[Webkit-unassigned] [Bug 98680] New: Crash in Chrome when dialog containing <input> and long text is dismissed.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 8 12:37:10 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=98680

           Summary: Crash in Chrome when dialog containing <input> and
                    long text is dismissed.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fil at google.com
                CC: bdakin at apple.com


Created an attachment (id=167588)
 --> (https://bugs.webkit.org/attachment.cgi?id=167588&action=review)
<input> with long text.

1. In a Google Docs document (http://docs.google.com/document),
2. Insert a link (Ctrl/Cmd + K), and set the URL's text to be wider than the input's width (see overflowed_input.png)
3. Press Enter; a chain of events then ends up removing the parent dialog element.

When users press Enter I get the following stack trace:
Thread 0 *CRASHED* ( SIGSEGV @ 0x2600000082 )

0x2600000082            
0x7f32c6a2cac9    [chrome]    - third_party/WebKit/Source/WebCore/platform/ScrollableArea.cpp:149]    WebCore::ScrollableArea::scrollPositionChanged
0x7f32c6abb0c8    [chrome]    - third_party/WebKit/Source/WebCore/platform/ScrollAnimator.cpp:149]    WebCore::ScrollAnimator::notifyPositionChanged
0x7f32c707f848    [chrome]    - third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:1637]    WebCore::RenderLayer::scrollToOffset
0x7f32c6975b62    [chrome]    - third_party/WebKit/Source/WebCore/html/TextFieldInputType.cpp:187]    WebCore::TextFieldInputType::forwardEvent
0x7f32c692cf8b    [chrome]    - third_party/WebKit/Source/WebCore/html/HTMLInputElement.cpp:1164]    WebCore::HTMLInputElement::defaultEventHandler
0x7f32c67e5657    [chrome]    - third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:340]    WebCore::EventDispatcher::dispatchEvent
0x7f32c67e30c5    [chrome]    - third_party/WebKit/Source/WebCore/dom/EventDispatchMediator.cpp:51]    WebCore::EventDispatchMediator::dispatchEvent
0x7f32c67e3147    [chrome]    - third_party/WebKit/Source/WebCore/dom/EventDispatchMediator.cpp:85]    WebCore::BlurEventDispatchMediator::dispatchEvent
0x7f32c67e4842    [chrome]    - third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:128]    WebCore::EventDispatcher::dispatchEvent
0x7f32c67a64e3    [chrome]    - third_party/WebKit/Source/WebCore/dom/Node.cpp:2681]    WebCore::Node::dispatchBlurEvent
0x7f32c69f358d    [chrome]    - third_party/WebKit/Source/WebCore/html/HTMLFormControlElement.cpp:502]    WebCore::HTMLFormControlElement::dispatchBlurEvent
0x7f32c695aaef    [chrome]    - third_party/WebKit/Source/WebCore/html/HTMLTextFormControlElement.cpp:96]    WebCore::HTMLTextFormControlElement::dispatchBlurEvent
0x7f32c6775dd1    [chrome]    - third_party/WebKit/Source/WebCore/dom/Document.cpp:3777]    WebCore::Document::setFocusedNode
0x7f32c67763d3    [chrome]    - third_party/WebKit/Source/WebCore/dom/Document.cpp:3689]    WebCore::Document::focusedNodeRemoved
0x7f32c6758711    [chrome]    - third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:390]    WebCore::ContainerNode::removeChild
0x7f32c6bb6d13    [chrome]    - third_party/WebKit/Source/WebCore/bindings/v8/custom/V8NodeCustom.cpp:105]    WebCore::V8Node::removeChildCallback
0x7f32c61bc2f1    [chrome]    - v8/src/builtins.cc:1145]    v8::internal::Builtin_HandleApiCall
0x21d19450618d    

If the cursor position is at the beginning of the text, and so the text is left-aligned with the <input>, there is no crash.
Clicking OK (which blurs the <input> first) does not lead to this crash.

From doing a Chrome bisect, it starts to repro for me at 22.0.1229.60 (r150285), WebKit roll: 124811:124835

Here are the WebKit changes: http://trac.webkit.org/log/trunk/?rev=124835&stop_rev=124811&verbose=on&limit=10000. It seems to be related to http://trac.webkit.org/changeset/124489.

Unfortunately I have not been successful in creating a more minimal repro case. It's also the case that some people don't ever encounter it.

We have a workaround that we are pushing soon, basically setting the <input> to display:none on keydown if the key pressed is Enter. But it seems like this is a problem that can be encountered elsewhere on the web.

Here are some user complaints:
https://productforums.google.com/forum/?fromgroups=#!searchin/chrome/%22aw$20snap%22$20link/chrome/0Nbj6UpNhBo/CYlXymfdsoMJ
