54734 2011-02-18 02:10:11 -0800 chrome.dll!WebCore..ApplyStyleCommand..pushDownInlineStyleAroundNode OOM (93871a71195a4feb563917607f83aaa6) 2011-03-28 04:02:25 -0700 1 1 1 Unclassified WebKit HTML Editing 528+ (Nightly build) PC Windows Vista NEW P1 Normal --- 1 skylined webkit-unassigned rniwa oldest_to_newest 353490 0 82936 skylined 2011-02-18 02:10:11 -0800 Created attachment 82936 Repro Chromium: http://code.google.com/p/chromium/issues/detail?id=73384 It appears that ApplyStyleCommand::pushDownInlineStyleAroundNode can go into an infinite loop and push elements into a Vector until all memory is consumed: http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/editing/ApplyStyleCommand.cpp&q=pushDownInlineStyleAroundNode&exact_package=chromium&sa=N&cd=1&ct=rc&l=1420 void ApplyStyleCommand::pushDownInlineStyleAroundNode(CSSMutableStyleDeclaration* style, Node* targetNode) { <snip> Vector<RefPtr<Element> > elementsToPushDown; while (current != targetNode) { // BJW: This can be an infinite loop <snip> if (current->isStyledElement() && isStyledInlineElementToRemove(static_cast<Element*>(current))) { styledElement = static_cast<StyledElement*>(current); elementsToPushDown.append(styledElement); // This causes OOM in infinite loops <snip> Repro: <html> <head> <script> function go() { document.designMode="on"; document.execCommand("SelectAll"); document.execCommand("delete"); document.execCommand("delete",false); document.execCommand("insertimage",false);; document.execCommand("selectall"); document.execCommand("strikethrough"); document.execCommand("insertimage", false); document.execCommand("justifycenter"); document.execCommand("InsertOrderedList"); document.execCommand("insertimage",false); document.execCommand("insertorderedlist"); document.execCommand("InsertHorizontalRule",false); document.execCommand("justifyright",false); document.execCommand("insertparagraph"); document.execCommand("indent"); document.execCommand("delete"); document.execCommand("Undo"); document.execCommand("underline"); document.execCommand("removeformat",false); } </script> </head> <body onload="go()"> </body> </html> id: chrome.dll!WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode OOM (93871a71195a4feb563917607f83aaa6) description: Cannot allocate enough memory in chrome.dll!WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode application: Chromium 11.0.671.0 stack: chrome.dll!WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode chrome.dll!WebCore::ApplyStyleCommand::removeInlineStyle chrome.dll!WebCore::ApplyStyleCommand::applyInlineStyle chrome.dll!WebCore::ApplyStyleCommand::doApply chrome.dll!WebCore::EditCommand::apply chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite chrome.dll!WebCore::RemoveFormatCommand::doApply chrome.dll!WebCore::EditCommand::apply chrome.dll!WebCore::applyCommand chrome.dll!WebCore::Editor::removeFormattingAndStyle chrome.dll!WebCore::executeRemoveFormat chrome.dll!WebCore::Editor::Command::execute chrome.dll!WebCore::Document::execCommand chrome.dll!WebCore::DocumentInternal::execCommandCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ... 365351 1 rniwa 2011-03-10 11:31:57 -0800 This hang didn't reproduce with WebKit r80641 on Mac. Could you try obtaining the DOM & selection on Chrome / WebKit that reproduce the issue right before you run the last document.execCommand("removeformat",false); ? We might still be able to reproduce the hang if we ran RemoveFormat on that DOM. 374393 2 skylined 2011-03-28 04:02:25 -0700 Sorry for the slow response, this one slipped through. "Could you try obtaining the DOM & selection on Chrome / WebKit" - sure, but what exactly do you mean with that? 82936 2011-02-18 02:10:11 -0800 2011-02-18 02:10:11 -0800 Repro repro.html text/html 1054 skylined PGh0bWw+CiAgPGhlYWQ+CiAgICA8c2NyaXB0PgogICAgICBmdW5jdGlvbiBnbygpIHsKICAgICAg ICBkb2N1bWVudC5kZXNpZ25Nb2RlPSJvbiI7CiAgICAgICAgZG9jdW1lbnQuZXhlY0NvbW1hbmQo IlNlbGVjdEFsbCIpOwogICAgICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJkZWxldGUiKTsKICAg ICAgICBkb2N1bWVudC5leGVjQ29tbWFuZCgiZGVsZXRlIixmYWxzZSk7CiAgICAgICAgZG9jdW1l bnQuZXhlY0NvbW1hbmQoImluc2VydGltYWdlIixmYWxzZSk7OwogICAgICAgIGRvY3VtZW50LmV4 ZWNDb21tYW5kKCJzZWxlY3RhbGwiKTsKICAgICAgICBkb2N1bWVudC5leGVjQ29tbWFuZCgic3Ry aWtldGhyb3VnaCIpOwogICAgICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJpbnNlcnRpbWFnZSIs IGZhbHNlKTsKICAgICAgICBkb2N1bWVudC5leGVjQ29tbWFuZCgianVzdGlmeWNlbnRlciIpOwog ICAgICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJJbnNlcnRPcmRlcmVkTGlzdCIpOwogICAgICAg IGRvY3VtZW50LmV4ZWNDb21tYW5kKCJpbnNlcnRpbWFnZSIsZmFsc2UpOwogICAgICAgIGRvY3Vt ZW50LmV4ZWNDb21tYW5kKCJpbnNlcnRvcmRlcmVkbGlzdCIpOwogICAgICAgIGRvY3VtZW50LmV4 ZWNDb21tYW5kKCJJbnNlcnRIb3Jpem9udGFsUnVsZSIsZmFsc2UpOwogICAgICAgIGRvY3VtZW50 LmV4ZWNDb21tYW5kKCJqdXN0aWZ5cmlnaHQiLGZhbHNlKTsKICAgICAgICBkb2N1bWVudC5leGVj Q29tbWFuZCgiaW5zZXJ0cGFyYWdyYXBoIik7CiAgICAgICAgZG9jdW1lbnQuZXhlY0NvbW1hbmQo ImluZGVudCIpOwogICAgICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJkZWxldGUiKTsKICAgICAg ICBkb2N1bWVudC5leGVjQ29tbWFuZCgiVW5kbyIpOwogICAgICAgIGRvY3VtZW50LmV4ZWNDb21t YW5kKCJ1bmRlcmxpbmUiKTsKICAgICAgICBkb2N1bWVudC5leGVjQ29tbWFuZCgicmVtb3ZlZm9y bWF0IixmYWxzZSk7CiAgICAgIH0KICAgIDwvc2NyaXB0PgogIDwvaGVhZD4KICA8Ym9keSBvbmxv YWQ9ImdvKCkiPgogIDwvYm9keT4KPC9odG1sPg==