[Webkit-unassigned] [Bug 101133] New: Crash when replacing parts of text inputs with content: url(...)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 2 17:15:44 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=101133

           Summary: Crash when replacing parts of text inputs with
                    content: url(...)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: HasReduction
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: esprehn at chromium.org
                CC: eric at webkit.org, jchaffraix at webkit.org,
                    inferno at chromium.org


When you replace a part of a text input with an image using content: url(...) we crash in WebCore::RenderTextControlSingleLine::layout()

    #0 0x7f3d63b22655 in WebCore::RenderTextControlSingleLine::layout() third_party/WebKit/Source/WebCore/rendering/RenderTextControlSingleLine.cpp:111
    #1 0x7f3d62f51f30 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:662
    #2 0x7f3d630979d3 in WebCore::RenderBlock::layoutPositionedObjects(bool) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2682
    #3 0x7f3d6308bc34 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1588
    #4 0x7f3d63086cdd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383
    #5 0x7f3d62f51f30 in WebCore::RenderObject::layoutIfNeeded() third_party/WebKit/Source/WebCore/rendering/RenderObject.h:662
    #6 0x7f3d630979d3 in WebCore::RenderBlock::layoutPositionedObjects(bool) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2682
    #7 0x7f3d6308bc34 in WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1588
    #8 0x7f3d63086cdd in WebCore::RenderBlock::layout() third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:1383


This is enough to cause it:

<style>
input::-webkit-textfield-decoration-container {
    content: url("");
}
</style>
<input type=number>

This is because of the hack in RenderObject::createObject where we swap out the correct renderer for an element with a RenderImage if content is specified and only has a url(...).

http://code.google.com/searchframe#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp&exact_package=chromium&q=RenderObject.cpp&type=cs&l=144

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list