[Webkit-unassigned] [Bug 30898] Browser crash by deeply nested elements
bugzilla-daemon at webkit.org
Mon Nov 9 19:49:10 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=30898
TAMURA, Kent <tkent at chromium.org> changed:
           What    |Removed        |Added
----------------------------------------------------------------------------
           Platform|PC             |All
         OS/Version|Windows Vista  |All
--- Comment #4 from TAMURA, Kent <tkent at chromium.org> 2009-11-09 19:49:09 PDT ---
As for http://fs.org.ua/oops.svg:
This crashes Safari and Chromium only on Windows.
The data is 33,000 nested <a> elements.
It's a stack overflow at verticalPosition() and verticalPositionFromCache().
I confirmed this was solved by increasing the stack size.
chrome_62f30000!WebCore::RenderObject::isInline(void)+0x3
chrome_62f30000!WebCore::RenderBoxModelObject::verticalPosition(bool firstLine = false)+0x24
chrome_62f30000!WebCore::RenderInline::verticalPositionFromCache(bool firstLine = false)+0x5b
chrome_62f30000!WebCore::RenderBoxModelObject::verticalPosition(bool firstLine = false)+0x13b
chrome_62f30000!WebCore::RenderInline::verticalPositionFromCache(bool firstLine = false)+0x5b
chrome_62f30000!WebCore::RenderBoxModelObject::verticalPosition(bool firstLine = false)+0x13b
chrome_62f30000!WebCore::RenderInline::verticalPositionFromCache(bool firstLine = false)+0x5b
chrome_62f30000!WebCore::RenderBoxModelObject::verticalPosition(bool firstLine = false)+0x13b
chrome_62f30000!WebCore::RenderInline::verticalPositionFromCache(bool firstLine = false)+0x5b
chrome_62f30000!WebCore::RenderBoxModelObject::verticalPosition(bool firstLine = false)+0x13b
chrome_62f30000!WebCore::RenderInline::verticalPositionFromCache(bool firstLine = false)+0x5b
As for the attached HTML:
This crashes Safari not only on Windows but also on Mac OS.
The data is 33,000 nested DIV elements.
It seems to be a stack overflow at layout() / layoutBlock() / layoutBlockChildren().
0   com.apple.WebCore   0x90beea5c WebCore::RenderBlock::layoutBlock(bool) + 12
1   com.apple.WebCore   0x90beea18 WebCore::RenderBlock::layout() + 40
2   com.apple.WebCore   0x90bf0744 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 932
3   com.apple.WebCore   0x90bef28d WebCore::RenderBlock::layoutBlock(bool) + 2109
4   com.apple.WebCore   0x90beea18 WebCore::RenderBlock::layout() + 40
5   com.apple.WebCore   0x90bf0744 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 932
6   com.apple.WebCore   0x90bef28d WebCore::RenderBlock::layoutBlock(bool) + 2109
7   com.apple.WebCore   0x90beea18 WebCore::RenderBlock::layout() + 40
8   com.apple.WebCore   0x90bf0744 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 932
9   com.apple.WebCore   0x90bef28d WebCore::RenderBlock::layoutBlock(bool) + 2109
10  com.apple.WebCore   0x90beea18 WebCore::RenderBlock::layout() + 40
11  com.apple.WebCore   0x90bf0744 WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 932
12  com.apple.WebCore   0x90bef28d WebCore::RenderBlock::layoutBlock(bool) + 2109
13  com.apple.WebCore   0x90beea18 WebCore::RenderBlock::layout() + 40