[Webkit-unassigned] [Bug 136944] New: Crash in WebCore::RenderGrid::populateExplicitGridAndOrderIterator when trying to allocate huge vector

bugzilla-daemon at webkit.org
Fri Sep 19 01:52:41 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=136944

           Summary: Crash in WebCore::RenderGrid::populateExplicitGridAndOrderIterator
                    when trying to allocate huge vector
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rhodovan.u-szeged at partner.samsung.com
                CC: svillar at igalia.com, rego at igalia.com,
                    jfernandez at igalia.com
            Blocks: 116980


Created an attachment (id=238358)
 --> (https://bugs.webkit.org/attachment.cgi?id=238358&action=review)
Test case

The failing test:

<!DOCTYPE html>
<!-- every element becomes an inline grid whose row start lies far beyond any plausible track count -->
<style>
* {
    display: -webkit-inline-grid;
    -webkit-grid-row-start: 87500000000;
}
</style>

This is probably the same issue as http://crbug.com/402006.


The backtrace:


0x00007fffedbf5e7f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
329        *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fffedbf5e7f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
#1  0x00007ffff3a01336 in WTF::VectorBufferBase<WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow> >::allocateBuffer (this=0x8a1978, newCapacity=0x7fffffff) at ../../Source/WTF/wtf/Vector.h:262
#2  0x00007ffff3a00d29 in WTF::Vector<WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>::reserveCapacity (this=0x8a1978, newCapacity=0x7fffffff) at ../../Source/WTF/wtf/Vector.h:967
#3  0x00007ffff39ff96c in WTF::Vector<WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>::expandCapacity (this=0x8a1978, newMinCapacity=0x7fffffff) at ../../Source/WTF/wtf/Vector.h:877
#4  0x00007ffff39fe3c4 in WTF::Vector<WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>::grow (this=0x8a1978, size=0x7fffffff) at ../../Source/WTF/wtf/Vector.h:954
#5  0x00007ffff39fa319 in WebCore::RenderGrid::populateExplicitGridAndOrderIterator (this=0x8a18e0) at ../../Source/WebCore/rendering/RenderGrid.cpp:730
#6  0x00007ffff39f9bff in WebCore::RenderGrid::placeItemsOnGrid (this=0x8a18e0) at ../../Source/WebCore/rendering/RenderGrid.cpp:664
#7  0x00007ffff39faf6a in WebCore::RenderGrid::layoutGridItems (this=0x8a18e0) at ../../Source/WebCore/rendering/RenderGrid.cpp:845
#8  0x00007ffff39f7258 in WebCore::RenderGrid::layoutBlock (this=0x8a18e0, relayoutChildren=0x0) at ../../Source/WebCore/rendering/RenderGrid.cpp:218
#9  0x00007ffff391540f in WebCore::RenderBlock::layout (this=0x8a18e0) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#10 0x00007ffff3941312 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7df8b0, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:712
#11 0x00007ffff3940e33 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7df8b0, relayoutChildren=0x1, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:633
#12 0x00007ffff3940250 in WebCore::RenderBlockFlow::layoutBlock (this=0x7df8b0, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:486
#13 0x00007ffff391540f in WebCore::RenderBlock::layout (this=0x7df8b0) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#14 0x00007ffff3b0a689 in WebCore::RenderView::layoutContent (this=0x7df8b0, state=...) at ../../Source/WebCore/rendering/RenderView.cpp:230
#15 0x00007ffff3b0ad59 in WebCore::RenderView::layout (this=0x7df8b0) at ../../Source/WebCore/rendering/RenderView.cpp:355
#16 0x00007ffff368536f in WebCore::FrameView::layout (this=0x8a0a20, allowSubtree=0x1) at ../../Source/WebCore/page/FrameView.cpp:1301
#17 0x00007ffff3053485 in WebCore::Document::implicitClose (this=0x80e840) at ../../Source/WebCore/dom/Document.cpp:2440
#18 0x00007ffff35339c3 in WebCore::FrameLoader::checkCallImplicitClose (this=0x98f538) at ../../Source/WebCore/loader/FrameLoader.cpp:898
#19 0x00007ffff353372b in WebCore::FrameLoader::checkCompleted (this=0x98f538) at ../../Source/WebCore/loader/FrameLoader.cpp:844
#20 0x00007ffff3533494 in WebCore::FrameLoader::finishedParsing (this=0x98f538) at ../../Source/WebCore/loader/FrameLoader.cpp:764
#21 0x00007ffff305bf07 in WebCore::Document::finishedParsing (this=0x80e840) at ../../Source/WebCore/dom/Document.cpp:4523
#22 0x00007ffff33b00f5 in WebCore::HTMLConstructionSite::finishedParsing (this=0xa1fc88) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:395
#23 0x00007ffff33edd8d in WebCore::HTMLTreeBuilder::finished (this=0xa1fc70) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2997
#24 0x00007ffff33b8c56 in WebCore::HTMLDocumentParser::end (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:451
#25 0x00007ffff33b8d41 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
#26 0x00007ffff33b76f7 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
#27 0x00007ffff33b8d84 in WebCore::HTMLDocumentParser::attemptToEnd (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:474
#28 0x00007ffff33b8e3b in WebCore::HTMLDocumentParser::finish (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:502
#29 0x00007ffff3525131 in WebCore::DocumentWriter::end (this=0x7b3120) at ../../Source/WebCore/loader/DocumentWriter.cpp:246
#30 0x00007ffff35107e9 in WebCore::DocumentLoader::finishedLoading (this=0x7b3080, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441
#31 0x00007ffff3510552 in WebCore::DocumentLoader::notifyFinished (this=0x7b3080, resource=0x91e7c0) at ../../Source/WebCore/loader/DocumentLoader.cpp:375
#32 0x00007ffff35c7814 in WebCore::CachedResource::checkNotify (this=0x91e7c0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:347
#33 0x00007ffff35c791e in WebCore::CachedResource::finishLoading (this=0x91e7c0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:363
#34 0x00007ffff35c41ac in WebCore::CachedRawResource::finishLoading (this=0x91e7c0, data=0x9beda0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:101
#35 0x00007ffff3573a3a in WebCore::SubresourceLoader::didFinishLoading (this=0x91ed20, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:306
#36 0x00007ffff356f75f in WebCore::ResourceLoader::didFinishLoading (this=0x91ed20, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:512
#37 0x00007ffff3edb101 in WebCore::readCallback (asyncResult=0x7e91a0, data=0x85e960) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302
#38 0x00007fffebaf12ea in async_ready_callback_wrapper (source_object=0x98cb30, res=0x7e91a0, user_data=0x85e960) at ginputstream.c:519
#39 0x00007fffebb10ceb in g_task_return_now (task=0x7e91a0) at gtask.c:1108
#40 0x00007fffebb10d09 in complete_in_idle_cb (task=0x7e91a0) at gtask.c:1117
#41 0x00007fffead672e6 in g_main_dispatch (context=0x677bb0) at gmain.c:3065
#42 g_main_context_dispatch (context=context at entry=0x677bb0) at gmain.c:3641
#43 0x00007fffead67638 in g_main_context_iterate (context=0x677bb0, block=block at entry=0x1, dispatch=dispatch at entry=0x1, self=<optimized out>) at gmain.c:3712
#44 0x00007fffead67a3a in g_main_loop_run (loop=0x6f42e0) at gmain.c:3906
#45 0x00007ffff45cf042 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#46 0x00007ffff2b0b624 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=0x2, argv=0x7fffffffd9b8) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#47 0x00007ffff2b0b489 in WebKit::WebProcessMainUnix (argc=0x2, argv=0x7fffffffd9b8) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#48 0x000000000040080d in main (argc=0x2, argv=0x7fffffffd9b8) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32
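The sizing step that frame #5 performs, sketched as an added example (this is not WebKit's code and not the fix for this bug; the type and function names and the cap kMaxTracksPerAxis are assumptions made for the example): the style-supplied line number is clamped to an engine-chosen maximum before it is used to size the explicit grid, so a page-author value such as 87500000000 cannot become a Vector::grow request for 0x7fffffff elements. The CrashOnOverflow policy in the trace is already the safe failure (a deterministic crash rather than a wrong-sized buffer); bounding the input earlier also removes the denial of service.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Illustrative cap on explicit tracks per axis. This constant and the names
// below are assumptions for the example; the page does not state what limit,
// if any, the engine applies.
constexpr int64_t kMaxTracksPerAxis = 1000000;

// Line numbers as they come out of style, 1-based like grid-row-start.
// rowEnd == 0 stands for "auto" (the item spans a single track).
struct GridItemLines {
    int64_t rowStart;
    int64_t rowEnd;
};

// Resolve an item's lines to a bounded half-open track span [start, end):
// start is clamped into [1, maxTracks] and end into [start + 1, maxTracks + 1],
// so the largest track index an item can touch is fixed before any storage is
// sized from it. A value like 87500000000 lands on the last allowed track
// instead of driving Vector::grow to 0x7fffffff entries.
std::pair<int64_t, int64_t> resolveRowSpan(const GridItemLines& item, int64_t maxTracks = kMaxTracksPerAxis)
{
    int64_t start = std::min(std::max<int64_t>(item.rowStart, 1), maxTracks);
    int64_t end = std::min(std::max<int64_t>(item.rowEnd, start + 1), maxTracks + 1);
    return {start, end};
}

// Number of explicit row tracks needed to hold every item after clamping.
// The result never exceeds maxTracks, so the allocation below is bounded by a
// constant the engine chose rather than by a value the page author chose.
size_t rowTracksNeeded(const std::vector<GridItemLines>& items, int64_t maxTracks = kMaxTracksPerAxis)
{
    int64_t needed = 0;
    for (const auto& item : items)
        needed = std::max(needed, resolveRowSpan(item, maxTracks).second - 1);
    return static_cast<size_t>(needed);
}

struct ExplicitGrid {
    // rows[i] lists the ids (indices into the item list) occupying track i + 1.
    std::vector<std::vector<int>> rows;
};

// Size the grid storage from the bounded track count, then place each item.
ExplicitGrid buildExplicitGrid(const std::vector<GridItemLines>& items, int64_t maxTracks = kMaxTracksPerAxis)
{
    ExplicitGrid grid;
    grid.rows.resize(rowTracksNeeded(items, maxTracks));
    for (size_t id = 0; id < items.size(); ++id) {
        std::pair<int64_t, int64_t> span = resolveRowSpan(items[id], maxTracks);
        for (int64_t track = span.first; track < span.second; ++track)
            grid.rows[static_cast<size_t>(track - 1)].push_back(static_cast<int>(id));
    }
    return grid;
}

int main()
{
    // Constructed input mirroring the report's test case: one item whose
    // grid-row-start is 87500000000 and whose row end is auto.
    std::vector<GridItemLines> items = { { 87500000000LL, 0 } };
    ExplicitGrid grid = buildExplicitGrid(items);
    std::printf("rows allocated: %zu (cap %lld)\n", grid.rows.size(),
                static_cast<long long>(kMaxTracksPerAxis));
    return 0;
}
```

The clamp happens in resolveRowSpan, before rowTracksNeeded ever looks at the numbers, which is the property worth checking in review: no code path between "value read from style" and "container resized" exists where the raw value is still in play.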

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.


