[Webkit-unassigned] [Bug 61055] chrome.dll!WebCore::RenderInline::addFocusRingRects OOM (7176a6f69e3fa63b4b743761cb216707)
bugzilla-daemon at webkit.org
Wed May 18 08:38:35 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=61055
--- Comment #1 from Berend-Jan Wever <skylined at chromium.org> 2011-05-18 08:38:35 PST ---
Here's a variation that causes chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads to use a lot of memory, but not as much as the previous one, and without a loop. On systems with sufficient RAM, this will not cause a crash. In low-memory situations, it will:
Repro:
<script>
function f() {
    document.designMode="on";
    document.execCommand("SelectAll", false);
    document.execCommand("Underline");
    document.execCommand("InsertHorizontalRule", false);
    document.execCommand("InsertUnorderedList", false);
    document.execCommand("insertunorderedlist");
    document.execCommand("undo");
    document.execCommand("inserthorizontalrule", false);
    document.execCommand("InsertOrderedList");
    document.execCommand("InsertOrderedList", false);
    document.execCommand("selectall");
    document.execCommand("insertimage", false);
    document.execCommand("outdent", false);
    document.execCommand("insertparagraph");
    document.execCommand("SelectAll", false);
    document.execCommand("removeformat", false);
    document.execCommand("insertimage", false);
    document.execCommand("insertorderedlist", false);
}
</script>
<body onload="f()"><pre>x</pre></body>
id: chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads OOM (df4e2984520457194fecc131e9fbd804)
description: Cannot allocate enough memory in chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads
stack:
    chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads
    chrome.dll!WebCore::AccessibilityRenderObject::boundingBoxRect
    chrome.dll!WebKit::WebAccessibilityObject::boundingBoxRect
    chrome.dll!webkit_glue::WebAccessibility::Init
    chrome.dll!webkit_glue::WebAccessibility::WebAccessibility
    chrome.dll!webkit_glue::WebAccessibility::Init
    chrome.dll!webkit_glue::WebAccessibility::WebAccessibility
    chrome.dll!RenderView::SendPendingAccessibilityNotifications
    chrome.dll!`anonymous namespace'::TaskClosureAdapter::Run
    chrome.dll!MessageLoop::RunTask
    chrome.dll!MessageLoop::DoWork
    chrome.dll!base::MessagePumpDefault::Run
    chrome.dll!MessageLoop::RunInternal
    chrome.dll!MessageLoop::Run
    chrome.dll!RendererMain
    chrome.dll!`anonymous namespace'::RunNamedProcessTypeMain
    chrome.dll!ChromeMain
    chrome.exe!MainDllLoader::Launch
    chrome.exe!wWinMain
    chrome.exe!__tmainCRTStartup
    kernel32.dll!BaseProcessStart
Source:
void RenderObject::absoluteFocusRingQuads(Vector<FloatQuad>& quads)
{
    Vector<IntRect> rects;
    // FIXME: addFocusRingRects() needs to be passed this transform-unaware
    // localToAbsolute() offset here because RenderInline::addFocusRingRects()
    // implicitly assumes that. This doesn't work correctly with transformed
    // descendants.
    FloatPoint absolutePoint = localToAbsolute();
    addFocusRingRects(rects, absolutePoint.x(), absolutePoint.y());
    size_t count = rects.size();
    for (size_t i = 0; i < count; ++i) {
        IntRect rect = rects[i];
        rect.move(-absolutePoint.x(), -absolutePoint.y());
        quads.append(localToAbsoluteQuad(FloatQuad(rect)));
    }
}
I'm assuming "count" gets very large, which causes the large allocation.