NEW 203969
Styling display with '!important' in ::-webkit-list-button crashes
https://bugs.webkit.org/show_bug.cgi?id=203969
Stephen McGruer
Reported 2019-11-07 11:09:40 PST
Created attachment 383061
Reproduction of bug

I was attempting to remove the blue drop-down arrow that appears when using a 'list' attribute on an <input> element, when I found that styling ::-webkit-list-button with 'display: none !important' appears to crash Safari. Removing the '!important' appears to resolve the crash (albeit it doesn't actually do what I want...)

See the attached reproduction (or the web-hosted version at https://output.jsbin.com/vuyayej/quiet); on loading it I get "A problem repeatedly occurred with ...".

I reproduced this on Browserstack Safari 12.1 on Mojave, but have also had colleagues reproduce with:

* 13.0.3 (14608.3.10.10.1)
* Release 95 (Safari 13.1, WebKit 14609.1.7)

It does NOT appear to reproduce on an iOS device:

* Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Mobile/15E148 Safari/604.1
Attachments
Reproduction of bug (426 bytes, text/html)
2019-11-07 11:09 PST, Stephen McGruer
no flags
Ali Juma
Comment 1 2019-11-07 11:18:52 PST
Looks like buttonElement has a null renderer in RenderThemeMac::paintListButtonForInput. Here's a crash stack:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x3c)
  * frame #0: 0x000000011b38d31c WebCore`WebCore::RenderObject::RenderObjectBitfields::isAnonymous(this=0x000000000000003c) const at RenderObject.h:912:9
    frame #1: 0x000000011b38d2f9 WebCore`WebCore::RenderObject::isAnonymous(this=0x0000000000000000) const at RenderObject.h:388:51
    frame #2: 0x000000011b378089 WebCore`WebCore::RenderObject::node(this=0x0000000000000000) const at RenderObject.h:484:33
    frame #3: 0x000000011b377fab WebCore`WebCore::RenderThemeMac::updatePressedState(this=0x0000000120704f40, cell=0x00007fbad06811e0, o=0x0000000000000000) at RenderThemeMac.mm:997:34
    frame #4: 0x000000011b378f4c WebCore`WebCore::RenderThemeMac::paintListButtonForInput(this=0x0000000120704f40, o=0x000000013fbb13a0, context=0x00007ffeeaccc9d8, r={ x = 10.0, y = 10.0, width = 146.0, height = 19.0 }) at RenderThemeMac.mm:1124:13
    frame #5: 0x000000011b379e61 WebCore`WebCore::RenderThemeMac::paintTextField(this=0x0000000120704f40, o=0x000000013fbb13a0, paintInfo=0x00007ffeeacca200, r={ x = 10.0, y = 10.0, width = 146.0, height = 19.0 }) at RenderThemeMac.mm:1188:9
    frame #6: 0x000000011e5f32f4 WebCore`WebCore::RenderTheme::paintBorderOnly(this=0x0000000120704f40, box=0x000000013fbb13a0, paintInfo=0x00007ffeeacca200, rect={ x = 10px (640), y = 10px (640), width = 145.875px (9336), height = 19px (1216) }) at RenderTheme.cpp:460:16
    frame #7: 0x000000011e3abe40 WebCore`WebCore::RenderBox::paintBoxDecorations(this=0x000000013fbb13a0, paintInfo=0x00007ffeeacca200, paintOffset={ x = 10px (640), y = 10px (640) }) at RenderBox.cpp:1358:142
    frame #8: 0x000000011e378c2b WebCore`WebCore::RenderBlock::paintObject(this=0x000000013fbb13a0, paintInfo=0x00007ffeeacca200, paintOffset={ x = 10px (640), y = 10px (640) }) at RenderBlock.cpp:1223:13
    frame #9: 0x000000011e3777de WebCore`WebCore::RenderBlock::paint(this=0x000000013fbb13a0, paintInfo=0x00007ffeeacca200, paintOffset={ x = 8px (512), y = 8px (512) }) at RenderBlock.cpp:1103:5
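
Added example, not part of the bug thread or of WebKit's code: a Python triage helper that reads the header and frames #0-#4 of the crash stack in Comment 1 and reports which caller first handed a null pointer down the stack. The function name triage and the 0x1000 cut-off for "null plus a field offset" are assumptions of this example.

```python
import re

# Header and frames #0-#4 copied from the crash stack in Comment 1.
TRACE = r"""
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x3c)
  * frame #0: 0x000000011b38d31c WebCore`WebCore::RenderObject::RenderObjectBitfields::isAnonymous(this=0x000000000000003c) const at RenderObject.h:912:9
    frame #1: 0x000000011b38d2f9 WebCore`WebCore::RenderObject::isAnonymous(this=0x0000000000000000) const at RenderObject.h:388:51
    frame #2: 0x000000011b378089 WebCore`WebCore::RenderObject::node(this=0x0000000000000000) const at RenderObject.h:484:33
    frame #3: 0x000000011b377fab WebCore`WebCore::RenderThemeMac::updatePressedState(this=0x0000000120704f40, cell=0x00007fbad06811e0, o=0x0000000000000000) at RenderThemeMac.mm:997:34
    frame #4: 0x000000011b378f4c WebCore`WebCore::RenderThemeMac::paintListButtonForInput(this=0x0000000120704f40, o=0x000000013fbb13a0, context=0x00007ffeeaccc9d8, r={ x = 10.0, y = 10.0, width = 146.0, height = 19.0 }) at RenderThemeMac.mm:1124:13
"""

FRAME = re.compile(r"frame #(\d+): 0x[0-9a-f]+ \w+`([\w:]+)\((.*)\)(?: const)? at (\S+)")
PTR_ARG = re.compile(r"(\w+)=(0x[0-9a-f]+)")
NULL_PAGE = 0x1000  # assumption: anything below this is a null base plus a field offset


def triage(trace):
    """Return where a near-null pointer entered the call chain, or None."""
    fault = int(re.search(r"address=(0x[0-9a-f]+)", trace).group(1), 16)
    frames = []
    for m in FRAME.finditer(trace):
        # Pointer-valued arguments of this frame that are null or nearly null.
        nulls = [n for n, v in PTR_ARG.findall(m.group(3)) if int(v, 16) < NULL_PAGE]
        frames.append({"index": int(m.group(1)), "func": m.group(2),
                       "null_args": nulls, "at": m.group(4)})
    frames.sort(key=lambda f: f["index"])
    bad = [f for f in frames if f["null_args"]]
    if fault >= NULL_PAGE or not bad:
        return None  # not a null-dereference pattern
    # The outermost frame that still holds the null is where it was received;
    # the frame above it is the caller that passed it without a check.
    first = bad[-1]
    caller = next((f for f in frames if f["index"] == first["index"] + 1), None)
    return {
        "fault": fault,
        "received_null": first["func"],
        "null_args": first["null_args"],
        "passed_by": caller["func"] if caller else None,
        "call_site": caller["at"] if caller else None,
    }


if __name__ == "__main__":
    print(triage(TRACE))
```
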
Radar WebKit Bug Importer
Comment 2 2019-11-07 11:41:14 PST