[Webkit-unassigned] [Bug 15054] New: Divide by 0 in AutoTableLayout::layout

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 22 16:54:53 PDT 2007 

http://bugs.webkit.org/show_bug.cgi?id=15054

           Summary: Divide by 0 in AutoTableLayout::layout
           Product: WebKit
           Version: 522+ (nightly)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Tables
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: marv.decker at gmail.com


This is based on a crash dump, so I don't have repro steps. However, it looks
like the code can produce divide by 0. Here's the code in question:

    // spread over the rest
    if (available > 0 && nEffCols > numAutoEmptyCellsOnly) {
        int total = nEffCols - numAutoEmptyCellsOnly;
        // still have some width to spread
        int i = nEffCols;
        while (i--) {
            // variable columns with empty cells only don't get any width
            if (m_layoutStruct[i].width.isAuto() &&
                    m_layoutStruct[i].emptyCellsOnly)
                continue;
            int w = available / total;  <<<< divide by 0
            available -= w;
            total--;
            m_layoutStruct[i].calcWidth += w;
        }
    }

The crash/divide by 0 is in "int w = available / total;"

It looks like this crash will occur any time
  available > 0, nEffCols > numAutoEmptyCellsOnly, and
  numAutoEmptyCellsOnly > 0 and nEffCols > numAutoEmptyCellsOnly + 1
It appears that the common case is numAutoEmptyCellsOnly is 0, I did not see
any other value in my testing, and I don't know how to get this value to be
different. Maybe somebody familiar with table layout can produce a testcase.

For example, if nEffCols = 3, numAutoEmptyCellsOnly = 1:
We will get:
  i = 3
  total = 2
The first time through the loop:
  i will be changed from 3 to 2
  total --    means total = 1
The second time through the loop:
  i will be changed from 2 to 1
  total -- means total = 0
The third time through the loop:
  i will be changed from 1 to 0
  w = available / total -> DIVIDE BY 0


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list