Bug 12066
| Summary: | Crash due to runaway recursion when fieldset has display: table-row |
|---|---|
| Product: | WebKit |
| Component: | Layout and Rendering |
| Status: | RESOLVED FIXED |
| Severity: | Major |
| Priority: | P2 |
| Version: | 420+ |
| Hardware: | Mac |
| OS: | OS X 10.4 |
| Reporter: | Mark Rowe (bdash) <mrowe> |
| Assignee: | Darin Adler <darin> |
| CC: | ddkilzer |
| Keywords: | HasReduction, InRadar |
Mark Rowe (bdash)
<html>
<head>
<title>Test HTML Page</title>
<style type="text/css">
fieldset { display: table-row; }
</style>
</head>
<body>
<fieldset>fieldset</fieldset>
</body>
</html>
results in a crash after quite some delay:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbf7fff7c
0x9000297e in szone_malloc ()
(gdb) bt
#0 0x9000297e in szone_malloc ()
#1 0x9000268f in malloc ()
#2 0x005293ef in WTF::fastMalloc (n=256) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/JavaScriptCore/wtf/FastMalloc.cpp:87
#3 0x01515f86 in WTF::VectorBuffer<WebCore::RenderTableSection::RowStruct, 0ul>::allocateBuffer (this=0x1dbdcd90, newCapacity=16) at Vector.h:248
#4 0x015161a0 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::reserveCapacity (this=0x1dbdcd8c, newCapacity=16) at Vector.h:574
#5 0x01516234 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::expandCapacity (this=0x1dbdcd8c, newMinCapacity=1) at Vector.h:531
#6 0x015162a5 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::resize (this=0x1dbdcd8c, size=1) at Vector.h:560
#7 0x011b1618 in WebCore::RenderTableSection::ensureRows (this=0x1dbdcd2c, numRows=1) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:154
#8 0x011b20ae in WebCore::RenderTableSection::addChild (this=0x1dbdcd2c, child=0x1dbdce3c, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:131
#9 0x011b203d in WebCore::RenderTableSection::addChild (this=0x1dbdcd2c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:120
#10 0x011ac6a2 in WebCore::RenderTable::addChild (this=0x1dbdcaec, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTable.cpp:200
#11 0x011686a5 in WebCore::RenderContainer::addChild (this=0x1dbdca1c, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderContainer.cpp:148
#12 0x0114c25f in WebCore::RenderBlock::addChildToFlow (this=0x1dbdca1c, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:206
#13 0x0116d420 in WebCore::RenderFlow::addChild (this=0x1dbdca1c, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderFlow.cpp:112
#14 0x011b2f6b in WebCore::RenderTableRow::addChild (this=0x1dbdc75c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableRow.cpp:93
#15 0x011b205e in WebCore::RenderTableSection::addChild (this=0x1dbdc64c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:121
#16 0x011ac6a2 in WebCore::RenderTable::addChild (this=0x1dbdc40c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTable.cpp:200
#17 0x011686a5 in WebCore::RenderContainer::addChild (this=0x1dbdc2dc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderContainer.cpp:148
#18 0x0114c25f in WebCore::RenderBlock::addChildToFlow (this=0x1dbdc2dc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:206
#19 0x0116d420 in WebCore::RenderFlow::addChild (this=0x1dbdc2dc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderFlow.cpp:112
#20 0x011b2f6b in WebCore::RenderTableRow::addChild (this=0x1dbdc07c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableRow.cpp:93
#21 0x011b205e in WebCore::RenderTableSection::addChild (this=0x1dbdbf6c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:121
#22 0x011ac6a2 in WebCore::RenderTable::addChild (this=0x1dbdbd2c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTable.cpp:200
#23 0x011686a5 in WebCore::RenderContainer::addChild (this=0x1dbdbbfc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderContainer.cpp:148
#24 0x0114c25f in WebCore::RenderBlock::addChildToFlow (this=0x1dbdbbfc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:206
[and so on for many thousand frames]
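For triage, the repeating unit in a backtrace like the one above can be extracted mechanically. The following Python is an added example, not part of the original report or of WebKit; the names `parse_frames` and `find_cycle` are hypothetical, and the sample is constructed from frames #8 to #24 of the trace with arguments elided and paths shortened.

```python
import os
import re

# Constructed sample: frames #8-#24 of the backtrace in the report, with
# argument lists elided and source paths cut to the file name.
SAMPLE_BT = """\
#8 0x011b20ae in WebCore::RenderTableSection::addChild (...) at RenderTableSection.cpp:131
#9 0x011b203d in WebCore::RenderTableSection::addChild (...) at RenderTableSection.cpp:120
#10 0x011ac6a2 in WebCore::RenderTable::addChild (...) at RenderTable.cpp:200
#11 0x011686a5 in WebCore::RenderContainer::addChild (...) at RenderContainer.cpp:148
#12 0x0114c25f in WebCore::RenderBlock::addChildToFlow (...) at RenderBlock.cpp:206
#13 0x0116d420 in WebCore::RenderFlow::addChild (...) at RenderFlow.cpp:112
#14 0x011b2f6b in WebCore::RenderTableRow::addChild (...) at RenderTableRow.cpp:93
#15 0x011b205e in WebCore::RenderTableSection::addChild (...) at RenderTableSection.cpp:121
#16 0x011ac6a2 in WebCore::RenderTable::addChild (...) at RenderTable.cpp:200
#17 0x011686a5 in WebCore::RenderContainer::addChild (...) at RenderContainer.cpp:148
#18 0x0114c25f in WebCore::RenderBlock::addChildToFlow (...) at RenderBlock.cpp:206
#19 0x0116d420 in WebCore::RenderFlow::addChild (...) at RenderFlow.cpp:112
#20 0x011b2f6b in WebCore::RenderTableRow::addChild (...) at RenderTableRow.cpp:93
#21 0x011b205e in WebCore::RenderTableSection::addChild (...) at RenderTableSection.cpp:121
#22 0x011ac6a2 in WebCore::RenderTable::addChild (...) at RenderTable.cpp:200
#23 0x011686a5 in WebCore::RenderContainer::addChild (...) at RenderContainer.cpp:148
#24 0x0114c25f in WebCore::RenderBlock::addChildToFlow (...) at RenderBlock.cpp:206
"""

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \(.*\)(?: at (.+):(\d+))?$")

def parse_frames(text):
    """Return [(frame_no, function, 'file:line')] for each gdb frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            src = f"{os.path.basename(m[3])}:{m[4]}" if m[3] else ""
            frames.append((int(m[1]), m[2], src))
    return frames

def find_cycle(frames, min_repeats=2):
    """Find the shortest call cycle repeating up to the outer end of the trace."""
    keys = [f[1:] for f in frames]  # compare on (function, file:line)
    n = len(keys)
    for p in range(1, n // min_repeats + 1):
        i = n - p  # start of the p-periodic run at the outer end
        while i > 0 and keys[i - 1] == keys[i - 1 + p]:
            i -= 1
        if n - i >= min_repeats * p:
            return frames[i][0], [f[1] for f in frames[i:i + p]]
    return None
```

Keying on function plus file:line is what leaves frame #9 (RenderTableSection.cpp:120) outside the cycle even though it shares a function name with frame #15 (RenderTableSection.cpp:121).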
Mark Rowe (bdash)
This also occurs with WebKit 418.9.1.
Mark Rowe (bdash)
<rdar://problem/4928671>
Maciej Stachowiak
Downgrading since this is not a regression and does not affect a known real-world site.
Darin Adler
Sending LayoutTests/ChangeLog
Adding LayoutTests/fast/css/fieldset-display-row-expected.checksum
Adding (bin) LayoutTests/fast/css/fieldset-display-row-expected.png
Adding LayoutTests/fast/css/fieldset-display-row-expected.txt
Adding LayoutTests/fast/css/fieldset-display-row.html
Sending WebCore/ChangeLog
Sending WebCore/rendering/RenderContainer.cpp
Sending WebCore/rendering/RenderTable.cpp
Transmitting file data ........
Committed revision 21520.