[Webkit-unassigned] [Bug 54730] New: chrome.dll!WebCore::findPlaceForCounter+1 RecursionSOV (a5da9b73c78c638758c4402f7beabe57)
bugzilla-daemon at webkit.org
Fri Feb 18 01:02:45 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=54730
Summary: chrome.dll!WebCore::findPlaceForCounter+1 RecursionSOV (a5da9b73c78c638758c4402f7beabe57)
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org
Created an attachment (id=82932)
--> (https://bugs.webkit.org/attachment.cgi?id=82932&action=review)
Repro
Chromium: http://code.google.com/p/chromium/issues/detail?id=73379
findPlaceForCounter & makeCounterNode can call each other recursively:
static bool findPlaceForCounter(RenderObject* counterOwner, const AtomicString& identifier, bool isReset, CounterNode*& parent, CounterNode*& previousSibling)
    <snip>
    RenderObject* currentRenderer = previousInPreOrder(counterOwner);
    previousSibling = 0;
    while (currentRenderer) {
        CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false);
        <snip>

static CounterNode* makeCounterNode(RenderObject* object, const AtomicString& identifier, bool alwaysCreateCounter)
    <snip>
    CounterNode* newParent = 0;
    CounterNode* newPreviousSibling = 0;
    RefPtr<CounterNode> newNode = CounterNode::create(object, isReset, value);
    if (findPlaceForCounter(object, identifier, isReset, newParent, newPreviousSibling))
    <snip>
id: chrome.dll!WebCore::findPlaceForCounter+1 RecursionSOV (a5da9b73c78c638758c4402f7beabe57)
description: Recursive function calls in chrome.dll!WebCore::findPlaceForCounter and chrome.dll!WebCore::makeCounterNode: 9205 loops
application: Chromium 11.0.671.0
Repro:
<html>
<head>
<script>
function go() {
document.write('x<dd><strike style="counter-increment:r"></dd>x');
document.open();
}
</script>
</head>
<body onload="go()"></body>
</html>
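The following is an added illustration and is not code from the report, from WebCore, or from the eventual WebKit fix. It models the mutual recursion quoted above with a constructed chain of renderers (names such as CounterChain, placeCounter and makeCounter are invented for the model): placing the counter for the last renderer re-enters placement for every earlier renderer, so the stack depth grows with document length, which is how a long enough document exhausts the native stack. A second variant shows the defensive pattern of a depth budget that reports failure instead of overflowing; the budget value and the fallback behaviour are assumptions, not what WebKit does.

```cpp
// Added illustration (not WebCore code): mutual recursion whose depth grows with
// the number of preceding renderers, plus a depth-budgeted variant that fails closed.
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed model: renderers 0..n-1 in pre-order, each may own one counter node.
struct CounterChain {
    std::vector<bool> placed;   // counter node already created for renderer i?
    std::size_t depth = 0;      // current nesting of placeCounter frames
    std::size_t maxDepth = 0;   // deepest nesting observed
    explicit CounterChain(std::size_t n) : placed(n, false) {}
};

// RAII helper that tracks the nesting depth of placeCounter frames.
struct DepthScope {
    CounterChain& chain;
    explicit DepthScope(CounterChain& c) : chain(c) {
        ++chain.depth;
        if (chain.depth > chain.maxDepth) chain.maxDepth = chain.depth;
    }
    ~DepthScope() { --chain.depth; }
};

static void placeCounter(CounterChain& c, std::size_t i);

// makeCounterNode analogue: create the node for renderer j unless one exists
// (alwaysCreateCounter == false), then ask placeCounter where it belongs.
static void makeCounter(CounterChain& c, std::size_t j) {
    if (c.placed[j]) return;
    c.placed[j] = true;
    placeCounter(c, j);   // the recursive edge quoted in the report
}

// findPlaceForCounter analogue: walk every renderer before i in reverse
// pre-order and make sure each has a node, which re-enters placeCounter for it.
static void placeCounter(CounterChain& c, std::size_t i) {
    DepthScope scope(c);
    for (std::size_t j = i; j-- > 0;)
        makeCounter(c, j);
}

// Deepest nesting reached when the last renderer of an n-renderer chain is
// processed on a fresh chain: it equals n, i.e. one frame per preceding renderer.
std::size_t depthForChain(std::size_t n) {
    CounterChain c(n);
    placeCounter(c, n - 1);
    return c.maxDepth;
}

// Mitigation sketch (assumption, not WebKit's fix): the same walk with a frame
// budget. Placement reports failure once the budget is spent, so the caller can
// degrade (for example, leave the counter unplaced) instead of crashing.
static bool placeCounterBounded(CounterChain& c, std::size_t i, std::size_t budget);

static bool makeCounterBounded(CounterChain& c, std::size_t j, std::size_t budget) {
    if (c.placed[j]) return true;
    c.placed[j] = true;
    return placeCounterBounded(c, j, budget);
}

static bool placeCounterBounded(CounterChain& c, std::size_t i, std::size_t budget) {
    DepthScope scope(c);
    if (c.depth > budget) return false;   // fail closed rather than overflow the stack
    for (std::size_t j = i; j-- > 0;)
        if (!makeCounterBounded(c, j, budget)) return false;
    return true;
}

// True when placing the last renderer of an n-renderer chain fits in the budget.
bool placeWithinBudget(std::size_t n, std::size_t budget) {
    CounterChain c(n);
    return placeCounterBounded(c, n - 1, budget);
}

int main() {
    std::printf("chain of 500 renderers nests %zu frames deep\n", depthForChain(500));
    std::printf("budget 200 on 500 renderers: %s\n",
                placeWithinBudget(500, 200) ? "placed" : "refused");
    return 0;
}
```

The unbounded variant is where a document like the repro ends up: each counter placement descends one frame per earlier renderer, and nothing in the walk caps that depth. Whatever the real fix looks like, a practitioner reviewing this kind of code would look for the same two properties, a bound on nesting that is independent of input size and a failure path that does not take the process down.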