0x000000010b6d47e1 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 545 at RenderBlock.cpp:1261
[ 16] 0x000000010b6d6993 WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 243 at RenderBlock.cpp:1104:5
[ 17] 0x000000010ca6ef70 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 640 at RenderBlock.cpp:1181:19
[ 18] 0x000000010b6d51be WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 94 at RenderBlock.cpp:1145:14
[ 19] 0x000000010b6d4817 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 54 at RenderBlock.cpp:1138:9
[ 19] 0x000000010b6d47e1 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 545 at RenderBlock.cpp:1261
[ 20] 0x000000010b6d6993 WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 243 at RenderBlock.cpp:1104:5
[ 21] 0x000000010cacbdc8 WebCore`WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 22 at RenderElement.cpp:986:13
[ 21] 0x000000010cacbdb2 WebCore`WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 162 at RenderElement.cpp:1001
[ 22] 0x000000010ca6ef59 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 617 at RenderBlock.cpp:1179:19
[ 23] 0x000000010b79966e WebCore`WebCore::RenderFlexibleBox::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 94 at RenderFlexibleBox.cpp:355:14
[ 24] 0x000000010b6d4817 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 54 at RenderBlock.cpp:1138:9
[ 24] 0x000000010b6d47e1 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 545 at RenderBlock.cpp:1261
[ 25] 0x000000010b6d6993 WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 243 at RenderBlock.cpp:1104:5
[ 26] 0x000000010ca6ef70 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 640 at RenderBlock.cpp:1181:19
[ 27] 0x000000010b6d51be WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 94 at RenderBlock.cpp:1145:14
[ 28] 0x000000010b6d4817 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 54 at RenderBlock.cpp:1138:9
[ 28] 0x000000010b6d47e1 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 545 at RenderBlock.cpp:1261
[ 29] 0x000000010b6d6993 WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 243 at RenderBlock.cpp:1104:5
[ 30] 0x000000010ca6ef70 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 640 at RenderBlock.cpp:1181:19
[ 31] 0x000000010b6d51be WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 94 at RenderBlock.cpp:1145:14
[ 32] 0x000000010b6d4817 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 54 at RenderBlock.cpp:1138:9
[ 32] 0x000000010b6d47e1 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 545 at RenderBlock.cpp:1261
[ 33] 0x000000010b6d6993 WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 243 at RenderBlock.cpp:1104:5
[ 34] 0x000000010cb0f3c5 WebCore`WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) + 405 at RenderLayer.cpp:4712:20
[ 35] 0x000000010cb0d19e WebCore`WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) + 414 at RenderLayer.cpp:4689:9
[ 36] 0x000000010cb0a29b WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3163 at RenderLayer.cpp:4297:17
[ 37] 0x000000010cb0a384 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) [inlined] WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 65 at RenderLayer.cpp:4414:21
[ 37] 0x000000010cb0a343 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3331 at RenderLayer.cpp:4310
[ 38] 0x000000010cb07a71 WebCore`WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::RenderLayer::SecurityOriginPaintPolicy) + 273 at RenderLayer.cpp:3784:5
[ 39] 0x000000010c83aced WebCore`WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy) + 717 at FrameView.cpp:4195:16
[ 40] 0x000000010c8cbf5e WebCore`WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy) + 558 at ScrollView.cpp:1195:9
[ 41] 0x000000010b75e29b WebCore`WebCore::RenderWidget::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 683 at RenderWidget.cpp:250:15
[ 42] 0x000000010b75dd33 WebCore`WebCore::RenderWidget::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 867 at RenderWidget.cpp:302:9
[ 43] 0x000000010cacbdc8 WebCore`WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 22 at RenderElement.cpp:986:13
[ 43] 0x000000010cacbdb2 WebCore`WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 162 at RenderElement.cpp:1001
[ 44] 0x000000010ca5eb94 WebCore`WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 116 at InlineElementBox.cpp:81:16
[ 45] 0x000000010b6fa84f WebCore`WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1039 at InlineFlowBox.cpp:1208:23
[ 46] 0x000000010b6fa3d1 WebCore`WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 33 at RootInlineBox.cpp:168:20
[ 47] 0x000000010b6d7ea5 WebCore`WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 901 at RenderLineBoxList.cpp:260:19
[ 48] 0x000000010b6d47f4 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 19 at RenderBlock.cpp:1125:9
[ 48] 0x000000010b6d47e1 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 545 at RenderBlock.cpp:1261
[ 49] 0x000000010b6d6993 WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 243 at RenderBlock.cpp:1104:5
[ 50] 0x000000010ca6ef70 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 640 at RenderBlock.cpp:1181:19
[ 51] 0x000000010b6d51be WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 94 at RenderBlock.cpp:1145:14
[ 52] 0x000000010b6d4817 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) [inlined] WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 54 at RenderBlock.cpp:1138:9
[ 52] 0x000000010b6d47e1 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 545 at RenderBlock.cpp:1261
[ 53] 0x000000010b6d6993 WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 243 at RenderBlock.cpp:1104:5
[ 54] 0x000000010cb0f3c5 WebCore`WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) + 405 at RenderLayer.cpp:4712:20
[ 55] 0x000000010cb0d19e WebCore`WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) + 414 at RenderLayer.cpp:4689:9
[ 56] 0x000000010cb0a29b WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3163 at RenderLayer.cpp:4297:17
[ 57] 0x000000010cb0a384 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) [inlined] WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 65 at RenderLayer.cpp:4414:21
[ 57] 0x000000010cb0a343 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3331 at RenderLayer.cpp:4310
[ 58] 0x000000010cb0a384 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) [inlined] WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 65 at RenderLayer.cpp:4414:21
[ 58] 0x000000010cb0a343 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3331 at RenderLayer.cpp:4310
[ 59] 0x000000010cb07a71 WebCore`WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::RenderLayer::SecurityOriginPaintPolicy) + 273 at RenderLayer.cpp:3784:5
[ 60] 0x000000010c83aced WebCore`WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy) + 717 at FrameView.cpp:4195:16
[ 61] 0x000000010c8318b3 WebCore`WebCore::FrameView::paintContentsForSnapshot(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::FrameView::SelectionInSnapshot, WebCore::FrameView::CoordinateSpaceForSnapshot) + 243 at FrameView.cpp:4242:9
[ 62] 0x000000010ac92584 WebKit`WebKit::paintSnapshotAtSize(WebCore::IntRect const&, WebCore::IntSize const&, unsigned int, WebCore::Frame&, WebCore::FrameView&, WebCore::GraphicsContext&) + 439 at WebPage.cpp:2136:15
[ 63] 0x000000010ac92306 WebKit`WebKit::WebPage::snapshotAtSize(WebCore::IntRect const&, WebCore::IntSize const&, unsigned int) + 194 at WebPage.cpp:2170:5
[ 64] 0x000000010a8e2906 WebKit`WebKit::WebPage::scaledSnapshotWithOptions(WebCore::IntRect const&, double, unsigned int) + 194 at WebPage.cpp:2100:12
[ 65] 0x000000010a909e46 WebKit`::WKBundlePageCreateScaledSnapshotInDocumentCoordinates(WKBundlePageRef, WKRect, double, WKImageOptions) + 97 at WKBundlePage.cpp:474:50
[ 66] 0x000000029441e82a Safari`Safari::WK::BundlePage::createScaledSnapshotInDocumentCoordinates(CGRect, double, unsigned int) const + 112 at BundlePage.mm:199:25
[ 67] 0x000000029474aa57 Safari`Safari::createSnapshot(Safari::WK::BundlePage const&, CGSize, Safari::SnapshotOptions) + 505 at SnapshotCreation.mm:168:35
[ 68] 0x0000000294342e15 Safari`Safari::BrowserBundlePageController::createSnapshot(unsigned long long, WKSize) + 39 at BrowserBundlePageController.mm:972:39
[ 69] 0x000000029434e2c7 Safari`Safari::BrowserBundlePageController::handleMessageToPage(Safari::WK::BundlePage const&, NSString*, Safari::WK::Type const&) + 1355 at BrowserBundlePageControllerMessageReceiver.mm:140:24
[ 70] 0x0000000294338d78 Safari`Safari::BrowserBundleController::dispatchMessageToPage(Safari::WK::BundlePage const&, NSString*, Safari::WK::Type const&) + 42 at BrowserBundleControllerMessageDispatcher.mm:35:12
[ 71] 0x0000000294337e16 Safari`Safari::BrowserBundleController::didReceiveMessageToPage(Safari::WK::Bundle const&, Safari::WK::BundlePage const&, Safari::WK::String const&, Safari::WK::Type const&) + 48 at BrowserBundleController.mm:486:9
[ 72] 0x000000029441c11b Safari`Safari::WK::didReceiveMessageToPage(OpaqueWKBundle const*, OpaqueWKBundlePage const*, OpaqueWKString const*, void const*, void const*) + 125 at BundleClient.mm:69:47
[ 73] 0x000000010ac095c4 WebKit`WebKit::InjectedBundleClient::didReceiveMessageToPage(WebKit::InjectedBundle&, WebKit::WebPage&, WTF::String const&, API::Object*) + 178 at InjectedBundleClient.cpp:78:5
[ 74] 0x000000010ac92033 WebKit`WebKit::WebPage::postInjectedBundleMessage(WTF::String const&, WebKit::UserData const&) + 77 at WebPage.cpp:2000:21
[ 75] 0x000000010aca43af WebKit`WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) [inlined] void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WTF::String const&, WebKit::UserData const&), std::__1::tuple<WTF::String, WebKit::UserData>, 0ul, 1ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WTF::String const&, WebKit::UserData const&), std::__1::tuple<WTF::String, WebKit::UserData>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 11 at HandleMessage.h:41:5
[ 75] 0x000000010aca43a4 WebKit`WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) [inlined] void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WTF::String const&, WebKit::UserData const&), std::__1::tuple<WTF::String, WebKit::UserData>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<WTF::String, WebKit::UserData>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WTF::String const&, WebKit::UserData const&)) at HandleMessage.h:47
[ 75] 0x000000010aca43a4 WebKit`WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) [inlined] void IPC::handleMessage<Messages::WebPage::PostInjectedBundleMessage, WebKit::WebPage, void (WebKit::WebPage::*)(WTF::String const&, WebKit::UserData const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WTF::String const&, WebKit::UserData const&)) + 49 at HandleMessage.h:133
[ 75] 0x000000010aca4373 WebKit`WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) + 11411 at WebPageMessageReceiver.cpp:925
[ 76] 0x000000010a932d7e WebKit`IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 126 at MessageReceiverMap.cpp:123:26
[ 77] 0x000000010abf1a97 WebKit`WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 27 at WebProcess.cpp:656:30
[ 78] 0x000000010a924be1 WebKit`IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 107 at Connection.cpp:1005:9
[ 79] 0x000000010a9282f5 WebKit`IPC::Connection::dispatchOneIncomingMessage() + 179 at Connection.cpp:1074:5
[ 80] 0x00000002901d1f18 JavaScriptCore`WTF::RunLoop::performWork() [inlined] WTF::Function<void ()>::operator()() const + 15 at Function.h:56:35
[ 80] 0x00000002901d1f09 JavaScriptCore`WTF::RunLoop::performWork() + 297 at RunLoop.cpp:123
[ 81] 0x00000002901d2151 JavaScriptCore`WTF::RunLoop::performWork(void*) + 33 at RunLoopCF.cpp:38:37
[ 82] 0x00007fff4c5ce474 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 16 at CFRunLoop.c:1980:9
[ 83] 0x00007fff4c5ce41a CoreFoundation`__CFRunLoopDoSource0 + 107 at CFRunLoop.c:2015:13
[ 84] 0x00007fff4c5b1eb4 CoreFoundation`__CFRunLoopDoSources0 + 194 at CFRunLoop.c:2051:29
[ 85] 0x00007fff4c5b145d CoreFoundation`__CFRunLoopRun + 1218 at CFRunLoop.c:2922:41
[ 86] 0x00007fff4c5b0d47 CoreFoundation`CFRunLoopRunSpecific + 462 at CFRunLoop.c:3247:18
[ 87] 0x00007fff4e9da4a9 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 279 at NSRunLoop.m:367:5
[ 88] 0x00007fff4e9da37e Foundation`-[NSRunLoop(NSRunLoop) run] + 75 at NSRunLoop.m:389:12
Ryosuke Niwa
Comment 4 2018-12-24 16:07:59 PST
Comment on attachment 358028 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=358028&action=review

> LayoutTests/fast/forms/datalist/datalist-crash-when-cloned.html:14
> +document.body.appendChild(ice.cloneNode());

Can we also test that datalist works? This is such a simple test that it should function perfectly fine.
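Review bot: the added line 14 of datalist-crash-when-cloned.html only appends the clone and relies on "did not crash" as the pass condition; nothing in the visible hunk checks that the cloned input still resolves its datalist. Suggest keeping a reference to the clone and asserting that its `list` property is the datalist element before the test signals completion, so a regression that silently drops the indicator (rather than crashing) is also caught.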
Ryosuke Niwa
Comment 5 2018-12-24 16:11:53 PST
It appears to me that we also want a null pointer check in RenderThemeMac::paintListButtonForInput with a debug assertion.
zalan
Comment 6 2018-12-25 09:47:27 PST
EWS Watchlist
Comment 7 2018-12-25 14:44:58 PST
Comment on attachment 358070 [details]
Patch

Attachment 358070 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: https://webkit-queues.webkit.org/results/10545662

New failing tests:
fast/forms/datalist/datalist-textinput-appearance.html
fast/forms/datalist/datalist-searchinput-appearance.html
EWS Watchlist
Comment 8 2018-12-25 14:45:00 PST
Created attachment 358072 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.13.6
zalan
Comment 9 2019-01-02 11:18:51 PST
Tim Horton
Comment 10 2019-01-02 14:07:07 PST
Comment on attachment 358189 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=358189&action=review

> LayoutTests/fast/forms/datalist/datalist-crash-when-dynamic.html:2
> +<input id="ice" list="ice-cream-flavors" name="ice-cream-choice">

Get rid of list= here
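Review bot: line 2 of datalist-crash-when-dynamic.html gives the input a static list= attribute, so the element takes the parser path where the attribute is already present when the shadow subtree is built; the dynamic case the file name promises (the list attribute being added after the input exists) is then not exercised. Suggest dropping list= from the markup and setting it from script once the input is in the document.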
zalan
Comment 11 2019-01-02 14:39:44 PST
Brent Fulgham
Comment 12 2019-01-07 16:05:44 PST
Comment on attachment 358208 [details] Patch Looks good!
Ryosuke Niwa
Comment 13 2019-01-09 13:40:29 PST
Comment on attachment 358208 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=358208&action=review

> Source/WebCore/html/TextFieldInputType.cpp:837
> if (!m_dataListDropdownIndicator)
> - return;
> + createDataListDropdownIndicator();

I think we need to check that listAttr is set in the element.
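Review bot: at TextFieldInputType.cpp:837 the replacement calls createDataListDropdownIndicator() whenever m_dataListDropdownIndicator is null, and the visible lines carry no check that the element actually has a list attribute, so a plain text field reaching this path would get an indicator it should not have. Suggest guarding the creation with the same condition createShadowSubtree() uses, e.g. `if (!m_dataListDropdownIndicator && element()->hasAttributeWithoutSynchronization(listAttr))`, and returning early otherwise.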
WebKit Commit Bot
Comment 14 2019-01-09 14:25:49 PST
Comment on attachment 358208 [details]
Patch

Clearing flags on attachment: 358208

Committed r239786: <https://trac.webkit.org/changeset/239786>
WebKit Commit Bot
Comment 15 2019-01-09 14:25:51 PST
All reviewed patches have been landed. Closing bug.
Wenson Hsieh
Comment 16 2019-01-14 07:38:13 PST
*** Bug 191633 has been marked as a duplicate of this bug. ***
Dima Tisnek
Comment 17 2019-10-30 21:01:07 PDT
Hi, I get a "datalist" crash with the same traceback top part, `paintListButtonForInput` through `paintForegroundForFragmentsWithPhase`, in both Safari Version 13.0.3 (15608.3.10.1.4) and Safari TP Release 94 (Safari 13.1, WebKit 15609.1.6.1) on our internal website.

At the same time, the test attached to this ticket doesn't cause a crash.

Sadly my content is a bit dynamic and I could not (so far) create a MRE from it.

How can I help track down this issue?
Thanks!
Ryosuke Niwa
Comment 18 2019-10-30 21:09:19 PDT
(In reply to Dima Tisnek from comment #17)
> Hi, I get a "datalist" crash with the same traceback top part,
> `paintListButtonForInput` through `paintForegroundForFragmentsWithPhase`, in
> both Safari Version 13.0.3 (15608.3.10.1.4) and Safari TP Release 94 (Safari
> 13.1, WebKit 15609.1.6.1) on our internal website.
>
> At the same time, the test attached to this ticket doesn't cause a crash.
>
> Sadly my content is a bit dynamic and I could not (so far) create a MRE from
> it.
>
> How can I help track down this issue?
> Thanks!

Could you file a new bug with a test case?