Bug 57431 - Crash when dynamically adding input fields with certain css and attributes to a div
Status: RESOLVED DUPLICATE of bug 46088
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.6
Importance: P1 Normal
Assignee: Nobody
URL: http://jsfiddle.net/jbrichau/cERX6/
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-30 00:59 PDT by johan
Modified: 2011-03-30 21:38 PDT

See Also:


Attachments
self-contained testcase (1.90 KB, text/html)
2011-03-30 10:16 PDT, johan

Description johan 2011-03-30 00:59:46 PDT
The fiddle that is available in the URL shows how WebKit crashes when I dynamically add input fields to a div.

On WebKit or Safari, it takes a couple of seconds before it crashes. On Chrome, I get the 'aw snap' page.
I just tried it on the WebKit nightly build of March 30th 2011.

The first link in the page makes WebKit crash. This one adds two input fields to the page using jQuery.

The second link makes the password input field appear twice on the same page, although only a single one exists in the DOM. The difference is that we left out the label of the password field.

The third link makes it work. Here, we removed the autofocus attribute from the first input field.

If we remove the CSS, it works as well.

However, all the above are workarounds trying to circumvent a problem I am unable to pinpoint, but which seems to be in WebKit.
Comment 1 Alexey Proskuryakov 2011-03-30 10:06:01 PDT
Could you please attach a self-contained test case to this Bugzilla bug? It's better to have everything pertinent to an issue in one place, not on 3rd party servers.

Asserts with a debug build of ToT:

ASSERTION FAILED: !renderer()
/Users/ap/Safari/OpenSource/Source/WebCore/dom/Node.cpp(1449) : void WebCore::Node::createRendererIfNeeded()
1   WebCore::Node::createRendererIfNeeded()
2   WebCore::Element::attach()
3   WebCore::ContainerNode::attach()
4   WebCore::Element::attach()
5   WebCore::HTMLFormControlElement::attach()
6   WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&, bool)
7   WebCore::replaceChildrenWithFragment(WebCore::HTMLElement*, WTF::PassRefPtr<WebCore::DocumentFragment>, int&)
8   WebCore::HTMLElement::setInnerHTML(WTF::String const&, int&)
9   WebCore::setJSHTMLElementInnerHTML(JSC::ExecState*, JSC::JSObject*, JSC::JSValue)
10  bool JSC::lookupPut<WebCore::JSHTMLElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLElement*)
11  void JSC::lookupPut<WebCore::JSHTMLElement, WebCore::JSElement>(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLElement*, JSC::PutPropertySlot&)
<...>
Comment 2 johan 2011-03-30 10:16:04 PDT
Created attachment 87559
self-contained testcase
Comment 3 Kent Tamura 2011-03-30 21:38:01 PDT
This is a variant of the autofocus issue, Bug 46088.
I confirmed a patch in Bug 46088 fixed the problem in the attachment johan posted.

However, some reviewers didn't like the patches in Bug 46088. Do you have any good ideas for fixing this issue?
Comment 4 Kent Tamura 2011-03-30 21:38:33 PDT

*** This bug has been marked as a duplicate of bug 46088 ***