[Webkit-unassigned] [Bug 12066] New: Crash due to runaway mutual recursion when fieldset has display: table-row

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 1 23:50:26 PST 2007 

http://bugs.webkit.org/show_bug.cgi?id=12066

           Summary: Crash due to runaway mutual recursion when fieldset has
                    display: table-row
           Product: WebKit
           Version: 420+ (nightly)
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: NEW
          Keywords: HasReduction
          Severity: Major
          Priority: P1
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: bdash at webkit.org


<html>
<head>
    <title>Test HTML Page</title>
    <style type="text/css">
        fieldset { display: table-row; }
    </style>
</head>
<body>
    <fieldset>fieldset</fieldset>
</body>
</html>


results in a crash after quite some delay:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbf7fff7c
0x9000297e in szone_malloc ()
(gdb) bt
#0  0x9000297e in szone_malloc ()
#1  0x9000268f in malloc ()
#2  0x005293ef in WTF::fastMalloc (n=256) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/JavaScriptCore/wtf/FastMalloc.cpp:87
#3  0x01515f86 in WTF::VectorBuffer<WebCore::RenderTableSection::RowStruct,
0ul>::allocateBuffer (this=0x1dbdcd90, newCapacity=16) at Vector.h:248
#4  0x015161a0 in WTF::Vector<WebCore::RenderTableSection::RowStruct,
0ul>::reserveCapacity (this=0x1dbdcd8c, newCapacity=16) at Vector.h:574
#5  0x01516234 in WTF::Vector<WebCore::RenderTableSection::RowStruct,
0ul>::expandCapacity (this=0x1dbdcd8c, newMinCapacity=1) at Vector.h:531
#6  0x015162a5 in WTF::Vector<WebCore::RenderTableSection::RowStruct,
0ul>::resize (this=0x1dbdcd8c, size=1) at Vector.h:560
#7  0x011b1618 in WebCore::RenderTableSection::ensureRows (this=0x1dbdcd2c,
numRows=1) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:154
#8  0x011b20ae in WebCore::RenderTableSection::addChild (this=0x1dbdcd2c,
child=0x1dbdce3c, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:131
#9  0x011b203d in WebCore::RenderTableSection::addChild (this=0x1dbdcd2c,
child=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:120
#10 0x011ac6a2 in WebCore::RenderTable::addChild (this=0x1dbdcaec,
child=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTable.cpp:200
#11 0x011686a5 in WebCore::RenderContainer::addChild (this=0x1dbdca1c,
newChild=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderContainer.cpp:148
#12 0x0114c25f in WebCore::RenderBlock::addChildToFlow (this=0x1dbdca1c,
newChild=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:206
#13 0x0116d420 in WebCore::RenderFlow::addChild (this=0x1dbdca1c,
newChild=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderFlow.cpp:112
#14 0x011b2f6b in WebCore::RenderTableRow::addChild (this=0x1dbdc75c,
child=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableRow.cpp:93
#15 0x011b205e in WebCore::RenderTableSection::addChild (this=0x1dbdc64c,
child=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:121
#16 0x011ac6a2 in WebCore::RenderTable::addChild (this=0x1dbdc40c,
child=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTable.cpp:200
#17 0x011686a5 in WebCore::RenderContainer::addChild (this=0x1dbdc2dc,
newChild=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderContainer.cpp:148
#18 0x0114c25f in WebCore::RenderBlock::addChildToFlow (this=0x1dbdc2dc,
newChild=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:206
#19 0x0116d420 in WebCore::RenderFlow::addChild (this=0x1dbdc2dc,
newChild=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderFlow.cpp:112
#20 0x011b2f6b in WebCore::RenderTableRow::addChild (this=0x1dbdc07c,
child=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableRow.cpp:93
#21 0x011b205e in WebCore::RenderTableSection::addChild (this=0x1dbdbf6c,
child=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:121
#22 0x011ac6a2 in WebCore::RenderTable::addChild (this=0x1dbdbd2c,
child=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTable.cpp:200
#23 0x011686a5 in WebCore::RenderContainer::addChild (this=0x1dbdbbfc,
newChild=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderContainer.cpp:148
#24 0x0114c25f in WebCore::RenderBlock::addChildToFlow (this=0x1dbdbbfc,
newChild=0x189386ac, beforeChild=0x0) at
/Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:206

[and so on for many thousand frames]


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list