[Webkit-unassigned] [Bug 98680] New: Crash in Chrome when dialog containing <input> and long text is dismissed.
bugzilla-daemon at webkit.org
Mon Oct 8 12:37:10 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=98680
Summary: Crash in Chrome when dialog containing <input> and long text is dismissed.
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Layout and Rendering
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fil at google.com
CC: bdakin at apple.com
Created an attachment (id=167588)
--> (https://bugs.webkit.org/attachment.cgi?id=167588&action=review)
<input> with long text.
1. In a Google Docs document (http://docs.google.com/document),
2. Insert a link (Ctrl/Cmd + K), and set the URL's text to be wider than the input's width (see overflowed_input.png)
3. Press enter, there is a chain of events that ends up removing the parent dialog element.
When users press Enter, I get the following stack trace:
Thread 0 *CRASHED* ( SIGSEGV @ 0x2600000082 )
0x2600000082
0x7f32c6a2cac9 [chrome] - third_party/WebKit/Source/WebCore/platform/ScrollableArea.cpp:149] WebCore::ScrollableArea::scrollPositionChanged
0x7f32c6abb0c8 [chrome] - third_party/WebKit/Source/WebCore/platform/ScrollAnimator.cpp:149] WebCore::ScrollAnimator::notifyPositionChanged
0x7f32c707f848 [chrome] - third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:1637] WebCore::RenderLayer::scrollToOffset
0x7f32c6975b62 [chrome] - third_party/WebKit/Source/WebCore/html/TextFieldInputType.cpp:187] WebCore::TextFieldInputType::forwardEvent
0x7f32c692cf8b [chrome] - third_party/WebKit/Source/WebCore/html/HTMLInputElement.cpp:1164] WebCore::HTMLInputElement::defaultEventHandler
0x7f32c67e5657 [chrome] - third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:340] WebCore::EventDispatcher::dispatchEvent
0x7f32c67e30c5 [chrome] - third_party/WebKit/Source/WebCore/dom/EventDispatchMediator.cpp:51] WebCore::EventDispatchMediator::dispatchEvent
0x7f32c67e3147 [chrome] - third_party/WebKit/Source/WebCore/dom/EventDispatchMediator.cpp:85] WebCore::BlurEventDispatchMediator::dispatchEvent
0x7f32c67e4842 [chrome] - third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:128] WebCore::EventDispatcher::dispatchEvent
0x7f32c67a64e3 [chrome] - third_party/WebKit/Source/WebCore/dom/Node.cpp:2681] WebCore::Node::dispatchBlurEvent
0x7f32c69f358d [chrome] - third_party/WebKit/Source/WebCore/html/HTMLFormControlElement.cpp:502] WebCore::HTMLFormControlElement::dispatchBlurEvent
0x7f32c695aaef [chrome] - third_party/WebKit/Source/WebCore/html/HTMLTextFormControlElement.cpp:96] WebCore::HTMLTextFormControlElement::dispatchBlurEvent
0x7f32c6775dd1 [chrome] - third_party/WebKit/Source/WebCore/dom/Document.cpp:3777] WebCore::Document::setFocusedNode
0x7f32c67763d3 [chrome] - third_party/WebKit/Source/WebCore/dom/Document.cpp:3689] WebCore::Document::focusedNodeRemoved
0x7f32c6758711 [chrome] - third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:390] WebCore::ContainerNode::removeChild
0x7f32c6bb6d13 [chrome] - third_party/WebKit/Source/WebCore/bindings/v8/custom/V8NodeCustom.cpp:105] WebCore::V8Node::removeChildCallback
0x7f32c61bc2f1 [chrome] - v8/src/builtins.cc:1145] v8::internal::Builtin_HandleApiCall
0x21d19450618d
If the cursor position is at the beginning of the text, and so the text is left-aligned with the <input>, there is no crash.
Clicking OK (which blurs the <input> first) does not lead to this crash.
From doing a Chrome bisect, it starts to repro for me at 22.0.1229.60 (r150285), webkit roll: 124811:124835
Here are the webkit changes: http://trac.webkit.org/log/trunk/?rev=124835&stop_rev=124811&verbose=on&limit=10000. It seems to be related to http://trac.webkit.org/changeset/124489.
Unfortunately I have not been successful in creating a more minimal repro case. It's also the case that some people don't ever encounter it.
We have a workaround that we are pushing soon, basically setting the <input> to display:none on keydown if the key pressed is Enter. But it seems like this is a problem that can be encountered elsewhere on the web.
Here are some user complaints:
https://productforums.google.com/forum/?fromgroups=#!searchin/chrome/%22aw$20snap%22$20link/chrome/0Nbj6UpNhBo/CYlXymfdsoMJ
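The workaround the report describes (hiding the <input> on Enter before the dialog is torn down), as an added example that is not code from the bug report or from Google Docs. It also blurs the field first, an assumption drawn from the reporter's observation that the OK button, which blurs the <input> before removal, does not crash. The element shapes are assumptions: real DOM elements in a browser, and the minimal stand-ins defined below when run outside one.

```javascript
// Added example, not code from the bug report or from Google Docs.
// Neutralise the focused <input> before its dialog is removed from the DOM,
// so the blur that removeChild() forces on a focused node is never processed
// against a field that is hidden/scrolled mid-removal.

function isEnter(event) {
  // Modern browsers expose `key`; 2012-era code checked keyCode 13.
  return event.key === 'Enter' || event.keyCode === 13;
}

// Wire the handler. `onSubmit` receives the input's value once the dialog is
// gone. The ordering is the point: drop focus and hide the field while it is
// still attached, then remove the dialog, then act on the value.
function installEnterWorkaround(input, dialog, onSubmit) {
  input.addEventListener('keydown', function (event) {
    if (!isEnter(event)) return;
    event.preventDefault();
    const value = input.value;
    input.blur();                  // assumption: explicit blur, as the OK button does
    input.style.display = 'none';  // the reporter's workaround
    dialog.parentNode.removeChild(dialog);
    onSubmit(value);
  });
}

// Minimal stand-in for a DOM element so the example runs without a browser.
// `log` records the order in which focus and removal steps happen.
function makeFakeElement(log, name) {
  const listeners = {};
  return {
    name: name,
    value: '',
    style: { display: '' },
    parentNode: null,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type, event) { (listeners[type] || []).forEach(fn => fn(event)); },
    blur() { log.push(name + ':blur'); },
  };
}

// Constructed scenario: a dialog holding an <input> whose value is wider
// than the field, dismissed with Enter. Returns what happened, in order.
function simulateEnter() {
  const log = [];
  const container = {
    removeChild(child) { log.push('remove:' + child.name); child.parentNode = null; },
  };
  const dialog = makeFakeElement(log, 'dialog');
  dialog.parentNode = container;
  const input = makeFakeElement(log, 'input');
  input.value = 'https://example.invalid/a-very-long-url-that-overflows-the-field';
  let submitted = null;
  installEnterWorkaround(input, dialog, function (v) { submitted = v; });
  input.dispatch('keydown', { key: 'Enter', preventDefault() { log.push('preventDefault'); } });
  return { log: log, submitted: submitted, hidden: input.style.display === 'none' };
}
```

In a real page the same `installEnterWorkaround(inputElement, dialogElement, handler)` call is made once when the dialog is built; the stand-ins exist only so the ordering can be checked outside a browser.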