[Webkit-unassigned] [Bug 33075] New: WebCore::RenderInline::mapLocalToContainer RecursionSOV (f6a51883f6be6a6c0fca30ae47a1b115)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Dec 31 00:42:24 PST 2009 

https://bugs.webkit.org/show_bug.cgi?id=33075

           Summary: WebCore::RenderInline::mapLocalToContainer
                    RecursionSOV (f6a51883f6be6a6c0fca30ae47a1b115)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


execCommand can be used to trigger infinite recursion. I'm having the repro
reduced to workable size and will add it when it's done. The problem is obvious
from the source code though; below is the vulnerable function, which calls
itself on the last line. Once the repro is reduced, I should be able to show
you how to trigger it.

void RenderInline::mapLocalToContainer(RenderBoxModelObject* repaintContainer,
bool fixed, bool useTransforms, TransformState& transformState) const
{
    if (repaintContainer == this)
        return;

    if (RenderView *v = view()) {
        if (v->layoutStateEnabled() && !repaintContainer) {
            LayoutState* layoutState = v->layoutState();
            IntSize offset = layoutState->m_offset;
            if (style()->position() == RelativePosition && layer())
                offset += layer()->relativePositionOffset();
            transformState.move(offset);
            return;
        }
    }

    bool containerSkipped;
    RenderObject* o = container(repaintContainer, &containerSkipped);
    if (!o)
        return;

    IntSize containerOffset = offsetFromContainer(o);

    bool preserve3D = useTransforms && (o->style()->preserves3D() ||
style()->preserves3D());
    if (useTransforms && shouldUseTransformFromContainer(o)) {
        TransformationMatrix t;
        getTransformFromContainer(o, containerOffset, t);
        transformState.applyTransform(t, preserve3D ?
TransformState::AccumulateTransform : TransformState::FlattenTransform);
    } else
        transformState.move(containerOffset.width(), containerOffset.height(),
preserve3D ? TransformState::AccumulateTransform :
TransformState::FlattenTransform);

    if (containerSkipped) {
        // There can't be a transform between repaintContainer and o, because
transforms create containers, so it should be safe
        // to just subtract the delta between the repaintContainer and o.
        IntSize containerOffset =
repaintContainer->offsetFromAncestorContainer(o);
        transformState.move(-containerOffset.width(),
-containerOffset.height(), preserve3D ? TransformState::AccumulateTransform :
TransformState::FlattenTransform);
        return;
    }

    o->mapLocalToContainer(repaintContainer, fixed, useTransforms,
transformState);
}

Id:          WebCore::RenderInline::mapLocalToContainer RecursionSOV
(f6a51883f6be6a6c0fca30ae47a1b115)
Description: Recursive function call in
WebCore::RenderInline::mapLocalToContainer
Stack:
  WebCore::RenderInline::mapLocalToContainer
  WebCore::RenderInline::mapLocalToContainer
  <snip>
  WebCore::RenderInline::mapLocalToContainer
  WebCore::RenderObject::mapLocalToContainer
  WebCore::RenderObject::localToAbsolute
  WebCore::VisiblePosition::xOffsetForVerticalNavigation
  WebCore::SelectionController::modify
  WebCore::TypingCommand::forwardDeleteKeyPressed
  WebCore::TypingCommand::doApply
  WebCore::EditCommand::apply
  WebCore::TypingCommand::forwardDeleteKeyPressed
  WebCore::executeForwardDelete
  WebCore::Editor::Command::execute
  WebCore::Document::execCommand
  WebCore::DocumentInternal::execCommandCallback
  v8::internal::Builtin_HandleApiCall
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  WebCore::V8Proxy::runScript
  WebCore::V8Proxy::evaluate
  WebCore::ScriptController::evaluate
  WebCore::ScriptController::executeScript
  WebCore::ScriptController::executeScript
  WebCore::ScriptController::executeIfJavaScriptURL
  WebCore::FrameLoader::changeLocation
  WebCore::RedirectScheduler::timerFired
  WebCore::Timer<...>::fired
  WebCore::ThreadTimers::sharedTimerFiredInternal
  MessageLoop::RunTask
  MessageLoop::DoWork
  base::MessagePumpDefault::Run
  MessageLoop::RunInternal
  MessageLoop::Run
  RendererMain

Event details

Processes    
   0    id: f14 create  name: chrome.exe
.  1    id: 61c child   name: chrome.exe
Current process:
0n1564 C:\chromium-latest\chrome.exe
       Session: 0  User: VM3-XP32SP3-CJ\SkyLined  Command Line:
"C:\chromium-latest\chrome.exe" --type=renderer --no-sandbox
--js-flags=--expose-gc --lang=en-US
--force-fieldtest=DnsImpact/_max_2s_queue_prefetch/GlobalSdch/_global_enable_sdch/SocketLateBinding/_enable_late_binding/
--channel=3860.01052700.306296198
Threads    
. 12  Id: 61c.a84 Suspend: 1 Teb: 7ffdf000 Unfrozen "Main Thread"
  13  Id: 61c.fa0 Suspend: 1 Teb: 7ffde000 Unfrozen
  14  Id: 61c.c18 Suspend: 1 Teb: 7ffdd000 Unfrozen "Chrome_ChildIOThread"
  15  Id: 61c.964 Suspend: 1 Teb: 7ffdc000 Unfrozen
ExceptionAddress    02114d49
(chrome_1c30000!WebCore::RenderInline::mapLocalToContainer+0x00000009)
ExceptionCode    c00000fd (Stack overflow)
ExceptionFlags    00000000
NumberParameters    2
Parameter[0]    00000001
Parameter[1]    00032fd8

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list