[Webkit-unassigned] [Bug 74855] New: chrome.dll!WebCore::RenderBlock::layout+3 RecursionSOV (778c8b32c6289e0e4786686a99048cba)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 19 05:39:06 PST 2011 

https://bugs.webkit.org/show_bug.cgi?id=74855

           Summary: chrome.dll!WebCore::RenderBlock::layout+3 RecursionSOV
                    (778c8b32c6289e0e4786686a99048cba)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: rniwa at webkit.org


Created an attachment (id=119851)
 --> (https://bugs.webkit.org/attachment.cgi?id=119851&action=review)
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=108054
<html>
  <head>
    <style>
      * {
        position: absolute;
      }
    </style>
    <script>
      window.onload = function() {
        document.designMode="on";
        document.execCommand("selectall");
        document.execCommand("insertparagraph");
        document.execCommand("insertimage");
        document.execCommand("selectall");
        document.execCommand("strikethrough");
        document.execCommand("InsertNewlineInQuotedContent");
        document.execCommand("InsertHorizontalRule");
        // The following line can be removed, in which case the repro only
        // consumes CPU exponentially, but does not trigger a stack exhaustion.
        document.execCommand("InsertOrderedList");
        // Things start to get exponentially slower from here on until we hit
        // a stack exhaustion after only a few executions:
        var i = 0;
        while (1) {
          var iStartTime = new Date().valueOf();
          document.execCommand("insertunorderedlist");
          var nTime = (new Date().valueOf() - iStartTime) / 1000;
          document.title = ('Loop #' + ++i + ' took ' + nTime + ' seconds.');
        }
      };
    </script>
  </head>
  <body>
    x
  </body>
</html>

Loop run time seems to increase exponentially. The repro as-is results in a stack overflow after about 10 loops for me. Remove one line (mentioned in the repro) and  it will not crash, but only consume CPU.

There seem to be two loops involved, the first is seen a few tens of times at the top of the stack, the later is seen a few thousand times below it on the stack (and probably the true cause):
                  chrome.dll!WebCore::RenderBlock::layoutBlock
                  chrome.dll!WebCore::RenderBlock::layout
                  chrome.dll!WebCore::RenderBlock::layoutPositionedObjects

                  chrome.dll!WebCore::RenderBlock::simplifiedLayout
                  chrome.dll!WebCore::RenderBlock::layoutBlock
                  chrome.dll!WebCore::RenderBlock::layout
                  chrome.dll!WebCore::RenderBlock::layoutPositionedObjects

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list