[Webkit-unassigned] [Bug 64282] New: addLayers, Element::recalcStyle, RenderObject::removeLayers infinite recursion

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 11 08:00:40 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=64282

           Summary: addLayers, Element::recalcStyle,
                    RenderObject::removeLayers infinite recursion
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: rniwa at webkit.org


Chromium: https://code.google.com/p/chromium/issues/detail?id=88924

Repro:
<body onload="go()"><pre style="word-wrap: break-word; white-space: pre-wrap;">x</pre></body>
<script>
  function go() {
    document.execCommand("SelectAll", false);
    document.designMode="on";
    document.execCommand("Underline");
    document.execCommand("InsertHorizontalRule", false);
    document.execCommand("InsertOrderedList");
    document.execCommand("insertimage", false);
    document.execCommand("insertimage", false);
    document.execCommand("JustifyRight");
    document.execCommand("InsertHorizontalRule", false);
    document.execCommand("SelectAll", false);
    document.execCommand("insertorderedlist", false);
  }
</script>

The repro will cause very deeply (infinitely?) nested tags. It's obvious that this should not happend. This deep nesting leads to stack overflow in one of these three locations:
http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp&q=RenderObject::removeLayers&exact_package=chromium&l=466

http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/dom/Element.cpp&q=Element::recalcStyle&exact_package=chromium&l=1176

http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp&q=addLayers&exact_package=chromium&l=442

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list